Introduction to Digital Forensics

What is Digital Forensics?

Credit to frankwxu

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after:

  • Proper search authority
  • Chain of custody (Evidence Transmittal Letter)
  • Validation with mathematics (hash function)
  • Use of validated tools
  • Repeatability
  • Reporting
  • Possible expert presentation

The application of science to identification,collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody of the data.

Types of Digital Investigations

Public-sector investigations: Involve government agencies responsible for criminal investigations and prosecution.

Private-sector investigations: Policy violations, E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage.

Steps of digital investigation

  • Procedure of gathering the evidence (evidence media)
  • Acquiring an image of evidence media
  • Analysing digital evidence
  • Produce a final report
  • Critiquing the case

Procedure of gathering the Evidence

Meet the IT manager to interview him, Fill out the evidence form, have the IT manager sign. Place the evidence in a secure container, carry the evidence to the computer forensics lab. Complete the evidence custody form, Secure evidence by locking the container.

Acquiring an image of evidence media

Bit-by-bit copy of the original storage medium, copy deleted files, e-mail messages or recover file fragments – known as “image” or “image file”.

Backup software only copy known files, Backup software cannot copy deleted files, e-mail messages or recover file fragments.

Analysing Digital Evidence

OS, applications, file, logs

Deleted files

File fragments

Memory

Produce a final report

Document your work, Repeatable findings, Conclusive evidence that suspect did or did not commit a crime or violate a company policy.

Who, what, when, where, why, and how?

Formalise evidence.

Critiquing the Case

  • How could you improve your performance in the case?
  • Did you expect the results you found? Did the case develop in ways you did not expect?
  • Was the documentation as thorough as it could have been?
  • What feedback has been received from the requesting source?
  • Did you discover any new problems? If so, what are they?
  • Did you use new techniques during the case or during research?
Report_ExampleDownload