File000117
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

News: Investigators Now Crack Crime Computers on The Spot
Source: http://news.cnet.com/
Module Objective

This module will familiarize you with:
• The Definition of Digital Evidence
• Characteristics of Digital Evidence
• Types of Digital Data
• Best Evidence Rule
• Federal Rules of Evidence
• International Principles for Computer Evidence
• The Scientific Working Group on Digital Evidence (SWGDE)
• Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process
• Evidence Assessment
• Evidence Acquisition
• Evidence Preservation
• Evidence Examination and Analysis
• Evidence Documentation and Reporting
• Electronic Crime and Digital Evidence Consideration by Crime Category
Module Flow

Definition of Digital Evidence → Characteristics of Digital Evidence → Types of Digital Data → Best Evidence Rule → Federal Rules of Evidence → International Principles for Computer Evidence → Scientific Working Group on Digital Evidence (SWGDE) → Electronic Devices: Types and Collecting Potential Evidence → Digital Evidence Examination Process (Evidence Assessment → Evidence Acquisition → Evidence Preservation → Evidence Examination and Analysis → Evidence Documentation and Reporting) → Electronic Crime and Digital Evidence Consideration by Crime Category
Definition of Digital Evidence

Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”

Digital evidence is found in files such as:
• Graphics files
• Audio and video recordings and files
• Internet browser histories
• Server logs
• Word processing and spreadsheet files
• Emails
• Log files

Digital information can be gathered by examining digital storage media, monitoring network traffic, or making duplicate copies of digital data found during a forensic investigation
Increasing Awareness of Digital Evidence

Businesses are facing the need to gather evidence on their networks in response to computer crime

Many organizations take legal remedies into account when attackers target their networks, and focus on gathering digital evidence in a way that will hold up in court

Government organizations are also paying attention to using digital evidence to identify terrorist activity and prevent future attacks

As a result, computer forensic investigators are increasingly expected to have complete knowledge of how to handle digital evidence
Challenging Aspects of Digital Evidence

Forensic investigators face many challenges in preserving digital evidence: it is fragile, easily altered, and must be handled with care

During an investigation it can be altered, maliciously or unintentionally, without leaving any trace

Digital evidence is circumstantial, which makes it difficult for a forensic investigator to attribute the system’s activity to a particular person

It is an abstraction of events: when a user performs some task on the computer, the resulting activity leaves data remnants that give only an incomplete view of what actually happened
The Role of Digital Evidence

The role of digital evidence is to establish a credible link between the attacker, the victim, and the crime scene

According to Locard's Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”

For example, if information from the victim’s computer was stored on a server or on the system itself at the time of the crime, the investigator can trace that information by examining log files, Internet browsing history, etc.
Characteristics of Digital Evidence

Digital evidence must have certain characteristics to be presented in a court of law

Characteristics of digital evidence:
• Admissible: evidence must be related to the fact being proved
• Authentic: evidence must be real and related to the incident in a proper way
• Complete: evidence must prove the attacker’s actions or his innocence
• Reliable: evidence must not cast any doubt on its own authenticity and veracity
• Believable: evidence must be clear and understandable by the judges
Fragility of Digital Evidence

Digital evidence is fragile in nature

If a computer at the crime scene is turned off during the investigation, data that has not been saved (such as the contents of memory) can be lost permanently

If the computer is connected to the Internet, the person involved in the crime may destroy evidence remotely, for example by deleting log files

After the incident, if a user ‘writes’ any data to the system, it may overwrite evidence of the crime
Anti-Digital Forensics (ADF)

ADF is an approach to manipulating, erasing, or obfuscating digital data

It makes forensic examination difficult, time consuming, or impossible

General categories of ADF are:
• Overwriting data and metadata (wiping)
  • Destroys potentially incriminating data by overwriting it, often several times
  • Zeros or random data are written over the actual data
• Exploitation of bugs in forensic tools
  • Crafted input makes forensic imaging and analysis tools misread files
  • For example, a text file may be read as an executable file
Anti-Digital Forensics (cont’d)

Hiding data (steganography, cryptography, and low-tech methods)
• Confidential data is hidden inside image files
• Messages are encrypted using strong cryptographic algorithms, which the analyst cannot decrypt without the key
• Low-tech methods hide data or information from the examiner

Obfuscation of data
• Obfuscation of data is intended to confuse forensic analysts
• Anonymous remailers are used to strip identifying information from email headers
• Bootable USB or CD/DVD media are also used to compromise a system or network while leaving little trace on the host’s own disk
Types of Digital Data

Volatile data
• Volatile data is held in memory and is lost when the system loses power; it also changes constantly while the system runs
• It includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history

Non-volatile data
• Non-volatile data is kept on secondary storage and persists in the long term
• It includes hidden files, slack space, the swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs
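The process-to-port mapping listed above is the volatile item examiners most often need to reconstruct by hand. As an added example (not code from the EC-Council deck), the script below does it the way it is actually done on Linux: it parses the kernel's socket table in /proc/net/tcp and maps each socket inode back to a PID through the `socket:[inode]` links under /proc/<pid>/fd. The /proc/net/tcp text embedded in the script is constructed for the example; the live path is only read when the script is run as a program.

```python
"""Added example: collecting one slice of volatile data on Linux, the open TCP
sockets and the process that owns each one (the 'process-to-port mapping').
Not from the EC-Council deck; SAMPLE_PROC_NET_TCP below is constructed."""
import os
import socket
import struct

# Socket states as encoded in the 'st' column of /proc/net/tcp
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(hex_addr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IPv4 address is stored as a
    little-endian 32-bit hex value, the port as plain hex."""
    addr_hex, port_hex = hex_addr.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into connection records (header line skipped).
    Column order: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ..."""
    records = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        records.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return records


def socket_inode_to_pid():
    """Map socket inode -> PID by reading the 'socket:[inode]' links under
    /proc/<pid>/fd. Needs Linux; processes whose fd table we may not read
    are skipped (record that gap in the acquisition log)."""
    mapping = {}
    if not os.path.isdir("/proc"):
        return mapping
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                mapping[int(target[8:-1])] = int(pid)
    return mapping


def process_to_port_mapping(proc_net_tcp_text, inode_map):
    """Join the socket table with the inode->PID map; pid is None when the
    owning process could not be determined."""
    joined = []
    for rec in parse_proc_net_tcp(proc_net_tcp_text):
        joined.append(dict(rec, pid=inode_map.get(rec["inode"])))
    return joined


# Constructed sample: a listener on 127.0.0.1:8080 and an established
# connection from 10.0.2.15 to 94.75.76.33:443, both owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1A2 214C4B5E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # Live collection on a Linux host; falls back to the sample elsewhere.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for rec in process_to_port_mapping(table, socket_inode_to_pid()):
        print("%s:%d -> %s:%d %s uid=%d pid=%s" % (
            rec["local"] + rec["remote"] + (rec["state"], rec["uid"], rec["pid"])))
```

Run it as early as possible in the order of volatility and write the output to removable media, not to the suspect disk: every file you create on that disk is a write that may overwrite residual data. IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses and are not handled here.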
Types of Digital Data (cont’d)

Transient data:
• Transient data includes open network connections, user logon/logout state, programs resident in memory, and cached data
• If the machine is turned off, all of this information is lost permanently

Fragile data:
• Fragile data is information stored on the hard disk that is easily changed, even by the act of examining it
• It includes last access timestamps and access dates on files

Temporarily accessible data:
• Temporarily accessible data is stored on the hard disk but is accessible only for a certain time
• An example is the contents of an encrypted file system, which are readable only while it is mounted and unlocked
Types of Digital Data (cont’d)

Active data:
• Active data is the data presently used by the parties for their daily operations
• It is direct and straightforward to recognize and access using the current system

Archival data:
• Archival data is data kept in long-term storage to maintain records

Backup data:
• Backup data refers to a copy of the system data
• It can be used at any time during a recovery process after a disaster or system crash
Types of Digital Data (cont’d)

Residual data:
• Data that remains on a computer after a document is deleted is called residual data
• When a file is deleted, the file system only marks its space as available; it does not erase the file’s contents
• The file can be recovered until the space is reused

Metadata:
• Metadata is a record about a particular document
• The record covers the file’s format and how, when, and by whom the file was created, saved, and modified
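Metadata comes in two layers that an examiner records separately: the timestamps the file system keeps, and the author/revision data the application embeds in the document. As an added example (not from the EC-Council deck), the script below reads both for a Word document: the file-system MAC times from the OS, and creator, last-modified-by, revision and created/modified times from the docProps/core.xml part that a .docx carries inside its zip container. The .docx is built in memory for the example and its names and dates are invented.

```python
"""Added example: the two layers of document metadata (file-system timestamps
and application-embedded properties). Not from the EC-Council deck; the
.docx below is constructed and its creator/dates are invented."""
import io
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the OOXML core-properties part
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}


def build_sample_docx():
    """Minimal OOXML package holding only the core-properties part."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        "<dc:creator>alice</dc:creator>"
        "<cp:lastModifiedBy>bob</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2023-03-01T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2023-03-04T17:42:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def extract_embedded_metadata(docx_bytes):
    """Who created/modified the document and when, as recorded by Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def filesystem_timestamps(path):
    """MAC times as the file system reports them (UTC, ISO 8601)."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"size": st.st_size, "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "changed": iso(st.st_ctime)}


def examine(path):
    """Record file-system timestamps BEFORE opening the file: the access time
    is fragile data, and opening the file is exactly what changes it."""
    fs = filesystem_timestamps(path)
    with open(path, "rb") as f:
        embedded = extract_embedded_metadata(f.read())
    return {"filesystem": fs, "embedded": embedded}


def demo():
    """Write the constructed .docx to a temp dir and examine it."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    path = os.path.join(workdir, "memo.docx")
    with open(path, "wb") as f:
        f.write(build_sample_docx())
    return examine(path)


if __name__ == "__main__":
    for layer, values in demo().items():
        print(layer, values)
```

The two layers should be compared, not trusted individually: embedded properties are set by the application clock and user profile and are trivially editable, while file-system times change on copy and on access. On real evidence, run this against a forensic image mounted read-only so the access time on the original is never touched.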
Rules of Evidence

Definition:
• Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration
• The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties

Evidence that is to be presented in court must comply with the established rules of evidence

Before the investigation begins, it is important that the investigator understands the Rules of Evidence
Best Evidence Rule

The best evidence rule guards against alteration of digital evidence, whether intentional or unintentional, by requiring the original

It states that the court only allows the original of any document, photograph, or recording at trial rather than a copy, but a duplicate will be allowed as evidence under conditions such as the following:
• The original was destroyed by fire or flood
• The original was destroyed in the normal course of business
• The original is in the possession of a third party
Federal Rules of Evidence

The rule text quoted in this module is the wording in force before the 2011 restyling of the Federal Rules of Evidence; the rule numbers are unchanged

Rule 102. Purpose and Construction:
These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined

Rule 103. Rulings on Evidence:
• (a) Effect of erroneous ruling
  • Error may not be predicated upon a ruling which admits or excludes evidence unless a substantial right of the party is affected, and
  • (1) Objection. In case the ruling is one admitting evidence, a timely objection or motion to strike appears of record, stating the specific ground of objection, if the specific ground was not apparent from the context; or
  • (2) Offer of proof. In case the ruling is one excluding evidence, the substance of the evidence was made known to the court by offer or was apparent from the context within which questions were asked
Federal Rules of Evidence (cont’d)

Rule 103. Rulings on Evidence (cont’d):
• (b) Record of offer and ruling
  • The court may add any other or further statement which shows the character of the evidence, the form in which it was offered, the objection made, and the ruling thereon. It may direct the making of an offer in question and answer form
• (c) Hearing of jury
  • Proceedings shall be conducted, to the extent practicable, so as to prevent inadmissible evidence from being suggested to the jury by any means, such as making statements or offers of proof or asking questions in the hearing of the jury
• (d) Plain error
  • Nothing in this rule precludes taking notice of plain errors affecting substantial rights although they were not brought to the attention of the court
Federal Rules of Evidence (cont’d)

Rule 104. Preliminary Questions:
• Questions of admissibility generally
  • Preliminary questions concerning the qualification of a person to be a witness, the existence of a privilege, or the admissibility of evidence shall be determined by the court, subject to the provisions of subdivision (b)
  • In making its determination, it is not bound by the rules of evidence except those with respect to privileges
• Relevancy conditioned on fact
  • When the relevancy of evidence depends upon the fulfillment of a condition of fact, the court shall admit it upon, or subject to, the introduction of evidence sufficient to support a finding of the fulfillment of the condition
• Testimony by accused
  • The accused does not, by testifying upon a preliminary matter, become subject to cross-examination as to other issues in the case
Federal Rules of Evidence (cont’d)

Rule 104. Preliminary Questions (cont’d):
• Hearing of jury
  • Hearings on the admissibility of confessions shall in all cases be conducted out of the hearing of the jury
  • Hearings on other preliminary matters shall be conducted when the interests of justice require, or when an accused is a witness and so requests
• Weight and credibility
  • This rule does not limit the right of a party to introduce before the jury evidence relevant to weight or credibility

Rule 105. Limited Admissibility:
• When evidence which is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
Federal Rules of Evidence (cont’d)

Hearsay Rule (Rules 801 and 802):
• Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted
• It is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress

Statements which are not hearsay:
• Prior statement by witness
• Admission by party-opponent
Federal Rules of Evidence (cont’d)

Rule 803. Hearsay Exceptions; Availability of Declarant Immaterial
Even if the declarant is available as a witness, the following are not excluded by the hearsay rule:
• Present sense impression
• Excited utterance
• Statements for purposes of medical diagnosis or treatment
• Recorded recollection
• Records of regularly conducted activity
• Absence of entry in records kept in accordance with the provisions
• Public records and reports
• Records of vital statistics
Federal Rules of Evidence (cont’d)
Rule 804. Hearsay Exceptions; Declarant Unavailable
If the declarant is unavailable as a witness, the following are not
excluded by the hearsay rule:
• Former testimony
• Statement under belief of impending death
• Statement against interest
• Statement of personal or family history
Federal Rules of Evidence (cont’d)

Rule 1001: Definitions
Contents of writings, recordings, and photographs
• Writings and recordings:
  • Writings and recordings consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation
• Photographs:
  • Photographs include still photographs, X-ray films, video tapes, and motion pictures
• Original:
  • An original of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it
  • If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original” (this is the clause that matters most for digital evidence)
• Duplicate:
  • A duplicate is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original
Federal Rules of Evidence (cont’d)

Rule 1002: Requirement of Original
• To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress

Rule 1003: Admissibility of Duplicates
• A duplicate is admissible to the same extent as an original unless
  • (1) a genuine question is raised as to the authenticity of the original or
  • (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original
Federal Rules of Evidence (cont’d)

Rule 1004: Admissibility of Other Evidence of Contents
• The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if:
  • (1) Originals are lost or destroyed. All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith
  • (2) Original is not obtainable. No original can be obtained by any available judicial process or procedure
  • (3) Original is in possession of the opponent. At a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing
  • (4) Collateral matters. The writing, recording, or photograph is not closely related to a controlling issue
International Organization on Computer Evidence (IOCE)

The International Organization on Computer Evidence (IOCE) was established in 1995

Its purpose is to provide a forum in which law enforcement agencies worldwide can exchange information on cyber crime investigation and other issues associated with computer forensics

IOCE provides a channel for direct communication between member agencies and arranges conferences to build strong working relationships
IOCE International Principles for Digital Evidence

When dealing with digital evidence, all of the general forensic and procedural principles must be applied

Upon seizing digital evidence, actions taken should not change that evidence

When it is necessary for a person to access the original digital evidence, that person should be trained for the purpose

All activities relating to the seizure, access, storage, or transfer of the digital evidence must be fully documented, preserved, and available for review

An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession

Any agency which is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Scientific Working Group on Digital Evidence (SWGDE)

The SWGDE publishes standards and best-practice documents for handling digital evidence; its standards for the exchange of digital evidence are summarized on the following slides
http://www.swgde.org/
SWGDE Standards for the Exchange of Digital Evidence

Principle 1
• In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials

Standards and Criteria 1.1
• All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority
SWGDE Standards for the Exchange of Digital Evidence (cont’d)

Standards and Criteria 1.2
• Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness

Standards and Criteria 1.3
• Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner

Standards and Criteria 1.4
• The agency must maintain written copies of appropriate technical procedures
SWGDE Standards for the Exchange of Digital Evidence (cont’d)

Standards and Criteria 1.5
• The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure

Standards and Criteria 1.6
• All activities relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony

Standards and Criteria 1.7
• Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
Electronic Devices: Types and Collecting Potential Evidence

Computer Systems:
Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices, and media such as floppy disks, CDs, DVDs, cartridges, and tape

User-Created Files
• Address books, database files, audio or video files, documents or text files, image or graphics files, Internet bookmarks or favorites, and spreadsheet files, from which information of investigative value can be obtained

User-Protected Files
• Compressed files, misnamed files, encrypted files, password-protected files, hidden files, and steganography

Computer-Created Files
• Backup files, log files, configuration files, printer spool files, cookies, swap files, hidden files, system files, history files, and temporary files
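Three of the points made so far come together on one piece of storage: residual data (a deleted file's content stays on disk until the space is reused), misnamed files among the user-protected files above (the extension lies, the content header does not), and wiping as an anti-forensic technique (overwriting defeats recovery). As an added example (not from the EC-Council deck), the toy volume below makes all three concrete: deleting only drops the directory entry, signature-based carving still finds the JPEG in unallocated sectors, the same signature table flags a PDF stored as notes.txt, and after the free space is wiped there is nothing left to carve. The volume, its directory and its files are constructed for the example; real file systems, and real carvers, which scan every byte offset and reconstruct file bodies, are considerably more involved.

```python
"""Added example: residual data, signature-based carving, misnamed-file
detection and the effect of wiping, on a constructed toy volume. Not from the
EC-Council deck; the volume layout and files are invented for the example."""
import os

SECTOR = 512
# magic bytes -> (file type, extensions that legitimately carry it)
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", {".jpg", ".jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("png", {".png"}),
    b"%PDF-": ("pdf", {".pdf"}),
    b"PK\x03\x04": ("zip", {".zip", ".docx", ".xlsx"}),
}


def sectors_needed(length):
    return -(-length // SECTOR)  # ceiling division


class ToyVolume:
    def __init__(self, sectors=64):
        self.image = bytearray(sectors * SECTOR)
        self.directory = {}                 # name -> (first sector, length)
        self.free = set(range(1, sectors))  # sector 0 reserved for the directory

    def _find_run(self, needed):
        avail = sorted(self.free)
        for i in range(len(avail) - needed + 1):
            if avail[i + needed - 1] - avail[i] == needed - 1:
                return avail[i]
        raise OSError("volume full")

    def write(self, name, data):
        needed = sectors_needed(len(data))
        start = self._find_run(needed)
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.free -= set(range(start, start + needed))
        return start

    def delete(self, name):
        """Only the directory entry is removed; the data stays on disk."""
        start, length = self.directory.pop(name)
        self.free |= set(range(start, start + sectors_needed(length)))

    def wipe_free_space(self, fill=0x00):
        """Anti-forensic wipe: overwrite every unallocated sector."""
        for s in self.free:
            self.image[s * SECTOR:(s + 1) * SECTOR] = bytes([fill]) * SECTOR


def carve_unallocated(vol):
    """Return (sector, type) for each unallocated sector that starts with a
    known signature; a real carver would also reconstruct the file body."""
    hits = []
    for s in sorted(vol.free):
        head = bytes(vol.image[s * SECTOR:s * SECTOR + 16])
        for magic, (ftype, _) in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((s, ftype))
    return hits


def misnamed_files(vol):
    """Files whose content signature does not match their extension."""
    flagged = []
    for name, (start, _) in vol.directory.items():
        head = bytes(vol.image[start * SECTOR:start * SECTOR + 16])
        ext = os.path.splitext(name)[1].lower()
        for magic, (ftype, exts) in SIGNATURES.items():
            if head.startswith(magic) and ext not in exts:
                flagged.append((name, ftype))
    return flagged


def demo():
    vol = ToyVolume()
    vol.write("photo.jpg", b"\xff\xd8\xff\xe0" + b"J" * 1000)   # 2 sectors
    vol.write("notes.txt", b"%PDF-1.7\n" + b"x" * 100)          # PDF hiding as text
    vol.delete("photo.jpg")
    after_delete = carve_unallocated(vol)   # the 'deleted' JPEG is still there
    suspicious = misnamed_files(vol)
    vol.wipe_free_space()
    after_wipe = carve_unallocated(vol)     # nothing left to carve
    return after_delete, suspicious, after_wipe


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over to real media. Carving recovers content, not names, timestamps or ownership, so a carved file still needs other evidence to tie it to a user. And wiping free space only defeats carving on the media that was wiped: copies in backups, swap, shadow copies or the printer spool listed above are untouched, which is why the examination covers all of them.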
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Hard drive
• A hard drive is an electronic storage device that stores data magnetically
• It holds data in many file formats: text, picture, video, etc.
• To collect evidence, check text, picture, video, multimedia, database, and program files

Thumb drive
• A thumb drive is a removable data storage device with a USB connection
• It is small and lightweight
• To collect evidence, check text, graphics, image, and picture files

Memory card
• A memory card is a removable electronic storage device used in many devices such as digital cameras, PDAs, and computers
• Data on a memory card is not lost when power is turned off
• To collect evidence, check event logs, chat logs, text files, image and picture files, and Internet browsing history
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Access Control Devices:

Smart card
• A portable device containing a microprocessor that stores an encryption key or password and a digital certificate

Dongle
• A copy-protection device supplied with software that is plugged into a computer port

Biometric scanner
• A device connected to a computer system that identifies an individual by physical characteristics

Evidence is found in the information that identifies or authenticates the card and the user, the level of access, configurations, permissions, and in the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Answering Machine:
It is part of a telephone or is connected between a telephone and the landline connection

Evidence is found in voice recordings and stored data such as:
• Deleted messages
• Last number called
• Memos
• Phone numbers
• Tapes
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Digital Camera:
It records images and video and transfers them to computer media with the help of conversion hardware

Evidence is found in:
• Images
• Removable cartridges
• Video
• Sound
• Time and date stamps
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Handheld Devices such as Personal Digital Assistants (PDAs) and Electronic Organizers
• A PDA is a handheld, portable device that combines computing, telephone/fax, paging, and networking functions
• Evidence is found in the address book, appointment calendars, documents, e-mail, handwriting, passwords, phone book, text messages, and voice messages

Modem:
• It is used by computers to communicate over telephone lines
• Evidence is found on the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Network Components:

Local Area Network (LAN) Card/Network Interface Card (NIC)
• Evidence is found in the MAC (Media Access Control) address, which can be matched against the addresses recorded in network logs

Routers, Hubs, and Switches
• Routers, hubs, and switches connect different computers or networks
• For routers, evidence is found in the configuration files
• For hubs and switches, evidence is found on the devices themselves

Server
• A server is a central computer that provides services to other computers connected to the same network
• Evidence is found in the computer system

Network Cables and Connectors
• Network cables come in a variety of colors, thicknesses, shapes, and connectors depending on the components they connect
• Evidence is found on the devices
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Pager:
• A handheld, portable electronic device for sending and receiving electronic messages in numeric or alphanumeric form
• It contains volatile evidence such as address information, text messages, e-mail, voice messages, and phone numbers

Printer:
• Printers include thermal, laser, inkjet, and impact printers, connected to the computer over a cable (serial, parallel, or USB) or accessed over an infrared port
• Some printers contain a memory buffer that lets them receive and store multiple documents
• Evidence is found in usage logs, time and date stamps, network identity information, and ink cartridges
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Removable Storage Devices and Media:
Storage devices and media such as tapes, CDs, DVDs, and floppy disks are used to store digital information
These devices are portable and store different types of files, such as text, graphics, multimedia, and video files
Evidence is found on the media themselves
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Scanner:
It is an optical device connected to a computer; a document placed on the scanning surface is captured and sent to the computer as a file
Evidence is found by looking at the marks on the glass of the scanner
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Telephones:
• Evidence is found in:
  • Names
  • Phone numbers
  • Caller identification information
  • Appointment information
  • Electronic mail and pages

Copiers:
• They make copies of printed or graphical documents
• Evidence is found in:
  • Documents
  • User usage logs
  • Time and date stamps
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Credit Card Skimmers:
• They read the information present on the tracks of a card’s magnetic stripe
• Evidence is found in:
  • Card expiration date
  • User’s address
  • Credit card numbers
  • User’s name

Digital Watches:
• Evidence is found in:
  • Address book
  • Notes
  • Appointment calendars
  • Phone numbers
  • Email
Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Facsimile (Fax) Machines
• Evidence is found in:
  • Documents
  • Phone numbers
  • Film cartridge
  • Send or receive logs

Global Positioning Systems (GPS)
• Evidence is found in:
  • Previous destinations
  • Waypoints
  • Routes
  • Travel logs
Digital Evidence Examination Process

• Evidence Assessment
• Evidence Acquisition
• Evidence Preservation
• Evidence Examination and Analysis
• Evidence Documentation and Reporting
Evidence Assessment

Digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action

Conduct a thorough assessment by reviewing the search warrant or other legal authorization, the case details, the nature of the hardware and software, the potential evidence sought, and the circumstances surrounding the acquisition of the evidence
Evidence Assessment (cont’d)

Prioritize the evidence where necessary, considering:
• The location where the evidence is found
• The stability of the media to be examined

Determine how to document the evidence (e.g., photograph, sketch, notes)
Evaluate storage locations for electromagnetic interference
Determine the condition of the evidence as a result of packaging, transport, or storage
Assess the need to provide continuous electric power to battery-operated devices
- 55. EC-Council
Prepare for Evidence Acquisition
To prepare for the acquisition of evidence, all the actions and outcomes of the previous phases of the digital evidence examination process should be properly recorded
Documentation that helps in preparing for evidence acquisition:
• An initial estimate of the impact of the situation on the organization's business
• A detailed network topology diagram that highlights the affected computer systems and provides details about how those systems might be affected
• Summaries of interviews with users and system administrators
• Outcomes of any legal and third-party interactions
• Reports and logs generated by tools used during the assessment phase
• A proposed course of action
- 57. EC-Council
Preparation for Searches
Before preparing a warrant to seize all or part of a computer system and the information it contains, it is critical to determine the computer's role in the offense
For example:
• A counterfeiter might use his computer, scanner, and color printer to scan U.S. currency and then print money
• A drug dealer may store records pertaining to customers, prices, and quantities delivered on a personal computer
• A blackmailer may type and store threatening letters in his computer
• Attackers often use their computers both to attack others’ computer systems and to store the stolen files
- 58. EC-Council
Seizing the Evidence
If a computer was used to store the evidence, the storage media should be seized along with the other devices
While running programs to collect analysis information, any books found at the scene should be collected to help understand the programs
The suspect should be prevented from touching the system
During the seizure process, the computer should not be powered down
- 59. EC-Council
Imaging
Remove the subject storage device and perform the acquisition using
the examiner’s system
When attaching the subject device to the examiner’s system,
configure the storage device so that it will be recognized
Ensure that the examiner’s storage device is forensically clean when
acquiring the evidence
- 60. EC-Council
Bit-Stream Copies
A bit-stream copy is a bit-by-bit copy of the original storage medium and an exact copy of the original disk
A bit-stream image is the file that contains the bit-stream copy of all the data on a disk or partition
The computer should not be operated and computer evidence should not be processed until bit-stream backups have been made of all hard disk drives and floppy disks
- 61. EC-Council
Write Protection
Write protection should be initiated, if available, to preserve and protect the original evidence
Create a known value for the subject evidence prior to acquiring it (e.g., by performing an independent cyclic redundancy check (CRC) or MD5 hash)
If hardware write protection is used:
• Install a write protection device
• Boot the system with the examiner’s controlled operating system
If software write protection is used:
• Boot the system with the examiner-controlled operating system
• Activate write protection
- 62. EC-Council
Evidence Acquisition
Digital evidence is fragile and can be altered, damaged, or destroyed
by improper handling or examination
In case of failure, evidence may be unusable or it may lead to an
inaccurate conclusion
Acquire the original digital evidence in a manner that protects and
preserves the evidence
- 63. EC-Council
Evidence Acquisition from Crime Location (cont’d)
Disassemble the case of the computer to be examined to permit physical access to the storage devices
Ensure that the equipment is protected from static electricity and magnetic fields
Identify the storage devices that need to be acquired; these devices can be internal, external, or both
- 64. EC-Council
Evidence Acquisition from Crime Location (cont’d)
Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data
Document internal storage devices and hardware configuration:
• Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface)
• Internal components (e.g., sound card, video card, network card, including media access control (MAC) address, personal computer memory card international association (PCMCIA) cards)
- 65. EC-Council
Acquiring Evidence from Storage Devices
Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected areas (e.g., that non-host-specific data such as the partition table matches the physical geometry of the drive)
Capture the electronic serial number of the drive and other user-accessible, host-specific data
Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as:
• Stand-alone duplication software
• Forensic analysis software suite
• Dedicated hardware devices
Verify successful acquisition by comparing the known values of the original and the copy, or by doing a sector-by-sector comparison of the original to the copy
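The known-value step from the Write Protection slide and the verification step above, as an added example that is not part of the EC-Council deck: it records MD5 and SHA-256 known values for a constructed 8-sector "drive", checks a copy against them, and falls back to a sector-by-sector comparison to locate where a bad copy differs. The sample data and sector size are constructed; a real acquisition would stream the device file through hash_stream instead.

```python
import hashlib
import io

SECTOR_SIZE = 512  # bytes per sector on the constructed sample "drives"


def known_values(data: bytes) -> dict:
    """Known values recorded for the subject evidence before acquisition.
    MD5 is what the slide names; SHA-256 is added because MD5 collisions
    are practical and many labs now record both."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_stream(fileobj, chunk_size: int = 1 << 20) -> dict:
    """Same known values, computed from a file-like object in chunks so a
    multi-gigabyte device file never has to be loaded into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        md5.update(chunk)
        sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def sector_compare(original: bytes, image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Sector-by-sector comparison of original and copy. Returns the numbers
    of the sectors whose contents differ, which tells the examiner *where* an
    acquisition failed; a hash mismatch alone only says that it failed."""
    if len(original) != len(image):
        # A short image usually means the tool stopped early or a host-protected
        # area / unaccounted space was not captured; treat it as a failure.
        raise ValueError(f"size mismatch: original {len(original)} B, image {len(image)} B")
    return [
        n // sector_size
        for n in range(0, len(original), sector_size)
        if original[n:n + sector_size] != image[n:n + sector_size]
    ]


def verify_acquisition(original: bytes, image: bytes) -> dict:
    """Full verification step: compare the known values of original and copy
    and, if they disagree, locate the bad sectors."""
    expected = known_values(original)
    actual = hash_stream(io.BytesIO(image))  # as an acquisition tool would stream it
    result = {"expected": expected, "actual": actual,
              "verified": expected == actual, "bad_sectors": []}
    if not result["verified"]:
        try:
            result["bad_sectors"] = sector_compare(original, image)
        except ValueError as err:
            result["error"] = str(err)
    return result


# --- constructed sample data (not a real drive) -----------------------------
ORIGINAL = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))  # 8 sectors, 4096 bytes
GOOD_IMAGE = bytes(ORIGINAL)                                      # a faithful bit-stream copy
_bad = bytearray(ORIGINAL)
_bad[5 * SECTOR_SIZE + 17] ^= 0xFF                                # one flipped byte in sector 5
BAD_IMAGE = bytes(_bad)
SHORT_IMAGE = ORIGINAL[:7 * SECTOR_SIZE]                          # acquisition stopped one sector early

if __name__ == "__main__":
    for name, img in [("good", GOOD_IMAGE), ("bad", BAD_IMAGE), ("short", SHORT_IMAGE)]:
        r = verify_acquisition(ORIGINAL, img)
        print(name, "verified" if r["verified"] else f"FAILED: {r.get('error') or r['bad_sectors']}")
```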
- 66. EC-Council
Collecting Evidence
Data on digital evidence can be collected either locally or over a network
Acquiring the data locally has the advantage of greater control over the computer(s) and the data involved
Other factors, such as the secrecy of the investigation, the nature of the evidence that must be gathered, and the timeframe for the investigation, will ultimately determine whether the evidence is collected locally or over the network
Create accurate documentation that will later allow you to identify and authenticate the evidence that is collected
Determine which investigation methods to use; typically, a combination of offline and online investigations is used
In offline investigations, additional analysis is performed on a bit-wise copy of the original evidence
In an online investigation, analysis is performed on the original live evidence
- 67. EC-Council
Collecting Evidence (cont’d)
Identify and document the potential sources of data:
• Server information includes server role, logs (such as event logs), files, and applications
• Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS) that may be used in the possible attack path
• Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards
• Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media
Note: When capturing volatile data, carefully consider the order in which the data is collected
- 68. EC-Council
Collecting Evidence (cont’d)
Use the following methods to collect data from the storage media and record storage media configuration information:
• If any internal storage devices are to be removed, turn off the computer first
• Before turning off the computer, verify that all volatile data has been captured
• Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data
• Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected
• Document the internal storage devices and ensure that information about their configurations is included
• Verify the data collected; create checksums and digital signatures when possible to establish that the copied data is identical to the original
- 69. EC-Council
Collecting Evidence (cont’d)
Evidence can be collected from a live computer by searching:
• Processor registers
• Virtual and physical memory
• Network state
• Running processes
• Disks, floppies, tapes
• CD-ROM, paper printouts
Volatile and important sources of evidence on live systems and the commands used to capture the evidence:
• Running processes (ps or the /proc file system)
• Active network connections (netstat)
• ARP cache (arp)
• List of open files (lsof)
• Virtual and physical memory (/dev/mem, /dev/kmem)
- 70. EC-Council
Collecting Evidence (cont’d)
Computer forensic tools for data collection include:
• Guidance Software’s EnCase (www.guidancesoftware.com)
• AccessData’s Forensic Toolkit (www.accessdata.com)
- 71. EC-Council
Collecting Evidence from RAM
Trace Evidence in RAM
• When an application is opened, RAM holds the files in use by that application
• That memory is released when the files are closed and is reused by the operating system for other storage
• Do not power down the computer, as this may destroy critical information
• Evidence can remain in RAM even after the file has been wiped from the hard disk; to demonstrate this:
• Open the file, then wipe it from the hard disk using a wiping tool
• Use the dd utility to write the contents of RAM to a hard disk (dd is a general-purpose UNIX utility that copies files and is useful for creating forensic images)
- 72. EC-Council
Collecting Evidence from RAM (cont’d)
Trace Evidence in Swap File
• When no RAM is available to allocate to an application, the operating system transfers content from RAM to a temporary swap file so that the RAM can be used by the new application
• The contents of the swap file are overwritten frequently
• The examiner can trace evidence in the swap file by searching for the headers and footers associated with a particular file
- 73. EC-Council
Collecting Evidence from a Stand-alone Network Computer
Do not use the computer to search for evidence
Photograph all the devices connected to the computer
Do not turn on the system if it is off
If the computer is on, take a photograph of the screen
If the computer is on and the screen is blank, move the mouse slowly and take a photograph of the screen
Unplug all the cords and devices connected to the computer and label them for later identification
If the computer is connected to a router and modem, unplug the power
- 74. EC-Council
Chain of Custody
Chain of custody is a road map that records how the evidence was collected, analyzed, and preserved for presentation in court
It ensures that the original evidence can be audited and that the logs are tracked accurately
In the chain of custody, every transfer of evidence from person to person should be documented
- 75. EC-Council
Chain of Evidence Form
Date: ________ Type of Incident: ________ Case#: ________
Model#: ________ Manufacturer#: ________ Serial#: ________
Consent Required: Y/N Signature of Consenting Person: ________ Tag#: ________
Description of Form: ________
Person Receiving Evidence: ________ Signature: ________
Chain of Custody Form
From Location: ________ To Location: ________ Date: ________ Reason: ________
From Location: ________ To Location: ________ Date: ________ Reason: ________
From Location: ________ To Location: ________ Date: ________ Reason: ________
From Location: ________ To Location: ________ Date: ________ Reason: ________
Final Disposition of Evidence: ________ Date: ________
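The chain of custody slide and the form above, as an added example that is not part of the EC-Council deck: a hash-chained custody log in which each From/To/Date/Reason row is bound to the previous row, so a row that is altered or removed after the fact is detected by verify(). All case numbers, names, dates and the evidence hash are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so two parties computing the
    hash of the same record always get the same value."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """One evidence item's chain of custody: a form header plus an append-only
    list of transfers, each transfer hashed together with the previous one."""

    def __init__(self, case_number, tag_number, description, evidence_sha256, collected_by):
        self.header = {
            "case_number": case_number,
            "tag_number": tag_number,
            "description": description,
            "evidence_sha256": evidence_sha256,  # known value of the acquired image
            "collected_by": collected_by,
        }
        self.entries = []

    def _last_hash(self) -> str:
        return self.entries[-1]["entry_hash"] if self.entries else _digest(self.header)

    def transfer(self, from_person, to_person, from_location, to_location, reason, when=None):
        """Record one person-to-person handover (the From/To/Date/Reason row)."""
        entry = {
            "seq": len(self.entries) + 1,
            "date": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "from": from_person,
            "to": to_person,
            "from_location": from_location,
            "to_location": to_location,
            "reason": reason,
            "prev_hash": self._last_hash(),  # links this row to everything before it
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def current_custodian(self) -> str:
        return self.entries[-1]["to"] if self.entries else self.header["collected_by"]

    def verify(self):
        """Re-walk the chain. Returns (True, None) if every row is intact, or
        (False, seq) naming the first row whose contents or linkage changed."""
        prev = _digest(self.header)
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None


def build_sample_log() -> CustodyLog:
    """Constructed example: one hard drive passing through three hands."""
    log = CustodyLog(
        case_number="CASE-0001",      # placeholder identifiers, not from a real case
        tag_number="TAG-17",
        description="80 GB IDE hard drive, seized from desktop in office 204",
        evidence_sha256="0" * 64,     # placeholder for the image's known value
        collected_by="Officer A. Smith",
    )
    log.transfer("Officer A. Smith", "Evidence Clerk B. Jones", "Scene, office 204",
                 "Evidence room locker 12", "Intake and storage",
                 when="2009-03-10T16:40:00+00:00")
    log.transfer("Evidence Clerk B. Jones", "Examiner C. Lee", "Evidence room locker 12",
                 "Forensic lab bench 3", "Imaging and examination",
                 when="2009-03-11T09:05:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("custodian:", log.current_custodian(), "intact:", log.verify())
    log.entries[0]["reason"] = "Returned to owner"  # simulate a silently altered row
    print("after tampering:", log.verify())
```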
- 77. EC-Council
Preserving Digital Evidence: Checklist
Document the actions and changes that you observe in the monitor, computer, printer, or other peripherals
Verify whether the monitor is on, off, or in sleep mode
Remove the power cable according to the power state of the computer, i.e., on, off, or sleep mode
Do not turn “on” the computer if it is in the “off” state
Take a photo of the monitor screen if the computer is in the “on” state
Check the connections of the telephone modem, cable, ISDN, and DSL
- 78. EC-Council
Preserving Digital Evidence: Checklist (cont’d)
Remove the power plug from the router or modem
Remove any floppy disks that are available at the scene to safeguard the potential evidence
Keep tape on drive slots and the power connector
Photograph the connections of the computer and the corresponding cables, and label them individually
Label every connector and cable that is connected to the peripheral devices
- 79. EC-Council
Preserving Digital Evidence: Checklist (cont’d)
Personal digital assistants (PDAs), cell phones, and digital cameras store information in internal memory
Do not turn “on” the device if it is in the “off” state
Leave the device “on” if it is in the “on” state (in the case of PDAs or cell phones)
Photograph the screen display of the device
Label and collect all the cables and transport them along with the device
Make sure that the device is charged
Secure any additional storage media such as memory sticks and compact flash cards
- 80. EC-Council
Preserving Digital Evidence: Checklist (cont’d)
Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer
Do not use the victim’s hard disk to store the fragile data
Avoid the use of too much virtual memory as it may cause data overwriting
Use a floppy disk for a small amount of data/information
Do not use a USB or FireWire drive to store data because it changes the system’s state
If the victim’s system is connected to the Internet, use the same path that was used by the intruder to extract the data from the victim’s computer
Disconnect the victim’s computer from the Internet to protect it from further attack
- 81. EC-Council
Preserving Digital Evidence: Checklist (cont’d)
Do not use the original digital data regularly for examination
Do not run any program on the victim’s computer
If any changes occur during the collection of the evidence, document all the changes accordingly
Capture as accurate an image of the system as possible
Do not run any anti-virus program because it changes the date and time of each file it scans
Ensure that your actions are repeatable
- 82. EC-Council
Preserving Floppy and Other Removable Media
5 ¼ inch disks
• Tape over the notch
• Mark the information such as date, time, and initials using a permanent marker
• Place in static-free bags
3 ½ inch disks
• Place the write-protect tab in the open position
• Mark the information using a permanent marker
• Place in static-free bags
Reel-to-reel tapes
• Remove the plastic write-enable ring
• Mark the information on the first 10-13 feet of tape
• Place in static-free bags
- 83. EC-Council
Preserving Floppy and Other Removable Media (cont’d)
Cassette tapes
• Remove the record tab
• Mark the information on the plastic surface of the tape using a permanent marker
• Place in a static-free bag
Disk cartridges (removable hard drives)
• Tape over the notch
• Mark the information using a permanent marker
• Place in static-free bags
Cartridge tapes
• Turn the dial to align the arrow with the safe mark
• Mark the information on the plastic surface using a permanent marker
• Place in a static-free bag
- 84. EC-Council
Handling Digital Evidence
Wear protective latex gloves for searching and seizing operations on site
Store the electronic evidence in a secure area and a climate-controlled environment
Use a wireless StrongHold bag to block wireless signals from reaching the electronic device
Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tape drives
Pack magnetic media in antistatic packaging
Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage the integrity of the electronic evidence
- 85. EC-Council
Store and Archive
When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity
Best practices for data storage and archival include the following:
• Physically secure and store the evidence in a tamperproof location
• Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise
• Protect storage equipment from magnetic fields
• Make at least two copies of the evidence that is collected, and store one copy in a secure offsite location
• Ensure that the evidence is physically secured (for example, by placing the evidence in a safe) as well as digitally secured
• Clearly document the chain of custody of the evidence
• Create a check-in / check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
- 86. EC-Council
Digital Evidence Findings
Educate the intended audience:
• Digital laboratory experts must educate case agents and prosecutors on how to review the report of evidence findings, which includes:
• In-service training
• Legal updates
• Individual conversations
• Discussion of the findings report
Develop a report of findings:
• The findings report should include:
• Investigator’s request
• Detailed description of the examined items
• Receipt and disposition of the evidence found
• Examiner’s identity
- 87. EC-Council
Evidence Examination and Analysis
- 88. EC-Council
DO NOT Work on the Original Evidence
- 89. EC-Council
Evidence Examination
General forensic principles apply when examining digital
evidence
Different types of cases and media may require different
methods of examination
Persons conducting an examination of digital evidence
should be trained for this purpose
The examination should not be conducted on the original
evidence
- 90. EC-Council
Evidence Examination (cont’d)
Preparation
• Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted
Extraction
• There are two different types of extraction: physical and logical
• The physical extraction phase identifies and recovers data across the entire physical drive without the file system
• The logical extraction phase identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s)
- 91. EC-Council
Physical Extraction
During this stage, the extraction of the data from the drive occurs at the physical level regardless of the file systems present on the drive
This may include the following methods:
• Keyword searching, file carving, and extraction of the partition table and unused space on the physical drive
• Performing a keyword search across the physical drive may be useful as it allows the examiner to extract data that may not be accounted for by the operating system and file system
• File carving utilities processed across the physical drive may assist in recovering and extracting usable files and data that may not be accounted for by the operating system and file system
• Examining the partition structure may identify the file systems present and determine if the entire physical size of the hard drive is accounted for
- 92. EC-Council
Logical Extraction
During this stage, the extraction of the data from the drive is based on the file system(s) present on the drive and may include data from such areas as active files, deleted files, file slack, and unallocated file space
Steps may include:
• Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location
• Data reduction to identify and eliminate known files through the comparison of the calculated hash values to the authenticated hash values
• Extraction of files pertinent to the examination. Methods to accomplish this may be based on the file’s name and extension, file header, file content, and location on the drive
• Recovery of the deleted files
• Extraction of the password-protected, encrypted, and compressed data
• Extraction of file slack
• Extraction of the unallocated space
- 93. EC-Council
Analyze Host Data
Host data includes information about the operating system and application’s components
Procedures used to analyze host data are:
• Identify what you are looking for; there will be a large amount of host data, and only a portion of that data might be relevant to the incident
• Examine the operating system data, including clock drift information, and any data loaded into the host computer's memory to see if you can determine whether any malicious applications or processes are running or scheduled to run
• Examine the running applications, processes, and network connections
• Use tools such as Windows Sysinternals Process Explorer, LogonSessions, and PsFile to perform these tasks
- 94. EC-Council
Analyze Storage Media
The storage media collected during the ‘Acquire the Data’ phase contains many files
Analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files
Procedures used to extract and analyze data from the storage media collected are:
• Perform offline analysis on a bit-wise copy of the original evidence
• Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows. Several registry keys can be examined to determine whether EFS was ever used on the computer
• If necessary, uncompress any compressed files and archives
• Create a diagram of the directory’s structure
- 95. EC-Council
Analyze Storage Media (cont’d)
Procedures used to extract and analyze data from the storage media collected are:
• Identify files of interest
• Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications, and login information such as username and logon domain
• Search the contents of all gathered files to help identify files that may be of interest
• Study the metadata of files of interest, using tools such as EnCase
• Use file viewers to view the content of the identified files, which allow you to scan and preview certain files without the original application that created them
- 96. EC-Council
Analyze Network Data
The investigations focus on and examine images of the data
Procedures used in analyzing network data are:
• Examine network service logs for any events of interest
• Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs
• View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network
- 97. EC-Council
Analysis of Extracted Data
Analysis is the process of interpreting the extracted data to determine its significance to the case
Some examples of analysis that may be performed include:
• Timeframe analysis
• Data hiding analysis
• Application and file analysis
• Ownership and possession
Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investigative leads, and/or analytical leads
- 98. EC-Council
Timeframe Analysis
Timeframe analysis can be useful in determining when events occurred on a computer system, which can be used as a part of associating usage of the computer to an individual(s) at the time the events occurred
Two methods used for timeframe analysis:
• Reviewing the time and date stamps contained in the file system metadata (e.g., last modified, last accessed, created, change of status) to link files of interest to the timeframes relevant to the investigation
• An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed
• Reviewing the system and application logs that may be present
• These may include error logs, installation logs, connection logs, security logs, etc.
• For example, examination of a security log may indicate when a user name/password combination was used to log into a system
Take into consideration any differences in the individual’s computer date and time as reported in the BIOS
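Both timeframe methods above, with the BIOS clock correction applied, as an added example that is not part of the EC-Council deck: file-system MAC times and security-log lines are merged into one timeline after adding the offset between the suspect machine's BIOS clock and a trusted reference clock, and the timeline is then narrowed to the window of interest. The file metadata, log lines, log format and clock readings are all constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def clock_offset(bios_reported: str, reference: str) -> timedelta:
    """Offset to add to every timestamp taken from the subject system.
    bios_reported is what the suspect machine's BIOS/CMOS clock showed;
    reference is a trusted clock read at the same moment."""
    return parse(reference) - parse(bios_reported)


# --- constructed sample data (not from a real case) --------------------------
FILE_METADATA = [  # what a file-system tool reports, in the suspect clock's time
    {"path": "/home/jdoe/report.doc", "created": "2009-03-10 13:40:00",
     "modified": "2009-03-10 14:05:00", "accessed": "2009-03-10 14:05:00"},
    {"path": "/home/jdoe/pricelist.xls", "created": "2009-03-10 09:12:00",
     "modified": "2009-03-10 09:12:00", "accessed": "2009-03-10 14:02:00"},
]
SECURITY_LOG = """\
2009-03-10 13:30:12 LOGON user=jdoe result=success
2009-03-10 14:11:03 LOGON user=admin result=failure
2009-03-10 14:20:45 LOGOFF user=jdoe
"""


def build_timeline(files, log_text, offset: timedelta):
    """Merge file-system MAC times and log entries into one list of
    (corrected_time, source, description), sorted chronologically."""
    events = []
    for f in files:
        for kind in ("created", "modified", "accessed"):
            events.append((parse(f[kind]) + offset, "filesystem", f"{f['path']} {kind}"))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:19], line[20:]  # constructed log layout: timestamp, space, message
        events.append((parse(stamp) + offset, "security.log", rest))
    return sorted(events)


def events_between(timeline, start: str, end: str):
    """Events inside the window of interest, expressed in corrected time."""
    lo, hi = parse(start), parse(end)
    return [e for e in timeline if lo <= e[0] <= hi]


if __name__ == "__main__":
    # BIOS read 12:00:00 while the examiner's reference clock read 12:15:00,
    # so the suspect system's clock was 15 minutes slow.
    off = clock_offset("2009-03-10 12:00:00", "2009-03-10 12:15:00")
    for when, source, what in events_between(
            build_timeline(FILE_METADATA, SECURITY_LOG, off),
            "2009-03-10 14:15:00", "2009-03-10 14:40:00"):
        print(when.strftime(FMT), source, what)
```

Without the correction the same 14:15 to 14:40 window contains only the logoff event, which is why the BIOS reading is recorded before interpreting any timestamp.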
- 99. EC-Council
Data Hiding Analysis
Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent
Methods used include:
• Correlating the file headers to the corresponding file extensions to identify any mismatches
• Presence of mismatches may indicate that the user intentionally hid data
• Gaining access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users. A password itself may be as relevant as the contents of the file
• Steganography
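The header-to-extension correlation above, together with the known-file data reduction step from the Logical Extraction slide, as an added example that is not part of the EC-Council deck: files whose SHA-256 appears in an authenticated hash set are eliminated, the remaining files are typed by header signature, and a header that does not fit the file's extension is flagged. The file contents, the hash set and the signature table are constructed for the example; Office Open XML documents are ZIP containers, so a .xlsx with a ZIP header is correctly not reported.

```python
import hashlib

# Header signatures ("magic numbers") for the file types this example understands.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]
# Extensions that legitimately carry each header type. Office Open XML and
# JAR files are ZIP containers, so they are not mismatches.
EXPECTED = {
    "jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "exe": {"exe", "dll", "sys"},
}


def identify_by_header(data: bytes):
    """Return the type implied by the first bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(files: dict, known_hashes: set) -> dict:
    """files: {path: content}. known_hashes: authenticated SHA-256 values of
    files that can be ignored (e.g., unmodified OS or application files).
    Returns which files were eliminated, which remain for examination (with
    their header type), and which have a header that contradicts the extension."""
    eliminated, pertinent, mismatches = [], [], []
    for path, data in sorted(files.items()):
        if hashlib.sha256(data).hexdigest() in known_hashes:
            eliminated.append(path)        # data reduction: known file, skip it
            continue
        kind = identify_by_header(data)
        pertinent.append((path, kind))
        if kind is not None and extension(path) not in EXPECTED[kind]:
            mismatches.append((path, kind))  # possible deliberate concealment
    return {"eliminated": eliminated, "pertinent": pertinent, "mismatches": mismatches}


# --- constructed sample "drive" contents (not real files) ---------------------
KNOWN_SYSTEM_FILE = b"MZ" + b"\x90" * 64  # stands in for an unmodified, hash-listed OS binary
SAMPLE_FILES = {
    "Windows/system32/notepad.exe": KNOWN_SYSTEM_FILE,
    "Users/jdoe/photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
    "Users/jdoe/notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,  # JPEG renamed to look like text
    "Users/jdoe/budget.xlsx": b"PK\x03\x04" + b"\x00" * 32,       # ZIP header, legitimately
    "Users/jdoe/readme.txt": b"plain text, no known header",
    "Users/jdoe/game.dat": b"MZ" + b"\x00" * 32,                  # executable with a data extension
}
KNOWN_HASHES = {hashlib.sha256(KNOWN_SYSTEM_FILE).hexdigest()}  # constructed "authenticated" set

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, KNOWN_HASHES)
    print("eliminated:", result["eliminated"])
    print("header/extension mismatches:", result["mismatches"])
```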
- 100. EC-Council
Application and File Analysis
Many programs and files identified may contain information relevant
to the investigation and provide insight into the capability of the
system and the knowledge of the user
Results of this analysis may indicate the additional steps that need to
be taken in the extraction and analysis processes
- 101. EC-Council
Application and File Analysis (cont’d)
Some examples include:
• Reviewing file names for relevance and patterns
• Examining the file’s content
• Identifying the number and type of the operating system(s)
• Correlating the files with the installed applications
• Considering relationships between files; for example, correlating Internet history to cache files and e-mail files to e-mail attachments
• Identifying the unknown file types to determine their value to the investigation
• Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or alternate location(s)
• Examining user-configuration settings
• Analyzing file metadata, the content of the user-created file containing data additional to that presented to the user, typically viewed through the application that created it
- 102. EC-Council
Ownership and Possession
In some instances, it may be essential to identify the individual(s) who created, modified, or accessed a file. It may also be important to determine ownership and knowledgeable possession of the questioned data
Elements of knowledgeable possession may be based on the analysis described, including one or more of the following factors:
• Placing the subject at the computer at a particular date and time may help to determine ownership and possession (timeframe analysis)
• Files of interest may be located in non-default locations (e.g., a user-created directory named “child porn”) (application and file analysis)
- 103. EC-Council
Ownership and Possession (cont’d)
Elements of knowledgeable possession may be based on the analysis described above, including one or more of the following factors:
• The file name itself may be of evidentiary value and also may indicate the contents of the file (application and file analysis)
• Hidden data may indicate a deliberate attempt to avoid detection (hidden data analysis)
• If the passwords needed to gain access to the encrypted and password-protected files are recovered, the passwords themselves may indicate possession or ownership (hidden data analysis)
• Contents of a file may indicate ownership or possession by containing information specific to a user (application and file analysis)
- 104. EC-Council
Evidence Documentation and Reporting
- 105. EC-Council
Documenting the Evidence
Documentation of the digital evidence examination is an ongoing process; therefore it is important to correctly record each step during the examination
The report should be written simultaneously with the examination, and the presentation of the report should be consistent with departmental policies
- 106. EC-Council
Evidence Examiner Report
Common considerations that help the examiner throughout the documentation process:
• Take notes when discussing the case with the case investigator
• Preserve a copy of the search authority and the chain of custody documentation
• Write detailed notes about each action taken
• Include the date, time, complete description, and result of each action taken in the documentation
• Document any irregularities encountered during the examination
• Include the operating system’s name, software, and installed patches
- 107. EC-Council
Final Report of Findings
Disclose specific files related to the request
Other files, including deleted files, that support the findings
String searches, keyword searches, and text string searches
Internet-related evidence, such as website traffic analysis, chat
logs, cache files, e-mail, and news group activity
Graphic image analysis
Indicators of ownership, which could include program
registration data
Descriptive Data analysis
Description of the relevant programs on the examined items
Techniques used to hide or mask data, such as encryption, steganography,
hidden attributes, hidden partitions, and file name anomalies
Supporting materials
• List supporting materials that are included with the report, such as printouts of
particular items of evidence, digital copies of evidence, and chain of custody
documentation
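The report lists string and keyword searches among its findings; a finding is only useful if it states where in the image the string was found and in which encoding. The following is an added example, not code from the module: it searches a raw image for each keyword in ASCII and in UTF-16LE (the encoding Windows uses for many strings), ignoring ASCII case, and reports the byte offset and 512-byte sector of every hit. The image contents are constructed for the example and keywords are assumed to be plain ASCII words.

```python
"""Keyword search over a raw image for the Final Report's string-search findings.

Added example, not from the module: it searches an image for each keyword
in ASCII and in UTF-16LE (the encoding Windows uses for many strings),
ignoring ASCII case, and reports the byte offset and 512-byte sector of
each hit so the report can state exactly where a string was found. The
image bytes are constructed here; they are not evidence.
"""
from typing import Dict, List

SECTOR = 512
ENCODINGS = ("ascii", "utf-16-le")


def keyword_hits(image: bytes, keywords: List[str]) -> List[Dict]:
    """Return hits sorted by offset; each hit is keyword, encoding, offset, sector, context."""
    # bytes.lower() folds only ASCII letters, which is exactly what is wanted:
    # in UTF-16LE each ASCII letter is one byte followed by 0x00, so the
    # interleaved nulls are left untouched and the match stays exact.
    haystack = image.lower()
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            try:
                needle = kw.lower().encode(enc)
            except UnicodeEncodeError:
                continue                  # keyword not representable in this encoding
            pos = haystack.find(needle)
            while pos != -1:
                raw = image[pos:pos + len(needle)]   # original bytes, case preserved
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": pos,
                    "sector": pos // SECTOR,
                    "context": raw.decode(enc, errors="replace"),
                })
                pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed four-sector image: an ASCII note in sector 1, a UTF-16LE path in sector 3."""
    img = bytearray(4 * SECTOR)
    note = b"meeting notes: send the Invoice before friday"
    img[600:600 + len(note)] = note
    path = "C:\\Users\\jdoe\\Desktop\\invoice_final.xlsx".encode("utf-16-le")
    img[1600:1600 + len(path)] = path
    return bytes(img)


if __name__ == "__main__":
    for h in keyword_hits(build_sample_image(), ["invoice", "jdoe"]):
        print(f"{h['keyword']:<10}{h['encoding']:<10}offset {h['offset']:>6}  "
              f"sector {h['sector']}  {h['context']!r}")
```

Searching the whole image rather than the mounted file system is deliberate: hits in unallocated space or file slack, which the report is expected to cover, are found only this way. A hit's sector can then be mapped to a file, slack or unallocated space with the partition and file system information recorded on the worksheets.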
Computer Evidence Worksheet
Case Number : ________________ Exhibit Number: ______________
Laboratory Number: ____________ Control Number: ______________
Computer Information
Manufacturer: ________________ Model: ____________________
Serial Number: __________________________________________
Examiner marking: _______________________________________
Computer Type: [ ] Desktop [ ] Laptop [ ] Other: ________
Computer Condition: [ ] Good [ ] Damaged
Number of hard drives: __________
Drives and peripherals present:
[ ] 3.5'' floppy drive [ ] 5.25'' floppy drive [ ] Modem [ ] Network card
[ ] Tape drive   Tape drive type: ________
[ ] 100 MB Zip [ ] 250 MB Zip [ ] CD reader [ ] CD read/write [ ] DVD
[ ] Others: _____________________
CMOS Information [ ] Not Available
Password Logon: [ ] Yes [ ] No   Password = ________
Current Time: _______ [ ] AM [ ] PM   Current Date: ___/___/___
CMOS Time: _________ [ ] AM [ ] PM   CMOS Date: ___/___/___
CMOS Hard Drive #1 Setting: [ ] Auto
Capacity:______ Cylinders:_______ Heads:______ Sectors:_______
Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS
CMOS Hard Drive #2 Setting: [ ] Auto
Capacity:______ Cylinders:_______ Heads:______ Sectors:_______
Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS
Hard Drive Evidence Worksheet
Case Number : ________________ Exhibit Number: ______________
Laboratory Number: ____________ Control Number: ______________
Hard Drive #1 Label Information [ ] Not Available
Manufacturer: ________________
Model: _____________________
Serial Number: _______________
Capacity:_______ Cylinders:_________
Heads:_________ Sectors:__________
Controller Rev.____________________
Interface: [ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other
Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined
Hard Drive #2 Label Information [ ] Not Available
Manufacturer: ________________
Model: _____________________
Serial Number: _______________
Capacity:_______ Cylinders:_________
Heads:_________ Sectors:__________
Controller Rev.____________________
Interface: [ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other
Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined
Hard Disk #1 Parameter Information
Source of parameters: [ ] DOS FDisk [ ] PTable [ ] PartInfo [ ] Linux Fdisk [ ] SafeBack [ ] Encase [ ] Other:___
Capacity:______ Cylinders:_______ Heads:______ Sectors:_______
LBA Address Sectors: _____________ Formatted Drive Capacity: ____________
Volume Label: __________________________________________________
Partitions:
Name       Bootable?   Start       End         Type
________   _________   _________   _________   _________
________   _________   _________   _________   _________
________   _________   _________   _________   _________
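The Partitions rows above (Bootable?, Start, End, Type) come straight from the drive's partition table, and the LBA Address Sectors and C/H/S fields let the examiner check that the table is consistent with the drive. The following is an added example, not code from the module: it parses the four primary entries of a classic MBR into worksheet rows, computes the capacity implied by a C/H/S geometry, and flags any partition that extends past the recorded sector count. The MBR bytes and geometry values are constructed for the example; GPT disks are not handled.

```python
"""Fill the Partitions rows of the Hard Drive Evidence Worksheet from an MBR.

Added example, not code from the module: it reads the four primary partition
entries of a classic MBR (bytes 446-509, 16 bytes each) and reports the
worksheet fields Bootable?, Start (LBA), End (LBA) and Type for each, then
checks that no partition extends past the LBA sector count recorded on the
worksheet. The MBR bytes and the geometry values are constructed here.
"""
import struct
from typing import Dict, List

SECTOR = 512
# boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def chs_capacity_bytes(cylinders: int, heads: int, sectors: int) -> int:
    """Capacity implied by the CMOS C/H/S geometry, assuming 512-byte sectors."""
    return cylinders * heads * sectors * SECTOR


def parse_mbr_partitions(mbr: bytes) -> List[Dict]:
    """Return one worksheet row per in-use primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    rows = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype, start_lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0 or count == 0:
            continue                     # unused slot
        rows.append({
            "name": f"Partition {i + 1}",
            "bootable": boot == 0x80,    # 0x80 = active/bootable, 0x00 = inactive
            "start": start_lba,
            "end": start_lba + count - 1,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
        })
    return rows


def partitions_beyond_drive(rows: List[Dict], lba_sector_count: int) -> List[str]:
    """Names of partitions whose last sector lies past the drive's sector count.
    A hit means the table disagrees with the recorded geometry and should be
    noted as an irregularity in the examiner's documentation."""
    return [r["name"] for r in rows if r["end"] >= lba_sector_count]


def build_sample_mbr() -> bytes:
    """Constructed MBR: a bootable NTFS partition followed by a Linux partition."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)    # LBA 2048..206847
    mbr[462:478] = struct.pack(ENTRY_FMT, 0x00, 0x83, 206848, 409600)  # LBA 206848..616447
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    rows = parse_mbr_partitions(build_sample_mbr())
    print(f"{'Name':<12}{'Bootable?':<11}{'Start':>10}{'End':>10}  Type")
    for r in rows:
        print(f"{r['name']:<12}{'Yes' if r['bootable'] else 'No':<11}"
              f"{r['start']:>10}{r['end']:>10}  {r['type']}")
    print("beyond drive (616448 sectors):", partitions_beyond_drive(rows, 616448))
```

On a real exhibit the 512 bytes would be read from the write-blocked device or from the verified image, never from the live suspect system, and the rows should be recorded on the worksheet alongside the tool used to obtain them.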
Removable Media Worksheet
Case Number : ________________ Exhibit Number: ___________
Laboratory Number: ____________ Control Number: ___________
Media Type / Quantity
Diskette [ ] LS 120 [ ] 100 MB Zip [ ] 250 MB Zip [ ]
1 GB Jaz [ ] 2 GB Jaz [ ] Magneto-optical [ ] Tape [ ]
CD [ ] DVD [ ] Other [ ]
Examination
Exhibit #   Sub-Exhibit #   Triage   Duplicated   Browse   Unerase   Keyword Search
_________   _____________   ______   __________   ______   _______   ______________
Electronic Crime and Digital Evidence
Consideration by Crime Category
Online Auction Fraud:
• Account data based on online auction sites
• Accounting or bookkeeping software and related data files
• Address books
• Customer information or credit card data
• Databases
• Digital camera software
• E-mail/notes/letters
• Financial or asset records
• Internet browser history or cache files
Child Exploitation/Abuse:
• Chat logs
• Date and time stamps
• Digital camera software
• E-mail/notes/letters
• Games
• Graphic editing and viewing software
• Images
• Internet activity logs
• Movie files
• User-created directory and file names that
categorize images
Computer Intrusion:
• Address books
• Configuration files
• E-mail/notes/letters
• Executable programs
• Internet activity logs
• Internet protocol (IP) address and user name
• Internet Relay Chat (IRC) logs
• Source code
• Text files (user names and passwords)
Death Investigation:
• Address books
• Diaries
• E-mail/notes/letters
• Financial/asset records
• Images
• Internet activity logs
• Legal documents and wills
• Medical records
• Telephone records
Economic Fraud (Including Online Fraud and Counterfeiting):
• Check, currency, and money order images
• Credit card skimmers
• Images of signatures
• False financial transaction forms
• False identification
E-Mail Threats/Harassment/Stalking:
• E-mail/notes/letters
• Financial or asset records
• Internet activity logs
• Legal documents
• Telephone records
• Victim’s background research
Extortion:
• Date and time stamps
• E-mail/notes/letters
• History log
• Internet activity logs
• Temporary Internet files
• User names
Gambling:
• Customer database and player records
• Customer information or credit card data
• Electronic money
• Sports betting statistics
• Image players
Identity Theft:
Hardware and software tools:
• Credit card generators
• Credit card reader/writer
• Digital cameras
• Scanners
Identification templates:
• Birth certificates
• Check cashing cards
• Digital photo images for photo identification
• Driver’s license
• Electronic signatures
• Fictitious vehicle registrations
• Scanned signatures
• Social security cards
Identity Theft (cont’d):
Internet activity related to ID theft:
• E-mails and newsgroup postings
• Erased documents
• Online orders
• Online trading information
• System files and file slack
• World Wide Web activity at forgery sites
Negotiable instruments:
• Business checks
• Cashiers checks
• Counterfeit money
• Credit card numbers
• Fictitious court documents
• Fictitious loan documents
• Fictitious sales receipts
Narcotics:
• Address books
• Calendar
• Databases
• Drug recipes
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Prescription form images
Prostitution:
• Address books
• Biographies
• Calendar
• Customer database/records
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Medical records
• World Wide web page advertising
Software Piracy:
• Chat logs
• E-mail/notes/letters
• Image files of software certificates
• Internet activity logs
• Serial numbers
• Software cracking information and utilities
• User-created directory and file names that classify the copyrighted software
Telecommunications Fraud:
• Cloning software
• Customer database/records
• Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records
• E-mail/notes/letters
• Financial/asset records
• “How to phreak” manuals
• Internet activity
• Telephone records
Summary
Digital evidence is information and digital data of investigative value that is
recorded or preserved on electronic devices
Rules of evidence govern whether, when, how, and for what purpose proof of a
case may be placed before a trier of fact for consideration
The digital evidence should be thoroughly assessed with respect to the scope of
the case to determine the course of action
Digital evidence is fragile and can be altered, damaged, or destroyed by
improper handling or examination
Transfer fragile data to a non-volatile medium/device without disrupting any
other component of the computer
Documentation of digital evidence examination is an ongoing process, therefore
it is important to correctly record each step during the examination