Digital Forensics Study Notes

Introduction to Digital Forensics and its Process

Forensic Science

  • Definition: Forensic Science is the application of scientific methods to establish factual answers to legal problems.

  • Role of a Forensic Scientist: Responsible for establishing facts concerning:

    • What has happened?

    • How did it happen?

    • Who has been involved?

    • When did it occur?

Locard’s Exchange Principle

  • Concept: States that whenever two objects come into contact with each other, there is an exchange of materials between them.

  • Implication: Every criminal can be connected to a crime through trace evidence.

Crime Reconstruction

  • Definition: Determining the actions and events surrounding the commission of a crime.

  • Process: Involves determining the most likely hypothesis or sequence of events using the scientific method.

Investigations

  • Definition: A systematic examination aimed at identifying or verifying facts.

  • Objective: Identify key facts related to a crime or incident.

  • 5WH Formula: Defines objectives of an investigation:

    • Who: Persons involved (suspects, witnesses, victims).

    • Where: Location of the crime and other relevant locations.

    • What: Description of the facts of the crime.

    • When: Time of the crime and related events.

    • Why: Motivation for the crime.

    • How: Method of committing the crime.

Evidence Dynamics

  • Definition: Refers to influences that add, change, relocate, obscure, contaminate, or obliterate evidence, regardless of intent.

  • Importance: It plays a crucial role in crime scene reconstructions.

  • Example: Mechanisms for writing to a sector on a hard drive or operations for creating, changing, or deleting a file.

Digital Forensics

  • Definition: The use of scientifically derived and proven methods to preserve, collect, validate, identify, analyze, interpret, document, and present digital evidence.

  • Purpose: Facilitate the reconstruction of events found to be criminal or help anticipate unauthorized actions disruptive to planned operations.

  • Digital Archaeology vs. Digital Geology:

    • Digital Archaeology: Refers to digital traces in computer systems created by human behavior.

    • Digital Geology: Refers to traces created by systems as part of their inherent processes.

  • Goal: Gather facts about human behavior while understanding how computer systems behave.

Crimes and Incidents

  • Increasing reliance on digital forensics by law enforcement and companies in processing digital evidence for crimes or incidents (policy violations).

  • Terminology:

    • Incident: The event being investigated.

    • Digital Crime Scene: The location of the incident in cases of a crime.

Digital Devices, Media, and Objects

  • Digital Device: A physical object like a laptop, smartphone, or car.

    • Contains storage media (e.g., hard drive, memory), referred to as Digital Media.

    • Digital media contain data stored in a binary format known as Digital Data.

    • Digital Objects: Discrete collections of digital data worked on by forensic analysts.

Forensic Soundness and Fundamental Principles

  • An investigation is considered Forensically Sound if it adheres to established digital forensic principles, standards, and processes.

  • Key Concepts:

    • Evidence Integrity: Preservation of evidence in its original form.

    • Chain of Custody: Documentation of acquisition, control, analysis, and disposition of evidence.

Crime Reconstruction in Digital Forensics

  • Helps test hypotheses about possible chains of events using a five-step process:

    1. Evidence Examination: Identify and characterize relevant evidence.

    2. Role Classification: Determine the role of evidence as a cause or effect.

    3. Event Construction and Testing: Identify potential events and assess likelihood.

    4. Event Sequencing: Combine events into coherent chains.

    5. Hypothesis Testing: Use the scientific method to test the hypothesis.

Digital Evidence

  • Definition: Any digital data that can provide reliable information supporting or refuting a hypothesis of an incident or crime.

  • Layers of Abstraction: The practice in computing of hiding the implementation details of one layer from the layers above it, to reduce complexity.

  • Example of Analysis: Analyzing data at the binary level to reconstruct relevant files.

  • Metadata: Data about data, containing critical information like creation time, location, and device used.

The Digital Forensics Process

  • Application of forensic processes ensures investigations are forensically sound, consisting of five consecutive and iterative steps:

    1. Identification: Detect and recognize the incident or crime.

    2. Collection: Gather digital raw data in a forensically sound manner.

    3. Examination: Structure the raw data for processing and understanding.

    4. Analysis: Deep dive into the collected and structured data.

    5. Presentation: Share findings with relevant parties.

The Identification Phase

  • Task: Detecting and determining the incident or crime for investigation.

  • Preservation Tasks:

    • Isolate, secure, and document physical and digital devices.

    • Live Systems: Running systems holding potential evidence; volatile data (e.g., memory contents) is lost if they are powered down.

    • Dead Systems: Systems that are powered off; their volatile data has generally already been lost at shutdown, so only persistent storage remains.

    • Use containment tools (e.g., Faraday bags) to shield devices from RF sources.

The Collection Phase

  • Definition: Collection of data from digital devices using forensically sound methods.

  • Metadata Tied to Evidence: Should include case name, number, examiner details, timestamps, and locations.

  • Sources of Digital Evidence: Include hard drives, CPUs, GPUs, memory, flash drives, network, etc.

  • Evidence Integrity: Critical during this phase; methods like write blockers and digital hash functions are vital.

    • Cryptographic Hash Functions: One-way mathematical functions that map input of any size to a fixed-size digest; any change to the input changes the digest, so a recorded hash can later prove the evidence is unaltered. Common functions include MD5, SHA1, and SHA256.

  • Order of Volatility: Collect potential evidence in order of how quickly it is lost, most volatile first.
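As an added example (not code from the course notes), the hash-and-record step of the Collection phase: the three listed digests are computed in one chunked pass over an acquired image, stored together with the chain-of-custody metadata the notes call for, and re-checked later. The image bytes, case values and examiner name are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # the three functions the notes list
CHUNK = 1024 * 1024                       # hash 1 MiB at a time so large images fit in memory

# Constructed stand-in for an acquired disk image (a real one would be a raw or EnCase image file).
ACQUIRED_IMAGE = b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096

def hash_stream(fileobj) -> dict:
    """Compute all three digests in a single pass over a file-like object."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))

def acquisition_record(data: bytes, case_name: str, case_number: str,
                       examiner: str, location: str) -> dict:
    """Chain-of-custody entry written at collection time, carrying the metadata the notes require."""
    return {
        "case_name": case_name, "case_number": case_number, "examiner": examiner,
        "location": location, "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data), "hashes": hash_bytes(data),
    }

def verify_integrity(data: bytes, record: dict) -> dict:
    """Re-hash a working copy and compare it with the record, per algorithm.
    SHA-256 is the digest to rely on: MD5 and SHA-1 are collision-broken and are
    kept here only because legacy known-file hash sets are still indexed by them."""
    current = hash_bytes(data)
    return {name: current[name] == record["hashes"][name] for name in record["hashes"]}
```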

The Examination Phase

  • Preparation and extraction of potential digital evidence.

  • Triage Technique: Prioritize evidence according to time and resource constraints.

  • Forensic Data Formats: Include raw data, EnCase, SMART, AFF, and ProDiscover.

  • Large data volumes present challenges; files must be handled carefully so that they are not altered during analysis.

  • Known File Hash Databases: Include both malicious (bad files) and benign (good files).

The Analysis Phase

  • Definition: Processing information to determine event facts, the significance of evidence, and responsible persons.

  • Data Storage: Different layers of abstraction (bits to visual formats).

  • Search Techniques:

    • String and Keyword Searches: Make analysis faster.

    • Specific properties can be searched, including phone numbers, addresses, file properties, etc.

  • Anti-Forensics: Techniques aimed at complicating forensic investigations:

    • Media Wiping: Erasing media so that data cannot be recovered.

    • Encrypted/obfuscated data complicates access to evidence.

Timelining and Visualization in Analysis

  • Timelining: Organizes time-based access and modification data, helping to visualize events.

  • Graphical Representation: Tools that present data visually based on common attributes (e.g., email sender/receiver visualizations).

  • Link Analysis: Presents structured connections between items of interest in cases.

The Presentation Phase

  • Sharing analysis results with interested parties via comprehensive reports.

  • Final Report Content:

    • Roles and tasks assigned in the investigation.

    • Executive summary of evidence sources.

    • Documentation of acquisition, analysis, and maintaining evidence integrity.

    • Visualizations and screenshots.

    • Information for reproducibility.

    • Tools utilized during analysis.

    • Findings from the analysis.

  • Importance of Visuals: Diagrams, graphics, and timelines are crucial for non-technical audiences to understand the report.

The Digital Forensics Puzzle: The USB Insider Theft Case

  • Scenario: Investigation into suspected theft of confidential data by a staff member prior to resignation at Victoria University.

  • Employees involved:

    1. Dr. Ali – Researcher

    2. Emma – Lab Assistant

    3. Michael – IT Technician

  • Stolen Data: Uploaded to a competitor's website.

  • Task for Students: Determine the potential suspect based on evidence.

Evidence Overview

  • Evidence 1 – Login Log (User Login Records):

    • User: emma.lab, Login time: 22 May – 18:10

    • User: dr.ali, Login time: 22 May – 18:15, Logout time: 22 May – 18:17

  • Evidence 2 – USB Device Log:

    • USB Connection: Device Name: SanDisk USB, Serial ID: SDX-8892, Time: 22 May – 18:18.

  • Evidence 3 – File Access Log:

    • File Accessed: ResearchProjectData.xlsx, Access time: 22 May – 18:19, User: emma.lab.

  • Evidence 4 – File Copy Record:

    • Large data transfer detected from Lab Computer to USB device SDX-8892, Time: 22 May – 18:20.

  • Evidence 5 – Browser Activity:

    • URL accessed: https://fileshare-upload.net, Time: 22 May – 18:23.

  • Evidence 6 – CCTV Log:

    • 18:05 Emma enters lab

    • 18:12 Dr. Ali enters lab

    • 18:17 Dr. Ali leaves lab

    • 18:25 Emma leaves lab

Student Task

  • Group Work: Divide into groups of 4.

  • Questions to Address:

    1. Who is the primary suspect?

    2. What digital evidence supports your conclusion?

    3. What timeline of events explains the incident?

    4. Is the evidence sufficient for court?

    5. What additional evidence should be collected?

Additional Evidence

  • Remote Desktop Session:

    • User: michael.IT; Remote access time: 18:16.

    • Potential for Michael to have accessed Emma’s account remotely.
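As an added example (not part of the course notes), the timeline an examiner would build for the "Timelining" step and for question 3 of the student task: the evidence items above are entered as constructed records, merged into one ordered timeline, and each event whose log names no account is paired with the accounts that had an open session at that moment. The year, and the treatment of sessions with no recorded end as still open, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

DAY = "2024-05-22 "   # the logs only say "22 May"; the year is assumed

def ts(hhmm: str) -> datetime:
    return datetime.strptime(DAY + hhmm, "%Y-%m-%d %H:%M")

@dataclass(order=True)
class Event:
    time: datetime
    source: str      # which log the event came from
    actor: str       # account or person named by the log; "?" when it names none
    detail: str

# Constructed from the Evidence 1-6 items and the remote desktop record in the case notes.
EVENTS = sorted([
    Event(ts("18:05"), "CCTV", "Emma", "enters lab"),
    Event(ts("18:10"), "Login log", "emma.lab", "login"),
    Event(ts("18:12"), "CCTV", "Dr. Ali", "enters lab"),
    Event(ts("18:15"), "Login log", "dr.ali", "login"),
    Event(ts("18:16"), "Remote desktop", "michael.IT", "remote session start"),
    Event(ts("18:17"), "Login log", "dr.ali", "logout"),
    Event(ts("18:17"), "CCTV", "Dr. Ali", "leaves lab"),
    Event(ts("18:18"), "USB log", "?", "SanDisk USB SDX-8892 connected"),
    Event(ts("18:19"), "File access log", "emma.lab", "ResearchProjectData.xlsx accessed"),
    Event(ts("18:20"), "File copy record", "?", "large transfer to USB SDX-8892"),
    Event(ts("18:23"), "Browser history", "?", "https://fileshare-upload.net visited"),
    Event(ts("18:25"), "CCTV", "Emma", "leaves lab"),
])

def sessions_open_at(t: datetime) -> set:
    """Accounts with a login or session start at or before t and no logout before t.
    A session with no recorded end (emma.lab, michael.IT) is assumed still open."""
    open_sessions = set()
    for e in EVENTS:
        if e.time > t:
            break
        if e.detail in ("login", "remote session start"):
            open_sessions.add(e.actor)
        elif e.detail == "logout":
            open_sessions.discard(e.actor)
    return open_sessions

def unattributed_events() -> list:
    """Events whose log names no account, each with the accounts that could have
    caused it; these are the gaps the examiner still has to close with more evidence."""
    return [(e.time.strftime("%H:%M"), e.detail, sessions_open_at(e.time))
            for e in EVENTS if e.actor == "?"]
```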