2. Outline
• Introduction
• Categories
• History
• Review
• Types of computer crimes and investigations.
• Anti-forensics
• Future Challenges
• Real life cases
• Conclusion
• References
3. Introduction
• Your computer will betray you.
• Change is inevitable.
• Digital forensics is still in its infancy.
4. Introduction – cont’d
According to a 2001 study by the University of California, Berkeley, 93% of all new information at that time was created entirely in digital format.
5. What?
• Forensics is the application of science to solve a legal problem.
• Digital Forensics is the preservation, identification, extraction, interpretation and
documentation of computer evidence which can be used in the court of law.
• In Forensic Magazine, Ken Zatyko defined digital forensics this way:
“The application of computer science and investigative procedures for a legal purpose
involving the analysis of digital evidence after proper search authority, chain of custody,
validation with mathematics, use of validated tools, repeatability, reporting, and possible
expert presentation.”
7. History
• The field started to emerge in the 1980s.
• Since the late 1970s the amount of crime involving computers has been growing very
quickly, creating a need for constantly developing forensic tools and practices.
• The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which
included legislation against the unauthorized modification or deletion of data on a computer
system.
• In the 1980s, federal laws began to incorporate computer offences; Canada was the first country to pass such legislation, in 1983.
• Starting 2000, in response to the need for standardization, various bodies and agencies have
published guidelines for digital forensics.
• Many of the field's early practitioners were computer hobbyists, who became responsible for its initial research and direction.
• One of the first practical (or at least publicized) examples of digital forensics was Cliff
Stoll's pursuit of hacker Markus Hess in 1986.
8. Review – Why and Who?
• Why? - Due to the growth in computer crime, law enforcement agencies began establishing specialized groups to handle the technical aspects of investigations.
• Who? - Criminal prosecutors and law enforcement agencies, insurance companies, private corporations.
10. Types of Computer Crimes and Investigations
• Types of Computer Crimes:
Computer-based crimes.
Computer-facilitated crimes.
• Types of Investigations:
Criminal forensics.
Intelligence gathering.
Civil litigation – also known as electronic discovery (eDiscovery).
Intrusion investigation.
Administrative matters.
11. Conditions of Reliability
• The “conditions of reliability” are generally the same across most jurisdictions: electronic copies of data are admissible provided that:
They were from the indicated source.
They were acquired using proven tools and techniques.
They have not been altered since the time of acquisition.
12. Challenges – Digital Forensics
• Getting digital evidence accepted into court.
• Costs.
• The potential for exposing privileged documents.
• Legal practitioners must have extensive computer knowledge.
13. Locard’s Exchange Principle
• “Wherever he steps, whatever he touches, whatever he
leaves, even unconsciously, will serve as a silent witness
against him. Not only his fingerprints or his footprints,
but his hair, the fibers from his clothes, the glass he
breaks, the tool mark he leaves, the paint he scratches,
the blood or semen he deposits or collects. All of these
and more, bear mute witness against him. This is
evidence that does not forget. It is not confused by the
excitement of the moment. It is not absent because
human witnesses are. It is factual evidence. Physical
evidence cannot be wrong, it cannot perjure itself, it
cannot be wholly absent. Only human failure to find it,
study and understand it, can diminish its value.”
• It can be interpreted as follows: in the physical world, when perpetrators enter or leave a crime scene, they leave something behind and take something with them. Examples include DNA, latent prints, hair, and fibers.
14. Locard’s Analogy for Digital Forensics
• Registry keys and log files can serve as the digital equivalent
to hair and fiber.
• Like DNA, our ability to detect and analyze these artifacts
relies heavily on the technology available at the time.
• Viewing a device or incident through the “lens” of Locard’s
principle can be very helpful in locating and interpreting not
only physical but digital evidence as well.
15. The field of Anti-forensics
• To counter the relatively new forensic advances, anti-forensic tools and techniques are cropping up in significant numbers.
• They are being used by criminals, terrorists, and corporate executives.
• Definition: “an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming, or virtually impossible.”
16. Several Techniques for Anti-forensics
• Hiding Data:
Changing file names and extensions.
Burying files deep within seemingly unrelated directories.
Hiding files within files.
Encryption.
Steganography.
• Destroying Data:
Drive wiping
“Darik’s Boot and Nuke”
“DiskWipe”
“CBL Data Shredder”
“Webroot Window Washer”
“Evidence Eliminator”
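Two of the hiding techniques above (changed extensions, files hidden within files) leave the hidden file's own header intact, which is exactly what an examiner checks. The following is an added example, not part of the original slides: it compares each file's leading bytes against a small table of well-known signatures and looks for data appended after a JPEG's end-of-image marker. The sample files are constructed for the demonstration.

```python
from typing import Optional, Set
# Well-known file signatures (magic bytes) and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "sys", "scr"}),
]

def identify(data: bytes) -> Optional[Set[str]]:
    """Extensions matching the leading bytes, or None if the header is not in the table."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None

def trailing_payload(data: bytes) -> Optional[bytes]:
    """For a JPEG, return whatever follows the last End-Of-Image marker (FF D9)."""
    # Viewers ignore bytes after EOI (a classic hiding spot); a payload that itself
    # contains FF D9 is reported only partially.
    if not data.startswith(b"\xff\xd8\xff"):
        return None
    eoi = data.rfind(b"\xff\xd9")
    if eoi == -1 or eoi + 2 >= len(data):
        return None
    return data[eoi + 2:]

def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension against the signature and look for appended content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = identify(data)
    if exts is None:
        status = "unknown-signature"       # plain text, or a format not in the table
    elif ext in exts:
        status = "consistent"
    else:
        status = "extension-mismatch"      # e.g. an executable renamed to .txt
    tail = trailing_payload(data)
    embedded = identify(tail) if tail else None
    return {"name": name, "status": status, "expected_ext": sorted(exts or []),
            "embedded_after_eoi": sorted(embedded) if embedded else None}

# Constructed sample files (headers only, not real evidence).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
SAMPLES = {
    "holiday.jpg": JPEG,
    "invoice.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # PE executable renamed to .txt
    "scan.pdf": b"%PDF-1.4\n",
    "photo.jpg": JPEG + b"PK\x03\x04\x14\x00\x00\x00",  # zip archive appended after EOI
    "readme.txt": b"plain text has no signature",
}
```

Run `check_file(name, data)` over each entry of `SAMPLES`; a mismatch or an embedded payload is a lead, not proof, and still has to be examined and documented.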
17. Concerns about Data Wiping
• From an evidentiary or investigative perspective, the presence or use of these applications can serve as the next best thing to the original evidence.
• As seen, some tell-tale traces are left in the registry.
18. More concerns
• When looking at the drive at the bit level, a distinct repeating pattern of data may be seen. This is completely different from what would normally be found on a hard drive in everyday use.
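An added example (not from the slides) of the bit-level check described above: it slices a constructed disk image into 512-byte sectors, flags sectors that consist of a short repeating byte pattern (a wiper pass) or of incompressible bytes (a random-fill pass), and reports contiguous runs, which is what distinguishes a wiped region from ordinary file content.

```python
import hashlib
import zlib
from collections import Counter
from typing import List, Optional, Tuple

SECTOR = 512

def pattern_period(block: bytes, max_period: int = 16) -> Optional[int]:
    """Smallest p such that the block is its first p bytes repeated; None if no p <= max_period."""
    for p in range(1, max_period + 1):
        if len(block) % p == 0 and block == block[:p] * (len(block) // p):
            return p
    return None

def classify_sector(block: bytes) -> str:
    """'pattern(p)' for a wiper-style fill, 'random' for incompressible bytes, else 'data'."""
    period = pattern_period(block)
    if period is not None:
        return "pattern(%d)" % period    # all 0x00, all 0xFF, or a repeated short sequence
    # A random-fill pass does not compress; neither do encrypted or compressed files,
    # so 'random' alone is not proof of wiping. Long contiguous runs are the tell.
    ratio = len(zlib.compress(block)) / len(block)
    return "random" if ratio > 0.95 else "data"

def scan_image(image: bytes) -> Tuple[dict, List[Tuple[int, int, str]]]:
    """Return per-class sector counts and contiguous runs (first_sector, length, class)
    of sectors that look wiped rather than like everyday file content."""
    counts = Counter()
    runs = []
    prev = None
    for idx in range(len(image) // SECTOR):
        cls = classify_sector(image[idx * SECTOR:(idx + 1) * SECTOR])
        counts[cls] += 1
        if cls != "data":
            if runs and prev == cls:
                start, length, _ = runs[-1]
                runs[-1] = (start, length + 1, cls)
            else:
                runs.append((idx, 1, cls))
        prev = cls
    return dict(counts), runs

# Constructed image: 4 sectors of log-like text, 6 zero-filled, 4 filled with 55 AA, 3 random.
TEXT = (b"2024-03-05 09:30:01 host sshd[412]: Accepted publickey for alice from 10.0.0.7\n" * 40)[:4 * SECTOR]
RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(48))  # deterministic stand-in
IMAGE = TEXT + b"\x00" * (6 * SECTOR) + b"\x55\xaa" * (2 * SECTOR) + RANDOM

if __name__ == "__main__":
    print(scan_image(IMAGE))
```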
19. More concerns
• Some operating systems, Apple OS X Lion for example, ship with a drive wiping utility installed. Called Secure Erase, this utility offers multiple options for data destruction.
20. Future Challenges and POR
• Standards and Controls:
Standards and controls are a fundamental part of scientific analysis, including forensic science.
Their relevance to digital forensics is a matter of dispute.
Standard: A prepared sample that has known properties and is used as a control during forensic analyses.
Control: A test performed in parallel with experimental samples that is designed to demonstrate that a procedure is working correctly and the results are valid.
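The third condition of reliability from slide 11 (the copy has not been altered since acquisition) and the definition of a control above can be exercised in one short routine. This added example, not part of the slides, re-hashes an acquired image against the digest recorded at acquisition time and runs a positive control in parallel: a sample whose SHA-256 digest is published in FIPS 180-4 must hash to its documented value, or the procedure itself is shown to be unreliable. The acquisition record layout, the tool name and the sample image are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AcquisitionRecord:
    """Chain-of-custody entry written when the copy was made (constructed layout)."""
    source: str   # condition 1: the indicated source
    tool: str     # condition 2: the proven tool and technique used
    sha256: str   # condition 3: digest recorded at acquisition time

# Positive control: a sample with known properties. FIPS 180-4 publishes SHA-256("abc").
CONTROL_SAMPLE = b"abc"
CONTROL_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def control_passes() -> bool:
    """Run the control alongside the evidence: if a known sample does not hash to its
    documented value, the procedure is broken and no result from this run can be trusted."""
    return sha256_hex(CONTROL_SAMPLE) == CONTROL_SHA256

def verify_copy(image: bytes, record: AcquisitionRecord) -> dict:
    """Re-hash the working copy and compare with the digest recorded at acquisition."""
    if not control_passes():
        return {"verdict": "procedure-invalid", "reason": "control failed"}
    current = sha256_hex(image)
    unaltered = current == record.sha256
    return {"verdict": "unaltered" if unaltered else "altered",
            "source": record.source, "tool": record.tool,
            "recorded": record.sha256, "current": current}

# Constructed sample image and the record made when it was acquired.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed evidence bytes" + b"\xff" * 512
RECORD = AcquisitionRecord(source="/dev/sdb (constructed)", tool="dd (constructed)",
                           sha256=sha256_hex(SAMPLE_IMAGE))

def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit to model an alteration made after acquisition."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    print(verify_copy(SAMPLE_IMAGE, RECORD)["verdict"])               # unaltered
    print(verify_copy(tamper(SAMPLE_IMAGE, 600), RECORD)["verdict"])  # altered
```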
21. Future Challenges and POR
• Standards and Controls – cont’d:
Two opinions exist.
John Barbara: “In the end, closely following these established scientific practices ensures that any results gained are accurate, reliable, and repeatable.” He further argued that without the use of standards and controls, it would be “extremely difficult or impossible to scientifically assess the validity of the results obtained from the analysis of the physical evidence.”
Scientific Working Group on Digital Evidence (SWGDE): Their position is that standards are being used in digital forensics, but controls are “not applicable in the computer forensics sub-discipline.”
SWGDE’s position centers on false positives: tools and processes may miss evidence, but they will never find evidence that doesn’t exist.
22. Future Challenges and POR
• CLOUD FORENSICS
Technically: Deleted files on a magnetic drive remain on the disk until they are overwritten. In the cloud, when a file is deleted the mapping is removed immediately, usually within a matter of seconds. This means that there is no remote access to the deleted data.
Legally: Dealing with multiple jurisdictions can significantly frustrate efforts to get to the relevant data.
• SOLID STATE DRIVES (SSD)
• SPEED OF CHANGE
23. Case Scenarios – Case 1
Italian Case Law on Digital Evidence
• Digital evidence could be altered and can contain countless
pieces of information. The “Garlasco” case is a clear example
of this.
24. Case Scenarios – Case 2
BTK Killer
• The case of Dennis Rader, better known as the BTK killer.
• It was solved thirty years later with the help of digital forensics.
• He murdered ten people in Kansas from 1974 to 1991. Rader managed to avoid
capture for over thirty years until technology betrayed him.
• A floppy disk was received from the BTK killer.
• The disk contained a file named “Test A.rtf” (the .rtf extension stands for “Rich Text File”). A forensic exam of the file struck gold. The file’s metadata (the data about the data) gave investigators the leads they had been waiting over thirty years for. Aside from the “Date Created” (Thursday, February 10, 2005 6:05:34 PM) and the “Date Modified” (Monday, February 14, 2005 2:47:44 PM) were the “Title” (Christ Lutheran Church) and “Last Saved By:” (Dennis).
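The BTK lead came from the file's embedded document properties, which RTF stores as plain text inside the {\info ...} group: \title, \operator (Word's “Last Saved By”), and \creatim and \revtim for the created and modified times. This added example, not part of the slides, extracts those fields from a constructed RTF document with the standard layout; the sample title, names and dates are invented.

```python
import re
from datetime import datetime
from typing import Optional

def extract_group(rtf: str, control: str) -> Optional[str]:
    """Contents of the first {\\<control> ...} group, honouring nested braces."""
    start = rtf.find("{\\" + control)
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            depth -= 1
            if depth == 0:
                return rtf[start + len(control) + 2:i]
    return None  # unbalanced braces: the file is truncated or damaged

def parse_time(group: Optional[str]) -> Optional[str]:
    """\\yr2005\\mo2\\dy10\\hr18\\min5\\sec34 -> ISO timestamp; absent fields take defaults."""
    if group is None:
        return None
    f = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", group)}
    return datetime(f.get("yr", 1), f.get("mo", 1), f.get("dy", 1),
                    f.get("hr", 0), f.get("min", 0), f.get("sec", 0)).isoformat()

def rtf_metadata(rtf: str) -> dict:
    info = extract_group(rtf, "info") or ""   # no {\info} group: every field stays None
    def text(control: str) -> Optional[str]:
        value = extract_group(info, control)
        if value is None:
            return None
        return value.strip() or None
    return {"title": text("title"),
            "author": text("author"),
            "last_saved_by": text("operator"),   # \operator is Word's "Last Saved By"
            "created": parse_time(extract_group(info, "creatim")),
            "modified": parse_time(extract_group(info, "revtim"))}

# Constructed RTF document; the property values are invented, the layout is standard.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0\froman Times New Roman;}}"
    r"{\info{\title Quarterly Notes}{\author Sample Author}{\operator J. Example}"
    r"{\creatim\yr2024\mo3\dy5\hr9\min30\sec0}{\revtim\yr2024\mo3\dy7\hr16\min45\sec12}}"
    r"\pard\f0 Body text.\par}"
)

if __name__ == "__main__":
    for field, value in rtf_metadata(SAMPLE_RTF).items():
        print("%-14s %s" % (field, value))
```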
25. Conclusion
• Digital forensics is an emerging field that still faces many challenges (POR). However, intense research is making it viable for consideration in a court of law.