3. Objectives
1. To introduce learners to Computer Forensics concepts
2. Understand the key goals of Computer/Cyber Forensics
3. Acquire an understanding of the cardinal rules of Computer Forensics
4. Understand digital evidence
5. Understand digital forensics processes
6. Study how cyber forensics is used in cybercrime investigations
7. Understand and use investigation tools in cyber forensics
4. Learning Outcomes
At the end of the course the learner should be able to:
1. Explain Computer Forensics concepts
2. Understand the key goals of Computer Forensics
3. Understand the cardinal rules of Computer Forensics
4. Comprehend what digital evidence means in relation to the base term forensic science
5. Understand how cyber forensics is used in cybercrime investigations
6. Appreciate and apply different investigation tools in cyber forensics
5. Outlines
1. Introduction
2. Rationale of Computer Forensics
3. The key role of the investigator
4. Cyber crime vs Digital Evidence
5. Chain of Custody
6. Computer Forensics Processes
7. Computer Forensics tools
8. Challenges
6. Introduction(1/2)
• Forensic science is much older than computer forensics: it dates back over 100 years, to the fingerprint record.
• It is the science that involves scientific tests and techniques used in connection with the detection of crime.
• It refers to the scientific techniques used to investigate wrongdoing: to collect, preserve, and analyze scientific evidence during the course of an investigation.
8. Computer Forensics(1/2)
• Computer forensics is a field of technology that uses investigative techniques to identify and store evidence from a computer device that is admissible in a court of law.
• The Digital Forensic Research Workshop has defined digital forensics as “The use of scientifically derived and proven methods toward the preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
10. Rationale for Computer Forensics
• With the digital revolution, an increase in digital crimes is inevitable.
• People who use electronic devices leave behind different footprints, traces and markings. These virtual or digital traces can be file fragments, activity logs, timestamps, metadata and so on.
• Computer Forensics is needed for:
o Identifying the cause and possible intent of a cyber attack
11. Rationale for Computer Forensics
o Safeguarding digital evidence used in the attack before it becomes obsolete
o Increasing security hygiene, retracing hacker steps, and finding hacker tools
o Searching for data access/exfiltration
o Identifying the duration of unauthorized access on the network
o Geolocating the logins and mapping them
12. Cybercrime(1/4)
• Cybercrime is criminal activity carried out using computers and the Internet. It encompasses any criminal act dealing with computers and networks.
• It also includes traditional crimes conducted through the Internet. For example, hate crimes, telemarketing, Internet fraud, identity theft and credit card account theft are considered cybercrimes when the illegal activities are committed through the use of a computer and the Internet.
13. Cybercrime(2/4)
• It includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts.
• Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet.
14. Cybercrime(3/4)
• The first noted computer crimes happened in 1969 and 1970, when scholars burned computers at different universities. In the same period, people were discovering techniques for gaining unauthorized access to large time-shared computers.
• This was therefore the period when intrusion and fraud committed with the aid of computers first became widely recognized as a new type of crime.
15. Cybercrime(4/4)
Examples of cybercrime cases investigated in Tanzania
• Cyber Crimes Incidents in Financial Institutions of Tanzania, available at https://www.researchgate.net/publication/275154064_Cyber_Crimes_Incidents_in_Financial_Institutions_of_Tanzania
• Cybercrime and Criminal Investigation: Challenges within the Tanzania Police Force Forensic Laboratory, available at http://scholar.mzumbe.ac.tz/bitstream/handle/11192.1/2405/MPA_JOHN%20MAYUNGA_2013.pdf?sequence=1
16. Digital Evidence(1/4)
• Digital evidence is defined as “any information of probative (proof) value that is either stored or transmitted in a digital form”.
• It includes files stored on a computer hard drive, digital video, digital audio, network packets transmitted over a local area network, etc.
• Depending on what facts the digital evidence is supposed to prove, it can fall into different classes of evidence.
17. Digital Evidence(2/4)
• Digital images or software presented in court to prove the fact of possession are real evidence.
• E-mail messages presented as proof of their content are documentary evidence.
• Log files, file timestamps and other system information used to reconstruct a sequence of events are circumstantial evidence.
• Digital documents notarized using a digital signature may fall into the testimony category.
18. Digital Evidence(3/4)
Three contexts are involved in recognizing a piece of digital evidence:
• Physical context: the evidence must be recognizable in its physical form, that is, it should reside on a specific piece of media.
• Logical context: the evidence must be discoverable as to its logical position, that is, where it resides within the file system.
• Legal context: the evidence must be read in the correct context for its meaning to be understood. This requires looking at the machine-level encoding, e.g. the American Standard Code for Information Interchange (ASCII).
19. Digital Evidence(4/4)
[Figure: Understanding the digital path of the evidence. Source: Bajaj, K. (2014), “Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives”]
20. The Chain of Custody (1)
• Chain of custody refers to the sequential (in-order) documentation path that shows the appropriation, trusteeship, control, transfer, investigation and nature of evidence, physical or electronic.
• Generally, the idea of the chain of custody is to ensure that the evidence is not altered or damaged.
• The chain of custody requires that, from the time the evidence is gathered, every transfer of the evidence from one person to another is recorded, as this helps to establish that no unauthorized person has accessed the evidence.
21. The Chain of Custody (2)
• It is encouraged to keep the number of evidence transfers as small as possible.
• In the broadest view, evidence comprises everything that is used to demonstrate or show the truth of a claim.
• The main reason for documenting the chain of custody is to establish that the supposed evidence is truly connected to the supposed crime.
• The aim is to establish the integrity of the evidence.
22. Computer Forensics Process(1)
[Figure: Computer Forensic Life Cycle. Source: Bajaj, K. (2014), “Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives”]
23. Computer Forensics Process(2)
In summary, the digital forensics process involves the following steps:
1. Identification
This is the first step in the forensic process. The identification process mainly covers what evidence is present, where it is stored, and lastly, how it is stored (in which format). Electronic storage media can be personal computers, mobile phones, PDAs, etc.
2. Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device so that the digital evidence is not tampered with.
24. Computer Forensics Process(3)
3. Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on the evidence found. It might take numerous iterations of examination to support a specific crime theory.
4. Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.
25. Computer Forensics Process(4)
5. Presentation
In this last step, the conclusions are summarized and explained. The report should be written in layperson’s terms using abstracted terminology, and all abstracted terminology should reference the specific details.
26. Computer Forensic Tools
• There are commercial and open source tools.
• The National Institute of Standards and Technology (NIST) has developed a Computer Forensics Tool Testing (CFTT) program that tests digital forensic tools and makes all findings available to the public.
• More information on tested tools can be found at https://www.dhs.gov/science-and-technology/nist-cftt-reports.
27. Open Source Tools
Kali Linux
• Kali Linux is the software used in EC-Council’s Certified Ethical Hacker (CEH) course and the other professional courses mentioned above.
• This operating system is usually the star of the class due to its many impressive pre-installed security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.
• Kali Linux can be used as a live-response forensic tool, as it contains many of the tools required for full investigations.
28. Open Source Tools(1)
[Figure: Kali Linux live forensic mode booted from a DVD or flash drive. Source: Parasram (2020), Digital Forensics with Kali Linux]
30. Commercial forensics tools(1)
1. Belkasoft Evidence Center (EC) 2020
• Belkasoft EC is an automated incident response and forensic tool that is capable of analyzing acquired images of memory dumps, virtual machines, and cloud and mobile backups, as well as physical and logical drives.
• The tool is also capable of recovering and analyzing information from:
o Office documents
o Browser activity and information
o Email and social media activity
o Mobile applications
o Messenger applications (WhatsApp, Facebook Messenger, and even BlackBerry Messenger)
• Website: https://belkasoft.com/ or https://belkasoft.com/get
31. Commercial forensics tools(2)
2. AccessData Forensic Toolkit (FTK)
• This tool is used worldwide by professional forensic investigators and law enforcement agencies to accomplish the following:
o Indexing of data, to allow faster and easier searching and analysis
o Password cracking and file decryption
o Automated analysis
o Ability to perform customized data carving
o Advanced data recovery
• Website: https://accessdata.com/product-download/forensic-toolkit-ftk-internationalversion-7-0-0
32. Commercial forensics tools(3)
3. EnCase Forensic
• This tool has been used internationally by professionals and law enforcement agencies for almost two decades.
• EnCase provides solutions for incident response, e-discovery, and endpoint and mobile forensics. Below are the outputs provided:
• Website: https://www.guidancesoftware.com/encase-forensic
33. Challenges in Computer Forensics(1)
• Anonymity of digital information
Digital information generated, stored, and transmitted between computing devices does not bear any physical imprint connecting it to the individual who caused its generation. Unless the information is a recording from external sensors capable of perceiving individualizing characteristics (e.g. a speech recording, video, or photographs) or was generated using some secret known to a single person (e.g. a digital signature), there is nothing intrinsic linking the digits to a person.
34. Computer Forensics Challenges (2)
Danger of damaged information
• Like many other types of evidential material, digital information stored on magnetic and optical media can be damaged by a variety of causes. Dampness, strong magnetic fields, ultraviolet radiation, and incompetent use of storage devices and examination tools are some of the possibilities.
• A single bit change may cause a dramatic change in its interpretation.
• To minimise the impact of this problem, typical storage devices use checksums and similar means that allow them to detect accidental damage to the information fairly reliably.
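The chain-of-custody record of slides 20 and 21 and the single-bit-damage point above can be combined in one small tool: hash the evidence image at acquisition, and re-hash it at every hand-over so the log itself shows whether the bytes are still what was seized. This is an added illustration, not code from the lecture or from any named product; the evidence bytes, item id and custodian names are constructed for the example, and SHA-256 is used as the integrity check.

```python
import hashlib
from datetime import datetime, timezone
# Constructed sample "evidence image" (made up for this example, not real data).
EVIDENCE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4

def sha256_hex(data: bytes) -> str:
    """Digest recorded at acquisition; any later change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Sequential log of who held an evidence item, with an integrity check at every hand-over."""
    def __init__(self, item_id: str, data: bytes, collected_by: str):
        self.item_id = item_id
        self.reference_hash = sha256_hex(data)  # acquisition hash, never updated afterwards
        self.entries = []
        self._record("collected", None, collected_by, data)

    def _record(self, action, from_person, to_person, data) -> bool:
        current = sha256_hex(data)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "from": from_person,
            "to": to_person,
            "sha256": current,
            "intact": current == self.reference_hash,
        }
        self.entries.append(entry)
        return entry["intact"]

    def transfer(self, from_person: str, to_person: str, data: bytes) -> bool:
        """Log a hand-over; returns False if the bytes no longer match the acquisition hash."""
        return self._record("transfer", from_person, to_person, data)

    def is_intact(self) -> bool:
        """True only if every custodian in the log held bytes identical to what was seized."""
        return all(e["intact"] for e in self.entries)

def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate accidental damage (e.g. a media fault) by changing a single bit."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def demo():
    # Two hand-overs: the first intact, the second after a single-bit change in the image.
    coc = ChainOfCustody("HDD-001", EVIDENCE_IMAGE, "Officer A")
    ok1 = coc.transfer("Officer A", "Examiner B", EVIDENCE_IMAGE)
    ok2 = coc.transfer("Examiner B", "Examiner C", flip_one_bit(EVIDENCE_IMAGE, 100, 3))
    return ok1, ok2, coc.is_intact()
```

The second transfer is flagged even though only one bit of the image differs, which is exactly why the acquisition hash, not a later copy, is the reference throughout the chain.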
35. Other Challenges
• The increase in PCs and the extensive use of Internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• The large amount of storage, running into terabytes, makes the investigation difficult.
• Any technological change requires an upgrade or changes to solutions.
36. Bibliography
• Bajaj, K. (2014). Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives (2nd ed.). Hoboken: John Wiley & Sons Asia Pte Ltd.
• Britz, M. T. (2016). Computer Forensics and Cyber Crime: An Introduction (2nd ed.). Repro Knowledgecast Ltd.
• Merkow, M. and Breithaupt, J. (2016). Information Security: Principles and Practices (2nd ed.). Repro Knowledgecast Ltd.
• Pande, J. (2017). Introduction to Cybersecurity (1st ed.). Haldwani: Uttarakhand Open University.
• Parasram, S. V. (2020). Digital Forensics with Kali Linux. Birmingham-Mumbai: Packt Publishing.
• https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations