This document discusses digital forensics best practices using open source tools and the admissibility of digital evidence in courts. It provides an overview of digital forensics processes including acquisition, analysis, documentation and reporting of digital evidence from devices, networks and online activities. It compares open source and proprietary forensic tools and lists examples of each. The document also discusses requirements for digital evidence admissibility in Indian courts under the Evidence Act and the role of expert witnesses in digital forensics cases.
Digital Forensics best practices with the use of open source tools and admissibility of digital evidence in courts
1. Digital Forensics Best Practices with the use of Open Source Tools and Admissibility of Digital Evidence in Courts
Mr. Ninad Nawaghare CFE CFAP DEA CSIR
Mr. Sagar Rahurkar CFE BLS LLB LLM CCI
2. Illustration 1
The boy is accused of sending an obscene SMS.
As per the National Crime Research Bureau, during 2012, 587 cases were registered under the cyber crime category for eve teasing / harassment.
Source: National Crime Research Bureau - http://ncrb.gov.in/
3. Illustration 2
The origin of a threatening email was traced back to a cyber café.
As per the National Crime Research Bureau, during 2012, a total of 135 cases were registered under the cyber crime category for extortion & revenge settling.
Source: National Crime Research Bureau - http://ncrb.gov.in/
4. Illustration 3
Accounting software is stolen from a server located in Country A. With minor alterations, the same software is sold at a cheaper cost in Country B.
As per the National Crime Research Bureau, during 2012, a total of 624 cases were registered under the cyber crime category for greed of money and 668 cases were registered for fraud / illegal gain.
Source: National Crime Research Bureau - http://ncrb.gov.in/
5. Illustration 4
Intending to take revenge on the management, a disgruntled employee sends a fake mail to the stakeholders alleging irregularities in the company's affairs.
As per the National Crime Research Bureau, during 2012, a total of 117 cases were registered under the cyber crime category for causing disrepute to an individual, government or organization.
Source: National Crime Research Bureau - http://ncrb.gov.in/
6. Vexing questions with respect to the illustrations
Where is the evidence?
What is the evidence?
How do I investigate? How do I prove the crime?
7. The solution is “Digital Forensics”
‘Digital’ is defined in the Oxford Dictionary as [2]:
• (of signals or data) expressed as a series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization. Often contrasted with analogue.
• involving or relating to the use of computer technology: the digital revolution
‘Forensics’ is defined in the Oxford Dictionary as [3]:
• Scientific tests or techniques used in connection with the detection of crime
Thus Digital Forensics can be defined as:
A discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.
Sources:
[2] http://oxforddictionaries.com/definition/english/digital?q=Digital
[3] http://oxforddictionaries.com/definition/english/forensic
8. The expected outcome of “Digital Forensics” is “Digital Evidence”
Digital evidence can be defined as:
Information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.
Traits of Digital Evidence
• May be found in: storage devices like hard disc, CD, DVD, memory card, USB drive, mobile phones & SIM card, and online resources like mail servers & cloud servers.
• Can be hidden in: password protected files, encrypted files, steganography files, formatted hard disc, HPA (Host Protected Area) or DCO (Device Configuration Overlay) of hard drives.
• Can relate to: online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attack), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.
9. Phases in the “Digital Forensics” process
Phase 1: Identification of storage media for potential evidence
Phase 2: Acquisition of the storage media
Phase 3: Forensic analysis of the acquired media
Phase 4: Documentation & Reporting
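The acquisition and documentation phases above are what later have to be proved in court, so the one thing every examiner records is the hash of the media taken at acquisition time, together with who handled it. The following Python is an added example, not code from the original deck; the examiner names, the "seized_usb_001" label and the 4 KiB sample image are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an evidence image as lowercase hex (the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, examiner: str, source: str) -> dict:
    """Phase 2 + 4: hash the image at acquisition time and start the
    custody record that must accompany the image into the courtroom."""
    return {
        "source": source,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
        "custody": [{"action": "acquired", "by": examiner}],
    }


def transfer(record: dict, to: str) -> dict:
    """Every hand-over is appended to the custody list; nothing is overwritten."""
    record["custody"].append({"action": "transferred", "to": to})
    return record


def verify(image: bytes, record: dict) -> bool:
    """Phase 3 should only start on a working copy that still matches the
    acquisition hash; any single-bit change makes this return False."""
    return len(image) == record["size_bytes"] and sha256_hex(image) == record["sha256"]


# Constructed sample "image": a 4 KiB byte pattern standing in for a disk image.
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    rec = acquire(SAMPLE_IMAGE, "examiner_01", "seized_usb_001 (placeholder)")
    transfer(rec, "analyst_02")
    print(json.dumps(rec, indent=2))
    print("working copy intact:", verify(SAMPLE_IMAGE, rec))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip one bit to show the check failing
    print("tampered copy intact:", verify(bytes(tampered), rec))
```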
10. Forensic analysis of the acquired media involves:
• Analyzing digital information
• Identifying traces of network / computer intrusion
• Identifying & examining malicious files
• Employing techniques to crack file & system passwords
• Detecting steganography
• Recovering deleted, fragmented & corrupted data
• Maintaining evidence custody procedures
• Analyzing online activities
• Courtroom presentation
11. Digital Forensics Process (To Recapitulate)
Storage media is subjected to the Digital Forensics process, which acquires digital evidence from it.
The Digital Forensics process can be implemented either with commercial tools, a.k.a. proprietary tools, or with open source free tools.
Commercial / Proprietary Tools are software applications designed with a commercial objective. The source code & the internal working of the software application are privileged and concealed from the user.
Open Source Free Tools are software applications available for use at no cost. The source code & the internal working of the software application are known to the user. Furthermore, the user has the liberty of altering the source code as per the requirements.
12. ISSUES with Commercial / Proprietary Tools
High capital cost
High operational cost
High maintenance cost (paid updates or bug fixing)
Algorithm/logic not known
Source code is strictly privileged
Heavy dependency on the software manufacturer
Restricted usage
ADVANTAGES with Open Source Tools
Zero capital cost
Minimal / No operational cost
Minimal / No maintenance cost
Algorithm/logic is known to the user
Source code is freely available for access, editing & customization
Extensive support from the open source community
Free usage to any number of users
13. Law Enforcement initiatives in “Open Source Digital Forensics Tools”
• By: Belgian Federal Computer Crime Unit (FCCU) - http://www.lnx4n6.be/index.php
• An advanced network forensic framework. By: Australian Federal Police, Brisbane, Australia - http://sourceforge.net/projects/pyflag/files/
• Project in the Software and Systems Division supported by the Law Enforcement Standards Office and the Department of Homeland Security - http://www.cftt.nist.gov/index.html
14. Law Enforcement initiatives in “Open Source Digital Forensics Tools” cont.
• The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency - http://ocfa.sourceforge.net/
• ForeIndex: A Framework for Analysis and Triage of Data Forensics. By: Forensic Expert of the Brazilian Federal Police & Researcher of the Brazilian Space Agency - http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/presentations/
15. Commercial / Proprietary & Open Source Tools for Imaging in the Acquisition Phase
Proprietary Tools
• EnCase Forensic - Guidance Software - www.guidancesoftware.com/encase-forensic.htm
• FTK - AccessData - www.accessdata.com/products/digital-forensics/ftk
• WinHex - X-Ways Software Technology AG - www.x-ways.net/winhex/
• Forensics Apprentice - www.registryforensics.com/
• BlackLight - www.blackbagtech.com/blacklight-1.html
• Cellebrite - Mobile Forensics and Data transfer solutions - www.cellebrite.com/
• Paraben - Handheld Digital Forensics - http://www.paraben.com/handheld-forensics.html
Open Source Tools
• Digital Forensics Framework - www.digital-forensic.org
• CAINE - www.caine-live.net/
• DEFT - www.deftlinux.net/
Note: the open source tools listed above are not an exhaustive list.
16. Commercial / Proprietary & Open Source Tools for Forensic Analysis
Analysis activities covered: analyzing digital information; identifying & examining malicious files; recovering deleted, fragmented, corrupted data; analyzing online activities; analyzing mobiles.
Proprietary Tools
• EnCase Forensic - Guidance Software - www.guidancesoftware.com/encase-forensic.htm
• FTK - AccessData - www.accessdata.com/products/digital-forensics/ftk
• WinHex - X-Ways Software Technology AG - www.x-ways.net/winhex/
• Forensics Apprentice - www.registryforensics.com/
• BlackLight - www.blackbagtech.com/blacklight-1.html
• Cellebrite - Mobile Forensics and Data transfer solutions - www.cellebrite.com/
• Paraben - Handheld Digital Forensics - http://www.paraben.com/handheld-forensics.html
Open Source Tools
• Digital Forensics Framework - www.digital-forensic.org
• CAINE - www.caine-live.net/
• DEFT - www.deftlinux.net/
• SAFT Mobile Forensics - www.signalsec.com/saft/
Note: the open source tools listed above are not an exhaustive list.
17. Commercial / Proprietary & Open Source Tools for Forensic Analysis cont. (identifying traces of network / computer intrusion)
Analyzing RAM
Free Tools
• CMAT - http://sourceforge.net/projects/cmat
• Volafox - https://www.volatilesystems.com/default/volatility
• Volatile - https://www.volatilesystems.com/default/volatility
Proprietary Tools
• Second Look - http://secondlookforensics.com/
• Windows Scope - http://windowsscope.com/
• Memoryze - http://www.mandiant.com/resources/download/memoryze/
Network Forensics: capturing / analyzing network packets
Free Tools
• Wireshark - http://www.wireshark.org/
• NetworkMiner - http://networkminer.en.malavida.com/
Proprietary Tools
• NetIntercept - http://www.securitywizardry.com/index.php/products/forensic-solutions/network-forensic-tools/niksun-netintercept.html
Registry analysis
Free Tools
• Registry Decoder - http://www.digitalforensicssolutions.com/registrydecoder/
Proprietary Tools
• Registry Recon - http://arsenalrecon.com/apps/
Note: the open source tools listed above are not an exhaustive list.
18. Commercial / Proprietary & Open Source Tools for Forensic Analysis cont. (employing techniques to crack file & system passwords)
Password cracking
Free Tools
• John the Ripper - www.openwall.com/john
• Cracking passwords for Windows, PDF, Word, RAR, ZIP & Excel - http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm
Proprietary Tools
• Password Recovery - www.elcomsoft.com/products.html
• Passware - http://www.lostpassword.com/
Detecting Pornography
Free Tools
• Redlight Porn Scanner - http://dfcsc.uri.edu/research/redLightTrial [NIJ Funded Project: http://www.nij.gov/topics/technology/software-tools.htm]
Proprietary Tools
• SurfRecon - http://www.surfrecon.com/products/home-edition.php
Note: the open source tools listed above are not an exhaustive list.
20. Orientation
• Digital Evidence - Meaning
• Requirements U/Sec. 65B of the Indian Evidence Act
• Expert Examiner of Electronic Evidence
• Daubert Principle for Expert Witness
21. Digital Evidence
Evidence as defined U/Sec. 3 of the Indian Evidence Act means and includes all statements and all documents, including electronic records, produced for the inspection of the Court.
22. Requirement U/Sec. 65B of the Indian Evidence Act
Sec. 65B - Admissibility of electronic records
• Any information contained in an electronic record,
• if printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer, shall be deemed to be a document,
• if the conditions mentioned in this section are satisfied in relation to the information and computer in question, and
• shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
23. Conditions U/Sec. 65B
(a) Regular use of the computer by the authorised person
The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer.
(b) Regular feeding of information into the system in the ordinary course of business
During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
24. Conditions U/Sec. 65B
(c) Working state of the media
Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
25. Requirement of an Affidavit
• To demonstrate compliance with the requirements of conditions, a statement
in form of affidavit is required to be made in the court.
• It should be signed by a person occupying a responsible official position in
relation to the operation of the relevant device or the management of the
relevant activities
• Section 65B(4).
26. Is it really necessary?
• The requirement to file an affidavit under Sec. 65B is not absolute. The Supreme Court, in the case of State v. Navjot Sandhu, while examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is not filed, it would not foreclose the Court from examining such evidence provided it complies with the requirements of Sections 63 and 65 of the Evidence Act (refer to Para 150 of the judgement).
• In Vodafone Essar Ltd. v. Raju Sud, the Bombay High Court dispensed with the requirement under Sec. 65B.
27. Expert Witness
• Witness, who by virtue of education, training, skill, or experience, is believed
to have knowledge in a particular subject beyond an average person.
• In a famous Scottish case, Davie v Edinburgh Magistrates (1953), the function
of an expert witness is discussed as, ‘to furnish the judge with the necessary
scientific criteria for testing the accuracy of their conclusions, so as to enable
them to form their own independent judgment by the application of these
criteria to the facts provided in evidence’.
28. Daubert Principle for Expert Witness
If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify to his opinion.
Criteria for an expert under the principle:
1) Whether the expert has used scientific methods / discovery techniques?
2) Whether the method/s used by the expert in the case have ever been used by any other expert, or the same expert, in any other case?
3) Whether the testimony is the product of reliable principles and methods?
4) Whether the expert has applied the principles and methods reliably to the facts of the case?
29. Examiner of Electronic Evidence
Sec. 79A – The Information Technology Act, 2000
• The Central Government may, for the purposes of providing expert opinion on electronic evidence before any court or other authority, specify, by notification in the Official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.