Advanced Digital Forensics

E.R. Ramesh, M.C.A., [Link]., M.B.A.,


Unit - 3: Advanced Digital Forensics

Topics:

• Managing forensic data
• Tools for basic process functions
• Viewing, converting and cryptographic hashing
• Open source analysis tools and their use
• Risks and challenges (encryption, anonymity, volatility, anti-forensic programs, operating system dependency)

Managing Forensic Data

Equipment used when acquiring and handling evidence:

• Disk duplicators
• Write blockers
• Forensic tools (hardware and software)
• Faraday bags (to isolate wireless devices from the network while in custody)
• Cables and adapters

Chain of custody

• The documented record of how evidence is collected, handled, analysed and preserved: who had it, when, and what was done to it, from seizure to presentation in court.

Digital Forensic tool functions

(figure slides; no text content recoverable)
Data Acquisition

Forensic imaging

• Hardware
• Software
Advanced
Write Blockers Digital Forensics

15
Internal
Advanced
Write Blockers Digital Forensics

16
Advanced
Forensic Imaging - Tableau TD2U Digital Forensics

22
Internal
Advanced
Forensic Imaging - Tableau TD2U Digital Forensics

23
Internal
Advanced
Forensic Imaging - Tableau TD2U Digital Forensics

24
Internal
Advanced
Forensic Imaging - Tableau TD2U Digital Forensics

• Forensic Wiping
• Write-Block (default)
• Hard disk drive / USB drive:
o Disk Cloning
o Disk Imaging
• Hashing (MD5 and SHA1)
• Multiple copies (2)

25
Digital Forensics

Basic operational distinctions:

1) Live or post-mortem analysis
   a) i.e., volatile (running system) or static (powered-off media)
2) Free and open source software or closed, proprietary software
3) Multimedia or not
   a) Sensor-based system and indeterminate, or finite system and determinate
Digital evidence may be acquired from:

1) Desktop and laptop computers, storage media and file systems (hard drives, optical discs and floppy disks)
2) Networks, routers, servers, tapes and computer memory
3) Mobile, handheld and embedded systems
Viewing Forensic Data

• Using EnCase's search tool, you can view or search for keywords anywhere on the physical drive.
• You can search the entire case (all devices in the case) at once, or any subset of data within the case, down to a single file.
• Using FTK Imager, you can view a suspect drive image and extract the questioned file or data for forensic analysis.
• Using the F-RAT tool, you can view the registry values of the suspect computer.
• In every case the viewing is done on a write-blocked original or, preferably, on a verified forensic image, never on the original media mounted read-write.
• String and keyword searching involves looking at known and unknown files, as well as unallocated and slack space, to identify readable text within binary data or to find a file that contains a specific string.
• Volatile evidence analysis gives the analyst the ability to see what state the system is currently in by examining network connections, running processes and cache tables.
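As an added example (my code, not a tool from the slides), the following Python script performs the string extraction and keyword search just described over a constructed raw image, so that text sitting in slack and unallocated space is found even though no file-system entry points at it. The sample image, its offsets and the function names are constructed for illustration.

```python
import re

# Constructed sample "disk image": an allocated file's data, then slack space holding
# residue of an earlier file, then unallocated space with a UTF-16LE string (the
# encoding Windows uses for many registry values and NTFS names).
SAMPLE_IMAGE = (
    b"BEGIN REPORT: quarterly figures attached\x00"
    + b"\x00" * 32
    + b"transfer 50000 to acct 778812"                # residue in slack space
    + b"\x00" * 64
    + "password=Winter2024".encode("utf-16-le")       # in unallocated space
    + b"\xff" * 16
)


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least `min_len`
    characters, in ASCII and UTF-16LE, like `strings -a -e s` and `strings -a -e l`."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def keyword_hits(data, keywords):
    """Case-insensitive search of the raw bytes (not the file system) for each keyword
    in both encodings. Returns {keyword: [(offset, encoding), ...]}.
    Searching the raw image is what finds text in slack and unallocated space that a
    file-level search never sees."""
    hits = {}
    for kw in keywords:
        patterns = [
            (re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE), "ascii"),
            (re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE), "utf-16le"),
        ]
        hits[kw] = sorted((m.start(), enc) for pat, enc in patterns
                          for m in pat.finditer(data))
    return hits


def report(data, keywords):
    """Human-readable summary: each keyword hit with the extracted string it sits in."""
    strings = extract_strings(data)
    lines = []
    for kw, locs in keyword_hits(data, keywords).items():
        for off, enc in locs:
            width = 2 if enc == "utf-16le" else 1
            context = next((s for s in strings
                            if s[0] <= off < s[0] + len(s[2]) * width), None)
            lines.append(f"{kw!r} at offset {off} ({enc}): {context[2] if context else '?'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGE, ["acct", "password", "winter"])))
```

Real images are gigabytes, so the same regexes are applied chunk by chunk with an overlap of the maximum keyword length; the offsets reported then let the examiner map a hit back to a sector and, via the file system metadata, to the file or the unallocated region it belongs to.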
• Timeline analysis is the process whereby a timeline of events is created and analysed from the modified, accessed and changed (MAC) times, plus creation times where the file system records them, of all files that were imaged.
• System file analysis reveals unauthorized changes to system binaries, typically by comparing their hashes against a known-good reference set.
Managing Forensic Data

What is the need to manage forensic data?

• In many respects, IT evidence is just like any other evidence. However, the following characteristics warrant special processes for its management:

• a) design: computer systems will only create and retain electronic records if specifically designed to do so;

• b) volume: the large volume of electronic records causes difficulties with storage and prolongs the discovery of a specific electronic record;

• c) co-mingling: electronic records relating to a specific wrongdoing are mixed with unrelated electronic records;

• d) copying: electronic records can be copied immediately and perfectly, after which it is difficult, and in some cases impossible, to distinguish the original from the copy. In other cases, a purported copy may be deliberately or accidentally different from the original and hence evidentially questionable;

• e) volatility: electronic records can be immediately, deliberately or accidentally altered and expunged; and

• f) automation: electronic records may be automatically altered or deleted (by log rotation, retention policies or scheduled jobs, for example).
Principles for managing forensic data

Obligation to provide records

• a) Understand regulatory, administrative and best-practice obligations to produce, retain and provide records;
• b) Understand the steps that can be taken to maximize the evidentiary weight of records, and the implications of not doing so; and
• c) Understand regulatory constraints on the retention and provision of records.

Design for evidence

• Ensure that computer systems and procedures are capable of establishing the following:
• a) The authenticity of electronic records and whether they have been altered;
• b) The reliability of the computer programs generating such records;
• c) The time and date of creation or alteration;
• d) The identity of the author of an electronic record; and
• e) The safe custody and handling of records.

Evidence collection

• Collect information in a forensically sound manner. Ensure that evidence collection procedures are both:
• a) technologically robust, so that all relevant evidence is collected; and
• b) legally robust, to maximize evidentiary weight.

Chain of custody

• Establish procedures for the safe custody and retention of evidentiary records.
• Maintain a log recording all access to and handling of evidentiary records (who, when, why, and what was done).

Original and forensic duplicate

• Determine whether you are handling the original record or a copy of it. Ensure that any actions performed on the original or on a copy are appropriate and appropriately documented.
• Original evidence should be preserved in the state in which it is first identified. It should not be altered, and where alteration is unavoidable (for example, when acquiring a live system), the changes must be properly documented.
• Work on a verified forensic duplicate whose hash matches the original, and keep the original write-protected in storage.

Personnel

• Ensure that personnel involved in the design, production, collection, analysis and presentation of evidence have appropriate training, experience and qualifications to fulfil their role(s).
Viewing Forensic Data

Browsing a forensic image using:

• EnCase (licensed, commercial)
• FTK Imager (free of charge, but proprietary rather than open source)
Converting Forensic Data

• Data compression
• Data encryption
Data compression

• In signal processing, data compression, source coding or bit-rate reduction involves encoding information using fewer bits than the original representation.
• Compression can be either lossy or lossless. Lossless compression reduces bits by identifying and eliminating statistical redundancy; no information is lost. Lossy compression reduces bits by removing unnecessary or less important information.
• Only lossless compression is acceptable for a forensic image: the decompressed data must be bit-for-bit identical to the source so that its hash still verifies.
• The process of reducing the size of a data file is often referred to as data compression. In the context of data transmission it is called source coding: encoding done at the source of the data before it is stored or transmitted. Source coding should not be confused with channel coding (error detection and correction) or line coding (the means of mapping data onto a signal).
• Compression is useful because it reduces the resources required to store and transmit data.
• Computational resources are consumed in the compression process and, usually, in its reversal (decompression). Data compression is subject to a space-time complexity trade-off. For instance, a compression scheme for video may require expensive hardware for the video to be decompressed fast enough to be viewed as it is being decompressed, and the option to decompress the video in full before watching it may be inconvenient or require additional storage.
• The design of data compression schemes involves trade-offs among various factors, including the degree of compression, the amount of distortion introduced (when using lossy compression), and the computational resources required to compress and decompress the data.
Data encryption

• In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
• Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor.
• In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm (a cipher), generating ciphertext that can be read only if decrypted.
• For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm.
• It is in principle possible to decrypt the message without possessing the key, but for a well-designed encryption scheme this requires considerable computational resources and skill.
• An authorized recipient can easily decrypt the message with the key, which the originator provides to recipients but not to unauthorized users.
• Forensic data that needs to be shared outside the forensic organization must be encrypted before it is sent over a network for analysis. Record the image's hash before encryption and verify it again after decryption at the receiving end, so that the transfer is shown to have preserved integrity as well as confidentiality.
Cryptographic Hashing

• A cryptographic hash function is a hash function that takes an input (or 'message') of any length and returns a fixed-size bit string, conventionally written as a hexadecimal string.
• The output is called the 'hash value', 'message digest', 'digital fingerprint', 'digest' or 'checksum'.
• MD5 – 128 bits (16 bytes, 32 hex characters)
• SHA-1 – 160 bits (20 bytes, 40 hex characters)
• SHA-256 – 256 bits (32 bytes, 64 hex characters); the current recommendation, and most imaging tools can compute it alongside MD5 and SHA-1
• In forensics the hash of the source media is recorded at acquisition and compared with the hash of the image (and re-computed before analysis) to demonstrate that the copy is exact and unchanged.
MD5

• MD5 was designed by Ronald Rivest in 1991 to replace the earlier hash function MD4, and was specified in 1992 as RFC 1321.
• Collisions against MD5 can be calculated within seconds, which makes the algorithm unsuitable for most use cases where a cryptographic hash is required. It still detects accidental changes to an image, but an adversary can construct two different files with the same MD5, so it should be accompanied by SHA-256.
• MD5 produces a digest of 128 bits (16 bytes).
SHA-1

• SHA-1 was developed as part of the U.S. Government's Capstone project. The original specification, now commonly called SHA-0, was published in 1993 under the title Secure Hash Standard, FIPS PUB 180, by the U.S. standards agency NIST (National Institute of Standards and Technology).
• It was withdrawn by the NSA shortly after publication and superseded by the revised version, published in 1995 as FIPS PUB 180-1 and commonly designated SHA-1.
• Collisions against the full SHA-1 algorithm can be produced (the SHAttered attack, 2017), and the hash function should be considered broken for collision resistance. SHA-1 produces a digest of 160 bits (20 bytes).
• Documents may refer to SHA-1 as just "SHA", even though this may be confused with the other Secure Hash Algorithms such as SHA-0, SHA-2 and SHA-3.
An ideal cryptographic hash function has three main properties:

1. It is easy to calculate the hash of any given data.
2. It is computationally infeasible to find an input that has a given hash (preimage resistance), or a second input with the same hash as a given one (second-preimage resistance).
3. It is computationally infeasible to find any two different messages with the same hash (collision resistance); even a one-bit change in the input produces a completely different hash.
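The following is an added example (my code, not from the slides or any vendor tool) of the acquisition, conversion and hashing steps described on the Tableau TD2U, Converting Forensic Data and Cryptographic Hashing slides: it streams a source once through MD5, SHA-1 and SHA-256 while writing the image, verifies the image against the source, round-trips the image through lossless zlib compression, and shows that a single-byte change produces entirely different digests. The "device" is a constructed temporary file and the function names are my own.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so the source is read exactly once
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(path, sink=None):
    """Read `path` once, feeding each chunk to every hasher and, if given, to `sink`
    (the image file being written). Returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as src:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            if sink is not None:
                sink.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_and_verify(source, image_path):
    """Acquire `source` into `image_path`, then re-read the image and compare digests.
    Returns (source_hashes, image_hashes, verified)."""
    with open(image_path, "wb") as dst:
        source_hashes = hash_stream(source, sink=dst)
    image_hashes = hash_stream(image_path)
    return source_hashes, image_hashes, source_hashes == image_hashes


def compress_and_verify(image_path, compressed_path):
    """Convert a raw image to a zlib-compressed file and prove the conversion is lossless:
    decompress it again and check that every digest still matches the raw image.
    Returns (lossless, smaller)."""
    raw_hashes = hash_stream(image_path)
    with open(image_path, "rb") as f, open(compressed_path, "wb") as out:
        out.write(zlib.compress(f.read(), 6))
    with open(compressed_path, "rb") as f:
        restored = zlib.decompress(f.read())
    restored_hashes = {name: hashlib.new(name, restored).hexdigest() for name in ALGORITHMS}
    smaller = os.path.getsize(compressed_path) < os.path.getsize(image_path)
    return restored_hashes == raw_hashes, smaller


def digest_sizes(hashes):
    """Digest length in bytes per algorithm (16 / 20 / 32 for MD5 / SHA-1 / SHA-256)."""
    return {name: len(hexdigest) // 2 for name, hexdigest in hashes.items()}


def demo():
    """Run the whole workflow on a constructed 3 MiB 'device' and return the outcomes."""
    work = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(work, "device.bin")
    image = os.path.join(work, "device.dd")
    packed = os.path.join(work, "device.dd.z")
    with open(device, "wb") as f:                  # constructed, repetitive sample data
        f.write(bytes(range(256)) * (3 * 4096))
    src_h, img_h, verified = image_and_verify(device, image)
    lossless, smaller = compress_and_verify(image, packed)
    # Tamper with one byte of a copy of the image and show that every digest changes.
    tampered = os.path.join(work, "tampered.dd")
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[1234] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(data)
    tampered_h = hash_stream(tampered)
    empty = os.path.join(work, "empty.bin")        # known-answer check: digests of ""
    open(empty, "wb").close()
    return {
        "verified": verified,
        "lossless": lossless,
        "smaller": smaller,
        "sizes": digest_sizes(src_h),
        "tampered_differs": all(tampered_h[a] != img_h[a] for a in ALGORITHMS),
        "empty": hash_stream(empty),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the source and the image in the same pass is what a hardware duplicator does internally; the separate re-hash of the image file is the verification step that belongs in the acquisition notes, and it is repeated before analysis and again before the image leaves custody.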
Open Source analysis tools and their use

• EnCase Forensic Imager (free of charge, proprietary)
• FTK Imager (free of charge, proprietary)
• ProDiscover Basic (free edition, proprietary)
• Bulk Extractor (open source)
• WinHex (commercial hex editor with forensic features)
• Ultimate Forensic Outflow

Of the tools listed, only Bulk Extractor is open source; the others are free-to-use or commercial proprietary products.
Risks - Challenges

• Encryption
• Anonymity
• Volatility
• Anti-forensic programs
• Operating system dependency
Challenges - Encryption

• While encryption is undoubtedly beneficial for data security, it poses significant challenges for digital forensic investigations.
• When investigators find encrypted data, they may hit a brick wall in accessing and analysing it, which can stall the investigation.
• Timely access to digital evidence is crucial in criminal cases such as child exploitation, terrorism or cybercrime, and encrypted data can pose significant problems in such cases.
The "Going Dark" debate

• The ongoing tension between encryption and law enforcement's ability to access encrypted data is referred to as the "going dark" debate. Law enforcement agencies argue that widespread encryption hinders their ability to gather evidence and investigate crimes, potentially harming public safety.
• On the other hand, privacy advocates and technology companies maintain that strong encryption is essential for protecting individual privacy and maintaining trust in digital communications.
• The debate has ignited heated public and legal discussion. Governments have proposed measures such as mandating backdoors or exceptional-access mechanisms to address the encryption challenge.

Forensic techniques and workarounds

• Despite these challenges, digital forensic professionals have devised techniques and alternative approaches that help them gather evidence from encrypted data sources. These include:
• Keyword searches and metadata analysis: even when the content is encrypted, investigators may be able to extract valuable information from unencrypted metadata (file names, sizes, timestamps, container headers) or perform keyword searches on file names and other identifiers.
• Live data acquisition: if investigators can gain access to a device or system while it is powered on and unlocked, they may be able to capture decrypted data or memory contents (including the keys of mounted encrypted volumes) before the system is locked or powered off. This is why a running, unlocked device should not be switched off before its volatile data has been captured.
• Exploiting vulnerabilities: in some cases, vulnerabilities or flaws in an encryption implementation may allow investigators to bypass the encryption and access the data.
• Brute-force attacks: these can be used to guess weak encryption keys or passwords, particularly with less secure algorithms, short passwords, or keys derived from passwords with weak key derivation.
• Cloud data extraction: with the increasing use of cloud services, investigators may be able to obtain data from cloud providers, bypassing local encryption on devices or systems.
• Legal processes: in some cases, investigators may be able to compel individuals or organizations to provide encryption keys or passwords through legal processes such as court orders or search warrants.
Challenges - Anonymity

• Anonymity and identity shielding allow a user to hide or disguise their identifying information online. While this protects their privacy, it can make it difficult to hold them responsible for what they say and do online.

A user can hide or disguise their identifying information, such as their real name, age, location and data use, through:

• total anonymity: not revealing any identifying information about themselves
• partial anonymity: revealing their identifying information only to a limited audience, shielded from the general public.

• There are various ways for a user to hide or disguise their identifying information. Technical approaches to anonymity include software, browsers and encrypted or decentralised platforms.
• Examples include virtual private networks that mask the user's location and device details (IP address), anonymising processes that conceal the link between a message and its sender (such as onion routing), and end-to-end encryption that allows only the sender and recipient to decode digital content.
Challenges - Volatility

• Digital evidence is volatile and fragile, and improper handling can alter it. Because of this, protocols must be followed to ensure that data is not modified during handling (access, collection, packaging, transfer and storage). These protocols set out the steps to be followed when handling digital evidence.
• There are protocols for collecting volatile evidence. Volatile evidence should be collected in order of volatility: the most volatile evidence is collected first and the least volatile last.

The following is a sample order of volatility (from most to least volatile) for a standard system, as given in RFC 3227:

• registers, cache
• routing table, ARP (address resolution protocol) cache, process table, kernel statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data relevant to the system in question
• physical configuration, network topology
• archival media

Every collection step itself changes the system (running a tool creates a process and touches memory), so record what was run, when and by whom, and capture the most fragile state before the less volatile state.
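The following added Python script (mine, not from the slides) turns the order-of-volatility list into a collection run: it executes each step in the listed order, saves the output, and writes a manifest with UTC start/end times, exit status and the SHA-256 of every output file. The Linux commands in LINUX_ORDER are assumed to exist on the target (a missing tool is logged and skipped rather than silently dropped); the steps used by demo() are constructed so that the script runs anywhere Python does.

```python
import datetime
import hashlib
import json
import os
import shutil
import subprocess
import sys
import tempfile

# Collection steps ordered from most to least volatile, following the slide's list.
# Assumed Linux commands; adjust for the target. The clock is captured first so every
# later timestamp can be related to a trusted time source.
LINUX_ORDER = [
    ("01_clock",        ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("02_routes",       ["ip", "route", "show"]),
    ("03_arp_cache",    ["ip", "neigh", "show"]),
    ("04_connections",  ["ss", "-tunap"]),
    ("05_processes",    ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("06_kernel_stats", ["cat", "/proc/meminfo", "/proc/loadavg", "/proc/modules"]),
    ("07_tmpfs",        ["ls", "-laR", "/tmp", "/dev/shm"]),
    ("08_mounts",       ["cat", "/proc/mounts"]),
]


def _now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def collect(out_dir, steps=LINUX_ORDER, timeout=60):
    """Run each step in order, save its output under out_dir, and write a manifest with
    the command, UTC start/end, exit status and SHA-256 of each output file. The manifest
    is the contemporaneous note that chain of custody requires. Returns the manifest."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for name, cmd in steps:
        entry = {"name": name, "cmd": cmd, "start": _now()}
        if shutil.which(cmd[0]) is None:
            entry["status"] = "skipped: tool not found"   # recorded, never silently dropped
        else:
            path = os.path.join(out_dir, name + ".txt")
            with open(path, "wb") as out:
                try:
                    proc = subprocess.run(cmd, stdout=out, stderr=subprocess.STDOUT,
                                          timeout=timeout)
                    entry["status"] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
                except subprocess.TimeoutExpired:
                    entry["status"] = "timeout"
            with open(path, "rb") as f:
                entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
            entry["file"] = path
        entry["end"] = _now()
        manifest.append(entry)
    with open(os.path.join(out_dir, "manifest.json"), "w") as mf:
        json.dump(manifest, mf, indent=2)
    return manifest


def demo():
    """Exercise collect() with constructed steps that exist wherever Python runs:
    one that succeeds, one that fails, and one whose tool is missing."""
    steps = [
        ("01_ok",      [sys.executable, "-c", "print('hello')"]),
        ("02_fails",   [sys.executable, "-c", "import sys; sys.exit(3)"]),
        ("03_missing", ["no-such-forensic-tool-xyz"]),
    ]
    return collect(tempfile.mkdtemp(prefix="vol_"), steps)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real suspect host the commands must come from the examiner's own trusted toolkit (statically linked binaries on read-only media), not from the suspect's PATH, because the system's own `ps` or `ss` may have been replaced; and the output should go to removable or remote storage rather than the suspect's disk, so that unallocated space is not overwritten.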
Challenges – Anti-Forensic programs

• Anti-forensics refers to any strategy or software intended to thwart a forensic examination. Attackers can hide information in a variety of ways: some tools disguise data by altering it, for example by changing a file's header or metadata, or by renaming a .jpg file to .mp3 so that a casual observer believes it is an audio file.
• Attackers use anti-forensic techniques to falsify or undermine the forensic evidence, leading investigators down a wrong trail. It therefore becomes a daunting task to retrieve reliable evidence from the scene, and identifying which anti-forensic techniques were used adds considerable time to the investigation.
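An added example (my code, not the slide author's) of the check an examiner applies against the .jpg-renamed-to-.mp3 trick: compare what the extension claims with what the file's leading bytes say. The signature table is a small constructed subset; real examinations use libmagic (`file`) or a full signature database, and the sample files created by demo() are constructed.

```python
import os
import tempfile

# File signatures ("magic numbers") at offset 0 for a few common types.
# Constructed subset for illustration; not a complete signature database.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],  # ID3 tag or MPEG frame sync
}
# Extensions whose content is really another container type.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "apk": "zip",
           "jar": "zip", "dll": "exe", "sys": "exe"}


def identify(header):
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None


def check_file(path):
    """Compare what the extension claims with what the header says."""
    with open(path, "rb") as f:
        header = f.read(16)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    if actual is None:
        verdict = "unknown"    # no signature: plain text, or a header an attacker blanked
    elif actual == claimed:
        verdict = "match"
    else:
        verdict = "mismatch"   # extension and content disagree: examine more closely
    return {"path": path, "extension": ext, "magic": actual, "verdict": verdict}


def scan(directory):
    return [check_file(os.path.join(root, name))
            for root, _, names in os.walk(directory) for name in sorted(names)]


def demo():
    """Constructed sample files: an honest JPEG, a JPEG renamed to .mp3 (the trick the
    slide describes), a Word document (really a ZIP container) and plain text."""
    d = tempfile.mkdtemp(prefix="magic_")
    samples = {
        "photo.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "song.mp3":     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,  # disguised JPEG
        "archive.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 32,
        "notes.txt":    b"meeting at 10, bring the ledger\n",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return {os.path.basename(r["path"]): r["verdict"] for r in scan(d)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

A mismatch is a lead, not a conclusion: an attacker who also overwrites the header defeats this check, which is why the result is combined with file-size, entropy and content analysis rather than trusted on its own.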
Anti-forensic techniques are used to:

o Delete evidence of cybercrime
o Compromise the forensic analyst's reports
o Delete or modify log records of the attacker's activities

• Forensic investigators then find it hard to recover solid evidence against the attacker or to trace the digital footprints. They may be unable to pinpoint the origin of the attack, retrieve stolen data, or identify and reach the attacker group. Several anti-forensic techniques also go undetected by threat or malware detection tools and security analysis.
Top 6 anti-forensic techniques

• With the increase in ransomware attacks and other malware campaigns, it is evident that cybercriminals are increasingly using sophisticated techniques to launch their attacks.
• Some of the popular anti-forensic methods that threat actors use include:
1. Encryption

• One of the most widespread anti-forensic techniques is encryption: transforming confidential or sensitive information into ciphertext that is unintelligible without the key. Modern encryption algorithms prevent unwanted eyes from reading the concealed text, image or code. Attackers make use of full-volume encryption and key files to hide their malicious code or campaign data. A secret key is used to encrypt the information, and the corresponding key decrypts the ciphertext back to plaintext at the destination.
• Forensic analysts cannot decrypt such files without the key. Encrypted malicious files are also missed by many security screening techniques and tools, since signature-based scanners see only ciphertext.
2. Program packers

• Program packers are another anti-forensic technique attackers use to hide their data from detection and scanning. Like encryption, a packer first compresses and/or encrypts the executable's code and data; a small stub then unpacks it in memory at run time.
• Packers were originally used to reduce the size of files and programs. However, attackers began using them to hide an infected file or program and evade detection by anti-malware tools or security analysis. Packers seen in malicious use include UPX, The Enigma Protector and MPRESS.
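Both the encryption and the packer passages note that scanners see only unintelligible bytes. As an added example (mine, not from the slides), the following Python triage computes Shannon entropy, which is the practitioner's usual first indicator that a file or region is compressed, packed or encrypted, and looks for the section-name strings UPX leaves behind. The thresholds, the fake packed sample and the seeded PRNG noise standing in for ciphertext are constructed assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, block=512):
    """Per-block entropy, so a packed or encrypted payload inside an otherwise ordinary
    file shows up as a high plateau instead of being averaged away."""
    return [round(shannon_entropy(data[i:i + block]), 2) for i in range(0, len(data), block)]


def classify(data, high=7.2, low=6.0):
    """Triage heuristic only: >= `high` bits/byte is typical of compressed, packed or
    encrypted content; plain text and ordinary native code sit well below `low`.
    Legitimate JPEG/ZIP/PDF streams are also high-entropy, so combine this with a
    signature check before drawing conclusions."""
    e = shannon_entropy(data)
    if e >= high:
        return "high"
    if e >= low:
        return "medium"
    return "low"


def upx_markers(data):
    """Cheap packer tell: UPX leaves its section names and banner in the file unless
    the attacker has scrubbed them."""
    return [m.decode() for m in (b"UPX0", b"UPX1", b"UPX!") if m in data]


def demo():
    """Constructed inputs: repetitive English text, a fake PE-like blob carrying UPX
    markers and a high-entropy body, and a seeded PRNG stream standing in for ciphertext."""
    rng = random.Random(1234)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    text = b"The quick brown fox jumps over the lazy dog. " * 200
    fake_packed = (b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1"
                   + noise[:4096] + b"UPX!")
    return {
        "text": classify(text),
        "noise": classify(noise),
        "packed": classify(fake_packed),
        "packed_markers": upx_markers(fake_packed),
        "text_markers": upx_markers(text),
        "text_entropy": round(shannon_entropy(text), 2),
        "noise_entropy": round(shannon_entropy(noise), 2),
        "profile_blocks": len(entropy_profile(fake_packed)),
    }


if __name__ == "__main__":
    print(demo())
```

Entropy cannot distinguish encryption from compression or from a genuine media file, and a packer that pads with low-entropy filler can drag the average down; the per-block profile and the marker strings are there to catch those cases, and the final answer comes from unpacking or decrypting the sample in a sandbox.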
3. Overwriting data

• Attackers use overwriting programs to frustrate forensic investigation and minimise their digital footprint. Also known as data cleaning, data erasure or secure deletion, overwriting is an old-school trick that attackers still use.
• Many tools are available to overwrite specific text, metadata or entire media on a storage system, which hinders forensic analysts during the recovery phase: ordinary deletion leaves the content in unallocated space, but overwritten content is gone.
• Overwriting original data with zeros, random bytes or false data minimises the attacker's recoverable footprint.

Overwriting data includes:

• Overwriting all the original data
• Overwriting individual files
• Overwriting previously deleted files (free space), continuing until no free space remains
4. Onion routing

• Onion routing is a technique for communicating anonymously over a network: messages are encrypted in layers, one per relay, and the layered encryption resembles an onion, hence the name.
• The Onion Router (Tor) is used to access the web anonymously, giving attackers a convenient way to reach the dark web, hide their footprints and launch attacks. Onion routing allows attackers to conceal their internet activities, IP address and network usage.
• Data transmitted through onion routing passes through multiple network nodes, each of which removes one layer of encryption; the data reaches its destination once the last layer has been removed.
• To attribute the traffic, investigators would have to trace it back hop by hop from the destination through the exit node to the entry node, which requires visibility at each relay and is rarely possible. Onion routing therefore makes it difficult to trace an attack back to the attacker and increases the time needed for analysis.
5. Steganography

• Steganography is the process of hiding secret messages or information within an audio, image, video or text file in a way that does not arouse suspicion.
• Steganography techniques are often combined with encryption to provide an added layer of protection.
• The secret data is extracted by the intended recipient using a steganography tool that decodes the hidden message.

• Attackers use steganography to hide malicious code and files within legitimate files in order to bypass security controls and obscure their trail.
• This anti-forensic technique allows attackers to conduct malicious activities without being detected by threat detection tools and other security controls.
• Attackers have been known to hide malicious payloads or covert messages, like invisible ink, inside images of celebrities, news articles, advertisements and similar innocuous content.
6. Changing timestamps

• Forensic investigators pinpoint or trace an attacker partly by establishing the location and time of the attack.
• Attackers therefore use anti-forensic techniques such as changing timestamps (timestomping) so that files and log entries appear to have been created or modified at a different time, undermining the evidence that would establish the attacker's location or the time of the attack.
• Manipulated timestamps make it difficult for the investigator to build a reliable timeline or to determine the actual sequence of events.
• Attackers can modify the timestamp of a file or program as an added method of escaping investigation. They may also alter the clock or timestamps on compromised servers so that their activity is logged with misleading times, or so that evidence is removed without being obviously recorded.
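The following added Python example (mine, not from the slides) implements the timeline analysis described earlier in this unit together with a check for the timestamp manipulation described on this slide: it builds a MAC-time timeline for a directory and flags files whose modification time is implausibly older than their inode change time. The two sample files and the 2001 timestamp are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone


def mac_timeline(root):
    """Flatten every file's modified / accessed / changed times into one sorted list of
    (timestamp, kind, path), the idea behind a bodyfile fed to mactime."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            events += [(st.st_mtime, "m", p), (st.st_atime, "a", p), (st.st_ctime, "c", p)]
    return sorted(events)


def suspected_timestomp(root, slack=3600):
    """Flag files whose mtime is more than `slack` seconds older than their ctime.
    utime() / touch -d / SetFileTime rewrite mtime and atime but cannot set the inode
    change time on Linux/macOS, so a file that was written recently yet claims an old
    mtime is the classic stomping tell. Heuristic only: chmod/chown/rename on a genuinely
    old file also bump ctime, so treat hits as leads, not proof. On Windows st_ctime is
    the creation time and this check does not apply as written."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            if st.st_ctime - st.st_mtime > slack:
                flagged.append(p)
    return sorted(flagged)


def demo():
    """Constructed scenario: two freshly written files, one of which has its timestamps
    pushed back to 2001 the way a timestomping tool would."""
    root = tempfile.mkdtemp(prefix="tl_")
    report = os.path.join(root, "report.docx")
    dropper = os.path.join(root, "dropper.exe")
    for path, content in ((report, b"constructed report"), (dropper, b"constructed payload")):
        with open(path, "wb") as f:
            f.write(content)
    stomped = datetime(2001, 9, 9, 1, 46, 40, tzinfo=timezone.utc).timestamp()
    os.utime(dropper, (stomped, stomped))   # sets atime/mtime only; ctime stays 'now'
    timeline = mac_timeline(root)
    return {
        "first_event": (timeline[0][1], os.path.basename(timeline[0][2])),
        "event_count": len(timeline),
        "flagged": [os.path.basename(p) for p in suspected_timestomp(root)],
    }


if __name__ == "__main__":
    d = demo()
    print("earliest event:", d["first_event"])
    print("suspected timestomping:", d["flagged"])
```

On NTFS the equivalent tell is a $STANDARD_INFORMATION timestamp that disagrees with the $FILE_NAME timestamp for the same file, or timestamps whose sub-second field is exactly zero; the principle is the same in every case, which is to compare a timestamp the attacker can set against one they cannot.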

• The challenges that anti-forensic tools present to a digital forensics investigation are serious. Businesses are transitioning to remote work and adopting more sophisticated digital practices, and likewise the malicious actors using anti-forensic tools and techniques to launch malware campaigns are evolving and increasingly sophisticated.
• They may also encrypt their network traffic in order to carry out identity theft or corrupt files undetected. Organizations must therefore implement countermeasures to detect, report and restrict the use of anti-forensic techniques.
Challenges – Operating System dependency

• Some forensic tools work correctly only on certain versions of an operating system.
• A forensic tool may not be available for the specific operating system running on the suspect host.
• Operating system artefacts acquired from the suspect host may be in formats that the analyst's tools cannot parse.
Q&A

E.R. Ramesh, M.C.A., [Link]., M.B.A.,
+91 98410 59353 / +91 98403 50547
rameshvani@[Link]