Other Technical Aspects Flashcards
Principles of Digital Forensics
Forensic investigations involve the collection and analysis of evidence in crime scenes, including fingerprints and DNA.
- Dr. Edmond Locard’s exchange principle states that there will always be an exchange of microscopic material when two items come into contact.
- In the digital world, actions performed on a computer leave a digital footprint or evidence.
- Digital evidence is fragile and can be easily destroyed or tampered with if not handled properly.
- Incidents in the digital realm can have adverse impacts, and it is crucial to gather information to determine the cause and seek redress from perpetrators.
- Digital forensics, also known as computer forensics, involves retrieving digital evidence from various devices such as end user devices, network appliances, and mobile devices.
- There are a variety of tools and techniques available for retrieving digital information for investigative purposes.
Investigations
After an incident, three main types of investigations may be conducted: administrative, civil, and criminal.
Administrative investigations are internal to an organization (small, minor investigations; typically a warning is given).
Civil investigations involve presenting digital evidence in a civil court, such as an employment tribunal, e.g. for breach of contract, libel, or slander.
Criminal investigations involve presenting digital evidence as part of a criminal prosecution.
The burden of proof in civil cases is demonstrating a reasonable likelihood of an event, while in criminal cases, the case must be proved beyond reasonable doubt.
Digital forensics requires competent investigators to prevent potential damage or destruction of evidence.
Deleting a file from a computer does not immediately remove the data; it removes the pointer to the data, making the space available for overwriting. Forensic tools can retrieve data that has only been flagged as deleted, providing valuable evidence.
Computers store vast amounts of information, including records of user activities, communication, file operations, and more. These records can serve as evidence in supporting a case.
The Process
The digital forensic process follows the discovery reference model, which consists of several stages.
The stages of the discovery reference model are Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation.
Identification involves identifying potential evidence.
Preservation is crucial to prevent loss, damage, or alteration of the evidence.
Collection involves acquiring the evidence in its original form.
Processing is carried out on the evidence for later analysis.
Reviewing is done to determine the value of the discovered evidence.
Analysis is conducted to gain insights into the incident.
Production involves packaging the results of the analysis as evidence for the investigation.
Presentation may involve presenting the evidence in court or other contexts.
Preservation is considered the most important stage because it ensures the original form of the captured evidence is maintained.
Another sequence of stages in digital forensic investigations can be Acquisition, Investigation and analysis, and Reporting.
Type of examination - Dead Box
There are two main methods of acquiring potential evidence in digital forensics: dead box forensics and live forensics.
Dead box forensics was the primary method in the early days, involving removing power from the running computer and creating a forensic image of the hard disk.
Forensic imaging software creates a bit stream copy of the hard disk, capturing all binary bits, including deleted files and partition tables.
A hash of the hard drive is created during the imaging process, serving as a signature of the hard drive at the point of seizure.
The original hard drive is sealed and preserved, and all forensic examination is conducted on the image copy.
The primary rule of digital forensics is to never work on the original evidence to avoid any potential modifications.
Forensic write blockers are hardware devices that ensure the integrity of the original evidence by allowing data to flow only from the original to the copy.
Remember, preserving the integrity of the evidence and working on image copies are essential practices in digital forensics to ensure the admissibility and reliability of evidence in legal proceedings.
Type of examination - Live Forensics
Live forensics is a current methodology for forensic investigations, allowing investigation of a running computer.
In live forensics, access is gained to the powered-up computer to capture real-time information.
Live forensics can capture the contents of RAM, including encryption keys and passwords.
It can also provide information about running processes, network connections, and contents of caches.
Live forensics can access the contents of encrypted hard drives, since the disk contents are available in decrypted form while the system is running.
After live capture, the computer is powered down, and the subsequent analysis is conducted on the hard disk as in dead box forensics.
Note: Live forensics can provide valuable real-time information that complements the analysis conducted on the acquired forensic image during dead box forensics.
Chain of custody
Chain of custody is crucial for evidence to be accepted by a court.
It is a record of the handling of evidence from seizure to presentation in court.
An evidence custodian is responsible for maintaining the chain of custody, and evidence should be stored in a locked evidence locker.
Write blockers and the chain of custody help ensure the integrity of evidence.
Digital artifacts such as log files can be seized and examined using similar procedures as hard disk imaging.
Digital signatures and hashing can be used to verify the integrity of seized artifacts.
Digital forensics requires skilled professionals, and organizations may need to hire forensic experts if they lack in-house capabilities.
Effective communication with forensic service providers is essential.
Anyone giving evidence in court should be trained for this activity due to the adversarial nature of the court environment.
Evidence should be factual, stand on its own, and produce consistent results when following the procedures.
Expert witnesses may be called upon to provide their professional opinion based on their expertise and experience.
The Four Principles of Digital Evidence
Forensic Readiness
Other Aspects – Cryptography
Cryptography
What can cryptography do for us?
The language of cryptography
The Four Elements of Cryptography
Symmetric ciphers
Asymmetric ciphers
Hashing
Digital signatures
Symmetric Ciphers - Block/Stream Ciphers
Symmetric ciphers work on blocks of data and use a single key for both encryption and decryption.
The key should be random and relatively short, such as 128 or 256 bits.
Symmetric ciphers provide confidentiality for bulk data and are relatively quick with their encryption.
Both parties need a copy of the same key, which may need to be exchanged securely.
The strength of a symmetric cipher depends on the length of the encryption key.
Key lengths of 128 bits or greater are commonly used to ensure security against modern cryptanalysis techniques.
The secrecy of symmetric encryption relies on the key being an appropriate length and kept secret, while the algorithms and implementations are publicly known.
Kerckhoffs's principle states that a cryptographic system should be secure even if all its details, except for the key, are publicly known.
Examples of symmetric encryption algorithms include DES (56 bits), 3DES (168 bits), AES (128/192/256 bits), RC5 (usually 128 bits), Rijndael (128/192/256 bits), Blowfish (32-448 bits), and RC4 (stream cipher, rarely used nowadays).
Block ciphers encrypt data in blocks, while stream ciphers encrypt bit by bit.
Stream ciphers - These work by encrypting the plaintext data one bit at a time.
Asymmetric Ciphers
Asymmetric ciphers use two keys: a public key and a private key.
The public key is freely distributed, while the private key must be kept private.
Whatever is encrypted with one key can only be decrypted with the other key.
To communicate with confidentiality, the sender encrypts the message with the recipient’s public key, and the recipient decrypts it with their private key.
The sender possesses the recipient’s public key, which is freely available.
Asymmetric encryption can also be used for authentication by encrypting the message with the sender’s private key and decrypting it with the sender’s public key.
Asymmetric encryption keys are typically much larger, around 2048 bits or longer.
Asymmetric encryption is slower than symmetric encryption.
Asymmetric ciphers work using various mathematical techniques.
Depending on how the keys are used, asymmetric encryption can provide confidentiality and authentication.