Basic Digital Forensic Analysis and Investigation Notes

Cybercrime Investigation

  • Need for Study: Studying cybercrime investigation is crucial in today's digital world.

Internet Usage

  • Global Usage: Approximately 3.2 billion people use the internet, which is about 55.1% of the world's population.

Cybercrime Earnings

  • Annual Revenue: Cybercriminals earn over $3.25 billion annually through social media-enabled cybercrime.

Digital World

  • Dependence on Digital Evidence: Future investigations heavily rely on the ability to quickly identify, preserve, and analyze digital evidence.
  • Preferred Mode: The internet is the preferred mode of business and communication.
  • Information Sources: Identifying every source of information and potential evidence is critically important.

Cybercrime Investigation Phases

  • There are four phases in cybercrime investigation:
    • Pre-search
    • Search
    • Post-search Investigation (the largest phase)
    • Trial

Pre-Search Phase

  • Case Build-up: Investigators gather intelligence and assess the scope of the cybercrime.
  • Evidence Identification: Identifying potential digital evidence is a key part of this phase.
  • Legal Authorizations: Securing necessary legal authorizations, like a search warrant, is crucial.
  • Planning: Careful planning of the search operation is done to minimize risks and preserve volatile data.
  • Legal Compliance: Ensuring actions comply with legal standards to make evidence admissible in court.

Search Phase

  • Execution: Investigators execute the operation to seize digital evidence, following the pre-approved plan based on the Rules on Cyberwarrants.
  • Evidence Collection: Collection of computers, mobile devices, and storage media.
  • Volatile Data: Capturing volatile data when necessary.
  • Chain of Custody: Maintaining a strict chain of custody to prevent evidence tampering.
  • Preservation: Focus on securing and preserving evidence exactly as found to ensure its integrity.

Post-Search Investigation

  • Forensic Examination: Detailed forensic examination of seized digital evidence to uncover, recover, and analyze data related to the cybercrime.
  • Reconstruction: Investigators reconstruct timelines and trace activities.
  • Decryption: Decrypting files.
  • Correlation: Correlating findings with the suspect’s actions.
  • Documentation: Meticulously documenting the entire process.

Trial Phase

  • Collaboration: Investigators work with prosecutors to present digital evidence.
  • Authentication: Ensuring evidence is authenticated and admissible in court.
  • Expert Reports: Writing expert reports detailing forensic methods used.
  • Chain of Custody Defense: Defending the chain of custody.
  • Expert Testimony: Testifying as expert witnesses to establish that evidence was properly obtained, preserved, and analyzed according to legal and technical standards.

How Computers Save Data

  • Saving Data: When a computer saves data, it writes the information to storage (hard drive, SSD, USB) as binary code (0s and 1s) into specific sectors or blocks on the storage medium.
  • File System: A file system (NTFS, FAT32) keeps a map or index of where the data is located for quick retrieval.

How Computers Delete Data

  • Deleting Data: When data is deleted, the actual content is not immediately erased.
  • Marking Space: Instead, the space is marked as
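The save/delete model in the two sections above, as an added example that is not part of these notes: a toy block device in Python where saving writes blocks and updates an index, deleting only drops the index entry and marks the blocks free, and a carving step still recovers the content from unallocated blocks until a later write reuses them. ToyDisk, the file names and the "EVID:" header are constructed for the example.

```python
# Toy model of the save/delete behaviour in the notes: a bytearray stands in
# for the drive's blocks, a dict for the file system index (constructed example).
BLOCK_SIZE = 8   # bytes per block, tiny so the effect is easy to inspect
NUM_BLOCKS = 16

class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw block contents
        self.index = {}                                  # name -> (blocks, size)
        self.free = list(range(NUM_BLOCKS))              # unallocated blocks

    def _block(self, b):
        return bytes(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])

    def save(self, name, data):
        """Write data into the lowest free blocks and record them in the index."""
        needed = -(-len(data) // BLOCK_SIZE)             # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.index[name] = (blocks, len(data))

    def read(self, name):
        """Normal read: follow the index to the blocks, then trim to file size."""
        blocks, size = self.index[name]
        return b"".join(self._block(b) for b in blocks)[:size]

    def delete(self, name):
        """Delete: drop the index entry and mark the blocks free. Bytes remain."""
        blocks, _ = self.index.pop(name)
        self.free = sorted(self.free + blocks)

    def unallocated(self):
        """Contents of all free blocks: what a forensic tool can still carve."""
        return b"".join(self._block(b) for b in self.free)

    def carve(self, header):
        """Scan free blocks for a known file header; return (block, content)."""
        return [(b, self._block(b)) for b in self.free if self._block(b).startswith(header)]

def demo():
    disk = ToyDisk()
    disk.save("note.txt", b"EVID:the quick brown fox")  # constructed content
    disk.delete("note.txt")
    before = disk.carve(b"EVID:")        # still recoverable after delete
    disk.save("new.txt", b"NEW DATA")    # reuses block 0, destroying the header
    return before, disk.carve(b"EVID:"), disk.unallocated()
```

After the second save the header block is gone, but the tail of the deleted file still sits in free blocks, which is why preserving a seized drive before any further writes matters.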