IA - DIGITAL FORENSICS Flashcards
Branches of Digital Forensics
- Computer Forensics
- Mobile Device Forensics
- Network Forensics
is a branch of digital forensics concerned with evidence found in computers and digital storage media
Computer Forensics
focused on the recovery of digital evidence from mobile devices using forensically sound methods
mobile device forensics
involve the alleged breaking of laws and are handled by law enforcement agencies and their digital forensic examiners
criminal cases
examiners specialize in one area of digital evidence, either at a broad level or as a sub-specialist
Digital Evidence Examiners
focused on monitoring and analyzing computer network traffic for information gathering, legal evidence or intrusion detection
network forensics
- gathers or processes evidence at crime scenes
- trained in the correct handling of technology
Digital Forensic Technician
Purpose of digital forensics
- criminal cases
- civil cases
- someone with the drive to follow the evidence and solve a crime virtually
- recovers data such as documents, photos, and emails from computer hard drives and other storage devices such as zip and flash drives, where the data has been deleted, damaged, or otherwise manipulated
Digital Forensics Investigator
involve the protection of the rights and property of individuals, or contractual disputes between commercial entities, where a form of digital forensics called electronic discovery may be involved
civil cases
- the admissibility of digital evidence depends on the tool and process used to extract it
- forensic tools are subject to the Daubert standard, under which the judge is responsible for ensuring that the processes and software used are acceptable (tested, peer-reviewed, with a known error rate and generally accepted in the field)
Investigative tools
Example Uses of Digital Forensics
- Intellectual Property Theft
- Industrial Espionage
- Employment Disputes
- Fraud Investigations
- Forgeries Related Matters
- Bankruptcy Investigations
- Inappropriate Use of the Internet and Email in the Workplace
- Issues Concerning Regulatory Compliance
GENERAL TOOLS USED, IN THE FOLLOWING CATEGORIES
- disk and data capture tools
- file viewer tools
- file analysis tools
- internet analysis tools
- email analysis tools
- registry analysis tools
- mobile device analysis tools
- macOS analysis tools
- network forensics tools
- database forensics tools
Internet-based crime requires investigators, laboratory and technical personnel to understand how the process works and to stay closely engaged with advances in software and tracking technologies
Internet-Based
crimes such as pornography, copyright infringement, extortion or counterfeiting leave digital evidence on the computer's hard drive and general equipment, including removable devices such as thumb drives and CD-ROMs
Stand-Alone Computers or Devices
- allow criminals to engage in an ever-growing variety of activities, and the devices keep track of every move and message
- it is this tracking capability that turns mobile devices into key evidence in many cases
Mobile Devices
Stages of Digital Forensics Investigation
- identification
- preservation
- analysis
- documentation
- presentation
is any probative information stored or transmitted in digital form that a party to a court case may use in trial
digital evidence
every contact leaves a trace; as Paul Kirk elaborated: physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study it and understand it can diminish its value
Locard's Exchange Principle
- deters any alteration of evidence, whether intentional or unintentional; states that the court prefers the original evidence at trial rather than a copy (in practice the original is imaged and hashed, and analysis is done on the verified copy)
- evidence is used to establish a credible link between the attacker, the victim, and the crime scene
Best Evidence Rule
types of investigation
- criminal forensics
- intelligence gathering
- electronic discovery
- intrusion investigation
is usually part of a wider investigation conducted by law enforcement and other specialists, with reports intended to facilitate that investigation and ultimately be entered as expert evidence before a court
criminal forensics
is often associated with crime, providing intelligence to help track, stop, or identify criminal activity
intelligence gathering
has specific legal limitations and restrictions, usually relating to the scope of the investigation
electronic discovery
- the final form of investigation, different from the previous ones
- instigated in response to a network intrusion
intrusion investigation
techniques of digital forensics
- cross-drive analysis
- live analysis
- volatile data analysis (part of live analysis)
- recovery of deleted files
- stochastic forensics
- steganography
- a forensic technique that correlates information found on multiple hard drives
- this process, still being researched, can be used to identify social networks and perform anomaly detection
cross-drive analysis
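Cross-drive analysis in working code, as an added example that is not part of the original flashcards: features (here email addresses) are extracted from several constructed raw drive images, indexed by the drives they appear on, and every pair of drives is scored by what it shares. The drive contents, the file names and the 1/(n-1) weighting are assumptions for illustration; a real run would read the bytes of acquired *.dd images instead.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed stand-ins for raw drive images (bytes read from *.dd files in practice);
# each contains fragments of email traffic as it would survive in unallocated space.
DRIVE_IMAGES = {
    "drive_A.dd": b"\x00\x00From: alice@example.test\r\nTo: bob@example.test\r\nsupport@vendor.test\x00",
    "drive_B.dd": b"\xff\xffbob@example.test wrote: ask carol@example.test\nsupport@vendor.test\xff",
    "drive_C.dd": b"README - contact support@vendor.test for installation help",
}

# Feature extractor: email addresses are a classic cross-drive feature because they
# identify a person and are rarely shared between unrelated drives.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_features(image: bytes) -> set[str]:
    """Return the set of email addresses found anywhere in a raw image."""
    return {m.decode("ascii").lower() for m in EMAIL_RE.findall(image)}


def build_index(images: dict[str, bytes]) -> dict[str, set[str]]:
    """feature -> set of drives on which it appears."""
    index: dict[str, set[str]] = defaultdict(set)
    for name, data in images.items():
        for feature in extract_features(data):
            index[feature].add(name)
    return dict(index)


def correlate_drives(index: dict[str, set[str]]) -> dict[tuple[str, str], float]:
    """Score every pair of drives by the features they share.

    A feature found on n drives contributes 1/(n-1) to each pair it links (an assumed
    weighting), so a contact seen on only two drives weighs more than a vendor address
    present on every machine, which says nothing about who knew whom.
    """
    scores: dict[tuple[str, str], float] = defaultdict(float)
    for feature, drives in index.items():
        if len(drives) < 2:
            continue
        weight = 1.0 / (len(drives) - 1)
        for a, b in combinations(sorted(drives), 2):
            scores[(a, b)] += weight
    return dict(scores)


def shared_features(index: dict[str, set[str]], a: str, b: str) -> set[str]:
    """The concrete features behind a pair's score, for the report."""
    return {f for f, drives in index.items() if a in drives and b in drives}


if __name__ == "__main__":
    idx = build_index(DRIVE_IMAGES)
    for pair, score in sorted(correlate_drives(idx).items(), key=lambda kv: -kv[1]):
        print(pair, round(score, 2), sorted(shared_features(idx, *pair)))
```

The pair (drive_A, drive_B) scores highest because they share a contact nobody else has; the vendor address links all three drives but contributes little, which is the anomaly-detection side of the technique: a strong link between drives that were seized from supposedly unrelated people is the finding.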
- the examination of computers from within the running operating system, using custom forensic tools to extract evidence
- this practice is useful when dealing with encrypting file systems, whose contents are only accessible while the volume is unlocked on the live machine
live analysis
is data that is lost when the power is switched off
volatile data
a method that uses stochastic properties of the computer system to investigate activities lacking digital artifacts
stochastic forensics
order of volatility of digital evidence (collect most volatile first, as in RFC 3227)
- CPU
- ARP Cache
- Memory
- Temporary File System
- Data on Hard Disk
- remotely logged data
- data contained on archival media
hides data inside another file (typically an image) so that it is not visible; computer forensics professionals can detect this by computing the hash of the file and comparing it to the hash of the original image, since any modification changes the digest
steganography
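What the hash comparison on this card catches, as an added example that is not part of the original flashcards: a message is hidden in the least significant bits of a constructed grayscale pixel buffer (no pixel changes by more than 1, so the picture looks identical), and the SHA-256 of the result no longer matches the digest recorded for the original. The pixel buffer, the one-byte-length container format and the function names are assumptions for illustration.

```python
import hashlib

# Constructed 8-bit grayscale cover "image": WIDTH*HEIGHT pixel bytes, a stand-in for a
# decoded bitmap. REFERENCE_HASH plays the role of the known hash of the original image.
WIDTH, HEIGHT = 16, 8
ORIGINAL_PIXELS = bytes((x * 7 + y * 13) % 256 for y in range(HEIGHT) for x in range(WIDTH))
REFERENCE_HASH = hashlib.sha256(ORIGINAL_PIXELS).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of successive pixels.

    Assumed container format: one length byte followed by the message, MSB first.
    """
    if len(message) > 255:
        raise ValueError("message too long for a one-byte length prefix")
    payload = bytes([len(message)]) + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # changes each pixel by at most 1
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Reassemble the payload from pixel LSBs (inverse of lsb_embed)."""
    def byte_at(n: int) -> int:
        return sum((stego[n * 8 + i] & 1) << (7 - i) for i in range(8))
    length = byte_at(0)
    return bytes(byte_at(1 + k) for k in range(length))


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; LSB embedding keeps this at 1, invisible to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))


def differs_from_reference(suspect: bytes, reference_hash: str) -> bool:
    """Hash comparison: any modification, however invisible, changes the digest."""
    return sha256_hex(suspect) != reference_hash


if __name__ == "__main__":
    stego = lsb_embed(ORIGINAL_PIXELS, b"meet at 9")
    print("hidden:", lsb_extract(stego))
    print("max pixel change:", max_pixel_delta(ORIGINAL_PIXELS, stego))
    print("hash mismatch:", differs_from_reference(stego, REFERENCE_HASH))
```

The caveat a practitioner wants: hash comparison only works when a trusted copy of the original exists; without one, detection has to rely on statistical tests of the LSB plane, and a hash mismatch alone does not say what was hidden, which is why the extraction step is also shown.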
- modern forensic software has its own tools for recovering deleted data
- most operating systems and file systems do not always erase the physical file data when a file is deleted, allowing investigators to reconstruct it from the physical disk sectors (a caveat: SSDs with TRIM enabled may zero released blocks, so recovery there is far less reliable)
recovery of deleted files
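Signature-based file carving, the reconstruction from raw sectors that this card describes, as an added example that is not part of the original flashcards: a constructed disk image holds a PNG and a JPEG whose directory entries are gone but whose data is intact, the carver scans for known header/footer byte signatures, and the carved PNG is validated by checking its chunk CRCs. The image layout, the signature table and the function names are assumptions for illustration.

```python
import struct
import zlib

SECTOR = 512

# Header/footer signatures used for carving (real carvers such as scalpel or foremost
# carry far larger tables and per-type maximum sizes).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, built from its chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")          # filter byte 0 + one pixel
    return (SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_disk_image() -> bytes:
    """Constructed raw image: the PNG and JPEG sit in sectors whose directory entries are gone."""
    def pad(data: bytes) -> bytes:
        return data + b"\x00" * (-len(data) % SECTOR)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    return b"".join([
        b"\x00" * SECTOR,        # sector 0: boot area
        pad(b"A" * 300),         # sector 1: a live (allocated) file
        pad(minimal_png()),      # sector 2: deleted PNG, data still on disk
        b"\x00" * SECTOR,        # sector 3: never used
        pad(jpeg),               # sector 4: deleted JPEG
    ])


def carve(image: bytes, max_size: int = 1 << 20) -> list[tuple[str, int, bytes]]:
    """Scan the raw bytes for every known header and cut up to its footer.

    Returns (type, byte offset, data) sorted by offset. Headers without a footer
    within max_size are skipped, which avoids runaway carves on truncated files.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def validate_png(data: bytes) -> bool:
    """Check every chunk CRC; a carved PNG that fails this is fragmented or a false positive."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            return False
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


if __name__ == "__main__":
    for kind, offset, data in carve(build_disk_image()):
        note = f" valid={validate_png(data)}" if kind == "png" else ""
        print(f"{kind} at sector {offset // SECTOR} ({len(data)} bytes){note}")
```

Carving works without any file system metadata, which is exactly why it recovers deleted files; the price is that the three-byte JPEG header produces false positives in random data and fragmented files come out broken, so every carved object should be validated (as the CRC check does for PNG) before it is reported as evidence.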
the testbed should be built from a trusted source, and its functionality should be checked in advance before any tools are used in the build
create forensic tool testbed
characteristics of digital evidence
- admissibility
- reliability
- convincing to judges
- completeness
- authentication
- assessment
- acquisition
- preservation
- examination and analysis
- documentation and reporting
first responder toolkit
- create forensic tool testbed
- document the forensic tool testbed
- document the summary of the forensic tools
- test the tools
for every tool acquired for the testbed, the following information is documented for easy reference and record
document the summary of the forensic tools
the tools selected and installed are now tested in the testbed, and their performance and output are examined against known reference data
test the tools
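The testbed procedure (build it from a trusted source, document the tools, test them) and the preservation requirement behind the Best Evidence Rule, as one added example that is not part of the original flashcards: a hypothetical imaging tool is run against constructed reference evidence whose correct hash is known in advance, the hash implementation is first checked against a published SHA-256 test vector, and the report records whether the image matches and whether the source was left untouched. The tool, the reference content and the report fields are assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile

# Public known-answer vector (FIPS 180-2 example): SHA-256("abc").
KNOWN_ANSWERS = {
    "sha256": (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
}

# Constructed reference evidence for the testbed: its contents, and therefore its
# correct hash, are known before the tool under test ever touches it.
REFERENCE_CONTENT = bytes(range(256)) * 16 + b"end-of-evidence"


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """The (hypothetical) tool under test: byte-for-byte copy plus hashes of source and copy."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return {"source_sha256": sha256_file(source), "image_sha256": sha256_file(image)}


def known_answer_ok() -> bool:
    """Check the hash implementation against a published vector before trusting it."""
    return all(hashlib.new(alg, msg).hexdigest() == digest
               for alg, (msg, digest) in KNOWN_ANSWERS.items())


def run_testbed() -> dict:
    """Exercise the tool on reference evidence and record what the tester must document."""
    expected = hashlib.sha256(REFERENCE_CONTENT).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        source = os.path.join(root, "reference.bin")
        image = os.path.join(root, "reference.dd")
        with open(source, "wb") as f:
            f.write(REFERENCE_CONTENT)
        before = os.stat(source)
        result = acquire_image(source, image)
        after = os.stat(source)
        report = {
            "tool": "acquire_image (hypothetical example tool)",
            "known_answer_ok": known_answer_ok(),
            "image_matches_reference": result["image_sha256"] == expected,
            "source_hash_unchanged": result["source_sha256"] == expected,
            # size and mtime of the original must not move: the tool may only read it
            "source_unmodified": (before.st_size, before.st_mtime_ns)
                                 == (after.st_size, after.st_mtime_ns),
            "image_size": os.path.getsize(image),
            "expected_sha256": expected,
        }
    report["passed"] = all(report[k] for k in (
        "known_answer_ok", "image_matches_reference",
        "source_hash_unchanged", "source_unmodified"))
    return report


if __name__ == "__main__":
    for key, value in run_testbed().items():
        print(f"{key}: {value}")
```

The report is the "document the summary" step in machine-checkable form: a tool that alters the source, or produces an image whose hash differs from the known answer, fails before it is ever pointed at real evidence, and the recorded expected hash is what later ties the working copy back to the original under the Best Evidence Rule.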
some common mistakes first responder should avoid
- do not shut off or reboot the machine (volatile evidence is lost)
- do not assume that any part of the victim system is reliable
- take precautions
- follow procedures
issues facing computer forensics
- technical issues
- legal issues
- administrative issues
technical issues
- encryption
- increasing storage space
- new technologies
- anti-forensics
- may be raised to confuse or distract from the computer examiner's findings; in such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to rebut such arguments
Legal Issues
3 Famous Cases Solved Through Digital Forensics
- BTK Killer
- The Craigslist Killer
- Larry J Thomas Vs State of Indiana
Dennis Rader tortured and killed 10 people; digital forensics experts were able to trace the metadata contained in a Word document on a floppy disk he had sent to the media, helping unveil the killer's identity
BTK Killer
investigators traced the emails exchanged between the victims and the suspect, and the IP address led them to an unlikely suspect
the craigslist killer
during the investigation, the authorities took the content posted on the culprit's Facebook account into consideration
Larry J. Thomas vs the state of Indiana