Uploaded byMayuraD1
PPTX, PDF90 views

ppt for Module 5 cybersecuirty_023501.pptx

cyber security

Embed presentation

Download to read offline
Module 5 Understanding Computer Forensics Prepared By: Gowtham R Naik Dept. of CS&E, The National Institute of Engineering
Introduction: Cyberforensics • Provides digital evidence of a specific or general activity • Key role in investigation of cybercrime • “Evidence” in the case of “cyberoffenses” • Handling of the digital forensics evidence • Computer is either the subject or the object of cybercrimes or is used as a tool to commit a cybercrime Historical Background of Cyberforensics: • The earliest recorded computer crimes occurred in1969 and 1970 when student protestors burned computers at various universities. • Computer intrusion and fraud committed with the help of computers were the first crimes to be widely recognized as a new type of crime. • The application of computer for investigating computer based crime has led to development of a new field called as computer forensics. Sometimes also referred as Digital forensics.
Digital Forensics Science • Defn: Application of analyses techniques to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence. The following are two more definitions worth considering: • Digital forensics: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. • Computer Forensics: The lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata derived from digital devices which may contain information that is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations. In other words, it is the collection of techniques and tools used to find evidence in a computer.
The Role of Digital Forensics is to: • Uncover and Document evidence and leads. • Corroborate evidence discovered in other ways(E-Discovery) • Assist in showing a pattern of events(data mining has a application here). • Connect attack and victim computers(Locard's Exchange principle). • Reveal an end-to-end path of the events leading to a compromise attempt, successful or not. • Extract data that may be hidden, deleted or otherwise not directly available.
Need for Computer Forensics • Convergence of ICT advances and the pervasive use of computers worldwide • High technical capacity of modern computers/computing devices • New risks for computer users Widespread use of computer forensics is the result of: • Increasing dependence of law enforcement on digital evidence • Ubiquity of computers that followed from the microcomputer revolution Evidence • Everything that is used to determine or demonstrate the truth of an assertion. • Can be used in court to convict people who are believed to have committed crimes. • Handle carefully.
Cyberforensics and Digital Evidence 1. Computer forensics 2. Network forensics Computer forensics experts know the techniques to retrieve the data from files listed in standard directory search, hidden files, deleted files, deleted E-Mail and passwords, login IDs, encrypted files, hidden partitions, etc. Typically, the evidences reside on computer systems, user created files, user protected files, computer created files and on computer networks. The Rules of Evidence According to the “Indian Evidence Act 1872,” “Evidence” means and includes: 3. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, are called oral evidence. 4. All documents that are produced for the inspection of the court are called documentary evidence.
There are number of contexts involved in actually identifying a piece of digital evidence: 1.Physical context: it must be definable in its physical form, that is , it should reside on a specific piece. 2. Logical context: it must be identifiable as to its logical position, that is where does it reside relative to the file system. 3. Legal context: we must place the evidence in the correct context to read its meaning, This may require looking at the evidence as machine learning, for example , American standard code for Information Interchange (ASCII).
The path taken by digital evidence can be conceptually depicted as shown in Fig:
Digital Forensics Life Cycle As per FBI’s (Federal Bureau of Investigation) view, digital evidence is present in nearly every crime scene. That is why law enforcement must know how to recognize, seize, transport and store original digital evidence to preserve it for forensics examination. The cardinal roles to remember are that evidence is: 1. Admissible. 2. Authentic. 3. Complete. 4. Reliable. 5. Understandable and believable.
Digital Forensics Process: • Digital forensics evidence consists of exhibits. • The exhibits are introduced as evidence by either side. • Testimony is presented to establish the process. • The party must show the evidence. • Digital forensics evidence can be challenged. • Forensics experts formulate a cost proposal. • Proposed timeline of activities, lists of anticipated deliverables and a plan for production and turnover of evidence. • Submission of a preliminary risk analysis for the forensics service being proposed.
Fig : Process model for understanding a seizure and handling of forensics evidence legal framework.
Phases in Computer Forensics/Digital Forensics 1. Preparation and identification 2. Collection and recording 3. Storing and transporting 4. Examination/investigation 5. Analysis, interpretation and attribution 6. Reporting 7. Testifying Collecting and Recording Digital Evidence • Computers * Digital thermometers • Cell phones * RFID tags and webpages • Digital cameras * Black boxes inside automobiles • Hard drives • CD-ROM • USB memory devices
Collecting and Recording Digital Evidence: Sources 1. Computers 2. Cell phones 3. Digital cameras 4. Hard drives 5. CD-ROM 6. USB memory devices 7. Digital thermometers 8. Black boxes inside automobiles 9. RFID tags and webpages
Storing and Transporting Digital Evidence: 1. Image computer media using a write-blocking tool to ensure that no data is added to the suspect device 2. Establish and maintain the chain of custody 3. Document everything that has been done 4. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability. 5. Care must be taken in transportation to prevent spoliation (in a hot car, digital media tends to lose bits). 6. Care must be taken to preserve chain of custody and assure that a witness can testify accurately about what took place.
Examining/Investigating Digital Evidence: • Special care must be taken to ensure that the forensics specialist has the legal authority to seize, copy and examine the data. • Sometimes authority stems from a search warrant. • As a general rule, one should not examine digital information unless one has the legal authority to do so. • Amateur forensics examiners should keep this in mind before starting any unauthorized investigation. Analysis, Interpretation and Attribution: • Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by most forensics analysts. • Analysis, interpretation and attribution of digital forensics evidence can be reconciled with non-digital evidence. • Digital forensics evidence can be externally stipulated. • Open-source tools are available to conduct analysis of open ports, mapped drives on the live computer system.
Reporting: • A report is generated. • The report may be in a written form or an oral testimony (or combination of the two). • Evidence, analysis, interpretation and attribution to be presented in the form of expert reports, depositions and testimony. • Presentation of the report (a complex and tricky process) Broad-Level Elements of the Report 1. Identity of the reporting agency 2. Case identifier or submission number 3. Case investigator 4. Identity of the submitter 5. Date of receipt 6. Date of report 7. Serial number, make and model 8. Identity and signature of the examiner 9. Steps taken during examination 10. Results/conclusions
Principles to maintain the integrity of digital evidence Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court. Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media that person must be competent to do so and be able to give evidence explaining the relevance and the implications of his/her actions. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: The person in-charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Chain of Custody Concept • It is the central concept in cyber forensics/digital forensics investigation. • It is the process of validating how many kinds of evidences have been gathered, tracked and protected on the way to a court of law. • It is essential to get in the habit of protecting all evidences equally so that they will hold up in court. • The purpose is that the proponent of a piece of evidence must demonstrate that it is what it purports to be. • The chain of custody is a chronological written record of those individuals who have had custody of the evidence from its initial acquisition until its final disposition. • A chain of custody begins when an item of relevant evidence is collected, and the chain is maintained until the evidence is disposed off. • The chain of custody assumes continuous accountability.
THANK YOU

