Acquisition and Examination of Forensic Evidence


1 Acquisition and Examination of Forensic Evidence
MADS 6697, Louai Rahal

2 Identification: social media, devices, IoT, hidden flash drives
Collection: should respect privacy rights and the law of search and seizure
Analysis: use digital data to uncover details about the crime
Reporting: reporting to the court; reporting the results of the investigation in detailed, transparent, scientifically and forensically sound statements

3 Evidence preservation: Hashing
Collection: should respect privacy rights and the law of search and seizure
Evidence preservation: hashing; bit-by-bit copying of the data to another hard drive
Process transparency: documenting the chain of custody; checking for evidence integrity

4 Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime (Arnes, 2018)
Chain of custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence (Arnes, 2018)
“Metadata, or data about data, contains information about data objects. For example, the metadata associated with a digital photograph can contain the time of taking the photo, the geographical location, and the camera used. The analysis of metadata is an important activity throughout the forensic process, as metadata can contain information that is key to solving a case” (Arnes, 2018)

5 First Responder Mistake
“a detective at the crime scene allegedly tried to unlock the mobile phone of the suspect. While doing so, he repeatedly entered incorrect PIN and PUK codes to unlock the SIM card. This led to data relevant to the case being erased. The defense team argued that the police investigation destroyed critical evidence that would have been relevant to the case” (Arnes, 2018)

6 Science: Falsifiability, Replication

7 “The documentation activities begin from the moment the investigator starts handling the digital devices that will be “touched” during the investigation phases. The documentation enables reproducibility of results and traceability from the physical object’s origin to the final evidence presentation. This calls for thorough documentation throughout the digital forensic process” (Arnes, 2018)
A process is replicable when a repetition of the same process leads to the same results.

8 Analysis of a digital forensics investigation.
Identify 3 mistakes made by the investigator.

9 If a digital forensics investigation fails to prove that a person is guilty, it does not necessarily mean that the person is not guilty

10 Live systems: systems that are running and are at the time of identification potentially holding evidence that may be lost or hard to acquire if the system is shut down. Dead systems: systems not running. Any data in temporary storage areas such as cache, main memory, running processes, or active application dialogues on a computer will normally be lost when the system is powered down. Arnes (2018)

11 Arnes, 2018

12 Turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data. Arnes (2018)

14 Magnetic/Electrical charges
Hardware: magnetic/electrical charges
Bits
Bytes: 1 byte = 8 bits
Hex: 1 Hex = 16 bits
ASCII: English characters

15 Marcella and Guillossou, 2012

16 Marcella and Guillossou, 2012

17 Marcella and Guillossou, 2012

18 Create a notepad file and insert one word in it: Hello.
Convert the ASCII characters to hexadecimal characters. You can use any hexadecimal calculator.
Add the hex signature for a .txt file to the beginning of your hex code.
Open your file with a hexadecimal editor. The hex code in the file reader should match the hex code you created manually.
Marcella and Guillossou, 2012

19 Magnetic/Electrical charges
Hardware: magnetic/electrical charges
Allocated/unallocated areas: an area allocated to file file1.txt. When file1.txt is deleted, the data for file1.txt will continue to be available until it gets overwritten.

20 Example of a recovered Image
Arnes, 2018

21 Should the results of the investigation be published ?
Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published ?

22 Should the results of the investigation be published ?
Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published ? “imagine research into a product which revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence”

23 Discuss the case from the perspectives of:
Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published? Discuss the case from the perspectives of: the Categorical Imperative; Utilitarianism; the ethics of care

24 4 sentences
Sentence 1: The digital forensics case you will be writing about.
Sentence 2: How was the evidence identified, collected, and reported? If not enough details are found, describe how the evidence should have been identified, collected, safeguarded, and reported.
Sentence 3: How was the evidence safeguarded? If not enough details are provided, describe how the evidence should have been safeguarded.
Sentence 4: What ethical concerns and issues does the case raise?

25 Hash Values are admissible to court
Imaging: “The process of making an exact copy (bit by bit) of the original drive”
Hash values are admissible to court: “the government’s expert witness testified that no two dissimilar files will have the same hash value”
The law prohibits the distribution of forensic images of child pornography files: “The Adam Walsh Child Protection and Safety Act […] prohibited the defense from obtaining copies of the child pornography evidence”

26 National Institute of Standards and Technology
Criteria of reliability of a forensic tool:
The tool shall make a bit-stream duplicate or an image of an original disk or partition
The tool shall not alter the original disk
The tool shall be able to verify the integrity of a disk image file
The tool shall log I/O errors
The tool’s documentation shall be correct
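
The NIST criteria above (bit-stream duplicate, original not altered, image integrity verifiable, I/O errors logged) can be demonstrated end to end in a few dozen lines. The following is an added example, not code from the presentation or from Arnes (2018): it images a constructed, in-memory stand-in for a drive (the `FakeDrive` class and its bad sector are assumptions made for the demo), records the SHA-256 of the image at acquisition time, and shows that the same hash later verifies the image while a single flipped bit fails verification.

```python
import hashlib
import io
import logging

SECTOR = 512
log = logging.getLogger("imager")

# Constructed source "drive": 8 sectors, each filled with its own sector number,
# and one sector (5) that the drive refuses to read. Not a real device.
SOURCE_BYTES = b"".join(bytes([n]) * SECTOR for n in range(8))
BAD_SECTORS = {5}


class FakeDrive:
    """Read-only, sector-addressed stand-in for a physical disk (hypothetical)."""

    def __init__(self, data, bad_sectors):
        self._data = bytes(data)       # private copy: the tool never writes here
        self._bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]

    def fingerprint(self):
        """Hash of the underlying bytes, used only to prove the source was not altered."""
        return hashlib.sha256(self._data).hexdigest()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def image_drive(drive):
    """Bit-stream copy of every sector. Unreadable sectors are zero-filled and logged,
    so the image keeps its exact size and every read error is on record."""
    out = io.BytesIO()
    errors = []
    for n in range(drive.sectors):
        try:
            chunk = drive.read_sector(n)
        except OSError as exc:
            log.error("%s; zero-filling sector %d", exc, n)
            errors.append(n)
            chunk = b"\x00" * SECTOR
        out.write(chunk)
    image = out.getvalue()
    return image, sha256(image), errors


def verify_image(image, acquisition_hash):
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return sha256(image) == acquisition_hash


def demo():
    drive = FakeDrive(SOURCE_BYTES, BAD_SECTORS)
    before = drive.fingerprint()
    image, acq_hash, errors = image_drive(drive)
    # The original must be unchanged and the image must verify against its recorded hash.
    source_untouched = drive.fingerprint() == before
    verified = verify_image(image, acq_hash)
    # A single flipped bit in a copy of the image must fail verification.
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    tampered_verified = verify_image(bytes(tampered), acq_hash)
    return {"size": len(image), "errors": errors, "source_untouched": source_untouched,
            "verified": verified, "tampered_verified": tampered_verified}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())
```

The acquisition hash is what gets written into the chain-of-custody record; anyone re-hashing the image later, with any tool, should obtain the same value, which is what makes the hash usable as evidence of integrity. Zero-filling unreadable sectors rather than skipping them keeps every later offset in the image equal to its offset on the original disk.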

27 Files and File System Forensics
Data on disk:
A sector: 512 bytes
A cluster: 2 or more sectors
File: data that resides on clusters

28 First few bytes: File header
The file header (the first few bytes) contains the file signature, followed by the file content.

29 To make the investigation of files easier, files are read in hexadecimal format.

30 Which of the following is NOT a valid hexadecimal string: ABCDEFG
Which of the following is NOT a valid hexadecimal string: ABCDEFG or 999999AAAA?


32 https://digital-forensics. sans

33 Independent of Operating System: Checking file signatures
Physical Extraction: independent of the operating system. Checking file signatures: based on the file signature, interpret the data. If found in a .word file, how would it be interpreted? If found in a .gif file, how would it be interpreted?
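
The hexadecimal exercise on slide 18, the validity question on slide 30, and the signature questions on this slide can all be worked in one script. This is an added example, not code from the presentation or from Marcella and Guillossou (2012): the sample bytes and the small signature table are constructed for the demo. It converts ASCII to hex and back (one byte is two hex digits of 4 bits each, so "Hello" becomes 48 65 6C 6C 6F), renders a hex-editor style dump, rejects strings containing non-hex digits such as G, and decides what a file is from its first bytes rather than from its name. One caveat for the exercise: a plain .txt file has no fixed signature (at most a UTF-8 byte-order mark EF BB BF), so `identify` reports none for it.

```python
# Constructed sample inputs: the exercise's text file and the first bytes of other formats.
SAMPLE_TXT = b"Hello"
SAMPLE_GIF = b"GIF89a" + b"\x00" * 10
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 10

# Well-known signatures ("magic numbers") found at offset 0 of a file.
SIGNATURES = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF89a",
    "jpeg": b"\xff\xd8\xff",
    "pdf":  b"%PDF",
    "zip":  b"PK\x03\x04",   # also .docx/.xlsx/.pptx, which are ZIP containers
}
# Extensions that legitimately map onto one of the signature kinds above.
EXTENSION_ALIASES = {"jpg": "jpeg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}
HEX_DIGITS = set("0123456789ABCDEFabcdef")


def to_hex(data):
    """Bytes -> hex text. One byte (8 bits) is two hex digits of 4 bits each."""
    return data.hex().upper()


def from_hex(text):
    """Hex text -> bytes (the reverse direction, as a hex editor does when saving)."""
    return bytes.fromhex(text)


def is_valid_hex(text):
    """Only the digits 0-9 and A-F are hex digits; G or anything beyond is not."""
    return len(text) > 0 and all(c in HEX_DIGITS for c in text)


def hexdump(data, width=16):
    """Offset, hex bytes and printable ASCII per line, like a hex editor's view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part:<{width * 3}} |{ascii_part}|")
    return lines


def identify(data):
    """Return the format whose signature starts the data, or None (plain text has none)."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename, data):
    """Compare what the name claims with what the bytes say. A mismatch is a flag for
    the examiner: a file named .gif that starts with the PNG signature is a PNG."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    actual = identify(data)
    if actual is None:
        return "no-signature"
    if claimed == actual:
        return "consistent"
    return f"mismatch: named .{claimed}, content is {actual}"


if __name__ == "__main__":
    print(to_hex(SAMPLE_TXT))
    print("\n".join(hexdump(SAMPLE_TXT)))
    print(check_extension("photo.gif", SAMPLE_PNG))
```

The same bytes mean different things depending on which signature precedes them, which is why `identify` looks only at offset 0 and why the examiner trusts the signature over the extension.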

34 Independent of Operating System: Checking file signatures
Physical Extraction: independent of the operating system. Checking file signatures: based on the file signature, interpret the data. Examine the partition table to know which file sectors are allocated and which are not allocated.

35 “Ryan Jaye created two partitions on his 80 GB hard drive […] 20 GB were dedicated to his child pornography collection. When Ryan Jaye became suspicious that he had been discovered, he decided to delete the second partition […] Luckily for law enforcement, when a partition is deleted, the data within that partition remains until it is overwritten”
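
Why deleting a partition leaves its data recoverable, and how an examiner gets it back, can be shown on a tiny constructed disk. This is an added example, not code from the presentation or from the case quoted above: the 64-sector disk, the two-entry partition table and the two signatures are assumptions made for the demo. Deleting a partition removes only its table entry; the sectors it covered become unallocated, and header-based carving (scanning unallocated sectors for known signatures) still finds the file, until the sector is overwritten.

```python
SECTOR = 512
N_SECTORS = 64        # constructed disk: 64 sectors, 32 KiB in total

# Header signatures searched for at sector boundaries (two, to keep the example small).
SIGNATURES = {b"GIF89a": "gif", b"%PDF-": "pdf"}


def new_disk():
    return bytearray(N_SECTORS * SECTOR)


def write_at_sector(disk, sector, data):
    start = sector * SECTOR
    disk[start:start + len(data)] = data


def unallocated_sectors(table):
    """Sectors not covered by any partition entry; table maps id -> (first_sector, length)."""
    used = set()
    for first, length in table.values():
        used.update(range(first, first + length))
    return [s for s in range(N_SECTORS) if s not in used]


def carve(disk, sectors):
    """Header-based carving: report every listed sector that begins with a known signature."""
    found = []
    for s in sectors:
        head = bytes(disk[s * SECTOR:s * SECTOR + 8])
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                found.append((s, kind))
    return found


def demo():
    disk = new_disk()
    table = {1: (0, 32), 2: (32, 32)}     # two partitions of 32 sectors each
    write_at_sector(disk, 10, b"%PDF-1.4 constructed document in partition 1")
    write_at_sector(disk, 40, b"GIF89a" + b"\x00" * 100)   # constructed fake image in partition 2
    before = carve(disk, unallocated_sectors(table))      # nothing is unallocated yet
    del table[2]                                          # "delete" partition 2: only the entry goes
    after = carve(disk, unallocated_sectors(table))       # the GIF is still on disk and carvable
    write_at_sector(disk, 40, b"\x00" * SECTOR)           # overwrite the sector: now it is gone
    wiped = carve(disk, unallocated_sectors(table))
    return before, after, wiped


if __name__ == "__main__":
    print(demo())
```

The PDF in partition 1 is never reported because carving here is aimed only at unallocated space; allocated files are reached through the file system (logical extraction), which is the subject of the next slides.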

36 Search strategies specific to the File System: NTFS: Master File Table
Logical Extraction: search strategies specific to the file system. NTFS: Master File Table. Slack.

37 A sector is 512 bytes. What if the file size is 200 bytes?
Logical Extraction: Slack. A sector is 512 bytes. What if the file size is 200 bytes? The remaining 312 bytes are slack space. The OS uses slack as RAM slack and DRIVE slack. RAM slack is NOT volatile. DRIVE slack: ‘storing old information that was once available on the storage device’

38 Which slack space will most likely contain data from deleted files?
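
The 200-byte file in a 512-byte sector, and the question of which slack holds old data, can be worked numerically. This is an added example, not code from the presentation: the 4-sector cluster and the "old" content are assumptions made for the demo. `slack_layout` generalises the slide's arithmetic to any file size and cluster, giving the RAM slack (the unused tail of the last sector written) and the drive slack (the whole sectors of the last cluster the file never reaches). The simulation then writes a 200-byte file into a cluster that previously held other data: the operating system pads the last sector with zeros (current systems do; older ones padded it with memory contents, which is where the name "RAM slack" comes from) but never touches the remaining sectors, so the old content survives in the drive slack.

```python
import math

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size):
    """Sectors used in the last cluster, RAM slack bytes and drive slack bytes for a file."""
    if file_size == 0:
        return {"sectors_used": 0, "ram_slack": 0, "drive_slack": 0}
    clusters = math.ceil(file_size / CLUSTER)
    used_in_last = file_size - (clusters - 1) * CLUSTER
    sectors_used = math.ceil(used_in_last / SECTOR)
    ram_slack = sectors_used * SECTOR - used_in_last
    drive_slack = (SECTORS_PER_CLUSTER - sectors_used) * SECTOR
    return {"sectors_used": sectors_used, "ram_slack": ram_slack, "drive_slack": drive_slack}


def write_file(cluster, data, zero_fill_ram_slack=True):
    """Store data at the start of a cluster that previously held other content.
    The OS writes whole sectors: the tail of the last sector (RAM slack) is padded,
    the remaining sectors of the cluster (drive slack) are left exactly as they were."""
    assert len(data) <= CLUSTER, "single-cluster demo"
    out = bytearray(cluster)
    out[:len(data)] = data
    layout = slack_layout(len(data))
    if zero_fill_ram_slack:
        end_of_sector = layout["sectors_used"] * SECTOR
        out[len(data):end_of_sector] = b"\x00" * layout["ram_slack"]
    return out


def extract_slack(cluster, file_size):
    """Return (ram_slack_bytes, drive_slack_bytes) for a file of file_size in this cluster."""
    layout = slack_layout(file_size)
    end_of_sector = layout["sectors_used"] * SECTOR
    return bytes(cluster[file_size:end_of_sector]), bytes(cluster[end_of_sector:])


def demo(zero_fill_ram_slack=True):
    # Constructed: the cluster once held a now-deleted file whose content repeated "OLD-DATA".
    old_cluster = b"OLD-DATA" * (CLUSTER // 8)
    new_file = b"N" * 200
    cluster = write_file(old_cluster, new_file, zero_fill_ram_slack)
    ram, drive = extract_slack(cluster, len(new_file))
    return {"ram_len": len(ram), "drive_len": len(drive),
            "old_in_ram": b"OLD-DATA" in ram, "old_in_drive": b"OLD-DATA" in drive}


if __name__ == "__main__":
    print(slack_layout(200))
    print(demo())
```

Run with `zero_fill_ram_slack=False` to see the older behaviour, where the RAM slack also keeps whatever was there before. Either way the drive slack is the region that most reliably retains remnants of deleted files, which answers the slide's question.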

39 Filtering with Hashing:
“file hashes may be used to eliminate duplicate data”
“Hash values may also be compared to datasets that contain known hash values for specific files”
Exercise: create three, four or n copies of a notepad file (file1.txt) in a new folder. Create other notepad files. Hash all files in the folder. Create a Python script that checks the hashes of all the files in the folder and deletes all duplicates of file1.txt in that folder. Use the handout from class 5 and the code below:
import os
os.remove("file.txt")
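
One way to complete the exercise, covering both uses of hashing the slide quotes (eliminating duplicates and matching against a known-hash dataset). This is an added example, not the class handout or code from the presentation: it builds its own temporary folder with constructed files, so it runs offline, and the one-entry "known" hash set is constructed for the demo. Files are hashed in chunks so large evidence files never have to fit in memory, duplicates are found by content hash rather than by name, and the reference file itself is never deleted.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_folder(folder):
    """Map every regular file in the folder (non-recursive) to its SHA-256."""
    return {p: sha256_file(p) for p in sorted(Path(folder).iterdir()) if p.is_file()}


def remove_duplicates_of(folder, reference_name="file1.txt"):
    """Delete every file whose hash equals the reference file's hash, keeping the reference.
    Returns the names removed. Comparison is by hash, not by name, so renamed copies
    are caught too; the reference path is excluded explicitly so it is never removed."""
    hashes = hash_folder(folder)
    reference = Path(folder) / reference_name
    target = hashes[reference]
    removed = []
    for path, digest in hashes.items():
        if digest == target and path != reference:
            os.remove(path)
            removed.append(path.name)
    return removed


def match_known(hashes, known_hashes):
    """Names of files whose hash appears in a known-hash dataset (for example a set of
    known system files that can be excluded from review, or known files of interest)."""
    return sorted(p.name for p, d in hashes.items() if d in known_hashes)


def demo():
    folder = tempfile.mkdtemp()
    # Constructed folder: file1.txt, three copies of it, and two other files.
    (Path(folder) / "file1.txt").write_bytes(b"Hello")
    for i in (1, 2, 3):
        (Path(folder) / f"copy{i}.txt").write_bytes(b"Hello")
    (Path(folder) / "other.txt").write_bytes(b"something else")
    (Path(folder) / "system_file.txt").write_bytes(b"constructed known system file")
    # Constructed "known" dataset: one entry, the hash of system_file.txt's content.
    known = {hashlib.sha256(b"constructed known system file").hexdigest()}
    known_matches = match_known(hash_folder(folder), known)
    removed = remove_duplicates_of(folder, "file1.txt")
    remaining = sorted(p.name for p in Path(folder).iterdir())
    return sorted(removed), remaining, known_matches


if __name__ == "__main__":
    print(demo())
```

Deleting is done here only because the exercise asks for it; on real evidence an examiner would work on a verified image and record which duplicates were excluded and by which hash, rather than remove anything from the original.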

