Digital Forensics: Evidence Analysis Basics

Digital forensics involves the collection, analysis, and interpretation of digital evidence, which can include data from computers that supports or refutes theories of criminal offenses. Key principles include maintaining the integrity and chain of custody of evidence, ensuring forensic soundness, and the importance of objectivity and repeatability in analyses. Digital evidence can be categorized based on its role in crimes, such as being the object, subject, tool, or symbol of a crime.

Uploaded by indira


UNIT 1

Digital Forensics

It is the collection, analysis, and interpretation of digital evidence.

1.1 Digital Evidence


For the purposes of this text, digital evidence is defined as any data stored or
transmitted using a computer that support or refute a theory of how an offense
occurred or that address critical elements of the offense such as intent or alibi
(adapted from Chisum, 1999).

The data referred to in this definition are essentially a combination of numbers
that represent information of various kinds, including text, images, audio, and video.
Principles of Digital Forensics
1.4.1 Evidence Exchange
• The main goals in any investigation are to follow the trails that offenders leave
during the commission of a crime and to tie perpetrators to the victims and
crime scenes. Although witnesses may identify a suspect, tangible evidence of
an individual’s involvement is usually more compelling and reliable. Forensic
analysts are employed to uncover compelling links between the offender,
victim, and crime scene.
• In computer intrusions, the attackers will leave multiple traces of their
presence throughout the environment, including in the file systems,
registry, system logs, and network-level logs. Furthermore, the attackers
could transfer elements of the crime scene back with them, such as stolen
user passwords. Such evidence can be useful to link an individual to an
intrusion.
• In an e-mail harassment case, the act of sending threatening messages via a Web-
based e-mail service such as Hotmail can leave a number of traces. The Web
browser used to send messages will store files, links, and other information on the
sender’s hard drive along with date-time–related information. Therefore, forensic
analysts may find an abundance of information relating to the sent message on the
offender’s hard drive, including the original message contents. Additionally,
investigators may be able to obtain related information from Hotmail, including
Web server access logs, IP addresses, and possibly the entire message in the sent
mail folder of the offender’s e-mail account.
1.4.2 Evidence Characteristics

• The exchanges that occur between individual and crime scene produce trace evidence
belonging to one of two general categories: (i) evidence with attributes that fit in the
group called class characteristics and (ii) evidence with attributes that fall in the category
called individual characteristics.
• For instance, class characteristics in a questioned Microsoft Word document may enable
forensic analysts to determine that the document is fake, because it could have been
created using a version of Microsoft Word that was released several years after the
purported creation date of the document. When there is concern that digital evidence
has been concealed or destroyed, class characteristics may reveal that a particular
encryption mechanism or data destruction tool was used on the evidential computer.
• The more conclusive individual characteristics are rarer but not impossible to identify
through detailed forensic analysis. Certain printers mark every page with a pattern that
can be uniquely associated with the device. Unique marks on a digitized photograph
might be used to demonstrate that the suspect’s scanner or digital camera was involved.
Similarly, a specific floppy drive may make unique magnetic impressions on a floppy
disk, helping to establish a link between a given floppy disk and the suspect’s computer.
1.4.3 Forensic Soundness

• In order to be useful in an investigation, digital evidence must be preserved and
examined in a forensically sound manner. Some practitioners of digital forensics
think that a method of preserving or examining digital evidence is only forensically
sound if it does not alter the original evidence source in any way.
• In digital forensics, the routine task of acquiring data from a hard drive, even when
using a hardware write-blocker, alters the original state of the hard drive. Such
alterations can include making a hidden area of the hard drive accessible, or
updating information maintained by Self-Monitoring, Analysis, and Reporting
Technology (S.M.A.R.T.) on modern hard drives. Furthermore, most methods of
acquiring the contents of memory on live computer systems and mobile devices
alter or overwrite portions of memory, but this is a generally accepted practice in
digital forensics. In fact, courts are starting to compel preservation of volatile
computer data in some cases, which requires digital investigators to preserve data
on live systems. In Columbia Pictures Indus. v. Bunnell, for example, the court held
that random access memory (RAM) on a Web server could contain relevant log
data and was therefore within the scope of discoverable information in this case.
1.4.4 Authentication

• Authentication of digital evidence will be covered in more detail in Chapter 3, but it
is important to have a basic understanding of this concept from the outset.
• For instance, the individual who collected the evidence can confirm that the
evidence presented in court is the same as when it was collected.
• Similarly, a system administrator can testify that log files presented in court
originated from her/his system.
1.4.5 Chain of Custody

• One of the most important aspects of authentication is maintaining and
documenting the chain of custody (a.k.a. continuity of possession) of evidence.
• Each person who handled evidence may be required to testify that the evidence
presented in court is the same as when it was processed during the investigation.
Although it may not be necessary to produce at trial every individual who handled
the evidence, it is best to keep the number to a minimum and maintain
documentation to demonstrate that digital evidence has not been altered since it
was collected. A sample chain of custody form is shown in Figure 1.2, recording the
transfer of evidence, when, where, and why.
1.4.6 Evidence Integrity

• The purpose of integrity checks is to show that evidence has not been altered from
the time it was collected, thus supporting the authentication process. In digital
forensics, the process of verifying the integrity of evidence generally involves a
comparison of the digital fingerprint for that evidence taken at the time of
collection with the digital fin
• Currently, the most commonly used algorithms for calculating message digests in
digital forensics are MD5 and SHA-1. SHA is very similar to MD5 and is currently
the U.S. government’s message digest algorithm of choice.
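The following is an added worked example of the integrity check (1.4.6) combined with the chain-of-custody record (1.4.5); it is not code from the original slides or from the text they are drawn from. It assumes a constructed in-memory byte string as the "evidence" and a record layout of my own; it uses SHA-256 by default and accepts the MD5 and SHA-1 digests the text names for comparison with older records, and it goes one step beyond the text by re-checking the fingerprint at every handover so that an alteration is tied to a specific custodian.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence: an in-memory byte string standing in for an
# acquired disk image (a real acquisition would read the image file in chunks).
SAMPLE_IMAGE = b"constructed disk image: MBR|FAT|user files|slack space\n" * 256

CHUNK = 1 << 20  # 1 MiB, so the same loop copes with multi-gigabyte images


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex message digest (digital fingerprint) of the evidence bytes.

    MD5 and SHA-1, the algorithms the text names, are accepted so that older
    records can still be compared; SHA-256 is the default for new records
    because MD5 and SHA-1 are no longer collision resistant.
    """
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def _entry(action: str, person: str, where: str, why: str) -> dict:
    """One chain-of-custody line: what happened, who, when, where, why."""
    return {"action": action, "by": person, "where": where, "why": why,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds")}


def collect(data: bytes, item_id: str, collector: str, where: str) -> dict:
    """Start the record: fingerprint taken at collection plus the first custody entry."""
    return {
        "item_id": item_id,
        "algorithm": "sha256",
        "digest_at_collection": digest(data),
        "custody": [_entry("collected", collector, where, "initial acquisition")],
    }


def verify(record: dict, data: bytes) -> bool:
    """Integrity check: does the evidence still match its collection-time digest?"""
    return digest(data, record["algorithm"]) == record["digest_at_collection"]


def transfer(record: dict, data: bytes, to_person: str, where: str, why: str) -> bool:
    """Hand the item to the next custodian. The digest is re-checked at every
    handover and the outcome logged, so any alteration is pinned to a specific
    link in the chain instead of being discovered at trial."""
    ok = verify(record, data)
    record["custody"].append(
        _entry("transferred" if ok else "INTEGRITY FAILURE", to_person, where, why))
    return ok


if __name__ == "__main__":
    rec = collect(SAMPLE_IMAGE, "ITEM-001", "A. Examiner", "field office")
    print("intact after transfer:", transfer(rec, SAMPLE_IMAGE, "B. Analyst", "lab", "analysis"))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # a single altered byte
    print("intact after tampering:", transfer(rec, tampered, "C. Clerk", "evidence room", "storage"))
    for e in rec["custody"]:
        print(e["at"], e["action"], e["by"], e["where"], e["why"])
```

The same comparison is what lets a working copy be examined in place of the original (see the challenging-aspects slide): a copy whose digest matches the collection-time fingerprint is, bit for bit, the original.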
1.4.7 Objectivity

• A cornerstone of a forensic analysis is objectivity. The interpretation and
presentation of evidence should be free from bias to provide decision makers with
the clearest possible view of the facts. As will be discussed in Chapter 3, this can be
difficult given preconceived notions and the external pressures to reach specific
conclusions.
• The most effective approach to remaining objective is to let the evidence speak for
itself as much as possible. Every conclusion should be presented along with all of
the supporting factual evidence. Another effective approach to ensuring
objectivity is to have a peer review process that assesses a forensic analyst’s
findings for bias or any other weakness.
1.4.8 Repeatability

• An important aspect of the scientific method is that any experiments or
observations must be repeatable in order to be independently verifiable. This is
particularly important to be able to independently verify findings in a forensic
context, when a person’s liberty and livelihood may be at stake. Therefore, it may
become necessary for one forensic analyst to repeat some or all of the analysis
performed by another forensic analyst. To enable such a verification of forensic
findings, it is important to document the steps taken to find and analyze digital
evidence in sufficient detail to enable others to verify the results independently.
This documentation may include the location and other characteristics of the
digital evidence, as well as the tools used to analyze the data.
Challenging Aspects of Digital Evidence
• First, it is evidence that can be very difficult to handle.
• Digital evidence is volatile and fragile and the improper handling of this evidence can
alter it. Because of its volatility and fragility, protocols need to be followed to ensure
that data is not modified during its handling (i.e., during its access, collection,
packaging, transfer, and storage)
• Second, digital evidence is generally an abstraction of some digital object or event.
When a person instructs a computer to perform a task such as sending an e-mail, the
resulting activities generate data remnants that give only a partial view of what
occurred (Venema & Farmer, 2000).
• Fortunately, digital evidence has several features that mitigate this problem.
• Digital evidence can be duplicated exactly and a copy can be examined
as if it were the original.
• It is common practice when dealing with digital evidence to examine a copy, thus
avoiding the risk of altering or damaging the original evidence.
• With the right tools, it is very easy to determine if digital evidence has
been modified or tampered with by comparing it with an original copy.
• Digital evidence is difficult to destroy. Even when a file is “deleted” or a
hard drive is formatted, digital evidence can be recovered.
• When criminals attempt to destroy digital evidence, copies and associated
remnants can remain in places that they were not aware of.
Evidence Dynamics and the Introduction of Error
• Some examples of evidence dynamics encountered in past cases:
• A system administrator attempted to recover deleted files from a hard drive by installing
software on an evidential computer, saving recovered files onto the same drive. This
process overwrote unallocated space, rendering potentially useful deleted data
unrecoverable.
• Consultants installed a pirated version of a forensic tool on the compromised server. In
addition to breaking the law by using an unlicensed version of digital forensic software,
the installation altered and overwrote data on the evidential computer.
• Responding to a computer intrusion, a system administrator intentionally deleted an
account that the intruder had created and attempted to preserve digital evidence using
the standard backup facility on the system.
• This backup facility was outdated and had a flaw that caused it to change the times of
the files on the disk before copying them. Thus, the date-time stamps of all files on the
disk were changed to the current time, making it nearly impossible to reconstruct the
crime.
• During an investigation involving several machines, a first responder did not follow
standard operating procedures and failed to collect important evidence. Additionally,
evidence collected from several identical computer systems was not thoroughly
documented, making it very difficult to determine which evidence came from which
system.
The role of computers in crime

• In addition to clarifying the general terms describing this field, it is productive to
develop terminology describing the role of computers in crime. More specific language
is crucial for developing a deeper understanding of how computers can be involved in
crime, and more refined approaches are crucial for investigating different kinds of
crimes. For example, investigating a computer intrusion requires one approach, while
investigating a homicide with related digital evidence requires a completely different
procedure.
• Computers can play one of the following four roles in crime; while reading through
these categories, notice the lack of reference to digital evidence.
1. A computer can be the object of a crime. When a computer is affected by
the criminal act, it is the object of the crime (e.g., when a computer is
stolen or destroyed).
2. A computer can be the subject of a crime. When a computer is the environment
in which the crime is committed, it is the subject of the crime
(e.g., when a computer is infected by a virus or impaired in some other
way to inconvenience the individuals who use it).
3. The computer can be used as the tool for conducting or planning a crime.
For example, when a computer is used to forge documents or break into
other computers, it is the instrument of the crime.
4. The symbol of the computer itself can be used to intimidate or deceive. An
example given is of a stockbroker who told his clients that he was able to
make huge profits on rapid stock option trading by using a secret computer
program in a giant computer in a Wall Street brokerage firm. Although he
had no such programs or access to the computer in question, hundreds of
clients were convinced enough to invest a minimum of $100,000 each.
• In this context, hardware refers to all of the physical components of a computer, and
information refers to the data and programs that are stored on and transmitted using a
computer. The three categories that refer to information all fall under the guise of
digital evidence.
• USDOJ (US Department of Justice) categories:
1. Hardware as Contraband or Fruits of Crime.
2. Hardware as an Instrumentality.
3. Hardware as Evidence.
4. Information as Contraband or Fruits of Crime.
5. Information as an Instrumentality.
6. Information as Evidence.
1. Hardware as Contraband or Fruits of Crime

• Contraband is property that the private citizen is not permitted to possess. For
example, under certain circumstances, it is illegal for an individual in the United
States to possess hardware that is used to intercept electronic communications
(18 USCS 2512). The concern is that such devices enable individuals to obtain
confidential information, violate other people’s privacy, and commit a wide range of
other crimes using intercepted data. Cloned cellular phones and the equipment that is
used to clone them are other examples of hardware as contraband.
• The fruits of crime include property that was obtained by criminal activity, such as
computer equipment that was stolen or purchased using stolen credit card numbers.
Also, microprocessors are regularly stolen because they are very valuable, they are in
high demand, and they are easy to transport.
2. Hardware as an Instrumentality

• When computer hardware has played a significant role in a crime, it is considered an
instrumentality. This distinction is useful because, if a computer is used like a weapon
in a criminal act, much like a gun or a knife, this could lead to additional charges or a
heightened degree of punishment. The clearest example of hardware as the
instrumentality of crime is a computer that is specially manufactured, equipped, and/or
configured to commit a specific crime.
• For instance, sniffers are pieces of hardware that are specifically designed to
eavesdrop on a network. Computer intruders often use sniffers to collect passwords
that can then be used to gain unauthorized access to computers.
3. Hardware as Evidence

• Before 1972, “mere evidence” of a crime could not be seized. However, this
restriction was removed and it is now acceptable to “search for and seize any
property that constitutes evidence of the commission of a criminal offense”
(Federal Rules of Criminal Procedure 41 [b]). This separate category of hardware
as evidence is necessary to cover computer hardware that is neither contraband
nor the instrumentality of a crime. For instance, if a scanner that is used to
digitize child pornography has unique scanning characteristics that link the
hardware to the digitized images, it could be seized as evidence.
4. Information as Contraband or Fruits of Crime

• As previously mentioned, contraband information is information that the private
citizen is not permitted to possess. A common form of information as contraband is
encryption software. In some countries, it is illegal for an individual to possess a
computer program that can encode data using strong encryption algorithms because it
gives criminals too much privacy. If a criminal is caught but all of the incriminating
digital evidence is encrypted, it might not be possible to decode the evidence and
prosecute the criminal.
• Another form of contraband is child pornography. Information as fruits of crime
include illegal copies of computer programs, stolen trade secrets and passwords, and
any other information that was obtained by criminal activity.
5. Information as an Instrumentality

• Information can be the instrumentality of a crime if it was designed or intended for
use or has been used as a means of committing a criminal offense.
• Programs that computer intruders use to break into computer systems are the
instrumentality of a crime. These programs, commonly known as exploits, enable
computer intruders to gain unauthorized access to computers with a specific
vulnerability. Also, computer programs that record people’s passwords when they log
into a computer can be an instrumentality, and computer programs that crack
passwords often play a significant role in a crime.
• As with hardware, the significance of the information’s role is paramount to
determining if it is the instrumentality of a crime. Unless a plausible argument can be
made that the information played a significant role in the crime, it probably should
not be seized as an instrumentality of the crime.
6. Information as Evidence

• This is the richest category of all. Many of our daily actions leave a trail of digits.
All service providers (e.g., telephone companies, ISPs, banks, credit institutions)
keep some information about their customers. These records can reveal the location
and time of an individual’s activities, such as items purchased in a supermarket, car
rentals and gasoline purchases, automated toll payment, mobile telephone calls,
Internet access, online banking and shopping, and withdrawals from automated teller
systems (with accompanying digital photographs).
• Although telephone companies and ISPs try to limit the amount of information that
they keep on customer activities, to limit their storage and retrieval costs and their
liability, law makers in some countries are starting to compel some communications
service providers to keep more complete logs. For instance, the U.S. Computer
Assistance Law Enforcement Act (CALEA) that took effect in 2000 compels telephone
companies to keep detailed records of their customers’ calls for an indefinite period
of time. The European Union has created log retention guidelines for its member
states. In Japan, there is an ongoing debate about whether ISPs should be compelled
to keep more complete logs.
Cyber crime law

• What is Cyber Law? Cyber Law is the law governing cyber space. Cyber space is a very
wide term and includes computers, networks, software, data storage devices (such as
hard disks, USB disks, etc.), the Internet, websites, emails and even electronic devices
such as cell phones, ATM machines, etc. Cyber law encompasses laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy
• Need for Cyber Law (tackling cyber crimes; Intellectual Property Rights and Copyrights
Protection Act):
1. Cyberspace is an intangible dimension that is impossible to govern and regulate
using conventional law.
2. Cyberspace has complete disrespect for jurisdictional boundaries. A person in
India could break into a bank’s electronic vault hosted on a computer in USA and
transfer millions of Rupees to another bank in Switzerland, all within minutes. All
he would need is a laptop computer and a cell phone.
3. Cyberspace handles gigantic traffic volumes every second. Billions of emails are
crisscrossing the globe even as we read this, millions of websites are being
accessed every minute and billions of dollars are electronically transferred
around the world by banks every day.
4. Cyberspace is absolutely open to participation by all. A ten-year-old in Bhutan can
have a live chat session with an eight-year-old in Bali without any regard for the
distance or the anonymity between them.