More Related Content

PPTX
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
PPTX
Computer Forensics.pptx
byHappyness Mkumbo
 
PDF
1.Digital Forensics Collection, Presservation and Appreciation of Electronic ...
byAnandkumar105685
 
PPTX
mobile forensic.pptx
byAmbuj Kumar
 
PPT
Lecture2 Introduction to Digital Forensics.ppt
bySurajgroupsvideo
 
PPTX
Digital Forensics: Concept, Stages, Guidelines, Techniques, and Data Recovery
byGodwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
PPTX
Digital forensics ahmed emam
byahmad abdelhafeez
 
PPTX
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
Computer Forensics.pptx
byHappyness Mkumbo
 
1.Digital Forensics Collection, Presservation and Appreciation of Electronic ...
byAnandkumar105685
 
mobile forensic.pptx
byAmbuj Kumar
 
Lecture2 Introduction to Digital Forensics.ppt
bySurajgroupsvideo
 
Digital Forensics: Concept, Stages, Guidelines, Techniques, and Data Recovery
byGodwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
Digital forensics ahmed emam
byahmad abdelhafeez
 
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 

Similar to ppt for Module 5 cybersecuirty_023501.pptx

PDF
Cyber Forensics Module 1
byManu Mathew Cherian
 
PPT
Digital forensics
byNicholas Davis
 
PPT
CS426_forensics.ppt
byPrabithGupta1
 
PDF
Cyber forensics and auditing
bySweta Kumari Barnwal
 
PPTX
Cyber crime - and digital device.pptx
byAlAsad4
 
PDF
digital forensics-9 of cyber security.pdf
byAdyakantaSahoo
 
PPT
Digital Forensics
byNicholas Davis
 
PPT
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
PPTX
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
PPTX
Cyber forensics 02 mit-2014
byMuzzammil Wani
 
