By Sarah Brule COMP 1631, Winter 2011 February 2nd, 2011.

 Digital forensics is the examination, analysis and recovery of data from digital devices and media (floppy disks, flash drives, hard drives) so that it can serve as evidence in a criminal investigation.
 It is used most often for computer crimes, but also for any other crime in which a computer may have been used.

 What most people don't know is that deleting a file normally does not erase its contents: the file system only marks the directory entry and the file's clusters as free. The data stays on the storage medium, in unallocated space, until something overwrites it.
 Related leftovers survive in "slack space": the unused bytes between the end of a file and the end of its last allocated cluster, which can still hold fragments of whatever older file occupied that cluster. These fragments can be located and put back together.
 Digital forensics is therefore also used for other crimes: to confirm or refute alibis and statements, to identify motives, and to recover any other information needed to solve a case.

Initially, investigators look for the more obvious things, such as:
 Signs of intrusion: hidden files and directories, log entries
 Graphic images: web history, image files
 Personal information: e-mail, documents
After reconstruction it is also possible to find deleted items that survive in the unallocated and slack space of the storage medium.

 The first step is to decide what information may be relevant. The original must stay in its unaltered state: nothing is examined on the original medium itself.
 The investigator therefore connects the original through a write-blocking tool, which prevents any alteration of it, and makes a duplicate image of the medium. A cryptographic hash (for example SHA-256) of the original and of the image is recorded and compared, so that the image can later be shown to be an exact copy.

Analysis and imaging
 Analysis is the process of using scientific methods to obtain information from the digital device in order to reconstruct the evidence.
 During analysis the duplicate image is used, so that the original data is preserved in its original form and the evidence is not contaminated.
 Types of analysis include:
 Text analysis
 Image analysis
 Video analysis
 Executable analysis
 File clustering / classification
 Password cracking

 A bit stream is simply a sequence of bits; on a storage device it is the raw content of every sector, which the file system assembles into files.
 During acquisition the investigator must make a bit-stream (sector-by-sector) copy of the medium rather than an ordinary file copy ("copy and paste"), because only a bit-stream copy preserves the slack space and the unallocated space along with the files themselves.
 A single changed bit in the image would alter the information being reconstructed, and the hash comparison of original and image would reveal it; this is why the hashes are recorded at acquisition time.

 Reconstruction of data is the rebuilding of deleted, damaged and lost files in order to find the evidence that is needed.
 Such data is typically found in one of three places:
 Slack space (and unallocated space)
 Virtual memory (the swap or page file and the hibernation file on disk)
 Encrypted files (once the key or password has been obtained)
 The investigator must then be able to show whether what reconstruction reveals is relevant and consistent, or has been tampered with, using systematic algorithmic checks rather than intuition.

 To recover deleted files, investigators use data-recovery software that reads the image directly instead of going through the file system.
 It is almost impossible to delete all traces of data from a computer or other digital device. Even a destructive system restore or reinstall leaves old data deep in the hard drive, in clusters that happen not to have been overwritten.
 Formatting does not destroy the files: a quick format rewrites only the file-system structures, which makes the files "hidden" (unreferenced) while their contents stay on disk until overwritten.
 The only way to be reasonably certain that files are gone is a forensic wipe that overwrites the whole medium; on flash-based media with wear levelling even that is not enough from the host side, and the drive's own sanitize command is needed, because the host cannot address every physical block.
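The acquisition and recovery steps above (bit-stream image, hash check, slack space, recovery of deleted files) as an added, runnable example. This is not code from the slides or from any forensic tool: the "volume" is a constructed byte string with a hand-made directory standing in for a file system, the cluster size and the JPEG header/footer markers are the only assumptions, and the sample file contents are invented for the demonstration.

```python
"""Bit-stream acquisition, hash verification and recovery of deleted data on a
constructed toy volume. Added example, not code from the slides; the 'volume'
is a Python byte string with a hand-made directory, not a real file system."""
import hashlib

CLUSTER = 512       # cluster size of the toy volume (assumption)
NUM_CLUSTERS = 8    # 4 KiB volume, small enough to reason about by hand

# Real JPEG files start with the SOI marker FF D8 FF and end with EOI FF D9;
# carvers use such header/footer signatures to find files no directory names.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def build_volume():
    """Return (raw_volume, directory); directory maps name -> (first_cluster, size)."""
    vol = bytearray(CLUSTER * NUM_CLUSTERS)

    # An older file once filled cluster 1 completely and was then deleted.
    old_config = (b"[db]\nuser=admin\npassword=hunter2\n" * 20)[:CLUSTER]
    vol[1 * CLUSTER:2 * CLUSTER] = old_config
    # A live 31-byte file later reused cluster 1, so bytes 31..511 of that
    # cluster are file slack that still holds the tail of old_config.
    notes = b"meeting with supplier at 14:00\n"
    vol[1 * CLUSTER:1 * CLUSTER + len(notes)] = notes

    # A deleted JPEG-like object (constructed) still spans clusters 4-5; nothing
    # allocates those clusters any more, so a file copy would never see it.
    deleted_photo = (JPEG_SOI + b"\x00" * 300
                     + b"<image data of a deleted picture>" + b"\x00" * 300 + JPEG_EOI)
    vol[4 * CLUSTER:4 * CLUSTER + len(deleted_photo)] = deleted_photo

    return bytes(vol), {"notes.txt": (1, len(notes))}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def logical_copy(vol, directory):
    """What ordinary copy-and-paste yields: only the bytes each live file claims."""
    return {name: vol[start * CLUSTER:start * CLUSTER + size]
            for name, (start, size) in directory.items()}


def acquire_bitstream(vol, block=CLUSTER):
    """Bit-stream image: every block of the medium, allocated or not, in order.

    Mirrors dd-style acquisition (on a real device, read through a write
    blocker). Returns (image, verified); verified is True only when the image
    hashes to the same value as the original, which is recorded before analysis.
    """
    image = bytearray()
    for offset in range(0, len(vol), block):
        image += vol[offset:offset + block]
    image = bytes(image)
    return image, sha256(image) == sha256(vol)


def file_slack(image, directory, name):
    """Bytes between the end of a live file and the end of its last cluster."""
    start, size = directory[name]
    end = start * CLUSTER + size
    last_cluster_end = (start + (size + CLUSTER - 1) // CLUSTER) * CLUSTER
    return image[end:last_cluster_end]


def unallocated_clusters(directory):
    """Clusters no directory entry references; deleted data survives here."""
    used = set()
    for start, size in directory.values():
        used.update(range(start, start + (size + CLUSTER - 1) // CLUSTER))
    return [c for c in range(NUM_CLUSTERS) if c not in used]


def carve(image, header=JPEG_SOI, footer=JPEG_EOI, max_size=64 * 1024):
    """Header/footer carving over the raw image, ignoring the directory.

    For each header, take everything up to the first footer within max_size.
    Contiguous files come out whole; fragmented ones need smarter carving.
    """
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_size)
        if end == -1:
            pos = image.find(header, pos + 1)
            continue
        found.append(image[pos:end + len(footer)])
        pos = image.find(header, end + len(footer))
    return found


if __name__ == "__main__":
    vol, directory = build_volume()
    image, ok = acquire_bitstream(vol)
    print("image hash matches original:", ok, sha256(image))
    print("logical copy of notes.txt:", logical_copy(vol, directory)["notes.txt"])
    print("slack after notes.txt:", file_slack(image, directory, "notes.txt")[:40])
    print("unallocated clusters:", unallocated_clusters(directory))
    for blob in carve(image):
        print("carved %d-byte JPEG-like object from unallocated space" % len(blob))
```

An ordinary copy of notes.txt returns its 31 bytes and nothing else. The bit-stream image hashes identically to the original and still contains the old configuration fragment in the file's slack and the deleted JPEG-like object in the clusters that no directory entry references, which the header/footer carve pulls out whole. Real tools (dd, dc3dd, FTK Imager, Scalpel, PhotoRec) do the same steps on real media, with error handling and far more signatures.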

 The B-Method is a formal method for specifying a system and proving that it satisfies stated properties. It is a very convenient way to find inconsistencies in digital evidence. Instead of a programming language such as Java or C++, B uses Abstract Machine Notation (AMN), a mathematical notation built on set theory and predicate logic: sets, relations, functions and sequences, with quantifiers such as ∀ and ∃.
 A B machine describes a system by its state variables and an invariant, the properties that must always hold. The invariant states what is always true of a correctly behaving system, so any state that violates it is inconsistent.
 Gladyshev proposed this for forensics because evidence that has been altered to look "normal" (a file whose timestamp no longer agrees with the server log, for example) still breaks the invariant, and the check finds it automatically.

 The steps in using the B-Method are, first, to write a machine in AMN that specifies the properties that always hold in the system under investigation, and then to write the checks that compare the evidential data (the seized file store and logs) against those properties in order to find inconsistencies.
 The checks cover not only the files that are present but also inconsistencies in the absence of files that should be there, and log timestamps that do not line up with anything else. These are hard to find reliably without an algorithmic check.
 Sample of the B-Method, from Gladyshev's FTP-server machine (the quotation ends mid-property):

    MACHINE FTPServer
    DEFINITIONS
        MODIFY == 1;
        DELETE == 2;
        FILESLOT == ℕ;
        TIMESTAMP == ℕ;
        EVENT == ℕ;
        LAST_INDEX(X,Y,Z) == max(dom(log ▷ {(X↦Y↦Z)}))
    CONSTANTS max_log_size
    PROPERTIES max_log_size ∈ ℕ1
    VARIABLES fileStore, clk, log
    INVARIANT
        fileStore ∈ FILESLOT ⇸ TIMESTAMP ∧
        clk ∈ ℕ ∧
        log ∈ seq(TIMESTAMP × EVENT × FILESLOT) ∧
        /* Property 0 */
        ( ∀ (slot,mtime,dtime).(slot ∈ FILESLOT ∧ mtime ∈ TIMESTAMP ∧ dtime ∈ TIMESTAMP ∧
              (mtime,MODIFY,slot) ∈ ran(log) ∧
              ∀ otime.(otime ∈ TIMESTAMP ∧ (otime,MODIFY,slot) ∈ ran(log) ⇒ mtime ≥ otime) ∧
              dtime > mtime ∧ (dtime,DELETE,slot) ∉ ran(log)
              ⇒ fileStore(slot) = mtime)) ∧
        /* Property 1 */
        ( ∀ (slotX,slotY).((slotX ∈ dom(fileStore) ∧ (fileStore(slotX),MODIFY,slotX) ∈ ran(log) ∧
              slotY ∈ dom(fileStore) ∧ (fileStore(slotY),MODIFY,slotY) ∈ ran(log) ∧ (slotX ≠ slotY)) ⇒
              (LAST_INDEX(fileStore(slotX),MODIFY,slotX) < LAST_INDEX(fileStore(slotY),MODIFY,slotY)
              ⇒ fileStore(slotX) ≤ fileStore(slotY)))) ∧
        ( ∀ (slotX,slotY).((slotX ∈ dom(fileStore) ∧ …

    (Gladyshev, Pavel, 20)

 Reading the invariant: fileStore records each file slot's modification time, log is the sequence of (timestamp, event, slot) entries the server wrote, and LAST_INDEX gives the position in the log of the last entry with those three values. Property 0 says that a file whose most recent logged MODIFY (at time mtime) has not been followed by a DELETE must have exactly mtime recorded as its modification time. Property 1 says that if one file's final MODIFY appears earlier in the log than another's, its timestamp cannot be the later one. A seized file store and log that break either property are inconsistent with normal operation of the server, which points to tampering or to a missing part of the log.
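The two invariant properties of the quoted machine, re-expressed as a runnable inconsistency check. This is an added example written in Python rather than B, and it is not Gladyshev's own tool: it assumes the log is a list of (timestamp, event, slot) triples in the order they were written, mirroring seq(TIMESTAMP×EVENT×FILESLOT), and that the file store is a dictionary from slot to modification time, mirroring fileStore. Both evidence sets are constructed for the demonstration.

```python
"""Automated inconsistency check modelled on Property 0 and Property 1 of the
FTPServer machine. Added example in Python, not B, on constructed evidence."""

MODIFY, DELETE = 1, 2   # event codes, as in the DEFINITIONS clause of the machine

# Constructed sample evidence (assumption: integer timestamps; each log entry is a
# (timestamp, event, slot) triple in write order, like seq(TIMESTAMP×EVENT×FILESLOT)).
CONSISTENT_LOG = [(10, MODIFY, 1), (12, MODIFY, 2), (15, MODIFY, 1),
                  (20, DELETE, 2), (25, MODIFY, 3), (28, MODIFY, 4)]
CONSISTENT_STORE = {1: 15, 3: 25, 4: 28}   # fileStore: slot -> mtime; slot 2 was deleted

# Same server, but one log entry carries a forged timestamp and one file's
# mtime was reset: the kind of tampering meant to make the evidence look normal.
TAMPERED_LOG = [(10, MODIFY, 1), (12, MODIFY, 2), (30, MODIFY, 1),
                (20, DELETE, 2), (25, MODIFY, 3), (28, MODIFY, 4)]
TAMPERED_STORE = {1: 30, 3: 25, 4: 5}


def last_index(log, entry):
    """LAST_INDEX(X,Y,Z): position of the last occurrence of entry in log, or None."""
    positions = [i for i, e in enumerate(log) if e == entry]
    return positions[-1] if positions else None


def property0(file_store, log):
    """Latest logged MODIFY of a slot, unless followed by a later DELETE,
    must equal fileStore(slot); a file that is absent instead is a violation too."""
    violations = []
    for slot in sorted({s for (_, ev, s) in log if ev == MODIFY}):
        mtime = max(t for (t, ev, s) in log if ev == MODIFY and s == slot)
        if any(ev == DELETE and s == slot and t > mtime for (t, ev, s) in log):
            continue                     # deleted after its last MODIFY: nothing to check
        if slot not in file_store:
            violations.append(("P0", slot,
                               "file absent although its last logged event is MODIFY at %d" % mtime))
        elif file_store[slot] != mtime:
            violations.append(("P0", slot, "stored mtime %d differs from last logged MODIFY at %d"
                               % (file_store[slot], mtime)))
    return violations


def property1(file_store, log):
    """If slotX's final MODIFY precedes slotY's in the log, then
    fileStore(slotX) <= fileStore(slotY): log order must agree with time order."""
    indexed = {}
    for slot, mtime in file_store.items():
        idx = last_index(log, (mtime, MODIFY, slot))
        if idx is not None:              # only slots whose stored mtime is in the log
            indexed[slot] = (idx, mtime)
    violations = []
    for x, (ix, tx) in sorted(indexed.items()):
        for y, (iy, ty) in sorted(indexed.items()):
            if x != y and ix < iy and tx > ty:
                violations.append(("P1", x, y,
                                   "logged before slot %d yet timestamped %d > %d" % (y, tx, ty)))
    return violations


def check_evidence(file_store, log):
    """Run every invariant property; an empty list means the evidence is consistent."""
    return property0(file_store, log) + property1(file_store, log)


if __name__ == "__main__":
    for label, store, log in (("consistent", CONSISTENT_STORE, CONSISTENT_LOG),
                              ("tampered", TAMPERED_STORE, TAMPERED_LOG)):
        print(label, "->", check_evidence(store, log) or "no inconsistency found")
```

On the consistent evidence both properties hold and the check returns nothing. On the tampered evidence it reports two violations: slot 4's stored modification time (5) no longer matches its last logged MODIFY (28), and slot 1's final MODIFY is logged before slot 3's yet carries the later timestamp (30 > 25), which is exactly the "timestamps that don't match up with anything" case described above. In the B-Method the same reasoning is done by proof over the machine rather than by running code, but the properties being checked are the ones quoted.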

 Digital forensics can be divided into four branches:
 Computer forensics
 Mobile device forensics
 Network forensics
 Database forensics

 Computer forensics is one of the four branches of digital forensics. It is most often associated with computer crimes, and its goal is to explain the current state of a computing device and how it came to be in that state.
 It deals with information held in computers, embedded systems and storage media (static memory), across a broad range: system and application logs, the files that are present, and lost and deleted files.

 Mobile device forensics deals with the recovery of information from mobile devices such as cell phones and PDAs.
 The difference from computer forensics is that the investigator is usually after records of communication (SMS or e-mail messages) rather than deleted files.
 Mobile device forensics also helps in locating people, not only information, because of the location data the device holds.

 Network forensics is the analysis of network traffic and the logs of network devices. Investigators often search for signs of intrusion and for illegal trafficking. It is used to gather data and information about what passed over the network, and when.
 Database forensics is the study of the information held in databases.
 In database forensics, investigators use the database's log files and its in-memory (RAM) data to recover information relevant to the crime.

References
 "Bit stream." Wikipedia, The Free Encyclopaedia. Wikimedia Foundation, Inc. Page dated 22 July; accessed January 31st.
 Carrier, Brian. "Defining Digital Forensic Examination & Analysis Tools." Via Google; accessed January 31st.
 Carrier, Brian. "A Crash Course in Digital Forensics." Google Docs. Basis Technology Corporation, June 14. center/forensics/crash-course-in-digital-forensics.pdf; accessed February 1st.
 "Digital forensics." Wikipedia, The Free Encyclopaedia. Wikimedia Foundation, Inc. Page dated 22 July; accessed January 30th.
 Gladyshev, Pavel. "Rigorous Development of Automated Inconsistency Checks for Digital Evidence Using the B Method." Formal Forensics. International Journal of Digital Evidence, Vol. 6, Issue 2. Accessed February 2nd.
 Gleason, BJ. "Digital Forensics." Google Docs. N.p., n.d. Accessed February 1st.