Digital Forensics and Evidence Management

Fundamentals of Digital Forensics

  • Definition: A branch of forensic science involving the recovery and investigation of material found in digital devices for application to criminal and civil laws.

  • Scope: Relates to any issue involving the Internet, computers, mobile devices, CCTV cameras, fitness trackers, and cloud services.

  • Timeline Variation:

    • Cyber crime: Evidence is often old; investigations can last years.

    • Incident response: Evidence is recent; work typically lasts hours to weeks.

Legal Framework and Legislation

  • New Zealand Legislation:

    • Evidence Act 2006 (extension of the 1908 Act).

    • Unsolicited Electronic Messages Act 2007.

    • Harmful Digital Communications Act 2015.

    • Copyright (Infringing File Sharing) Amendment Act 2011.

  • Evidence Admissibility: Governed by best practices and guidelines to ensure evidence is not tainted or unusable.

Classifications of Evidence

  • Primary: The best or "first-hand" evidence (e.g., original CCTV recordings).

  • Secondary: Copies accepted when primary evidence is unavailable.

  • Hearsay: Something overheard and relayed by a third party; not admissible unless "by leave of the court."

  • Other Types: Similar fact (modus operandi), Documentary (includes photographs), Character, Oral, Direct, Real (inanimate objects), Opinion (expert only), and Circumstantial.

The Digital Forensics Process (DFRWS)

  • Identification: Based on Locard’s exchange principle: "When two objects come into contact, they leave a trace on each other." Digital traces include browser history, web server logs, and cookies.

  • Preservation: Safeguarding data from deletion or modification by isolating systems, snapshotting virtual machines, and using digital signatures.

  • Collection: The process of acquiring digital evidence. It follows an order of volatility (from most to least volatile):

    1. Registers, cache.

    2. Routing Table, ARP Cache, RAM.

    3. Temporary filesystems.

    4. Disk.

    5. Remote logging/monitoring data.

    6. Physical configuration/network topology.

    7. Archival media.

  • Examination: Extraction of data using approved tools like EnCase while ensuring no damage to the original evidence.

  • Analysis: Interpreting extracted data (e.g., tracking connections to a Command and Control (C2) server) to determine the nature of an attack.

  • Presentation: Reporting findings in a clear, concise, and unbiased manner.
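The Identification and Analysis steps above name web server logs as a digital trace and connections to a C2 server as something the analyst looks for. The following is an added example written for these notes, not code from the original material or from any of the tools it names: it parses lines in the Apache/Nginx "combined" log format, counts requests per source address, matches sources against an indicator list, and flags sources whose requests arrive at regular intervals, which is the kind of pattern automated beaconing leaves. The log lines are constructed (RFC 5737 documentation addresses), the indicator set is a placeholder, and the function names are this example's own.

```python
"""Trace identification and analysis over web server log lines.

Added example, not part of the original notes. Assumes the Apache/Nginx
"combined" log format; sample lines are constructed and KNOWN_INDICATORS
is a placeholder rather than a real indicator feed.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime

# One combined-format line: client IP, identd, user, [timestamp],
# "request line", status, size, "referer", "user agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +1300] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +1300] "POST /contact.php HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:01 +1300] "GET /beacon?id=42 HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.22 - - [10/Oct/2023:13:57:01 +1300] "GET /beacon?id=42 HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.22 - - [10/Oct/2023:13:58:01 +1300] "GET /beacon?id=42 HTTP/1.1" 200 17 "-" "curl/8.0"
<<truncated line that does not parse>>
"""

# Placeholder indicator set; a real case takes these from the investigation.
KNOWN_INDICATORS = {"198.51.100.22"}


def parse_combined(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    """Parse every line; malformed lines are counted rather than silently dropped."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def request_intervals(records):
    """Seconds between consecutive requests from each source address."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    intervals = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        intervals[ip] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return intervals


def looks_like_beacon(intervals, tolerance=0.1):
    """True when two or more intervals all lie within +/- tolerance of their mean."""
    if len(intervals) < 2:
        return False
    mean = sum(intervals) / len(intervals)
    return mean > 0 and all(abs(i - mean) <= tolerance * mean for i in intervals)


def summarise(text):
    """Per-source counts, indicator matches and regular-interval sources for a log."""
    records, skipped = parse_log(text)
    hits = Counter(r["ip"] for r in records)
    intervals = request_intervals(records)
    return {
        "records": len(records),
        "skipped": skipped,
        "requests_per_ip": dict(hits),
        "flagged": sorted(ip for ip in hits if ip in KNOWN_INDICATORS),
        "beaconing": sorted(ip for ip, iv in intervals.items() if looks_like_beacon(iv)),
        "intervals": intervals,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```

Run it against a copy of the log, never the original file: the examination step in these notes requires that the original evidence is not altered, and even reading a log on the live system can update access timestamps. The skipped-line count matters in a report, since an unexplained gap in the parsed data is something the other side will ask about.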

Evidence Integrity and the Forensic Lab

  • Chain of Custody: A document tracking the lifecycle of evidence from collection to destruction. Any break in the chain may lead to exclusion from court.

  • Physical Security: Labs must be climate-controlled, locked, and monitored with entry/exit logs and evidence lockers.

  • Hardware and Tools:

    • Forensic Workstations: Disconnected from the Internet to prevent corruption.

    • Physical Write Blocker: Device that prevents writing data to a drive during imaging.

    • Faraday Bags: Used to isolate mobile devices from network signals.

  • Software Applications:

    • EnCase, FTK (Forensic Toolkit), and X-Ways.

    • SANS SIFT: Free platform for imaging and memory analysis.

  • Jump Kit: Portable equipment for offsite analysis, including a forensic laptop, write blockers, anti-static bags, and documentation forms.
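The Preservation step names digital signatures, and the chain of custody above needs a record that shows when an entry has been altered or removed. The following is an added example written for these notes, not code from the original material or from EnCase, FTK, X-Ways or SIFT: it hashes an acquired image with SHA-256 so that a working copy can later be checked against the acquisition hash, and keeps a chain-of-custody log in which each entry carries the hash of the previous one, so editing an earlier entry breaks verification. The image bytes, custody events and field names are constructed for the example.

```python
"""Evidence image hashing and a hash-linked chain-of-custody record.

Added example, not from the original notes. The image bytes and custody
events are constructed, and the record field names are this example's own.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" value of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_stream(chunks) -> str:
    """Hash an image chunk by chunk, as a multi-gigabyte disk image is read."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_image(image: bytes, expected_hex: str, chunk_size: int = 4096) -> bool:
    """Re-hash a working copy and compare it with the hash recorded at acquisition."""
    chunks = (image[i:i + chunk_size] for i in range(0, len(image), chunk_size))
    return sha256_stream(chunks) == expected_hex


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so an entry always hashes the same way.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


class CustodyLog:
    """Append-only record; each entry includes the hash of the one before it."""

    def __init__(self, evidence_id: str, image_sha256: str, handler: str, when: datetime):
        self.evidence_id = evidence_id
        self.entries = []
        self.add(handler, "acquired", f"image sha256 {image_sha256}", when)

    def add(self, handler: str, action: str, note: str, when: datetime) -> dict:
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "when": when.isoformat(),
            "handler": handler,
            "action": action,
            "note": note,
            "prev": entry_hash(self.entries[-1]) if self.entries else GENESIS,
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; keep it out of band (signed or countersigned)."""
        return entry_hash(self.entries[-1])

    @staticmethod
    def verify(entries) -> bool:
        """True when every entry links to the hash of its predecessor in order."""
        prev = GENESIS
        for i, e in enumerate(entries):
            if e.get("seq") != i or e.get("prev") != prev:
                return False
            prev = entry_hash(e)
        return True


def demo() -> dict:
    # Constructed image and custody events; evidence id is a placeholder.
    image = b"constructed disk image bytes, not real evidence" * 100
    acquired = sha256_hex(image)
    t = datetime(2023, 10, 10, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EX-0001", acquired, "examiner A", t)
    log.add("examiner A", "sealed", "evidence locker 3", t.replace(minute=30))
    log.add("examiner B", "checked out", "examination on workstation 2", t.replace(hour=14))
    head = log.head()

    # Tampered copy: an earlier note is edited after the fact.
    tampered = [dict(e) for e in log.entries]
    tampered[1]["note"] = "evidence locker 1"

    return {
        "log_intact": CustodyLog.verify(log.entries),
        "tamper_detected": not CustodyLog.verify(tampered),
        "head_matches": entry_hash(log.entries[-1]) == head,
        "image_matches": verify_image(image, acquired),
        "altered_image_detected": not verify_image(image + b"\x00", acquired),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition hash is computed once, from the image taken through a write blocker, and every later examination works on a copy that is re-verified against it. The chain catches changes to any entry except the last, so the head hash has to be recorded somewhere the log itself cannot alter, such as a signed report or a countersigned form in the jump kit.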