PPT
Network Forensics Basic lecture for Everyone
byBurhanKhan774154
 
PDF
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
PPT
CS426_forensics.ppt
byOkviNugroho1
 
PDF
A Review on Recovering and Examining Computer Forensic Evidences
byBRNSSPublicationHubI
 
PDF
Computer forencis
byTeja Bheemanapally
 
PDF
Sued or Suing: Introduction to Digital Forensics
byAnyck Turgeon, CFE/GRCP/CEFI/CCIP/C|CISO/CBA
 
PPT
CS426_forensics_tools to analyse and deve
byvikashagarwal874473
 
PPT
Computer Forensics
byAlchemist095
 
PPTX
wang.pptx
bySteveIrwin25
 
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
bygueste0d962
 
Cyber Forensics Module 1
byManu Mathew Cherian
 
Digital forensics
byNicholas Davis
 
CS426_forensics.ppt
byPrabithGupta1
 
Cyber forensics and auditing
bySweta Kumari Barnwal
 
Cyber crime - and digital device.pptx
byAlAsad4
 
digital forensics-9 of cyber security.pdf
byAdyakantaSahoo
 
Digital Forensics
byNicholas Davis
 
01 computer%20 forensics%20in%20todays%20world
byAqib Memon
 
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
Cyber forensics 02 mit-2014
byMuzzammil Wani
 
Network Forensics Basic lecture for Everyone
byBurhanKhan774154
 
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
CS426_forensics.ppt
byOkviNugroho1
 
A Review on Recovering and Examining Computer Forensic Evidences
byBRNSSPublicationHubI
 
Computer forencis
byTeja Bheemanapally
 
Sued or Suing: Introduction to Digital Forensics
byAnyck Turgeon, CFE/GRCP/CEFI/CCIP/C|CISO/CBA
 
CS426_forensics_tools to analyse and deve
byvikashagarwal874473
 
Computer Forensics
byAlchemist095
 
wang.pptx
bySteveIrwin25
 
Chfi V3 Module 01 Computer Forensics In Todays World
bygueste0d962
 

More from MayuraD1

PPTX
cyber security module 2 ppt of first year
byMayuraD1
 
PPTX
module 3 of cybersecurity of first year students
byMayuraD1
 
PPTX
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
PPT
Wireless & Mobile Communications_Third_unit.ppt
byMayuraD1
 
PPTX
dimentionalityreduction-241109090040-5290a6cd.pptx
byMayuraD1
 
PPT
feature-selection.ppt on machine learning
byMayuraD1
 
PPTX
_major project final ppt (1).pptx important
byMayuraD1
 
PPTX
Unit 2.pptx of social networks of Mtech CNE
byMayuraD1
 
PPTX
DeepFakes presentation : brief idea of DeepFakes
byMayuraD1
 
PPTX
10asymmetrickeycryptographystudents-240406142312-cd71b097.pptx
byMayuraD1
 
PPT
wi-fi.ppt required for WAN subject for engineering
byMayuraD1
 
PPTX
Decision trees concept from Machine learning
byMayuraD1
 
PPTX
Sentiment Analysis_ppt (1).pptx useful ppt
byMayuraD1
 
PPT
1111111111111111111111111111111111111111
byMayuraD1
 
PPT
Support Vector machine in Machine learning course
byMayuraD1
 
PPTX
Module1-Part2.pptx of social networks of PG
byMayuraD1
 
PPTX
Education Field for the composition function
byMayuraD1
 
PDF
SDP_May2023:student developement program
byMayuraD1
 
PPTX
Unit one of cybersecurity for first year students
byMayuraD1
 
PDF
cyber_security_brochure details of workshop
byMayuraD1
 
cyber security module 2 ppt of first year
byMayuraD1
 
module 3 of cybersecurity of first year students
byMayuraD1
 
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
Wireless & Mobile Communications_Third_unit.ppt
byMayuraD1
 
