2. What is digital forensics?
Digital forensics is the process of preserving, identifying, extracting, and
documenting computer evidence in a form that can be used in a court of law.
It is the science of finding evidence on digital media such as a computer,
mobile phone, server, or network. It gives the forensic team the techniques
and tools needed to solve complex cases involving digital data.
3/2/2024 PROCESS OF DIGITAL FORENSICS
9. DATA ACQUISITION / COLLECTING EVIDENCE
Data acquisition is the act of taking possession of, or obtaining control of,
data and adding it to a collection of evidence.
10. DATA ACQUISITION / COLLECTING EVIDENCE – METHODS
Determining the Best Acquisition Methods
Forensic investigators can acquire digital evidence using the following methods:
1. Creating a bit-stream disk-to-image file
2. Making a bit-stream disk-to-disk copy
3. Creating a sparse data copy of a folder or file
11. Creating a bit-stream disk-to-image file
Disk-To-Image File
Creating a bit-stream disk-to-image file is the most common method forensic
investigators use.
With this method, investigators can make as many copies of the digital evidence
as they need, because every further copy is made from the image file rather
than from the original disk.
The image of the original disk is written to a separate destination disk.
An investigator can then use tools such as EnCase, FTK, SMART, TASK (since
renamed The Sleuth Kit), and ILook to read and analyze the image file.
12. Making a bit-stream disk-to-disk copy
Disk-To-Disk Copy
If an investigator is unable to create a bit-stream disk-to-image file, the
alternative is to create a bit-stream disk-to-disk copy of the suspect's disk
drive in order to acquire the information from it.
Several bit-streaming programs can copy the information from one disk to
another.
Disk-to-disk imaging tools include SafeBack, SnapCopy, and Norton Ghost.
Note that Norton Ghost only produces a sector-by-sector copy when run in its
raw/all-sector mode; its default file-based copy is not a forensic duplicate.
The destination disk should be at least as large as the source and should be
wiped before the copy is made, so that no residual data from earlier use is
mistaken for evidence.
Many of these applications run under MS-DOS.
13. Creating a sparse data copy of a folder or file
Sparse Data Copy
There are times during a forensic investigation when an investigator finds
incriminating evidence in a particular file or folder.
In such cases it is not necessary to create a bit-stream disk-to-image file or
a disk-to-disk copy.
The investigator would just need to create a sparse data copy of the folder or
file.
A sparse data copy is a copy of only part of a large set of data, in which only
the data pertinent to the investigation is included.
An investigator may choose to make a sparse data copy to reduce the overall
size of an evidence file.
The trade-off is that a sparse copy carries no unallocated space, file slack,
or deleted data, so deleted files cannot later be recovered from it; if that
may be needed, a full bit-stream copy is still required.
14. DATA RECOVERY CONTINGENCIES
Investigators must make contingency plans for the case that data acquisition fails.
To preserve digital evidence, investigators must create a duplicate copy of the evidence files.
If the original data recovered is corrupted, investigators can use the second copy.
Investigators can use forensic tools such as EnCase and SafeBack to obtain multiple copies.
Typically, computer forensic investigators make at least two bit-stream image copies of the digital
evidence that is collected.
Investigators have more than one bit-streaming tool at their disposal.
They should use at least two of these tools to make copies of the digital evidence, in case one tool doesn't properly acquire the data.
During the data recovery process, an investigator must not make any changes to the digital
evidence.
Forensic activities must be performed only on the bit-stream copies of the digital evidence, so that
the original evidence is not altered or corrupted.
15. DATA ACQUISITION SOFTWARE TOOLS
Windows Standard Tools
Linux Standard Tools
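A worked example of the disk-to-image acquisition, hash verification and second copy described on slides 11 and 14, using only the Linux standard tools this slide refers to (dd, sha256sum, cat). This is an added example, not code from the original slides: the device and output paths are assumptions, and the sample "disk" it images is a constructed 1 MiB file of random bytes rather than a real drive.

```shell
#!/bin/sh
# Added example (not from the slides): bit-stream disk-to-image acquisition
# with Linux standard tools, followed by hash verification and a second copy.
# On a real case the source would be a block device (e.g. /dev/sdb) attached
# through a hardware write blocker; every path below is an assumption.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# record_hash FILE: prints the SHA-256 of FILE and stores it in FILE.sha256
# (in sha256sum -c format) so the image can be re-verified later.
record_hash() {
    h=$(hash_of "$1")
    printf '%s  %s\n' "$h" "$(basename "$1")" > "$1.sha256"
    printf '%s\n' "$h"
}

# acquire_image SOURCE IMAGE
# Copies SOURCE sector by sector into IMAGE and returns 0 only if the hash of
# the image equals the hash of the source. bs=512 matches the traditional
# sector size (use bs=4096 for Advanced Format drives), so conv=noerror,sync
# only zero-pads a genuinely unreadable sector instead of inflating the final
# block and breaking the hash comparison.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(record_hash "$img")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: re-hashes IMAGE against the stored IMAGE.sha256, the
# check an examiner repeats before and after every analysis session.
verify_image() {
    img="$1"
    (cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256") >/dev/null 2>&1
}

# make_working_copy IMAGE COPY
# The contingency copy from slide 14, made with a different tool (cat rather
# than dd) and required to carry the same hash as the first image.
make_working_copy() {
    img="$1"; copy="$2"
    cat "$img" > "$copy" || return 1
    [ "$(hash_of "$img")" = "$(record_hash "$copy")" ]
}

# --- demo on a constructed sample "disk" (2048 x 512-byte sectors) ----------
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/suspect.dev" bs=512 count=2048 2>/dev/null
acquire_image "$demo_dir/suspect.dev" "$demo_dir/evidence.img" \
    && make_working_copy "$demo_dir/evidence.img" "$demo_dir/working.img" \
    && verify_image "$demo_dir/working.img" \
    && echo "acquisition verified: $(cat "$demo_dir/evidence.img.sha256")"
rm -rf "$demo_dir"
```

Hashing the source separately means the drive is read twice; tools such as dcfldd or dc3dd hash the stream in one pass, which is why they are preferred over plain dd on large or failing drives. Whatever tool is used, the source must sit behind a write blocker, and the stored .sha256 record is what the later analysis sessions are checked against.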
22. • The changes you make while collecting volatile data will affect the processes found in RAM.
That is why you need to take notes and document everything you do.
• Some examples of volatile data we collect are the current state of the system: networking
information (the ARP table, connections, routing table, and name cache), the logged-on users,
running services, running processes, shared drives, remote activity, and open encrypted
containers.
• We have to balance the changes we will make against the evidence that may otherwise be lost
forever.
• The term "forensically sound manner": digital evidence is said to be forensically sound if it was
collected, analyzed, handled and stored in a manner that is acceptable to the law, and there is
reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital
evidence was not corrupted or destroyed during investigative processes, whether on purpose or by
accident.
• The order in which volatile data is collected is significant: if you collect it in the wrong
order, you may destroy the evidence you are looking for.
• RAM is considered the most volatile of all volatile data, so we want to collect it first.
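To make the "document everything you do" and order-of-volatility points concrete, here is an added example (not from the original slides) of a small Linux collector that runs each step in a fixed order, most volatile first, and writes a timestamped, hashed record of every command it ran. The step list, the /proc paths and the output directory are assumptions for this example; memory itself is not captured, since that needs a dedicated tool (LiME, AVML or similar) and is the step that would come before all of these.

```shell
#!/bin/sh
# Added example (not from the slides): ordered volatile-data collection on
# Linux with a contemporaneous log of what was run. Every step is an
# assumption; adapt the list to the host. Memory capture is deliberately left
# to a dedicated tool and is not attempted here.

# Steps in order of volatility: network state first, then users, processes
# and mounts. Format is "label|command"; each command's output is saved
# verbatim and its exit status recorded, so a missing tool is documented
# rather than silently skipped.
VOLATILE_STEPS='
arp_cache|cat /proc/net/arp
tcp_connections|cat /proc/net/tcp
routing_table|cat /proc/net/route
logged_on_users|who
running_processes|ps -eo pid,ppid,user,lstart,args
mounts|cat /proc/mounts
'

# collect_volatile OUTDIR
# Runs every step in order, saving output to OUTDIR/<label>.txt and appending
# a UTC-timestamped, hashed record of each command to OUTDIR/collection.log.
# Timestamps are in UTC so they line up with the rest of the timeline.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    log="$out/collection.log"
    printf '# volatile collection started %s on host %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n 2>/dev/null || echo unknown)" >> "$log"
    printf '%s\n' "$VOLATILE_STEPS" | while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        file="$out/$label.txt"
        start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        rc=0
        sh -c "$cmd" > "$file" 2>&1 || rc=$?
        hash=$(sha256sum "$file" | cut -d' ' -f1)
        printf '%s step=%s cmd="%s" rc=%s sha256=%s\n' \
            "$start" "$label" "$cmd" "$rc" "$hash" >> "$log"
    done
}

# count_steps LOG: number of collection steps recorded (header line excluded)
count_steps() { grep -c '^[0-9].* step=' "$1"; }

# --- demo: collect into a fresh directory and show the record ---------------
out_dir=$(mktemp -d)
collect_volatile "$out_dir"
cat "$out_dir/collection.log"
echo "steps recorded: $(count_steps "$out_dir/collection.log")"
rm -rf "$out_dir"
```

On a live suspect machine the script and its output directory should live on examiner-controlled removable media, not on the suspect's disk, and the log is what goes into the examiner's notes: which command ran, when, and the hash of what it produced.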
28. • Dates and time zones can cause issues for a digital forensic investigator who forgets to consider them.
• If you only conduct exams in a specific time zone and all of your seized data comes from the same time
zone, then the issues you face are small.
• But if the data comes from multiple time zones, or you travel to various time zones, they can cause
some confusion if you do not take them into account.
• Setting the forensic machine and tools to use universal time (UTC) as a standard frame of reference helps
solve this problem. Also ensure that any timeframe in which criminal activity may have occurred is
expressed in UTC.
• It does not help that operating systems save metadata in a multitude of different time zones: NTFS
stores its timestamps in UTC, while FAT stores local time with no zone information at all.
• You also have to consider that the suspect may have changed the time zone settings on the computer to
hide their illicit activity.
• Timeline analysis is critical when conducting a forensic exam.
• Next, we will need to be able to identify files we know are irrelevant, as well as instantly
identify contraband images.
• We can do that with hash analysis.
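An added example of the hash analysis this slide ends on, not code from the original slides: every file under an evidence directory is hashed, files whose hash appears in a known-good set are dropped from review, and files whose hash appears in a known-bad set are flagged. The one-SHA-256-per-line set format, the sample files and the hash sets built in the demo are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): hash analysis over an evidence tree.
# Known-good hashes (an NSRL-style list of OS and application files) are
# excluded from review; known-bad hashes (a contraband hash list) are flagged.
# Set format, file names and sample content are assumptions for this example.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# classify DIR GOOD_SET BAD_SET
# Prints "<class> <sha256> <path>" for every regular file under DIR, class
# being known_bad, known_good or unknown. A hash present in both sets is
# reported as known_bad, so an over-broad "good" list cannot hide contraband.
classify() {
    dir="$1"; good="$2"; bad="$3"
    find "$dir" -type f -exec sha256sum {} + | sort -k2 | while read -r h p; do
        if grep -qxF "$h" "$bad"; then cls=known_bad
        elif grep -qxF "$h" "$good"; then cls=known_good
        else cls=unknown
        fi
        printf '%s %s %s\n' "$cls" "$h" "$p"
    done
}

# review_queue DIR GOOD_SET BAD_SET
# What the examiner actually has to look at: flagged files first, then the
# unknowns; known-good files are dropped entirely.
review_queue() {
    all=$(classify "$1" "$2" "$3")
    printf '%s\n' "$all" | { grep '^known_bad ' || :; }
    printf '%s\n' "$all" | { grep '^unknown ' || :; }
}

# report_header DIR: one line for the examiner's notes, timestamped in UTC so
# it sits on the same time base as the rest of the timeline.
report_header() {
    printf '# hash analysis of %s at %s\n' "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# --- demo on constructed sample files and hash sets -------------------------
d=$(mktemp -d)
mkdir -p "$d/evidence/docs" "$d/sets"
printf 'standard library file\n'   > "$d/evidence/libfoo.so"
printf 'holiday photos\n'          > "$d/evidence/docs/notes.txt"
printf 'contraband image bytes\n'  > "$d/evidence/docs/IMG_0042.jpg"
hash_of "$d/evidence/libfoo.so"          > "$d/sets/known_good.txt"
hash_of "$d/evidence/docs/IMG_0042.jpg"  > "$d/sets/known_bad.txt"
report_header "$d/evidence"
review_queue "$d/evidence" "$d/sets/known_good.txt" "$d/sets/known_bad.txt"
rm -rf "$d"
```

The per-file grep is fine for a demo but quadratic on real sets; for a multi-million-entry NSRL list, sort both sides and use join or comm instead. Run the analysis with TZ=UTC set so any file times the examiner lists alongside it (for example with GNU ls --time-style=full-iso) are already on the UTC frame of reference the previous slide recommends.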
48. The Windows Device Manager can be used to get information about the devices
connected to a system; with "Show hidden devices" enabled it also lists devices
that were connected previously but are no longer present.
49. Recovering Deleted Files and Partitions
Anatomy of a Hard Disk:
A hard disk drive (HDD), hard disk, hard drive or
fixed disk is a data storage device used for
storing and retrieving digital information using
one or more rigid ("hard") rapidly rotating disks
(platters) coated with magnetic material.
The platters are paired with magnetic heads
arranged on a moving actuator arm, which read
and write data to the platter surfaces.
Data is accessed in a random-access manner,
meaning that individual blocks of data can be
stored or retrieved in any order rather than
sequentially. HDDs retain stored data even when
powered off.
50. The primary characteristics of an HDD are its
capacity and performance. Capacity is specified in
unit prefixes corresponding to powers of 1000: a
1-terabyte (TB) drive has a capacity of 1,000
gigabytes (GB; where 1 gigabyte = 1 billion bytes).
An HDD records data by magnetizing a thin film of
ferromagnetic material on a disk. Sequential changes
in the direction of magnetization represent binary
data bits.
The data is read from the disk by detecting the
transitions in magnetization. User data is encoded
using an encoding scheme, such as run-length
limited encoding, which determines how the data is
represented by the magnetic transitions.
51. In computer disk storage, a sector is a subdivision of
a track on a magnetic disk or optical disc. Each
sector stores a fixed amount of user-accessible data,
traditionally 512 bytes for hard disk drives (HDDs)
and 2048 bytes for CD-ROMs and DVD-ROMs.
Newer HDDs use 4096-byte (4 KB) physical sectors, known
as the Advanced Format (AF). Many such drives still
present 512-byte logical sectors to the host (512e), so
an imaging tool must use the logical sector size the
drive reports rather than the physical one.
Geometrically, the word sector means a portion of a
disk between a center, two radii and a corresponding
arc (see Figure 17, item B), which is shaped like a
slice of a pie. Thus, the disk sector (Figure 17, item
C) refers to the intersection of a track and
geometrical sector.
53. In disk drives, each physical sector is made up of
three basic parts, the sector header, the data area and
the error-correcting code (ECC). The sector header
contains information used by the drive and
controller; this information includes sync bytes,
address identification, flaw flag and header parity
bytes.
The header may also include an alternate address to
be used if the data area is undependable. The
address identification is used to ensure that the
mechanics of the drive have positioned the
read/write head over the correct location. The data
area contains the recorded user data, while the ECC
field contains codes based on the data field, which
are used to check and possibly correct errors that
may have been introduced into the data.