Intro to Digital Forensics [Part 1 - Digital Evidence]

Hello again! The results of the poll from my last post are very clear, so I’ve decided to go forward with the “Intro to Digital Forensics” topic.

Like I previously mentioned, this post will cover various topics regarding Digital Forensics, hopefully serving as a good introduction to the field. I’m not an expert in the matter, meaning this post might contain a few errors and misconceptions, as it will be based on my limited knowledge. That being said, we are all still learning, so if you see something that isn’t right, don’t be afraid to say so in the comments and help us all learn.

Midway through writing this, I decided to separate the topic into various parts, so as not to overwhelm the readers.

Let’s get to it then!


INTRO TO DIGITAL FORENSICS

Digital Forensics (or Computer Forensics) is one of the most recent branches of the forensic sciences. It focuses on the recovery and subsequent analysis and investigation of digital data in order to produce digital evidence with probative value in court. What I mean is, you can’t simply present something in court and call it evidence.

As such, it becomes necessary to ensure the preservation of digital evidence through its appropriate seizure, acquisition, analysis, identification, validation, interpretation, documentation and, finally, presentation.

As you can see, this is a long and complex process. Given its complexity, a digital forensics operation quite often requires a specialised, multidisciplinary team: some members may specialise in Network Forensics, others in Mobile Forensics, and some operations will need experts in other computer-related fields (e.g. hardware, databases, telecommunications).

Throughout this article I will focus on the legal / court-related side of Digital Forensics, as opposed to the private-investigation side, even though the two are technically much the same.

[+] DIGITAL EVIDENCE

The word evidence refers to the body of facts that prove whether a given proposition is true or valid. The concept of digital evidence is more specific: it is any probative information stored on digital/electronic storage media, or transmitted over public or private computer/communications networks. Put simply, it is any probative data/information stored or transmitted in digital (binary) form.

We produce astounding amounts of data, and it is becoming ubiquitous. So, even though digital evidence is usually associated with computer crime and e-crime, it is now used to prosecute all sorts of crimes (for example, a recovered email may reveal intent or motive to commit a crime, or the whereabouts of a missing person).

When comparing traditional and digital evidence, we see that they share a few similarities:

  • Both are fragile and can be easily manipulated, damaged or destroyed;

  • Both can easily cross geographical and jurisdictional borders, either physically or through the Internet;

  • Their value frequently depends on the exact date/time and location at which they were produced (they are time sensitive);

Some problems we face when dealing with digital evidence are:

  • Its tangibility (or lack thereof). As opposed to traditional evidence, which is physical, digital evidence is usually intangible;

  • The ubiquity of data. The worldwide spread of the Internet and its services, and the sheer quantity and diversity of information that can be produced, altered, transmitted and deleted in a very short time, make it difficult to handle and control (whether physically or logically). Not to mention cloud services, which more and more often take the data out of our hands;

Principles of Evidence

Returning to the comparison of traditional and digital evidence, we see that both must rely on and respect the same fundamentals:

  • Admissibility - the evidence must be in accordance with current legislation. How it is seized, acquired, analysed, etc., must respect the law in effect;

  • Authentication - the evidence must be legitimate and untampered with;

  • Complete - to prove its integrity, the full evidence must be presented, not just the “convenient” bits;

  • Reliable - the forensic expert must be able to describe and explain every action taken regarding the evidence, so that another examiner could repeat the process and reach the same result;

  • Believable - the evidence must be comprehensible and credible to the court;

To respect these principles, we’ll highlight two main requirements.

  1. The evidence must be legally admissible regarding its seizure (in principle, any evidence that is illegally obtained is discarded and inadmissible in court). Seizure should only be carried out by trained technicians (of law enforcement, in criminal cases) to ensure the preservation of evidence;

  2. The evidence must be technically undeniable regarding its origin (the source of the information must be verifiable and irrefutable) and its integrity. In practice, integrity is demonstrated with cryptographic hashes taken at acquisition time and re-checked whenever the evidence is handled or presented;

Acquiring Digital Evidence

When acquiring digital evidence, one must take care to minimise and mitigate the impact on the system, accessing it in the least destructive way possible so as to avoid altering the data within.

However, this is hard to attain, since a computer system is usually in a state of continuous change. In fact, when dealing with a live system (one that is powered on), every action changes its state: opening a file, launching a program, or simply running a collection tool alters RAM contents. This risk must be consciously accepted and taken into account by the forensic team, and every forensic expert must be aware of how their actions influence and impact the system in question, recording what was run and when.

One way to mitigate this risk is to consider component volatility (the “order of volatility” described in RFC 3227): begin extraction from the most volatile components (e.g. RAM) and proceed to the least volatile ones (e.g. the hard disk). Below is an example of a possible extraction scenario:

  1. If the computer is powered on, capture and identify the contents of RAM;
  2. Identify the network interfaces;
  3. Identify the running processes and their respective states;
  4. List the active TCP/UDP ports;
  5. List and identify the registered and active user accounts;
  6. List and identify the contents of page files and swap areas;
  7. List and identify the contents of the file system, considering the volumes and partitions present on the disk;
  8. List and identify the hardware devices connected to the system;
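To make the two ideas above concrete (collect in order of volatility, and be able to prove afterwards that the collected material has not changed), here is a small Python script. It is an added example, not code from the original post: it assumes a Linux host, a writable evidence directory, and the tool names in LINUX_STEPS (cat, ip, ps, ss, who, lsblk, lspci) as the collection commands; the demo_steps() entries are constructed stand-ins that only print made-up lines, so the flow can be exercised on any machine without touching real system state.

```python
"""Volatile-first evidence collection with an integrity manifest.
Added example, not from the original post. Linux host, writable evidence
directory and the tool names in LINUX_STEPS are all assumptions."""
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Steps ordered from most to least volatile, mirroring the post's list.
# Command names are assumptions about a typical Linux host, not a standard.
LINUX_STEPS = [
    ("01_memory_summary", ["cat", "/proc/meminfo"]),
    ("02_interfaces",     ["ip", "addr"]),
    ("03_processes",      ["ps", "-eo", "pid,ppid,user,stat,lstart,cmd"]),
    ("04_sockets",        ["ss", "-tunap"]),
    ("05_logged_in",      ["who", "-a"]),
    ("06_swap",           ["cat", "/proc/swaps"]),
    ("07_filesystems",    ["lsblk", "-o", "NAME,FSTYPE,SIZE,MOUNTPOINT"]),
    ("08_hardware",       ["lspci"]),
]

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(steps, evidence_dir):
    """Run the steps in the given order, store each output as a file and
    return a manifest of what was run, whether it worked, and the output hash.
    A missing or failing tool is recorded instead of aborting: the examiner
    must be able to account for every action, including the failed ones."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"order": [], "artifacts": {}}
    for name, argv in steps:
        out_path = evidence_dir / f"{name}.txt"
        try:
            result = subprocess.run(argv, capture_output=True, timeout=60)
            out_path.write_bytes(result.stdout)
            status = f"exit={result.returncode}"
        except (OSError, subprocess.TimeoutExpired) as exc:
            out_path.write_bytes(b"")
            status = f"error={type(exc).__name__}"
        manifest["order"].append(name)
        manifest["artifacts"][name] = {
            "command": argv, "status": status, "sha256": sha256_file(out_path),
        }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Re-hash every artifact against the manifest and return the names whose
    hash no longer matches (an empty list means the set is intact)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [name for name, entry in manifest["artifacts"].items()
            if sha256_file(evidence_dir / f"{name}.txt") != entry["sha256"]]

def demo_steps():
    """Constructed, portable stand-ins for LINUX_STEPS: each prints a made-up
    line through the Python interpreter, plus one deliberately missing tool."""
    return [
        ("01_memory_summary", [sys.executable, "-c", "print('MemTotal: 16 GB')"]),
        ("03_processes",      [sys.executable, "-c", "print('PID 1 init')"]),
        ("99_missing_tool",   ["no-such-forensic-tool-xyz"]),
    ]

def demo(evidence_dir=None):
    """Collect the demo steps, confirm the set verifies, then alter one
    artifact after acquisition and show that verify() flags it."""
    evidence_dir = Path(evidence_dir or tempfile.mkdtemp(prefix="evidence_"))
    manifest = collect(demo_steps(), evidence_dir)
    intact_before = verify(evidence_dir)
    # Simulated post-acquisition modification of one artifact.
    (evidence_dir / "03_processes.txt").write_bytes(b"PID 1 init\nPID 666 rootkit\n")
    return {
        "order": manifest["order"],
        "statuses": {n: e["status"] for n, e in manifest["artifacts"].items()},
        "intact_before": intact_before,
        "tampered_after": verify(evidence_dir),
    }

if __name__ == "__main__":
    if "--live" in sys.argv[1:]:   # real (assumed) Linux tools; run as root
        print(json.dumps(collect(LINUX_STEPS, "evidence_live")["artifacts"], indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with no arguments to see the demo manifest and the tampered artifact being reported; with --live it runs the assumed Linux commands in volatility order into evidence_live/. Note that the script itself is a process that touches RAM and the file system, so on a real case it would be run from trusted media and its invocation logged, and the manifest would be copied off the host before anything else is done.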

Sources:

[1] https://en.wikipedia.org/wiki/Digital_forensic_process
[2] https://en.wikipedia.org/wiki/Digital_forensics
[3] https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
[4] http://www.iacpcybercenter.org/topics/digital-evidence/
[5] Antunes, Mário, and Baltazar Rodrigues. Introdução à Cibersegurança. FCA, 2018.


This marks the end of Intro to Digital Forensics [Part 1 - Digital Evidence]. I hope you enjoyed and learned something by reading this article. The next entry will cover Methodology and Procedures. Please don’t hesitate to ask any questions or to correct anything you think is wrong in the comments.