dimentionalityreduction-241109090040-5290a6cd.pptx
byMayuraD1
 
feature-selection.ppt on machine learning
byMayuraD1
 
_major project final ppt (1).pptx important
byMayuraD1
 
Unit 2.pptx of social networks of Mtech CNE
byMayuraD1
 
DeepFakes presentation : brief idea of DeepFakes
byMayuraD1
 
10asymmetrickeycryptographystudents-240406142312-cd71b097.pptx
byMayuraD1
 
wi-fi.ppt required for WAN subject for engineering
byMayuraD1
 
Decision trees concept from Machine learning
byMayuraD1
 
Sentiment Analysis_ppt (1).pptx useful ppt
byMayuraD1
 
1111111111111111111111111111111111111111
byMayuraD1
 
Support Vector machine in Machine learning course
byMayuraD1
 
Module1-Part2.pptx of social networks of PG
byMayuraD1
 
Education Field for the composition function
byMayuraD1
 
SDP_May2023:student developement program
byMayuraD1
 
Unit one of cybersecurity for first year students
byMayuraD1
 
cyber_security_brochure details of workshop
byMayuraD1
 

Recently uploaded

PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PPTX
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
PDF
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PDF
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PDF
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PDF
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Cultivating Greatness Pune's Best Preschools and Schools.pdf
byWellington College
 

