2. CONTENTS
DIGITAL EVIDENCE
PLACES WHERE DIGITAL EVIDENCE IS FOUND
WHY INVESTIGATE?
CARDINAL RULES OF COMPUTER FORENSICS
BASIC CONCEPTS OF ANALYSIS OF DIGITAL EVIDENCE
DIGITAL EVIDENCE ANALYSIS METHODOLOGY
OFFENCES & PUNISHMENT UNDER THE INFORMATION TECHNOLOGY ACT, 2000
3. DIGITAL EVIDENCE
Digital evidence is information stored or transmitted in
binary form that may be relied on in court.
Digital evidence includes information on computers, audio
files, video recordings, and digital images.
Digital evidence is information and data of value to an
investigation that is stored on, received, or transmitted by an
electronic device.
This evidence is acquired when data or electronic devices
are seized and secured for examination. Digital evidence—
■ Is latent, like fingerprints or DNA evidence.
■ Crosses jurisdictional borders quickly and easily.
■ Is easily altered, damaged, or destroyed.
■ Can be time sensitive.
4. POSSIBLE PLACES WHERE DIGITAL EVIDENCE IS FOUND
Possible places that digital evidence can reside include:
Computers
External hard drives
CDs and DVDs
Thumb drives
Floppy disks
Cell phones
Voice over IP phones
Answering machines
iPods
5. (continued)
Electronic game devices
Digital video recorders (TiVos)
Digital cameras
PDAs
GPS units
Routers
Switches
Wireless access points
Servers
Fax machines
Printers that buffer files
Photocopiers that buffer files
Scanners that buffer files
6. WHY INVESTIGATE?
First we will need to consider the complaint
or the initial reason for conducting an
investigation.
Some typical reasons that may warrant an
investigation include, but are not limited to:
Unauthorised access to a computer or network
Internet usage exceeding the norm
Using e-mail inappropriately
7. (continued)
Use of the Internet, e-mail, or a PC in a
non-work-related manner
Theft of information
Violation of security policies or procedures
Intellectual property infringement
Electronic tampering
Online or economic fraud
Software piracy
Telecommunication fraud
Terrorism (homeland security)
Child abuse or exploitation
8. CARDINAL RULES OF COMPUTER FORENSICS
The cardinal rules have evolved to facilitate a
forensically sound examination of computer media and
enable a forensic scientist to testify in court in respect of
their handling of a particular piece of evidence.
The five cardinal rules are:
1. Never mishandle the evidence.
2. Never work on the original evidence.
3. Never trust the subject's operating system.
4. Document everything.
5. The result should be repeatable and verifiable by a third party.
10. SEIZURE
Prior to the actual examination, digital media will be seized.
In criminal cases this will often be performed by law
enforcement personnel trained as technicians to ensure
the preservation of evidence.
In civil matters it will usually be a company officer, often
untrained. Various laws cover the seizure of material.
In criminal matters the law relating to search warrants is
applicable.
In civil proceedings the assumption is that a company is
able to investigate its own equipment without a warrant,
so long as the privacy and human rights of employees are
observed.
11. ACQUISITION
A Tableau forensic write blocker
Once exhibits have been seized, an
exact sector-level duplicate (or "forensic
duplicate") of the media is created, usually
via a write-blocking device, a process
referred to as imaging or acquisition.
The duplicate is created using a hard-drive
duplicator or software imaging tools such
as dcfldd, IXimager, Guymager,
TrueBack, EnCase, FTK Imager or FDAS.
The original drive is then returned to secure
storage to prevent tampering.
12. The acquired image is verified by using the SHA-1 or MD5 hash
functions. At critical points throughout the analysis, the media is
verified again, known as "hashing", to ensure that the evidence
is still in its original state.
Sector
A sector is the smallest physical storage
unit on the disk.
A sector is a subdivision of a track on
a magnetic disk or optical disc.
Each sector stores a fixed amount of user-
accessible data, traditionally
512 bytes for hard disk drives (HDDs) and
2048 bytes for CD-ROMs and DVD-ROMs.
13. Write Blockers
Write blockers are devices that allow
acquisition of information on
a drive without creating the possibility of
accidentally damaging the drive contents.
There are two ways to build a write
blocker: the blocker can allow all
commands to pass from the computer to
the drive except for those that are on a
particular list.
Alternatively, the blocker can specifically block the write commands
and let everything else through.
There are two types of write blockers, native and tailgate. A native
device uses the same interface for both in and out, for example an
IDE-to-IDE write blocker. A tailgate device uses one interface for one side
and a different one for the other, for example a FireWire-to-SATA write
blocker.
A hard drive attached to a portable
write blocker
14. Analysis
A number of techniques are used during computer forensics
investigations, and much has been written on the many techniques
used by law enforcement in particular.
Cross-drive analysis
A forensic technique that correlates information found on
multiple hard drives. The process, still being researched, can be used
to identify social networks and to perform anomaly detection.
Live analysis
The examination of computers from within the operating system
using custom forensics or existing sysadmin tools to extract
evidence.
The practice is useful when dealing with Encrypting File Systems,
for example, where the encryption keys may be collected and, in
some instances, the logical hard drive volume may be imaged
(known as a live acquisition) before the computer is shut down.
15. Deleted files
A common technique used in computer forensics is
the recovery of deleted files.
Modern forensic software has its own tools for
recovering or carving out deleted data.
Most operating systems and file systems do not
always erase physical file data, allowing
investigators to reconstruct it from the
sectors.
File carving involves searching for known file
headers within the disk image and
reconstructing deleted material.
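The header search that the slide describes, as an added Python example that is not part of the original deck: it scans a raw image for JPEG and PNG signatures and carves each file out to its trailer, with no help from the file system. The 8 KiB sample image, its two "deleted" files and their offsets are constructed for the example.

```python
import re

# Header (start marker) and trailer (end marker) for two common image formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=64 * 1024 * 1024):
    """Scan a raw disk image for known headers and return the carved files.

    Carving ignores the file system, which is why it still works for deleted
    files: the directory entry is gone but the bytes remain on the sectors.
    Each result is (file type, start offset, carved bytes).
    """
    found = []
    for ftype, (header, trailer) in signatures.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                continue  # no trailer within range: truncated or overwritten
            end += len(trailer)
            found.append((ftype, start, image[start:end]))
    return sorted(found, key=lambda f: f[1])


def build_sample_image():
    """Constructed 16-sector image holding two files with no directory entries."""
    sector = 512
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
    image = bytearray(16 * sector)
    image[3 * sector:3 * sector + len(jpeg)] = jpeg           # sector-aligned start
    image[9 * sector + 17:9 * sector + 17 + len(png)] = png   # unaligned start
    return bytes(image)


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```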
16. DIGITAL EVIDENCE ANALYSIS METHODOLOGY
Protect the crime scene
Force shutdown of the computer
Document the hardware configuration of the system
Transport the computer system to a forensic laboratory
Make bit stream backups of hard disks and floppy disks
Authenticate the data mathematically on all storage devices (hash value)
Document the system date and time
List the key words for the search
Evaluate the Windows swap file
Evaluate file slack
Evaluate unallocated space (erased files)
Search files, file slack and unallocated space for key words
Document file names, dates and times
Identify file, programme and storage anomalies
Evaluate the programme functionality
Document your findings
Retain copies of software used
17. Protect the crime scene
The first and foremost step is to
protect the crime scene, for which
access to the area around the suspect
computer should be restricted only to
the individuals involved with the
investigation.
The scene should be documented in great detail. The computer
and the surrounding area should be photographed from all angles.
Force shutdown of the computer
This should be done as quickly as possible.
Consideration should be given to possible
destructive processes that may be operating
in the background.
Do not shut down the computer abruptly.
18. Follow the detailed power shut-down procedure for the various operating systems as
given in the chart:
Operating system | Power shut-down procedure
MS-DOS | Photograph the screen and document any programmes running.
  Pull the power cord from the wall socket.
  In the case of a laptop, remove the battery pack.
UNIX/Linux | Photograph the screen and document any programmes running.
  Right-click the menu.
  From the menu, click Console.
  If the root prompt (#) is not present, change user to root by typing su -
  If the root password is not available, pull the power cord from the wall socket.
  If the password is available, enter it. At the # sign type sync;sync;halt and
  the system will shut down.
  Pull the power cord from the wall socket.
Mac | Photograph the screen and document any programmes running.
  Click Special.
  Click Shut Down.
  The window will tell you it is safe to turn off the computer.
  Pull the power cord from the wall socket.
Windows 3.x/95/98/NT | Photograph the screen and document any programmes running.
  Pull the power cord from the wall socket.
  In the case of a laptop, remove the battery pack.
19. Document the hardware configuration of the system
Pay close attention to how the computer is
set up before it is dismantled, as it will have
to be restored to its original condition at a
secure location.
In addition to photography, diagram the
computer configuration on paper and
label which cables are attached and
what they are attached to.
Transport the computer system to a secure location (forensic
laboratory)
Do not leave the subject computer
unattended unless it is locked up in a
secure location.
Transport the seized equipment to a secure
and controlled environment that is trusted
to be free of any thing that could modify or
destroy the evidence.
20. Make bit stream backups of hard disks/floppy disks
What is a bit stream format?
A bit stream format is the
format of the data found in
a stream of bits used in
a digital communication
or data storage application.
Disconnect the hard drive and boot
from a floppy disk (the BIOS may
need to be modified to allow booting from
a floppy).
The computer should not be operated and computer evidence
should not be processed until bit stream backups of all hard disk
drives and floppy disks have been made.
The evidence processing should be done on a restored copy of
the bit stream backup rather than on the original computer.
The computer forensic scientist should
make a bit stream image of the suspect
hard drive before anything else.
21. Authenticate the data mathematically on all storage
devices
Proof may have to be provided that none of the evidence has been altered after the
computer came into the possession of the investigation team. Forensic tools are
available to mathematically authenticate the data using a 128-bit level of
accuracy.
Use a hash algorithm to generate a numeric expression and compare this to the
same hash algorithm run on the data that was backed up, in order to mathematically
authenticate the data.
This is used as proof that the files have not been changed.
What is a hash algorithm?
A hash function is any function that can
be used to map data of arbitrary size to
data of fixed size. The values returned by a hash function
are called hash values, hash
codes, hash sums, or simply hashes.
One use is a data structure called
a hash table, widely used in computer
software for rapid data lookup.
Hash functions accelerate table or
database lookup by detecting
duplicated records in a large file.
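Slide 12 verifies the acquired image with SHA-1 or MD5, and this slide compares the recorded hash with a fresh one; the Python script below, added here and not part of the original deck, does both: it hashes an image in chunks at acquisition, re-verifies it later and reports which digests disagree after a single byte is altered. The 8-sector sample image, the file name evidence.dd and the extra SHA-256 digest are assumptions of the example.

```python
import hashlib
import os
import tempfile

# The slide's algorithms (MD5, SHA-1) plus SHA-256, added here because MD5 and
# SHA-1 are no longer collision resistant; recording all three is common practice.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(path, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Return {algorithm: hex digest} for the image at `path`.

    The file is read in chunks, so a multi-gigabyte image never has to fit in
    memory, and every algorithm is fed from the same single pass over it.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        chunk = fh.read(chunk_size)
        while chunk:
            for h in hashers.values():
                h.update(chunk)
            chunk = fh.read(chunk_size)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns (True, []) when every digest matches, otherwise
    (False, [names of the algorithms that disagree]).
    """
    current = hash_image(path, algorithms=tuple(recorded))
    mismatches = [name for name in recorded if current[name] != recorded[name]]
    return (not mismatches, mismatches)


def demo():
    """Constructed image of 8 sectors (4096 bytes); one byte is then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        recorded = hash_image(image)                  # noted in the acquisition log
        ok_before, _ = verify_image(image, recorded)  # re-check before analysis starts
        with open(image, "r+b") as fh:                # simulate an accidental write
            fh.seek(2048)
            fh.write(b"\xff")
        ok_after, bad = verify_image(image, recorded)
        return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```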
22. Document the system date and time
The dates and times associated with the
computer files can be extremely
important from an evidence standpoint.
However, the accuracy of the dates and
times is just as important.
Document the system date and time
setting at the time the computer is taken
into possession.
List the key words for the search
Forensic tools are available to search for
the relevant evidence. Usually, some
information is known about the
allegations, the computer user and the
alleged associates that may be involved.
Information gathered from the
individuals who are familiar with the
case would help in compiling a list of
key words.
23. Evaluate the Windows swap file
The Windows swap file is a potentially valuable source of
evidence and leads.
The evaluation of the swap file can be automated with forensic
tools.
New Technologies Inc. has tools and programmes that will
capture erased file space and create a file that can be
searched for key words that can be added to the list.
Evaluate file slack
File slack is a data storage area of which most
computer users are not aware.
It is a source of significant security leakage and consists of
raw memory dumps that occur during the work session, as the
files are closed.
The data dumped from the memory ends up being stored at
the end of allocated files, beyond the reach or view of the
user.
Forensic tools are required to view and evaluate the file slack.
24. Evaluate unallocated space (erased files)
The 'delete' function of DOS and Windows does not
completely erase the file names or the file contents.
Unallocated space may still contain these erased files and the
file slack associated with erased files.
The DOS undelete programme can be used to restore the
previously erased files.
Search files, file slack and unallocated space for key words
The list of relevant key words, identified in the previous step,
should be used to search all relevant computer hard disk drives
and floppy disks.
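The three regions covered by slides 23 and 24, file data, file slack and unallocated space, in one added Python example that is not part of the original deck: it builds a small constructed volume in which an earlier session's data survives in the slack of a live file and in a freed cluster, then runs the key word search over the whole volume and reports in which region each hit lies. The 2048-byte cluster, the allocation table and the file contents are all constructed for the example.

```python
CLUSTER = 2048  # bytes per cluster (4 sectors of 512 bytes); constructed value

# Allocation table of the constructed volume: (name, first cluster, cluster count, size)
FILES = [("report.txt", 0, 2, 2500), ("notes.txt", 3, 1, 100)]


def classify_offset(offset, files=FILES, cluster=CLUSTER):
    """Say whether a byte offset lies in a file's data, its slack, or unallocated space."""
    for name, start, count, size in files:
        lo, hi = start * cluster, (start + count) * cluster
        if lo <= offset < hi:
            # Bytes past the logical size but inside the last cluster are file slack.
            return ("file", name) if offset < lo + size else ("slack", name)
    return ("unallocated", None)


def keyword_search(volume, keywords, files=FILES, cluster=CLUSTER):
    """Case-insensitive search of the whole volume; each hit records where it lies."""
    hits = []
    haystack = volume.lower()
    for kw in keywords:
        needle = kw.lower().encode()
        pos = haystack.find(needle)
        while pos != -1:
            region, name = classify_offset(pos, files, cluster)
            hits.append((kw, pos, region, name))
            pos = haystack.find(needle, pos + 1)
    return hits


def build_sample_volume():
    """Constructed 5-cluster volume: live file data, file slack and unallocated clusters."""
    vol = bytearray(5 * CLUSTER)
    # Remnants of an earlier session (the memory dumps the slide describes) sit in
    # clusters 1-2 before the current files are written on top of them.
    remnant = b"memory dump: password=hunter2 " * 140
    vol[CLUSTER:3 * CLUSTER] = remnant[:2 * CLUSTER]
    # report.txt is 2500 bytes: it fills cluster 0 and 452 bytes of cluster 1; the
    # rest of cluster 1 is its slack and still holds the remnant.
    vol[0:2500] = b"Quarterly report: invoice 4200 approved.".ljust(2500, b".")
    # notes.txt occupies cluster 3; clusters 2 and 4 are unallocated.
    vol[3 * CLUSTER:3 * CLUSTER + 100] = b"Meeting notes: nothing new.".ljust(100, b".")
    return bytes(vol)


if __name__ == "__main__":
    for kw, pos, region, name in keyword_search(build_sample_volume(), ["invoice", "password"]):
        print(f"{kw!r} at {pos}: {region} {name or ''}")
```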
25. Document file names, dates and times
From an evidence standpoint, file
names, their date of creation and last
modification can be relevant.
Therefore, it is important to catalogue
the dates and times of existing and
erased files.
Identify file, programme and storage anomalies
Encrypted, compressed and graphic files store data
in binary format.
As a result, a text search programme cannot identify
text data stored in these formats.
Manual evaluation of these files is required and, in the
case of encrypted files, more effort may be
involved. Reviewing the partitions on seized hard
disk drives is also important.
26. Evaluate the programme functionality
Depending on the application software involved, running programmes
to learn their purpose may be necessary.
Document your findings
As indicated in the preceding steps, it is very important to document
the findings as issues are identified and as evidence is found.
It is also important to document the software that was used in the
forensic evaluation of the evidence, including the version numbers of
the programmes.
Retain copies of software used
As part of the documentation process, it is recommended that a copy
of the forensic tool software used be included.
Often it is necessary to duplicate the forensic processing result during
or before trial.
Duplication of the result can be difficult or impossible to achieve if the
software has been upgraded and the original version used was not
retained.
27. Offences & punishment under the Information Technology
Act, 2000
Offences
The offences included in the IT Act 2000 are as follows:
1. Tampering with the computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions
5. Directions of Controller to a subscriber to extend facilities to
decrypt information
6. Protected system
7. Penalty for misrepresentation
8. Penalty for breach of confidentiality and privacy
9. Penalty for publishing Digital Signature Certificate false in certain
particulars
10. Publication for fraudulent purpose
11. Act to apply for offence or contravention committed outside India
12. Confiscation
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.
28. Punishment
Section 43 of the IT Act states that any act of destroying, altering or
stealing a computer system/network, or deleting information
with the intent of damaging data or information, without the authorisation
of the owner of that computer, makes the actor liable to pay
compensation for damages to the owner.
Section 43A of the IT Act states that any corporate body dealing with
sensitive information that is negligent in implementing
reasonable security practices, causing loss or wrongful gain to
any other person, will also be liable to pay
compensation to the affected party.
Section 66 states that hacking of a computer system by an individual
dishonestly or fraudulently is punishable with 3 years' imprisonment, a
fine of Rs. 5,00,000, or both.
Section 66A states any offensive information with demean
29. Sections 66B, 66C and 66D: fraudulently or dishonestly using or
transmitting information, or identity theft, is punishable with 3 years'
imprisonment, a fine of Rs. 1,00,000, or both.
Section 66E: violation of privacy by transmitting an image of a
private area is punishable with 3 years' imprisonment, a fine of Rs. 2,00,000,
or both.
Section 66F: cyber terrorism affecting the unity, integrity,
security or sovereignty of India through a digital medium is liable
for life imprisonment.
Section 67 states that publishing obscene information or
pornography, or transmitting obscene information in public, is
liable for imprisonment up to 5 years, a penalty of Rs.
10,00,000, or both.