Chapter 2
Introduction to Digital Forensics and Digital Evidences
After reading this chapter, you will be able to:
• Understand the concept of digital forensics and its effect on the digital world.
• Understand the concept of digital evidences.
• Interpret and apply various digital forensic process models.
• Apply evidence-handling procedures to both obtained and validated evidence.
• Understand the rules and regulations in digital forensics.
• Identify the different challenges in evidence handling.
It requires a very unusual mind to undertake the analysis of the obvious,
— Alfred North Whitehead
2.1 Introduction to Digital Forensic
Forensic science is a well-established science that plays a critical role in criminal justice systems. The origin of the word “forensic” can be traced back to the Latin word “forensis”, which means open court. Forensic science is often referred to as forensics. Forensic science is applied in both criminal and civil actions. Therefore, effectively, forensics means legal or related to courts.
Digital forensics is also referred to as digital forensic science, a branch of computer forensic science that includes the restoration and inspection of material detected in digital devices, often in relation to a cybercrime. Information and Communications Technology (ICT) working environments face the challenge of prolonged computer use for activities that are not work-related. User activity portrayals may consist of browsing the Internet for one's own purpose and utilizing online search engines for work-related information. However, browsing sessions are not specific to only the above-mentioned activities.
With the emergence of ICT, there have been simultaneous advancements in social networking, mobile technology, cloud computing, and storage solutions that have increased the information flow within organizations. This has weakened the security of organizational data. The increasing activity in ICT-focused environments has also led to an increase in the misuse of computers and networks. A common employee can use simple password cracking tools to gain access to managerial account information, for fraud and theft of company resources, as many open source tools are available to perform illegal activities.
Increased computer and network misuse has led to an increase in computer-related investigations. A typical investigation includes certain hypotheses or observations that are verified by some evidence. These developments in investigation have led to the auditing of user activity and cybercrime.
The field of digital forensics has made some rapid developments over the past few years due to the advancement in tools and systems that allow ordinary computer users to be more proficient in performing difficult audit tasks. Much literature and many internet searches are available that guide the user on how to perform simple tasks aimed at access to any computer. Ubiquitous computing has enabled the ordinary user to access all types of information, such as copied music, pornography, confidential documents, software and so on. Thus, there is an increase in computer security incidents and a growing need for forensic tools to collect and process results in an effort to control such illegal activities.
According to Beebe, the lack of digital forensic standardization produces results that are not acceptable in a court of law. Numerous forensic tools are freely available, creating a misconception among the common man that anyone can conduct a computer forensic investigation. The forensic tools used have various features that facilitate digital forensic investigations (DFIs). In a court of law, the process followed in gathering the digital evidence and the digital evidence itself are both important. Unfortunately, court proceedings focus on scrutinizing the validity of the process followed in evidence handling before considering the value of the digital evidence itself.
Numerous procedures have been proposed for the collection of digital forensic evidence. Committees such as the Digital Forensic Research Workshop Group (DFRWS) and the American Society of Digital Forensics and eDiscovery (ASDFED) have proposed processes to be followed in the collection of digital evidence. From this, it follows that there is a standard forensic process in place that can be followed by digital forensic investigators. It would be a serious mistake for a forensic investigator to ignore the procedure of evidence collection in cases where the evidence aids in proving the case and leaves no doubt in the minds of those having to decide on the matter. Where evidence is presented without proof of thorough procedure, the defence may question the forensic procedure followed to collect the digital evidence. The famous American court case of Simpson is an example where the forensic process was scrutinized by the defence. In this case, the crime scene evidence was collected. However, a robust evidence collection process was not followed; hence, the evidence was invalidated by the defence. Tools such as EnCase have been accepted as a reliable solution in computer crime investigations. Both the process followed when using EnCase and the resulting digital evidence have been accepted as reliable. Other tools have also been used successfully, such as FTK and Sleuth Kit. Some are commercially available while others are open source. Many of these tools have been validated and accepted as reliable by the American judiciary. However, the evidence collection process and the digital evidence presentation are vital in any successful prosecution.
Digital forensics can be defined as follows:
Digital forensic is a series of steps to uncover and analyze electronic data through scientific method. The major goal of the process is to duplicate original data and preserve original evidence, then perform the series of the investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.
2.2 Need of Digital Forensic
Computer forensics is the process of using the latest knowledge of science and technology with computer sciences to collect, analyze, and present proofs to the criminal or civil courts. Network administrators and security staff who administer and manage networks and information systems should have complete knowledge of computer forensics. The meaning of the word “forensics” is “to bring to the court”.
It is necessary for network administrators and security staff of networked organizations to practice computer forensics, and they should have knowledge of laws, because the rate of cyber crimes is increasing greatly. If your network is attacked and the intruder is caught, then good knowledge about computer forensics will help to provide evidence and prosecute the case in the court.
There are many risks if you practice computer forensics badly. If you do not take it into account, then vital evidence might be destroyed. New laws are being developed to protect customers' data; but, if certain kinds of data are not properly protected, then many liabilities can be assigned to the organization. As organizations are increasing in number and the risk from hackers and contractors is also increasing, they have developed their own security systems. Organizations have deployed security devices for their networks, like intrusion detection systems (IDS), proxies and firewalls, which report on the security status of the network of an organization.
So, technically, the major goal of computer forensics is to recognize, gather, protect and examine the collected evidence that proves the intrusions, and to maintain the integrity of that evidence in such a way that it can be used efficiently and effectively in a case.
2.3 Rules of Computer/Digital Forensic
While performing a DFI, the investigator should go by the following rules:
Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (use a write blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who accessed the evidence and at what time.
2.4 Types of Digital Forensics
Digital forensics is a constantly evolving scientific field with many subdisciplines. Some of these subdisciplines are as follows:
1. Computer Forensics — the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops, and storage media in support of investigations and legal proceedings. The purpose of computer forensics is to obtain evidence from various computer systems, storage mediums, or electronic documents. Throughout the course of our investigations, we can obtain a wide range of information, including system and file transfer logs; internet browsing history; email and text communication logs; hidden, deleted, temporary and password-protected files; sensitive documents and spreadsheets; and many more.
2. Network Forensics — the monitoring, capturing, storing, and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, that is, worms, virus, or malware attacks, abnormal network traffic and security breaches. The purpose of network forensics is to monitor and analyze computer network traffic, including LAN/WAN and internet traffic, with the aim of gathering information, collecting evidence, or detecting and determining the extent of intrusions and the amount of compromised data.
3. Mobile Device Forensics — the recovery of electronic evidence from mobile phones, smartphones, PDAs, GPS devices, tablets, and game consoles. Mobile device forensics involves the recovery of evidence or data from mobile devices. This can include call and communications data, such as call logs, text messages, app communication via WhatsApp, WeChat, etc., as well as location information like GPS or cell site logs.
4. Digital Image Forensics — the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics — the collection, analysis, and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics — the recovery of evidence from the RAM of a running computer, also called live acquisition.
In practice, there are exceptions that blur this classification, because the grouping by the provider is dictated by staff skill sets, contractual requirements, lab space, etc. For example:
• Tablets or smart phones without SIM cards could be considered computers.
• Memory cards (and other removable storage media) are often found in smart phones and tablets, so they could be considered under mobile forensics or computer forensics.
• Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.
The science of digital forensics has a seemingly limitless future and, as technology advances, the field will continue to expand as new types of digital data are created by new devices logging people's activity. Although digital forensics began outside the mainstream of forensic science, it is now fully absorbed and recognized as a branch of forensic science.
2.5 Ethical Issues in Digital Forensic
“Ethics” is derived from the ancient Greek word ethikos, meaning “moral, showing moral character”. Ethics in the digital forensic field can be defined as a set of moral principles that regulate the use of computers; some common drawbacks of computer forensics include intellectual property resources, privacy concerns, and the impact of computers on the society. To effectively spot ethical problems, an examiner must be familiar with the law and professional norms governing the cyber forensics discipline, and this familiarity is one of several presumptions incorporated into the code of ethics.
With this perspective in mind, ethical decision-making in digital forensics work comprises one or more of the following:
1. Honesty toward the investigation.
2. Prudence, meaning carefully handling the digital evidences.
3. Compliance with the law and professional norms.
2.5.1 General Ethics Norms for Investigator in Digital Forensic Field
Computer forensics is an integral part of the widely expanding field of digital forensics, and as with any investigative field, there comes a time when ethical issues will arise. During the research in the digital forensic field, ethics of rights comes first.
Hence, before starting the investigation in the digital forensic field, the investigator should satisfy the following points.
1. Should contribute to society and human well-being.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit to intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.
2.5.2 Unethical Norms for Digital Forensic Investigation
The investigator should not:
1. Withhold any relevant evidence.
2. Declare any confidential matters or knowledge learned in an investigation without an order of a court of competent jurisdiction or without the client's consent.
3. Express an opinion on the guilt or innocence belonging to any party.
4. Engage or involve in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed or outpace authorization in conducting examinations.
2.6 Digital Forensic Investigations
Digital investigations, DFIs, forensic examination, and forensic investigations have been used to describe an investigation where a digital device forms part of the incident. For the purposes of this study, the term “digital forensic investigation” (DFI) is used. The terms will, however, be used interchangeably in this section to reflect the opinions of other authors. The successful outcome of a DFI is the presentation of digital evidence. A DFI is conducted by an appropriately certified investigator.
A DFI is thus a special type of investigation where the scientific procedures and techniques used can permit the results, that is, the digital proof, to be allowable in a court of law. The results of a DFI should have a legal basis. Proof cannot be directly read, and a few tools are employed to look at the state of the information. Every tool used to watch the state of digital data relies on indirect observation of that data. This is similar to being told about something rather than seeing it for yourself, formally referred to as hearsay within the rules of evidence. The weight you attribute to the evidentiary worth relies on the extent to which the tool is trustworthy.
Digital forensic investigation or DFI is a special type of investigation where the scientific procedures and techniques used will be allowed to view the results, that is, digital evidence, to be admissible in a court of law.
2.7 Introduction to Digital Evidences
The field of computer security includes events that provide a successful courtroom experience, which are both worthwhile and satisfactory. Investigation of a computer security incident leads to a legal proceeding, such as a court proceeding, where the digital evidence and documents obtained are likely used as exhibits in the trial.
To meet the requirements of the judging body and to withstand or face any challenges, it is essential to follow the evidence-handling procedures. Also, it is necessary to ensure that the evidence-handling procedures chosen are not difficult to implement at your organization, as this can also become an overhead for an organization. In this chapter, we will discuss the collection, handling, and storage of information in an appropriate manner. We will also explain the effective and efficient evidence-handling procedures along with the guidelines for implementing these procedures in your organization.
While investigating a computer security incident, we are sometimes unsure and indecisive whether an item (viz., chip, disk, etc.) should be considered as evidence or as an attachment or addendum. Relevant evidence is defined as “Any information which has a positive impact on the action occurred, such as the information supporting an incident.”
Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence.
Evidence can be stated as any information that can be confident or trusted and can prove something indicating that a certain substance or condition is present. It is safe to use as evidence in trial, that is, evidence that helps us prove our case. Many materials or objects such as documents, electronic media, electronic files, printouts, or other objects obtained during an investigation (Fig. 2.1) can be treated as evidence or proof and handled according to your organization's evidence-handling process.
Figure 2.1 Examples of digital devices.
2.7.1 The Best Evidence Rule
The best evidence rule states that the original or true writing or recording must be produced in court to prove its contents without any exceptions. In the best evidence rule, the original copy of the document is considered as superior evidence. One of the rules states that if an evidence is readable by sight or reflects the data accurately, such as a printout or data stored in a computer or similar devices or any other output, it is considered as “original”. It states that multiple copies of electronic files may be a part of the “original” or equivalent to the “original”.
The collected electronic evidence is mostly transferred to different media. Hence, many computer security professionals are dependent on this rule. We define best evidence as the most complete copy, or a copy which includes all necessary parts of the evidence, which is closely related to the original evidence. One of the best evidences is having the original evidence media. Let us say a client has a copy of the original evidence media. Then, it is considered as the best evidence. We treat forensic duplication by considering it as the best evidence. Therefore, when we say “best evidence”, it refers to the evidence we have in our power.
2.7.2 Original Evidence
Sometimes the procedure adopted to deal with a situation or case takes it outside the control of the client/victim. We also assume that a case with proper diligence or a case with persistent work will end up in a judicial proceeding, and we will handle the evidences accordingly. If criminal or civil proceedings (proceedings other than criminal proceedings in a court) are a possibility, then we often persistently push the client/victim to allow us to hand over all the original evidences, since we have evidence-handling procedures in place.
For our purpose, we define original evidence as the true or real (original) copy of the evidence media which is given by a client/victim. We define best evidence as the most complete copy, which includes all the necessary parts of the evidence that are closely related to the original evidence. It is also called as duplication of evidence media. There should be an evidence protector which will store either the best evidence or original evidence for every investigation in the evidence safe.
2.8 Rules of Digital Evidence
Rule of evidence is also called as law of evidence. It surrounds the rules and legal principles that govern all the proof of facts. This rule helps us to determine what evidence must or must not be considered by the trier of fact. The rule of evidence is also concerned with the amount, quality, and type of proof which helps us to prove in a litigation. The rules may vary according to the criminal court, civil court, etc. The rules must be:
1. Admissible: The evidence must be usable in the court.
2. Authentic: The evidence should act positively to an incident.
3. Complete: A proof that covers all perspectives.
4. Reliable: There ought to be no doubt about the reality of the specialist's decision.
5. Believable: The evidence should be understandable and believable to the jury.
Rule 103: Rule of evidence
1. Maintaining a claim of error.
2. No renewal of objection of proof.
3. Aim an offer of proof.
4. Plain error taken as notice.
Evidence collection should always be performed to ensure that it will withstand legal proceedings. Key criteria for handling such evidence are outlined as follows:
1. The proper protocol should be followed for acquisition of the evidence irrespective of whether it is physical or digital. Gentle handling should be exercised for those situations where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required for some situations. For example, when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations, it would not be appropriate to shut down the device, so that the digital forensics expert can examine the device's temporary memory.
3. All artifacts, physical and/or digital, should be collected, retained, and transferred using a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, stable access controls should be implemented and tracked to certify the evidence has only been accessed by authorized individuals.
2.9 Characteristics of Digital Evidence
This section provides a few hints of the essence and characteristics of digital evidence. These characteristics can both help and challenge investigators during an investigation.
2.9.1 Locard's Exchange Principle
According to Edmond Locard's principle, when two items make contact, there will be an interchange. The Locard principle is often cited in forensic sciences and is relevant in digital forensics investigations.
When an incident takes place, a criminal will leave a hint of evidence at the scene and remove a hint of evidence from the scene. This alteration is known as the Locard exchange principle. Many methods have been suggested in conventional forensic sciences to strongly prosecute criminals. Techniques used consist of blood analysis, DNA matching, and fingerprint verification. These techniques are used to certify the existence of a suspected person at a physical scene. Based on this principle, Culley suggests that where there is a communication with a computer system, clues will be left.
2.9.2 Digital Stream of Bits
Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the information. The information in continuous bits will rarely make sense, and tools are needed to show these structures logically so that they are readable.
The circumstances in which digital evidence is found also help the investigator during the inspection. Metadata is used to portray data more specifically and is helpful in determining the background of digital evidence.
2.10 Types of Evidence
There are many types of evidence, each with their own specific or unique characteristics. Some of the major types of evidence are as follows:
1. Illustrative evidence
2. Electronic evidence
3. Documented evidence
4. Explainable evidence
5. Substantial evidence
6. Testimonial
2.10.1 Illustrative Evidence
Illustrative evidence is also called as demonstrative evidence. It is generally a representation of an object, which is a common form of proof. For example, photographs, videos, sound recordings, X-rays, maps, drawings, graphs, charts, simulations, sculptures, and models.
2.10.2 Electronic Evidence
Electronic evidence is nothing but digital evidence. As we know, the use of digital evidence in trials has greatly increased. The evidences or proof that can be obtained from an electronic source is called as digital evidence (viz., emails, hard drives, word-processing documents, instant message logs, ATM transactions, cell phone logs, etc.).
2.10.3 Documented Evidence
Documented evidence is similar to demonstrative evidence. However, in documentary evidence, the proof is presented in writing (viz., contracts, etc.). It can include any number of media. Such documentation can be recorded and stored (viz., photographs, recordings, films, printed emails, etc.).
2.10.4 Explainable Evidence (Exculpatory)
This type of evidence is typically used in criminal cases in which it supports the defendant, either partially or totally removing their guilt in the case. It is also referred to as exculpatory evidence.
2.10.5 Substantial Evidence
A proof that is introduced in the form of a physical object, whether whole or in part, is referred to as substantial evidence. It is also called as physical evidence. Such evidence might consist of dried blood, fingerprints, and DNA samples, casts of footprints, or tires at the scene of crime.
2.10.6 Testimonial
It is a kind of evidence spoken by a spectator under oath, or written evidence given under oath by an official declaration, that is, an affidavit. This is one of the common forms of evidence in the system.
2.11 Challenges in Evidence Handling
While responding to a computer security incident, a failure to adequately document is one of the most common mistakes made by computer security professionals. Analytical data might never be collected, critical data may be lost, or data's origin and meaning may become unknown. Apart from the technical complexity of collecting the many evidences, there is the fact that properly retrieved evidence requires a paper trail. Such documentation gives an impression of having a certain quality against the natural instincts of the technical knowledge of individuals, who often investigate computer security incidents.
The challenges faced in evidence handling must be properly understood by all investigators. Investigators should also understand how to meet these challenges. Therefore, it is essential for every organization to prepare evidence-handling procedures that support computer security investigations. The most difficult job for an evidence handler is to authenticate the collected evidence at the judicial proceeding. Maintaining chain of custody is also necessary. You must have both power and skill to validate your evidence.
2.11.1 Authentication of Evidence
The laws of many state jurisdictions define data as “written-works” and “record-keeping”. Before introducing them as evidence, documents and recorded material must be authenticated. The evidences that are collected by any person/investigator should be collected using authenticated methods and techniques, because during court proceedings these will become major evidences to prove the crime. In other words, for providing a piece of evidence of the testimony, it is necessary to have an authenticated evidence by a spectator who has personal knowledge of its origin.
For an evidence to be admissible, it is necessary that it should be authenticated, otherwise the information cannot be presented to the judging body. The matter of record is that the evidence collected by any person should meet the demand of authentication. The evidences collected must have some sort of internal documentation that records the manner of collected information.
2.11.2 Chain of Custody
Maintaining the chain of custody means that the evidences collected should not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. Chain of custody is nothing but the requirement that you must be able to trace the location of evidence from the moment it was collected to the moment it was presented in a judicial proceeding (Fig. 2.2).
Figure 2.2 Digital evidence should be 100% authentic.
To meet the requirements of chain of custody (Fig. 2.3), evidences are stored in a secure place by the state and federal law enforcement agencies, which have property departments. As per the experts and law enforcement officers, evidences are “checked-out” whenever they need to be reviewed and “checked-in” whenever they are returned back to storage. All the collected best evidence or original evidence (which, when checked out, must be kept in your sight at all times) must be stored within a safe or storage room. “Evidence safe” is nothing but the storage area. The evidence custodians must control all the access to the evidence safe.
Figure 2.3 Chain of custody.
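The check-out/check-in record described above, written as a tamper-evident custody log, is shown here as an added example (not code from the chapter or from any forensic product). Exhibit id, people and hashes are constructed; each entry carries the hash of the previous entry, so an after-the-fact edit of the log is detectable, and every check-in records the exhibit's hash so a changed exhibit is flagged.

```python
import hashlib
import json
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ChainOfCustody:
    """Tamper-evident custody log for one exhibit (hypothetical helper class).

    Each entry records who handled the evidence, what they did, when and where,
    and carries the hash of the previous entry; editing or deleting any entry
    breaks the hash chain for every entry after it (Rule 6: who accessed the
    evidence and at what time)."""

    def __init__(self, exhibit_id, evidence_sha256, collected_by, location):
        self.exhibit_id = exhibit_id
        self.original_sha256 = evidence_sha256   # hash recorded at collection time
        self.entries = []
        self.custodian = None                    # None means it is in the evidence safe
        self._append("collected", collected_by, location, evidence_sha256)
        self._append("checked_in", collected_by, "evidence safe", evidence_sha256)

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action, person, location, evidence_sha256=None, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries), "exhibit_id": self.exhibit_id,
            "timestamp": _now(), "action": action, "person": person,
            "location": location, "evidence_sha256": evidence_sha256,
            "note": note, "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def check_out(self, person, purpose):
        """Only the custodian of record may hold the exhibit; no double check-out."""
        if self.custodian is not None:
            raise ValueError(f"exhibit already checked out to {self.custodian}")
        self.custodian = person
        return self._append("checked_out", person, "examination lab", note=purpose)

    def check_in(self, person, evidence_sha256):
        """Return to the safe; the exhibit is re-hashed and compared to the original."""
        if person != self.custodian:
            raise ValueError(f"{person} is not the current custodian")
        note = "" if evidence_sha256 == self.original_sha256 else "INTEGRITY MISMATCH"
        self.custodian = None
        return self._append("checked_in", person, "evidence safe", evidence_sha256, note)

    def verify_chain(self):
        """Recompute every hash; return (True, None) or (False, first bad seq)."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash_entry(e) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def integrity_issues(self):
        """Sequence numbers of check-ins whose hash differs from the original."""
        return [e["seq"] for e in self.entries
                if e["action"] == "checked_in"
                and e["evidence_sha256"] != self.original_sha256]

    def access_trail(self):
        """The audit log: who accessed the evidence, what they did, and when."""
        return [(e["seq"], e["timestamp"], e["person"], e["action"]) for e in self.entries]


def demo():
    """Constructed walk-through: two analysts handle exhibit EX-0001; the second
    returns it with a different hash, and a log entry is then edited after the fact."""
    h = hashlib.sha256(b"constructed evidence image").hexdigest()
    log = ChainOfCustody("EX-0001", h, "Officer A", "suspect's office")
    log.check_out("Analyst B", "keyword search")
    log.check_in("Analyst B", h)
    log.check_out("Analyst C", "timeline analysis")
    log.check_in("Analyst C", hashlib.sha256(b"modified image").hexdigest())
    chain_ok_before, _ = log.verify_chain()
    issues = log.integrity_issues()
    log.entries[2]["person"] = "Analyst X"       # after-the-fact edit of the audit log
    chain_ok_after, bad_seq = log.verify_chain()
    return {"chain_ok_before": chain_ok_before, "issues": issues,
            "chain_ok_after": chain_ok_after, "bad_seq": bad_seq,
            "trail_length": len(log.access_trail())}
```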
2.11.3 Evidence Validation
The challenge is to ensure that the data that you have collected is the same as the data provided or presented in the court. It is very common that several years pass between the collection of evidence and the production of evidence at a judiciary proceeding. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplication by using MD5 hashes. The evidence for every file is nothing but the MD5 hash values that are generated for every file that contributes to the case.
The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, you must record an MD5 hash for both the original evidence media and the binary files or the files which compose the forensic duplication.
Note: An MD5 hash calculated 6 months after the evidence was collected may not be helpful. MD5 hashes should be computed when the evidence is obtained.
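The dd-style procedure just described, and Rules 1 to 4 of Section 2.3 (never work on the original, make a bit-by-bit copy, acquire read-only), as an added example (not the chapter's or EnCase's code). It images a constructed "evidence device" file, records MD5 and SHA-256 at acquisition time, and later validates that the image still matches the record and that the source was not modified; the file names are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024   # read in chunks so a multi-GB device never has to fit in memory


def hash_stream(path):
    """MD5 and SHA-256 of a file (MD5 is what the chapter uses; SHA-256 is
    recorded alongside it because MD5 collisions are practical today)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source_path, image_path):
    """Bit-by-bit copy (bit-stream image) of source_path into image_path, as dd
    would make it, hashing the source while it is read. The source is opened
    read-only, the software counterpart of the write blocker in Rule 4."""
    md5, sha256, copied = hashlib.md5(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            copied += len(block)
    return {                       # the acquisition record that goes in the case file
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes": copied,
        "source_md5": md5.hexdigest(),
        "source_sha256": sha256.hexdigest(),
    }


def verify_image(source_path, image_path, record):
    """Validation step: the duplicate must hash to the values recorded at
    acquisition, and the original media must still match them as well."""
    image = hash_stream(image_path)
    source = hash_stream(source_path)
    expected = {"md5": record["source_md5"], "sha256": record["source_sha256"]}
    return {
        "image_matches_record": image == expected,
        "source_unchanged": source == expected,
        "image_md5": image["md5"],
        "image_sha256": image["sha256"],
    }


def demo():
    """Constructed sample: a small evidence 'device' with zero padding (the
    slack-space look of a real disk) is imaged and verified; then one byte of
    the image is altered to show the validation catching the change."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_device.bin")   # placeholder names
    image = os.path.join(workdir, "evidence_device.dd")
    with open(source, "wb") as f:
        f.write(b"confidential report\n" + b"\x00" * 4096 + bytes(range(256)) * 80)
    record = acquire_image(source, image)
    clean = verify_image(source, image, record)
    with open(image, "r+b") as f:        # simulated accidental modification of the copy
        f.seek(10)
        f.write(b"X")
    tampered = verify_image(source, image, record)
    return {"record": record, "clean": clean, "tampered": tampered}
```

A validation done years later (as the section notes) only means something if the acquisition-time hashes were written down and kept with the chain-of-custody record.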
Summary
In this chapter, we discussed numerous digital forensic models and highlighted the phases in each model. Each DFPM uses a particular series of phases. In the digital forensic field, there are many forensic approaches which can be used by the investigator to investigate the cases. Digital evidences can be found in the form of information from computer documents, emails, instant messages, internet history, or text from various electronic devices. The computer is treated as a primary source of evidence in almost all investigations. Digital evidence plays a vital role in digital forensics and it is very effective.
Key Terms
• Acquisition: The process of creating a duplicate copy of digital media for the purpose of examining it.
• Computational forensics: Computational forensics are digital forensics with the use of artificial intelligence.
• Digital media: Used within the field to refer to the physical medium (viz., a hard drive) or data-storage device.
• E-discovery or Discovery: A common acronym for electronic discovery.
• Exhibit: Digital media seized for investigation is usually referred to as an “exhibit”.
• Hashing: Within the field, “hashing” refers to the use of hash functions (e.g., CRC, SHA1 or MD5) to verify that an “image” is identical to the source media.
• Image: A duplicate copy of some digital media created as part of the forensic process.
• Imaging: Synonym of “acquisition”.
• Live analysis: Analysis of a piece of digital media from within itself; often used to acquire data from RAM where this would be lost upon shutting down the device.
• Slack space: The unused space at the end of a file in a file system that uses fixed-size clusters (if the file is smaller than the fixed block size, then the unused space is simply left). Often contains deleted information from previous uses of the block.
• Steganography: The word steganography comes from the Greek name “steganos” (hidden or secret) and “graphy” (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden.
+ Verification: A term used to refer to the hashing of both source media and acquired image to verify the accuracy of the copy.
+ Hacking: Modifying a computer in a way which was not originally intended to benefit the hacker's goals.
+ Denial-of-service attack: An attempt to prevent legitimate users of a computer system from having access to that system's information or services.
+ Metadata: Data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date, and so on.
+ Write blocker: A hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
+ Bit copy: “Bit” is a contraction of the term “binary digit” and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium “invisible” to the user.
+ RAM: Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
+ Key-logging: The recording of keyboard input, giving the ability to read a user's typed passwords, emails, and other confidential information.
+ Data: Information in analog or digital form that can be transmitted or processed.
+ Data extraction: A process that identifies and recovers information that may not be immediately apparent.
+ Encryption: A procedure that converts plain text into symbols to prevent anyone but the intended recipient from understanding the message.
+ File format: The structure by which data is organized in a file.
+ Forensic wipe: A verifiable procedure for sanitizing a defined area of digital media by overwriting each byte with a known value; this process prevents cross-contamination of data.
+ Hash or hash value: Numerical values that represent a string of text (search term), generated by hashing functions (algorithms). Hash values are used to query large sums of data such as databases or hard drives for specific terms. In forensics, hash values are also used to substantiate the integrity of digital evidence and/or for inclusion and exclusion comparisons against known value sets.
+ Log file: A record of actions, events, and related data.
+ Media: Objects on which data can be stored. Includes hard drives, thumb drives, CD/DVD, floppy discs, SIM cards from mobile devices, memory cards for cameras, etc.
+ Metadata: Data, frequently embedded within a file, that describes a file or directory, and can include the locations where the content is stored, dates and times, application-specific information, and permissions (e.g., email headers and website source code contain metadata).
+ Partition: User-defined section of electronic media. Partitions can be used to separate and hide information on a hard drive.
+ Source code: The instructions written in a programming language used to build a computer program.
+ Work copy: A copy or duplicate of a recording or data that can be used for subsequent processing and/or analysis. It is also called an image.
+ Write block/write protect: Hardware and/or software methods of preventing modification of content on a media storage unit such as a CD or thumb drive.
+ Acquisition of digital evidence: Acquisition of digital evidence begins when information and/or physical items are collected or stored for examination. The term “evidence” implies that the collection of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and is appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
+ Data objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
+ Digital evidence: Information of probative value stored or transmitted in digital form.
+ Physical items: Items on which data objects or information may be stored and/or through which data objects are transferred.
+ Original digital evidence: Physical items and data objects associated with such items at the time of acquisition or seizure.
+ Duplicate digital evidence: An accurate digital reproduction of all data objects contained on an original physical item.
+ Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

Review Questions

1. What is digital forensics?
2. Explain the process of digital forensics.
3. What ethical issues are involved in the digital forensic process?
4. Explain the history of digital forensic field.
5. What is an evidence-handling procedure?
6. What are the challenges in evidence handling?
7. ... digital evidence?
8. ... the various types of evidence. Explain the rules of evidence.
9. Describe the term metadata.