Digital Forensics
Supervised by: Dr. Ashraf Tammam
Presented by: Abdallah Hodieb
Jul 16, 2015
What
It is a branch of forensic science specialized in the recovery and investigation of material found in digital devices, often related to computer crime.
Why
Due to the growth in computer crime, law enforcement agencies began establishing specialized groups to handle the technical aspects of investigations.
Computer crimes include:
● Fraud
● Forgery
● Extortion
● Industrial espionage
● Virus/Trojan distribution
● Homicide investigations
● Theft or destruction of intellectual property
How
The process might differ according to the laws enforced by the country.
But the general process mainly consists of:
● Acquisition
● Preservation
● Identification
● Evaluation
● Presentation
Challenges
● Legal rules determine whether potential evidence is admissible in court.
● Authenticity and validity of evidence must be ensured.
● Evidence can't be damaged, destroyed, or compromised by the procedures used in identification.
● Virus infections must be prevented during the analysis process.
● The extraction process must be properly handled to protect against mechanical or electromagnetic damage.
Acquisition
The process of acquiring any data that can be used as evidence from the confiscated exhibits.
The process must guarantee that the data is not changed during the acquisition [ex: no modification date changes].
Ex: Computer devices, network maps, external devices.
General Acquisition Process
● Restrict access (local / remote) to the machine.
● Dump memory (if possible).
● Document hardware configuration (internal and external).
● Make a digital copy of all applicable storage devices.
● Authenticate all copies using checksums.
● Document all the search steps and operations executed.
Types of Data
Volatile:
● Memory contents.
● Network traffic.
Non-Volatile:
● File system contents [HD, USB disks, etc.]
Preservation
The original state of the data should be preserved exactly as acquired.
Any operations done on the data should be done on an exact copy, to guarantee the integrity of the original confiscated data.
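The checksum step of the acquisition process and the preservation rule above, as an added example that is not from the original presentation: a Python script that hashes an exhibit and its working copy in chunks, records the comparison in a chain-of-custody style log entry, and checks that the original's size and modification time did not change while it was read. The file names and the 16 KiB sample image are constructed for the demo.

```python
import datetime
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a (possibly multi-GB) image in chunks so it never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Size and modification time of a file; these must not change while the original is read."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns}


def verify_copy(original, copy, algorithm="sha256"):
    """Return a log record stating whether the copy matches and the original was left untouched."""
    before = snapshot(original)
    record = {
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "algorithm": algorithm,
        "original_path": original,
        "copy_path": copy,
        "original_hash": hash_file(original, algorithm),
        "copy_hash": hash_file(copy, algorithm),
    }
    record["match"] = record["original_hash"] == record["copy_hash"]
    # Reading only touches atime; size and mtime of the exhibit must be identical afterwards.
    record["original_untouched"] = snapshot(original) == before
    return record


def demo():
    """Constructed sample: a small 'disk image', an exact copy, and a copy with one byte changed."""
    image = bytes(range(256)) * 64  # constructed 16 KiB stand-in for an exhibit (not real evidence)
    with tempfile.TemporaryDirectory() as d:
        orig, good, bad = (os.path.join(d, n) for n in ("exhibit.dd", "copy1.dd", "copy2.dd"))
        with open(orig, "wb") as f:
            f.write(image)
        with open(good, "wb") as f:
            f.write(image)
        with open(bad, "wb") as f:
            f.write(image[:-1] + b"\x00")  # simulated corruption of the last byte
        return verify_copy(orig, good), verify_copy(orig, bad)
```

The returned records are what would be appended to the acquisition log: the first reports `match: True`, the second `match: False` while both confirm the original was not modified by the check.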
Identification
Identifying what data could be recovered and retrieving it by using Computer Forensic tools.
Identifying and recovering hidden / deleted data using various tools.
Identification of any tampering or anomalies in the data.
General Identification Process
● Make a list of key search words.
● Evaluate the Windows swap file.
● Evaluate unallocated space (erased files).
● Document file names, dates and times.
● Identify file, program and storage anomalies.
● Evaluate program functionality.
● Document your findings.
Examples of hidden data
● Changing file names or extensions.
● Encryption.
● Hidden drive space (non-partitioned space in between partitions).
● Slack space.
● Partition waste space.
● Bad sectors.
● Other steganography methods.
Steganography Example
To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too.
Taking the first letter of each word in the text above reveals the hidden message:
The duck flies at midnight.
Evaluation
Evaluation of the recovered information, and determining if it can be used as evidence.
Presentation
Presenting the evidence discovered in a manner which complies with the rules and regulations.
Ex: It must be understandable by lawyers and non-technical staff, and suitable as evidence as determined by the country's laws.
Tools
Digital Forensic experts use a combination of software and hardware tools.
The tools include disk analysers, steganography analysis tools, decryption tools, hex viewers, network monitors, etc.
List of the most used software tools : https://en.wikipedia.org/wiki/List_of_digital_forensics_tools