RAKESH KUMAR MISHRA
15MSFS035
M.Sc.(FORENSIC SCIENCE)
2ND SEMESTER
Content..
 DIGITAL EVIDENCE
 PLACES WHERE DIGITAL EVIDENCE IS FOUND
 WHY INVESTIGATE..??
 CARDINAL RULES OF COMPUTER FORENSICS
 BASIC CONCEPTS OF ANALYSIS OF DIGITAL EVIDENCE..
 DIGITAL EVIDENCE ANALYSIS METHODOLOGY..
 OFFENCES & PUNISHMENT UNDER THE INFORMATION TECHNOLOGY ACT, 2000
DIGITAL EVIDENCE
 Digital evidence is information stored or transmitted in
binary form that may be relied on, in court.
 Digital evidence includes information on computers, audio
files, video recordings, and digital images.
 Digital evidence is information and data of value to an
investigation that is stored on, received, or transmitted by an
electronic device.
 This evidence is acquired when data or electronic devices
are seized and secured for examination. Digital evidence—
■ Is latent, like fingerprints or DNA evidence.
■ Crosses jurisdictional borders quickly and easily.
■ Is easily altered, damaged, or destroyed.
■ Can be time sensitive.
POSSIBLE PLACES WHERE DIGITAL EVIDENCE IS FOUND……
Possible places that digital evidence can reside include:
 Computers
 External hard drives
 CDs and DVDs
 Thumb drives
 Floppy disks
 Cell phones
 Voice over IP phones
 Answering machines
 iPods
 Electronic game devices
 Digital video recorders (Tivos)
 Digital cameras
 PDAs
 GPSs
 Routers
 Switches
 Wireless access points
 Servers
 Fax machines
 Printers that buffer files
 Photo-copiers that buffer files
 Scanners that buffer files
WHY INVESTIGATE..??
First we will need to consider the complaint or the initial reason for conducting an investigation.
Some typical reasons that may warrant an investigation include but are not limited to:
 Unauthorised access to a computer or network
 Internet usage exceeding the norm
 Using e-mail inappropriately
 Use of the Internet, e-mail, or a PC in a non-work-related manner
 Theft of information
 Violation of security policies or procedures
 Intellectual property infringement
 Electronic tampering
 Online or economic fraud
 Software piracy
 Telecommunication fraud
 Terrorism (Homeland Security)
 Child abuse or exploitation
CARDINAL RULES OF COMPUTER FORENSICS…
 The cardinal rules have evolved to facilitate a forensically sound examination of computer media and to enable a forensic scientist to testify in court in respect of their handling of a particular piece of evidence.
 The five cardinal rules are…
1. Never mishandle the evidence.
2. Never work on the original evidence.
3. Never trust the subject's operating system.
4. Document everything.
5. The result should be repeatable and verifiable by a third party.
 SEIZURE
 ACQUISITION
 ANALYSIS
 PRESENTATION
SEIZURE…
 Prior to the actual examination digital media will be seized.
 In criminal cases this will often be performed by law
enforcement personnel trained as technicians to ensure
the preservation of evidence.
 In civil matters it will usually be a company officer, often
untrained. Various laws cover the seizure of material.
 In criminal matters law related to search warrants is
applicable.
 In civil proceedings the assumption is that a company is
able to investigate their own equipment without a warrant,
so long as the privacy and human rights of employees are
observed.
ACQUISITION…
A Tableau forensic write blocker
 Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device, a process referred to as imaging or acquisition.
 The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Iximager, Guymager, TrueBack, EnCase, FTK Imager or FDAS.
 The original drive is then returned to secure storage to prevent tampering.
 The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state.
Sector….
 A sector is the smallest physical storage unit on the disk.
 A sector is a subdivision of a track on a magnetic disk or optical disc.
 Each sector stores a fixed amount of user-accessible data, traditionally 512 bytes for hard disk drives (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs.
Write Blockers…
 Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
 There are two ways to build a write blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list.
 Alternatively, the blocker can specifically block the write commands and let everything else through.
 There are two types of write blockers, Native and Tailgate. A Native device uses the same interface for both in and out, for example an IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a FireWire to SATA write block.
A hard drive attached to a portable write blocker
Analysis…
A number of techniques are used during computer forensics
investigations and much has been written on the many techniques
used by law enforcement in particular……
 Cross-drive analysis
A forensic technique that correlates information found on
multiple hard drives. The process, still being researched, can be used
to identify social networks and to perform anomaly detection.
 Live analysis
 The examination of computers from within the operating system
using custom forensics or existing sysadmin tools to extract
evidence.
 The practice is useful when dealing with Encrypting File Systems,
for example, where the encryption keys may be collected and, in
some instances, the logical hard drive volume may be imaged
(known as a live acquisition) before the computer is shut down.
Deleted files…
 A common technique used in computer forensics is the recovery of deleted files.
 Modern forensic software has its own tools for recovering or carving out deleted data.
 Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the sectors.
 File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
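File carving by header and trailer signature, as an added Python example rather than a tool from the original slides. It scans a constructed eight-sector image for JPEG and PNG signatures, cuts out each header-to-trailer run, and reports a header whose trailer is missing (a partly overwritten file) separately instead of carving garbage. The image contents are constructed; the signatures are the real JPEG SOI/EOI markers and the PNG signature/IEND chunk.

```python
SECTOR = 512

# Header and trailer signatures for the formats this example carves.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan a raw image for known headers and cut out header..trailer runs.

    A header with no trailer within max_size bytes is reported with data=None:
    the file was probably partly overwritten and cannot be carved whole.
    """
    found = []
    for kind, (header, trailer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": kind, "offset": start, "data": None})
                start = image.find(header, start + len(header))
                continue
            end += len(trailer)
            found.append({"type": kind, "offset": start, "data": image[start:end]})
            start = image.find(header, end)
    found.sort(key=lambda f: f["offset"])
    return found


# Constructed file bodies (not real files): valid signatures around placeholder payloads.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed png chunks" + b"IEND\xaeB`\x82"
TRUNCATED_JPG = b"\xff\xd8\xff\xe1" + b"header only, rest overwritten"


def constructed_image():
    """Constructed 8-sector image: two intact deleted files and one truncated one."""
    image = bytearray(SECTOR * 8)
    image[SECTOR * 2:SECTOR * 2 + len(FAKE_JPG)] = FAKE_JPG
    image[SECTOR * 5:SECTOR * 5 + len(FAKE_PNG)] = FAKE_PNG
    image[SECTOR * 7:SECTOR * 7 + len(TRUNCATED_JPG)] = TRUNCATED_JPG
    return bytes(image)


if __name__ == "__main__":
    for item in carve(constructed_image()):
        size = None if item["data"] is None else len(item["data"])
        print(item["type"], "at offset", item["offset"], "size", size)
```

The search runs over the whole image rather than the file system's directory, which is what lets it find a file whose directory entry is gone; the offset of each hit is kept so the examiner can record which sectors the carved file came from.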
DIGITAL EVIDENCE ANALYSIS METHODOLOGY…
 Protect the crime scene
 Force shutdown of the computer
 Document the hardware configuration of the system
 Transport the computer system to a forensic laboratory
 Make bit stream backups of hard disks and floppy disks
 Authenticate the data mathematically on all storage devices (hash value)
 Document the system date and time
 List the key words for the search
 Evaluate the windows swap file
 Evaluate file slack
 Evaluate unallocated space (erased files)
 Search files, file slack and unallocated space for key words
 Document file names, dates and times
 Identify file, programme and storage anomalies
 Evaluate the programme functionality
 Document your findings
 Retain copies of software used
Protect the crime scene...
 The first and foremost step is to protect the crime scene, for which access to the area around the suspect computer should be restricted only to the individuals involved with the investigation.
 The scene should be documented in great detail. The computer and the surrounding area should be photographed from all angles.
Force shutdown of the computer
 This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background.
 Do not shut down the computer abruptly. Follow the detailed power shut down procedure for the various operating systems as given in the chart….
Operating system / Power shut down procedure
MS DOS
 Photograph screen and document any programmes running
 Pull the power cord from the wall socket
 In case of laptop, remove the battery pack
UNIX/LINUX
 Photograph screen and document any programmes running
 Right click the menu
 From the menu, click Console
 If the root user prompt (#) is not present, change user to root by typing su -
 If the root password is not available, pull the power cord from the wall socket
 If the password is available, enter it. At the # sign type sync;sync;halt and the system will shut down
 Pull the power cord from the wall socket
Mac
 Photograph screen and document any programmes running
 Click Special
 Click Shutdown
 The window will tell you it is safe to turn off the computer
 Pull the power cord from the wall socket
Windows 3.X/95/98/NT
 Photograph screen and document any programmes running
 Pull the power cord from the wall socket
 In case of laptop, remove the battery pack
Document the Hardware Configuration of the System…
 Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location.
 In addition to photography, diagram the computer configuration on paper, labelling which cables are attached and what they are attached to.
Transport the computer system to a secure location (Forensic laboratory)…..
 Do not leave the subject computer unattended unless it is locked up in a secure location.
 Transport the seized equipment to a secure and controlled environment that is trusted to be free of anything that could modify or destroy the evidence.
Make bit stream backups of hard disks/floppy disks:
Bit stream format???
A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.
 Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow booting from a floppy).
 The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.
 The evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.
 The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else.
Authenticate the data mathematically on all storage devices…
 Proof may have to be provided that none of the evidence has been altered after the computer came into the possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.
 Use a hash algorithm to generate a numeric expression and compare this to the same hash algorithm on the data that was backed up, in order to mathematically authenticate the data.
 This is used as proof that the files have not been changed.
Hash algorithm???
 A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
 One use is a data structure called a hash table, widely used in computer software for rapid data lookup.
 Hash functions accelerate table or database lookup by detecting duplicated records in a large file.
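Sector-level imaging and hash authentication, as an added Python example that is not part of the original slides; it serves both the acquisition slide (sector-level duplicate verified with SHA-1 or MD5) and the "authenticate the data mathematically" step above. A small in-memory "suspect drive" (constructed, not real evidence) is copied in 512-byte sector reads, MD5 and SHA-1 digests are recorded at acquisition, and the copy is re-verified once intact and once after a single flipped bit. The write blocker of the slides is assumed to sit in front of the real device; here the device is a BytesIO stand-in.

```python
import hashlib
import io

SECTOR_SIZE = 512  # traditional HDD sector size, as on the slides


def image_device(device, sector_size=SECTOR_SIZE):
    """Copy a read-only device sector by sector.

    `device` is any binary file-like object; on a real acquisition the
    examiner reads through a write blocker so no command that could alter
    the drive reaches it. Returns (image_bytes, sectors_read).
    """
    image = io.BytesIO()
    sectors = 0
    while True:
        sector = device.read(sector_size)
        if not sector:
            break
        image.write(sector)
        sectors += 1
    return image.getvalue(), sectors


def hash_image(data):
    """MD5 and SHA-1 digests of an image, as hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_image(data, recorded):
    """Re-hash the image and compare against the digests recorded at acquisition."""
    current = hash_image(data)
    return all(current[name] == digest for name, digest in recorded.items())


def constructed_drive():
    """Constructed 8-sector 'suspect drive' (not real evidence): zeros plus one text fragment."""
    drive = bytearray(SECTOR_SIZE * 8)
    fragment = b"invoice-2024-draft.docx"
    drive[SECTOR_SIZE * 3:SECTOR_SIZE * 3 + len(fragment)] = fragment
    return bytes(drive)


def acquisition_demo():
    """Image the constructed drive, record hashes, then verify once intact and once tampered."""
    image, sectors = image_device(io.BytesIO(constructed_drive()))
    recorded = hash_image(image)          # this pair goes into the acquisition notes
    intact = verify_image(image, recorded)
    tampered = bytearray(image)
    tampered[0] ^= 0x01                   # a single flipped bit in sector 0
    tampered_ok = verify_image(bytes(tampered), recorded)
    return sectors, intact, tampered_ok   # expected (8, True, False)


if __name__ == "__main__":
    print(acquisition_demo())
```

Both digests are recorded because the slides name both; re-running `verify_image` at each critical point of the analysis is the "hashing" the acquisition slide describes, and any mismatch means the working copy can no longer be presented as identical to the seized media.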
Document the System Date and time.
 The dates and times associated with the computer files can be extremely important from an evidence standpoint.
 However, the accuracy of the dates and times is just as important.
 Document the system date and time setting at the time the computer is taken into possession.
List the key words for the search..
 Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved.
 Information gathered from the individuals who are familiar with the case would help in compiling a list of key words.
Evaluate the windows swap file
 The windows swap file is a potentially valuable source of evidence and leads.
 The evaluation of the swap file can be automated with forensic tools.
 New Technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words that can be added to the list.
Evaluate file slack
 File slack is a data storage area about which most computer users are not aware.
 It is a source of significant security leakage and consists of raw memory dumps that occur during the work session, as the files are closed.
 The data dumped from the memory ends up being stored at the end of allocated files, beyond the reach or view of the user.
 Forensic tools are required to view and evaluate the file slack.
Evaluation of unallocated Space
(erased files)
 The ‘delete’ function of DOS and Windows does not
completely erase the file names or the file contents.
 Unallocated space may still contain these erased files and the
file slack associated with erased files.
 The DOS undelete programme can be used to restore the
previously erased files.
Searching files, file slack and unallocated space for key words
The list of relevant key words, identified in the previous step,
should be used to search all relevant computer hard disk drives
and floppy disks.
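File slack, unallocated space and the key-word search, as one added Python example (not from the original slides) covering the file slack, unallocated space and key-word search steps above. It builds a constructed three-cluster volume in memory with one allocated file, one erased file and one empty cluster, extracts the slack beyond the allocated file's logical end, gathers the unallocated clusters, and runs a case-insensitive key-word search over the file's own content, its slack and the unallocated space. The cluster size, file names, cluster contents and key words are constructed assumptions.

```python
import re

CLUSTER_SIZE = 512  # small constructed cluster so the example stays readable


def build_volume():
    """Constructed volume: 3 clusters, one allocated file, one erased file."""
    clusters = [bytearray(CLUSTER_SIZE) for _ in range(3)]
    # Cluster 0 earlier held a different file; its tail was never wiped.
    clusters[0][:] = b"OLD DRAFT: move funds to offshore account before audit".ljust(CLUSTER_SIZE, b"\x00")
    memo = b"Budget review 10am"
    clusters[0][:len(memo)] = memo      # the new file overwrites only its own length
    # Cluster 1 belonged to a file that was deleted; it is now unallocated.
    clusters[1][:] = b"Wire instructions for the Cayman transfer".ljust(CLUSTER_SIZE, b"\x00")
    directory = {"memo.txt": {"cluster": 0, "size": len(memo)}}
    return clusters, directory


def file_slack(clusters, entry):
    """(offset, bytes) of the region between a file's logical end and the end of its cluster."""
    data = clusters[entry["cluster"]]
    start = entry["size"]
    return start, bytes(data[start:])


def unallocated_clusters(clusters, directory):
    """Clusters no directory entry points at, i.e. erased-file space."""
    used = {e["cluster"] for e in directory.values()}
    return [(i, bytes(c)) for i, c in enumerate(clusters) if i not in used]


def keyword_search(region, data, keywords, base_offset=0):
    """Case-insensitive search; offsets are reported relative to the cluster start."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), data, re.IGNORECASE):
            context = data[max(0, m.start() - 10):m.end() + 10].rstrip(b"\x00")
            hits.append({"region": region, "keyword": kw,
                         "offset": base_offset + m.start(), "context": context})
    return hits


def search_volume(clusters, directory, keywords):
    """Search files, their slack and unallocated space, as the methodology step requires."""
    hits = []
    for name, entry in directory.items():
        logical = bytes(clusters[entry["cluster"]][:entry["size"]])
        hits += keyword_search(f"file:{name}", logical, keywords)
        start, slack = file_slack(clusters, entry)
        hits += keyword_search(f"slack:{name}", slack, keywords, base_offset=start)
    for idx, data in unallocated_clusters(clusters, directory):
        hits += keyword_search(f"unallocated:cluster{idx}", data, keywords)
    return hits


if __name__ == "__main__":
    vol, dirent = build_volume()
    for hit in search_volume(vol, dirent, [b"offshore", b"wire"]):
        print(hit["region"], hit["keyword"], hit["offset"], hit["context"])
```

Neither key word appears in the logical content of memo.txt, which is all a user-level search would see; both are found only in the slack and the unallocated cluster, which is why the slides insist on forensic tools that read those regions.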
Document file names, dates and time
 From an evidence standpoint, file names, their date of creation and last modification can be relevant.
 Therefore, it is important to catalogue all these dates and times of existing and erased files.
Identify file, Programme and storage Anomalies
 Encrypted, compressed and graphic files store data in binary format.
 As a result, a text search programme cannot identify text data stored in these formats.
 Manual evaluation of these files is required and, in the case of encrypted files, more effort may be involved. Reviewing the partitions on the seized hard disk drive is also important.
Evaluate the programme functionality
Depending on the application software involved, running programmes to learn their purpose may be necessary.
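Cataloguing file names, timestamps and hashes and flagging anomalies, as an added Python example that is not part of the original slides; it serves the "Document file names, dates and time" step and the "Identify file, programme and storage anomalies" step above. It writes three constructed sample files to a temporary directory, records name, size, modification/access/metadata-change times in UTC and a SHA-1 digest for each, and flags the anomalies a text search would miss: a file whose extension disagrees with its magic number, and a file whose byte entropy looks like ciphertext or a compressed archive. The magic-number table, the 7.5 bits/byte threshold and the sample files are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Magic numbers for a few formats; a file whose extension disagrees with its
# signature is one of the storage anomalies the slides ask the examiner to find.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for encrypted or compressed data


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def anomaly_flags(name, data):
    """Flags for what a text search would miss: signature mismatch, encrypted/compressed content."""
    flags = []
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        flags.append("extension/signature mismatch")
    for other, sig in MAGIC.items():
        if other != ext and data.startswith(sig):
            flags.append(f"content is really {other}")
    if shannon_entropy(data) >= HIGH_ENTROPY:
        flags.append("high entropy: possibly encrypted or compressed")
    return flags


def iso_utc(ts):
    """Record every timestamp in UTC so the catalogue does not depend on the examiner's zone."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def catalogue(root):
    """Name, size, timestamps, SHA-1 and anomaly flags for every file under root."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                data = fh.read()
            records.append({
                "name": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": iso_utc(st.st_mtime),
                "accessed": iso_utc(st.st_atime),
                "metadata_changed": iso_utc(st.st_ctime),
                "sha1": hashlib.sha1(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 2),
                "flags": anomaly_flags(name, data),
            })
    return records


def build_sample_evidence():
    """Constructed sample files (not real evidence) written to a temporary directory."""
    root = tempfile.mkdtemp(prefix="evidence_")
    samples = {
        "notes.txt": b"Project plan: phase one starts Monday, budget approved.\n",
        "holiday.jpg": b"%PDF-1.4\n%constructed pdf hidden behind a .jpg name\n",
        "vault.dat": bytes(range(256)) * 16,   # uniform bytes: stand-in for ciphertext
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rec in catalogue(build_sample_evidence()):
        print(rec["name"], rec["size"], rec["modified"], rec["sha1"][:12], rec["flags"])
```

The catalogue is meant to run against the restored copy of the bit stream backup, never the original; the SHA-1 column lets the same list be regenerated later and compared line by line, which is the repeatable, verifiable result the cardinal rules call for.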
Document your findings
 As indicated in the preceding steps, it is very important to document the findings as issues are identified and as evidence is found.
 It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmes.
Retain copies of software used
 As part of the documentation process, it is recommended that a copy of the forensic tool software used be included.
 Often it is necessary to duplicate the forensic processing results during or before trial.
 Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
Offences & Punishment under the Information Technology Act, 2000
Offences…..
The offences included in the IT Act 2000 are as follows:
1. Tampering with the computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions
5. Directions of Controller to a subscriber to extend facilities to
decrypt information
6. Protected system
7. Penalty for misrepresentation
8. Penalty for breach of confidentiality and privacy
9. Penalty for publishing Digital Signature Certificate false in certain
particulars
10. Publication for fraudulent purpose
11. Act to apply for offence or contravention committed outside India
12. Confiscation
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.
Punishment
 Section 43 of the IT Act states that any act of destroying, altering or stealing a computer system/network, or deleting information with the act of damaging data or information, without the authorization of the owner of that computer is liable for payment to be made to the owner as compensation for damages.
 Section 43A of the IT Act states that any corporate body dealing with sensitive information and negligent in implementing reasonable security practices, causing loss or wrongful gain to any other person, will also be liable to pay compensation to the affected party.
 Section 66 states that hacking of a computer system by an individual dishonestly or fraudulently is punishable with 3 yrs. imprisonment, a fine of Rs. 5,00,000 or both.
 Section 66A states any offensive information with demean
 Sections 66B, 66C and 66D: fraudulently or dishonestly using or transmitting information, or identity theft, is punishable with 3 yr imprisonment or a 1,00,000 fine or both.
 Section 66E: violation of privacy by transmitting an image of a private area is punishable with 3 yr imprisonment or a 2,00,000 fine or both.
 Section 66F: cyber terrorism affecting the unity, integrity, security or sovereignty of India through a digital medium is liable for life imprisonment.
 Section 67 states that publishing obscene information or pornography, or transmitting obscene information in public, is liable for imprisonment up to 5 years or a penalty of Rs. 10,00,000 or both.
Analysis of digital evidence

 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 

Analysis of digital evidence

WHY INVESTIGATE..?? (continued)
• Use of Internet, e-mail, or PC in a non-work-related manner
• Theft of information
• Violation of security policies or procedures
• Intellectual property infringement
• Electronic tampering
• Online or economic fraud
• Software piracy
• Telecommunication fraud
• Terrorism (homeland security)
• Child abuse or exploitation
CARDINAL RULES OF COMPUTER FORENSICS
• The cardinal rules have evolved to facilitate a forensically sound examination of computer media and to enable a forensic scientist to testify in court about their handling of a particular piece of evidence.
• The five cardinal rules are:
  1. Never mishandle the evidence.
  2. Never work on the original evidence.
  3. Never trust the subject's operating system.
  4. Document everything.
  5. The results should be repeatable and verifiable by a third
SEIZURE
• Prior to the actual examination, digital media will be seized.
• In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence.
• In civil matters it will usually be a company officer, often untrained.
• Various laws cover the seizure of material. In criminal matters the law relating to search warrants applies. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.
ACQUISITION
[Figure: a Tableau forensic write blocker]
• Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device, a process referred to as imaging or acquisition.
• The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS.
• The original drive is then returned to secure storage to prevent tampering.
ACQUISITION (continued)
• The acquired image is verified using the SHA-1 or MD5 hash function. At critical points throughout the analysis the media is verified again, a step known as "hashing", to ensure that the evidence is still in its original state.

SECTOR
• A sector is the smallest physical storage unit on the disk.
• A sector is a subdivision of a track on a magnetic disk or optical disc.
• Each sector stores a fixed amount of user-accessible data, traditionally 512 bytes for hard disk drives (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs.
WRITE BLOCKERS
• Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
• There are two ways to build a write blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list. Alternatively, the blocker can specifically block the write commands and let everything else through.
• There are two types of write blockers, native and tailgate. A native device uses the same interface on both the in and out sides, for example an IDE-to-IDE write blocker. A tailgate device uses one interface on one side and a different one on the other, for example a FireWire-to-SATA write blocker.
[Figure: a hard drive attached to a portable write blocker]
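The slide describes a write blocker as a filter that passes every command to the drive except those on a block list. The following is an added example (not code from the presentation or from any write-blocker vendor) that simulates that design in Python: a sector-addressed drive, a blocker in front of it, and an acquisition read through the blocker. The command names (READ_SECTORS, WRITE_DMA, SECURITY_ERASE and so on) are constructed stand-ins, not real ATA or SCSI opcodes, and the drive content is constructed.

```python
"""Simulated block-list write blocker (added example; command names are constructed)."""

SECTOR = 512

# Constructed command vocabulary for the simulated drive (illustrative names only).
READ_COMMANDS = {"READ_SECTORS", "READ_DMA", "IDENTIFY_DEVICE"}
WRITE_COMMANDS = {"WRITE_SECTORS", "WRITE_DMA", "SECURITY_ERASE"}


class Drive:
    """Subject media: a bytearray addressed in 512-byte sectors (constructed)."""

    def __init__(self, data):
        if len(data) % SECTOR:
            raise ValueError("media must be a whole number of sectors")
        self.data = bytearray(data)
        self.sectors = len(data) // SECTOR

    def execute(self, cmd, lba, payload=b""):
        start = lba * SECTOR
        if cmd in READ_COMMANDS:
            return bytes(self.data[start:start + SECTOR])
        if cmd in WRITE_COMMANDS:
            # Every write-class command alters the media; an erase writes zeros.
            self.data[start:start + SECTOR] = payload.ljust(SECTOR, b"\0")[:SECTOR]
            return b""
        raise ValueError("unknown command " + cmd)


class WriteBlocker:
    """Pass every command through except those on the block list (the slide's first design)."""

    def __init__(self, drive, blocked):
        self.drive = drive
        self.blocked = set(blocked)
        self.refused = []  # audit trail of (command, lba) the host attempted and was denied

    def execute(self, cmd, lba, payload=b""):
        if cmd in self.blocked:
            self.refused.append((cmd, lba))
            return None  # the host sees the command dropped, the drive never sees it
        return self.drive.execute(cmd, lba, payload)


def acquire(device, sectors):
    """Sector-by-sector copy of the media as seen through `device`."""
    return b"".join(device.execute("READ_SECTORS", lba) for lba in range(sectors))


def demo(blocked=WRITE_COMMANDS):
    """Image a constructed 2-sector drive through the blocker, then let the host try to write."""
    original = bytes(range(256)) * 4  # 1024 bytes = 2 sectors of constructed content
    drive = Drive(original)
    blocker = WriteBlocker(drive, blocked)
    image = acquire(blocker, drive.sectors)
    # An examining OS may try to write (e.g. a journal replay); the blocker must swallow it.
    blocker.execute("WRITE_SECTORS", 0, b"journal replay")
    blocker.execute("SECURITY_ERASE", 1)
    return {
        "image_matches": image == original,
        "media_unchanged": bytes(drive.data) == original,
        "refused": blocker.refused,
    }
```

Calling `demo()` with the complete block list leaves the media untouched and records both refused commands. Calling it with a list that omits SECURITY_ERASE shows the weakness of the block-list design: the unlisted write-class command reaches the drive and the media changes after acquisition, which is why a blocker has to be validated against the full command set of the interface it protects before it is trusted in casework.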
ANALYSIS
A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular.
• Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
• Live analysis: the examination of computers from within the operating system, using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with encrypting file systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
DELETED FILES
• A common technique used in computer forensics is the recovery of deleted files.
• Modern forensic software has its own tools for recovering or carving out deleted data.
• Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors.
• File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
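File carving as described on the slide, as an added example that is not part of the presentation: the scanner walks a raw image looking for known file headers, cuts each object out up to its footer, and hashes what it recovered. The JPEG, PNG and PDF header/footer bytes are the real magic values; the image and the three objects in it are constructed, and the objects are structurally minimal (only their headers and footers are genuine). A header whose footer is missing is reported as a partial hit rather than dropped.

```python
import hashlib

SECTOR = 512

# Header/footer signatures of three common file types (real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=1 << 20):
    """Scan a raw image for known headers and cut out each header..footer span.

    A header with no footer within max_size bytes is reported with partial=True:
    the examiner still wants to know a fragment of that type is there.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append({"type": kind, "offset": pos, "size": None,
                              "sha1": None, "data": None, "partial": True})
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            data = image[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "sha1": hashlib.sha1(data).hexdigest(),
                          "data": data, "partial": False})
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


# Constructed sample objects: only the header and footer bytes are genuine.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xaeB`\x82"
PDF_TRUNCATED = b"%PDF-1.4\n" + b"D" * 30  # no %%EOF: the tail was overwritten


def build_image():
    """32-sector image with the samples dropped into sectors whose directory entries are gone."""
    img = bytearray(32 * SECTOR)
    img[3 * SECTOR:3 * SECTOR + len(JPEG_SAMPLE)] = JPEG_SAMPLE
    img[10 * SECTOR:10 * SECTOR + len(PNG_SAMPLE)] = PNG_SAMPLE
    img[20 * SECTOR:20 * SECTOR + len(PDF_TRUNCATED)] = PDF_TRUNCATED
    return bytes(img)
```

Running `carve(build_image())` returns the JPEG at byte offset 1536 (sector 3), the PNG at 5120 (sector 10) and a partial PDF at 10240. Production carvers add per-format structure checks (a JPEG's `\xff\xd9` can also occur inside the body, so the first footer is not always the right one) and cope with fragmented files; this example keeps to the header/footer search the slide describes.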
DIGITAL EVIDENCE ANALYSIS METHODOLOGY
• Protect the crime scene
• Force shutdown of the computer
• Document the hardware configuration of the system
• Transport the computer system to a forensic laboratory
• Make bit stream backups of hard disks and floppy disks
• Authenticate the data mathematically on all storage devices (hash value)
• Document the system date and time
• List the key words for the search
• Evaluate the Windows swap file
• Evaluate file slack
• Evaluate unallocated space (erased files)
• Search files, file slack and unallocated space for key words
• Document file names, dates and times
• Identify file, programme and storage anomalies
• Evaluate the programme functionality
• Document your findings
• Retain copies of software used
PROTECT THE CRIME SCENE
• The first and foremost step is to protect the crime scene; access to the area around the suspect computer should be restricted to the individuals involved with the investigation.
• The scene should be documented in great detail. The computer and the surrounding area should be photographed from all angles.

FORCE SHUTDOWN OF THE COMPUTER
• This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background.
• Do not shut down the computer abruptly.
Follow the detailed power shutdown procedure for the various operating systems as given in the chart:

Operating system: MS-DOS
• Photograph the screen and document any programmes running.
• Pull the power cord from the wall socket.
• In the case of a laptop, remove the battery pack.

Operating system: UNIX/Linux
• Photograph the screen and document any programmes running.
• Right-click the menu.
• From the menu, click Console.
• If the root user prompt (#) is not present, change user to root by typing su -
• If the root password is not available, pull the power cord from the wall socket.
• If the password is available, enter it. At the # sign type sync;sync;halt and the system will shut down.
• Pull the power cord from the wall socket.

Operating system: Mac
• Photograph the screen and document any programmes running.
• Click Special.
• Click Shutdown.
• The window will tell you it is safe to turn off the computer.
• Pull the power cord from the wall socket.

Operating system: Windows 3.x/95/98/NT
• Photograph the screen and document any programmes running.
• Pull the power cord from the wall socket.
• In the case of a laptop, remove the battery pack.
DOCUMENT THE HARDWARE CONFIGURATION OF THE SYSTEM
• Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location.
• In addition to photography, diagram the computer configuration on paper, labelling which cables are attached and what they are attached to.

TRANSPORT THE COMPUTER SYSTEM TO A SECURE LOCATION (FORENSIC LABORATORY)
• Do not leave the subject computer unattended unless it is locked up in a secure location.
• Transport the seized equipment to a secure and controlled environment that is trusted to be free of anything that could modify or destroy the evidence.
MAKE BIT STREAM BACKUPS OF HARD DISKS AND FLOPPY DISKS
What is a bit stream format? A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.
• Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow booting from a floppy).
• The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.
• Evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.
• The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else.
AUTHENTICATE THE DATA MATHEMATICALLY ON ALL STORAGE DEVICES
• Proof may have to be provided that none of the evidence has been altered after the computer came into the possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.
• Use a hash algorithm to generate a numeric expression, and compare this to the same hash algorithm run on the data that was backed up, in order to mathematically authenticate the data.
• This is used as proof that the files have not been changed.

What is a hash algorithm?
• A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
• One use is a data structure called a hash table, widely used in computer software for rapid data lookup.
• Hash functions accelerate table or database lookup by detecting duplicated records in a large file.
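The acquisition slide says the image is verified with SHA-1 or MD5 and re-verified at critical points, and this step says the same hash is recomputed over the backup to prove nothing changed. The following is an added example (not code from the presentation or from any imaging tool) that does both in Python: a sector-by-sector bit stream copy of a constructed 4-sector "device" into an image file, with the digests computed from the source bytes as they are read, followed by a later re-verification that catches a single flipped bit. The MD5 and SHA-1 algorithms are the ones the slides name (MD5's 128-bit digest is the "128-bit level of accuracy"); SHA-256 is included as an assumption about current practice, since collisions are known for both MD5 and SHA-1.

```python
import hashlib
import os
import tempfile

SECTOR = 512
ALGORITHMS = ("md5", "sha1", "sha256")  # slides name MD5 and SHA-1; SHA-256 added as current practice


def _digests():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def image_device(read_sector, sector_count, image_path):
    """Bit stream copy, one sector at a time, hashing the source bytes as they are read.

    Hashing the bytes on their way from the device (rather than the file afterwards)
    ties the recorded values to what the device returned during acquisition.
    """
    hashes = _digests()
    with open(image_path, "wb") as out:
        for lba in range(sector_count):
            block = read_sector(lba)
            for h in hashes.values():
                h.update(block)
            out.write(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk=1 << 16):
    hashes = _digests()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify(path, recorded):
    """Re-hash the image and compare every digest with the values recorded at acquisition."""
    return hash_file(path) == recorded


DEVICE = bytes(range(256)) * 8  # constructed 4-sector "drive" (2048 bytes)


def demo():
    def read_sector(lba):
        return DEVICE[lba * SECTOR:(lba + 1) * SECTOR]

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        acquisition = image_device(read_sector, len(DEVICE) // SECTOR, path)
        ok_before = verify(path, acquisition)
        with open(path, "r+b") as f:  # flip one bit to model an undetected alteration
            f.seek(700)
            byte = f.read(1)[0]
            f.seek(700)
            f.write(bytes([byte ^ 0x01]))
        ok_after = verify(path, acquisition)
    return acquisition, ok_before, ok_after
```

`demo()` returns the digests recorded at acquisition together with the verification result before and after the tampering: the first check passes, the second fails on every algorithm. In casework the recorded digests go into the acquisition notes and every later `verify` call is logged, which is the "hashing at critical points" the slide refers to.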
DOCUMENT THE SYSTEM DATE AND TIME
• The dates and times associated with computer files can be extremely important from an evidence standpoint.
• However, the accuracy of the dates and times is just as important.
• Document the system date and time setting at the time the computer is taken into possession.

LIST THE KEY WORDS FOR THE SEARCH
• Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved.
• Information gathered from the individuals who are familiar with the case would help in compiling a list of
EVALUATE THE WINDOWS SWAP FILE
• The Windows swap file is a potentially valuable source of evidence and leads.
• The evaluation of the swap file can be automated with forensic tools.
• New Technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words, which can be added to the list.

EVALUATE FILE SLACK
• File slack is a data storage area of which most computer users are not aware.
• It is a source of significant security leakage and consists of raw memory dumps that occur during the work session, as files are closed.
• The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or view of the user.
• Forensic tools are required to view and evaluate the file slack.
EVALUATE UNALLOCATED SPACE (ERASED FILES)
• The 'delete' function of DOS and Windows does not completely erase the file names or the file contents.
• Unallocated space may still contain these erased files and the file slack associated with erased files.
• The DOS undelete programme can be used to restore previously erased files.

SEARCH FILES, FILE SLACK AND UNALLOCATED SPACE FOR KEY WORDS
• The list of relevant key words, identified in the previous step, should be used to search all relevant computer hard disk drives and floppy disks.
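The three preceding steps (file slack, unallocated space, and the key word search across files, slack and unallocated space) are illustrated by the following added example, which is not code from the presentation. It models a simple file system on a constructed image: a 4096-byte allocation unit, two live files described by (name, first cluster, cluster count, logical size), slack as the tail of a file's last cluster beyond its logical size, and unallocated space as every cluster no live file owns. The key word search then reports, for each hit, which of the three regions it fell in, so the examiner can see at once that a hit in slack or unallocated space was never visible to the user. The cluster size, file table, image contents and key words are all constructed.

```python
CLUSTER = 4096  # allocation unit of the constructed file-system model (8 sectors of 512 bytes)


def regions(image_len, files):
    """Split an image into (kind, file, start, end) byte ranges.

    files: iterable of (name, first_cluster, cluster_count, logical_size).
    Adjacent unallocated clusters are merged into one range so that a key word
    straddling a cluster boundary is still found.
    """
    regs, used = [], set()
    for name, first, count, size in files:
        start, eof = first * CLUSTER, first * CLUSTER + size
        regs.append(("file", name, start, eof))                      # bytes the user can see
        regs.append(("slack", name, eof, (first + count) * CLUSTER))  # beyond logical EOF
        used.update(range(first, first + count))
    run_start = None
    total = image_len // CLUSTER
    for c in range(total + 1):
        free = c < total and c not in used
        if free and run_start is None:
            run_start = c
        elif not free and run_start is not None:
            regs.append(("unallocated", None, run_start * CLUSTER, c * CLUSTER))
            run_start = None
    return regs


def keyword_search(image, files, keywords):
    """Find every occurrence of each key word and label it with the region it sits in."""
    hits = []
    for kind, name, start, end in regions(len(image), files):
        chunk = image[start:end]
        for kw in keywords:
            pos = chunk.find(kw)
            while pos != -1:
                hits.append({"keyword": kw.decode(), "region": kind,
                             "file": name, "offset": start + pos})
                pos = chunk.find(kw, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed 6-cluster image: two live files plus residue in slack and unallocated space.
FILES = [("report.txt", 1, 1, 1000), ("notes.txt", 3, 1, 3000)]
KEYWORDS = [b"payroll", b"secret"]


def build_image():
    img = bytearray(6 * CLUSTER)
    img[1 * CLUSTER + 100:1 * CLUSTER + 107] = b"payroll"    # inside report.txt's live data
    img[1 * CLUSTER + 1050:1 * CLUSTER + 1056] = b"secret"   # report.txt slack: old data past EOF
    img[5 * CLUSTER - 3:5 * CLUSTER + 3] = b"secret"         # unallocated, crossing clusters 4 and 5
    img[5 * CLUSTER + 10:5 * CLUSTER + 17] = b"payroll"      # unallocated: remains of an erased file
    return bytes(img)
```

`keyword_search(build_image(), FILES, KEYWORDS)` returns four hits: "payroll" in the live data of report.txt, "secret" in report.txt's slack (invisible to a user opening the file), and both words in unallocated space, one of them straddling a cluster boundary and found only because free clusters 4 and 5 were merged into one search range. The region labels are what make the later "document your findings" step meaningful: a key word in slack or unallocated space supports a different inference than one in a live file.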
DOCUMENT FILE NAMES, DATES AND TIMES
• From an evidence standpoint, file names and their dates of creation and last modification can be relevant.
• Therefore, it is important to catalogue all these dates and times for existing and erased files.

IDENTIFY FILE, PROGRAMME AND STORAGE ANOMALIES
• Encrypted, compressed and graphic files store data in binary format.
• As a result, a text search programme cannot identify text data stored in these formats.
• Manual evaluation of these files is required and, in the case of encrypted files, more effort may be involved. Reviewing the partitions on the seized hard disk drive is also important.
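The two steps above, cataloguing file names with their dates and times and flagging files whose binary content defeats a text search, are combined in the following added example, which is not code from the presentation. It walks a directory, records each file's size, timestamps, and SHA-1, and raises two anomaly flags: a file whose extension does not match the magic bytes of its content (a renamed image or archive), and a file whose byte entropy is so high that it is probably encrypted or compressed and will not yield to key word search. The magic values are real; the 7.5 bits-per-byte threshold, the sample files, and the directory layout are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Real magic values for a few binary formats that a text search cannot read.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png",
         b"%PDF-": ".pdf", b"PK\x03\x04": ".zip"}
HIGH_ENTROPY = 7.5  # bits per byte; constructed threshold, plain text sits well below it


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum, typical of ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def catalogue(root):
    """Inventory every file under root with timestamps, hash and anomaly flags."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                data = f.read()
            flags = []
            claimed = os.path.splitext(name)[1].lower()
            actual = next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)
            if actual and actual != claimed:
                flags.append(f"extension {claimed or '(none)'} but content is {actual}")
            ent = shannon_entropy(data)
            if len(data) >= 256 and ent > HIGH_ENTROPY:
                flags.append("high entropy: likely encrypted or compressed, keyword search unreliable")
            rows.append({
                "name": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                "changed": _iso(st.st_ctime),  # metadata change time on POSIX, creation time on Windows
                "sha1": hashlib.sha1(data).hexdigest(),
                "entropy": round(ent, 2),
                "anomalies": flags,
            })
    return rows


def demo():
    """Constructed evidence set: plain text, a JPEG renamed to .txt, and a ciphertext-like blob."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "memo.txt"), "wb") as f:
            f.write(b"the quarterly payroll figures are attached\n" * 20)
        with open(os.path.join(tmp, "photo.txt"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 300 + b"\xff\xd9")
        with open(os.path.join(tmp, "vault.bin"), "wb") as f:
            f.write(bytes(range(256)) * 8)  # every byte value equally often: entropy 8.0
        return catalogue(tmp)
```

`demo()` produces one row per file; memo.txt carries no flags, photo.txt is flagged because its content is a JPEG despite the .txt name, and vault.bin is flagged as high entropy. The timestamps are written in UTC with an explicit offset because the "document the system date and time" step only makes sense when every recorded time states its reference clock.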
EVALUATE THE PROGRAMME FUNCTIONALITY
• Depending on the application software involved, running programmes to learn their purpose may be necessary.

DOCUMENT YOUR FINDINGS
• As indicated in the preceding steps, it is very important to document the findings as issues are identified and as evidence is found.
• It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmes.

RETAIN COPIES OF SOFTWARE USED
• As part of the documentation process, it is recommended that a copy of the forensic tool software used be included.
• Often it is necessary to duplicate the forensic processing results during or before trial.
• Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
OFFENCE & PUNISHMENT UNDER THE INFORMATION TECHNOLOGY ACT, 2000
Offences
The offences included in the IT Act 2000 are as follows:
1. Tampering with computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions.
5. Directions of Controller to a subscriber to extend facilities to decrypt information.
6. Protected system.
7. Penalty for misrepresentation.
8. Penalty for breach of confidentiality and privacy.
9. Penalty for publishing a Digital Signature Certificate false in certain particulars.
10. Publication for fraudulent purpose.
11. Act to apply for offence or contravention committed outside India.
12. Confiscation.
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.
PUNISHMENT
• Section 43 of the IT Act states that any act of destroying, altering or stealing a computer system/network, or deleting information, or damaging data or information without the authorisation of the owner of that computer makes the offender liable to pay compensation to the owner for the damages.
• Section 43A of the IT Act states that any corporate body dealing with sensitive information that is negligent in implementing reasonable security practices, causing loss or wrongful gain to any other person, will also be liable to pay compensation to the affected party.
• Section 66 states that hacking of a computer system by an individual dishonestly or fraudulently is punishable with 3 years' imprisonment, a fine of Rs. 5,00,000, or both.
• Section 66A states that any offensive information with demean
PUNISHMENT (continued)
• Sections 66B, 66C and 66D: fraudulently or dishonestly using or transmitting information, or identity theft, is punishable with 3 years' imprisonment, a fine of Rs. 1,00,000, or both.
• Section 66E: violation of privacy by transmitting an image of a private area is punishable with 3 years' imprisonment, a fine of Rs. 2,00,000, or both.
• Section 66F: cyber terrorism affecting the unity, integrity, security or sovereignty of India through a digital medium is punishable with life imprisonment.
• Section 67 states that publishing obscene information or pornography, or transmitting obscene information in public, is punishable with imprisonment of up to 5 years, a penalty of Rs. 10,00,000, or both.