ppt for Module 5 cybersecuirty_023501.pptx

  • 1.
    Module 5 Understanding ComputerForensics Prepared By: Gowtham R Naik Dept. of CS&E, The National Institute of Engineering
  • 2.
    Introduction: Cyberforensics • Providesdigital evidence of a specific or general activity • Key role in investigation of cybercrime • “Evidence” in the case of “cyberoffenses” • Handling of the digital forensics evidence • Computer is either the subject or the object of cybercrimes or is used as a tool to commit a cybercrime Historical Background of Cyberforensics: • The earliest recorded computer crimes occurred in1969 and 1970 when student protestors burned computers at various universities. • Computer intrusion and fraud committed with the help of computers were the first crimes to be widely recognized as a new type of crime. • The application of computer for investigating computer based crime has led to development of a new field called as computer forensics. Sometimes also referred as Digital forensics.
  • 3.
    Digital Forensics Science •Defn: Application of analyses techniques to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence. The following are two more definitions worth considering: • Digital forensics: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. • Computer Forensics: The lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata derived from digital devices which may contain information that is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations. In other words, it is the collection of techniques and tools used to find evidence in a computer.
  • 4.
    The Role ofDigital Forensics is to: • Uncover and Document evidence and leads. • Corroborate evidence discovered in other ways(E-Discovery) • Assist in showing a pattern of events(data mining has a application here). • Connect attack and victim computers(Locard's Exchange principle). • Reveal an end-to-end path of the events leading to a compromise attempt, successful or not. • Extract data that may be hidden, deleted or otherwise not directly available.
  • 6.
    Need for ComputerForensics • Convergence of ICT advances and the pervasive use of computers worldwide • High technical capacity of modern computers/computing devices • New risks for computer users Widespread use of computer forensics is the result of: • Increasing dependence of law enforcement on digital evidence • Ubiquity of computers that followed from the microcomputer revolution Evidence • Everything that is used to determine or demonstrate the truth of an assertion. • Can be used in court to convict people who are believed to have committed crimes. • Handle carefully.
  • 7.
    Cyberforensics and DigitalEvidence 1. Computer forensics 2. Network forensics Computer forensics experts know the techniques to retrieve the data from files listed in standard directory search, hidden files, deleted files, deleted E-Mail and passwords, login IDs, encrypted files, hidden partitions, etc. Typically, the evidences reside on computer systems, user created files, user protected files, computer created files and on computer networks. The Rules of Evidence According to the “Indian Evidence Act 1872,” “Evidence” means and includes: 3. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, are called oral evidence. 4. All documents that are produced for the inspection of the court are called documentary evidence.
  • 8.
    There are numberof contexts involved in actually identifying a piece of digital evidence: 1.Physical context: it must be definable in its physical form, that is , it should reside on a specific piece. 2. Logical context: it must be identifiable as to its logical position, that is where does it reside relative to the file system. 3. Legal context: we must place the evidence in the correct context to read its meaning, This may require looking at the evidence as machine learning, for example , American standard code for Information Interchange (ASCII).
  • 9.
    The path takenby digital evidence can be conceptually depicted as shown in Fig:
  • 10.
    Digital Forensics LifeCycle As per FBI’s (Federal Bureau of Investigation) view, digital evidence is present in nearly every crime scene. That is why law enforcement must know how to recognize, seize, transport and store original digital evidence to preserve it for forensics examination. The cardinal roles to remember are that evidence is: 1. Admissible. 2. Authentic. 3. Complete. 4. Reliable. 5. Understandable and believable.
  • 11.
    Digital Forensics Process: •Digital forensics evidence consists of exhibits. • The exhibits are introduced as evidence by either side. • Testimony is presented to establish the process. • The party must show the evidence. • Digital forensics evidence can be challenged. • Forensics experts formulate a cost proposal. • Proposed timeline of activities, lists of anticipated deliverables and a plan for production and turnover of evidence. • Submission of a preliminary risk analysis for the forensics service being proposed.
  • 12.
    Fig : Processmodel for understanding a seizure and handling of forensics evidence legal framework.
  • 13.
    Phases in ComputerForensics/Digital Forensics 1. Preparation and identification 2. Collection and recording 3. Storing and transporting 4. Examination/investigation 5. Analysis, interpretation and attribution 6. Reporting 7. Testifying Collecting and Recording Digital Evidence • Computers * Digital thermometers • Cell phones * RFID tags and webpages • Digital cameras * Black boxes inside automobiles • Hard drives • CD-ROM • USB memory devices
  • 14.
    Collecting and RecordingDigital Evidence: Sources 1. Computers 2. Cell phones 3. Digital cameras 4. Hard drives 5. CD-ROM 6. USB memory devices 7. Digital thermometers 8. Black boxes inside automobiles 9. RFID tags and webpages
  • 15.
    Storing and TransportingDigital Evidence: 1. Image computer media using a write-blocking tool to ensure that no data is added to the suspect device 2. Establish and maintain the chain of custody 3. Document everything that has been done 4. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability. 5. Care must be taken in transportation to prevent spoliation (in a hot car, digital media tends to lose bits). 6. Care must be taken to preserve chain of custody and assure that a witness can testify accurately about what took place.
  • 16.
    Examining/Investigating Digital Evidence: •Special care must be taken to ensure that the forensics specialist has the legal authority to seize, copy and examine the data. • Sometimes authority stems from a search warrant. • As a general rule, one should not examine digital information unless one has the legal authority to do so. • Amateur forensics examiners should keep this in mind before starting any unauthorized investigation. Analysis, Interpretation and Attribution: • Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by most forensics analysts. • Analysis, interpretation and attribution of digital forensics evidence can be reconciled with non-digital evidence. • Digital forensics evidence can be externally stipulated. • Open-source tools are available to conduct analysis of open ports, mapped drives on the live computer system.
  • 17.
    Reporting: • A reportis generated. • The report may be in a written form or an oral testimony (or combination of the two). • Evidence, analysis, interpretation and attribution to be presented in the form of expert reports, depositions and testimony. • Presentation of the report (a complex and tricky process) Broad-Level Elements of the Report 1. Identity of the reporting agency 2. Case identifier or submission number 3. Case investigator 4. Identity of the submitter 5. Date of receipt 6. Date of report 7. Serial number, make and model 8. Identity and signature of the examiner 9. Steps taken during examination 10. Results/conclusions
  • 18.
    Principles to maintainthe integrity of digital evidence Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court. Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media that person must be competent to do so and be able to give evidence explaining the relevance and the implications of his/her actions. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: The person in-charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
  • 19.
    Chain of CustodyConcept • It is the central concept in cyber forensics/digital forensics investigation. • It is the process of validating how many kinds of evidences have been gathered, tracked and protected on the way to a court of law. • It is essential to get in the habit of protecting all evidences equally so that they will hold up in court. • The purpose is that the proponent of a piece of evidence must demonstrate that it is what it purports to be. • The chain of custody is a chronological written record of those individuals who have had custody of the evidence from its initial acquisition until its final disposition. • A chain of custody begins when an item of relevant evidence is collected, and the chain is maintained until the evidence is disposed off. • The chain of custody assumes continuous accountability.
  • 20.