Unit 1
Foundations of Digital Forensics
 Within the past few years, a new class of crime scenes has become more prevalent,
  that is, crimes committed within electronic or digital domains, particularly within
  cyberspace.
 Criminal justice agencies throughout the world are being confronted with an
  increased need to investigate crimes perpetrated partially or entirely over the internet
  or other electronic media.
 Resources and procedures are needed to effectively search for, locate, and preserve
  all types of electronic evidence.
 This evidence ranges from images of child pornography to encrypted data used to
  further a variety of criminal activities. Ordinary computer files or data may also be
  discovered that require further analysis.
  Digital Evidence
 Digital evidence is defined as any data stored or transmitted using a computer that
  supports or refutes a theory of how an offense occurred or that addresses critical
  elements of the offense.
When considering the many sources of digital evidence, computer systems are
categorized into three groups:
  Open computer systems:
 Open computer systems are what most people think of as computers: systems
  composed of hard drives, keyboards, and monitors, such as laptops, desktops, and
  servers, that conform to published standards.
 These systems, with their ever-increasing amounts of storage space, can be rich
  sources of digital evidence. A simple file can contain incriminating information and
  can have associated properties that are useful in an investigation.
 For example, details such as when a file was created, who likely created it, or that
  it was created on another computer can all be important.
 Communication systems:
 Traditional telephone systems, wireless telecommunication systems, the Internet,
  and networks in general can be a source of digital evidence.
 For instance, telecommunication systems transfer SMS/MMS messages, and the
  Internet carries e-mail messages around the world. The time a message was sent,
  who likely sent it, or what the message contained can all be important in an
  investigation.
 To verify when a message was sent, it may be necessary to examine log files from
  intermediate servers and routers that handled a given message. Some
  communication systems can be configured to capture the full contents of traffic,
  giving digital investigators access to all communications (e.g., message text and
  attachments, and telephone conversations).
  Embedded computer systems:
 Mobile devices, smart cards, and many other systems with embedded computers
  may contain digital evidence.
  Mobile devices can contain communications, digital photographs and videos, and
   other personal data.
  Navigation systems can be used to determine where a vehicle has been. Sensing
   and Diagnostic Modules in many vehicles hold data that can be useful for
   understanding accidents, including the vehicle speed, brake status, and throttle
   position during the last 5 seconds before impact.
  Microwave ovens are now available with embedded computers that can download
   information from the Internet and some home appliances allow users to program
   them remotely via a wireless network or the Internet.
Increasing Awareness of Digital Evidence:
  Attorneys and police are encountering progressively more digital evidence in their
   work.
 An increasing number of organizations are faced with the necessity of collecting
  evidence on their networks in response to incidents such as computer intrusions,
  fraud, intellectual property theft, sexual harassment, and even violent crimes.
 Organizations are giving more attention to handling digital evidence in a way that will
  hold up in court.
 As a result, there are rising expectations that computer security professionals will
  have training and knowledge related to digital evidence handling.
 In addition to handling evidence properly, corporations and military operations need
  to respond to and recover from incidents rapidly to minimize the losses caused by
  an incident.
There are three significant drawbacks to this recovery-first approach, in which evidence
handling is an afterthought and law enforcement is involved only as a last resort.
 First, attorneys and law enforcement personnel are only involved when the stakes
  are high and the cases are complicated.
 Second, computer security professionals develop loose evidence processing habits
  that can make it more difficult for law enforcement personnel and attorneys to
  prosecute an offender.
  Third, this approach results in under-reporting of criminal activity, deflating statistics
   that are used to allocate corporate and government spending on combating
   computer-related crime.
  Tools that are designed for detecting malicious activity on computer networks are
   rarely designed with evidence collection in mind.
Digital Forensics: Past, Present, and Future
  Digital forensics has evolved from law enforcement efforts to address computer-
   related crimes.
  Many countries established specialized groups to investigate computer-related crime
   on a national level.
  Countries have updated the training programs in their academies, realizing that the
   pervasiveness of computers requires every agent of law enforcement to have basic
   awareness of digital evidence.
  The rapid developments in technology and computer-related crime have created a
   significant demand for individuals who can collect, analyze, and interpret digital
   evidence.
 Specifically, there is a growing need for qualified practitioners in the following three
  general areas of specialization: preservation of digital evidence, extraction of usable
  information from digital evidence, and interpretation of digital evidence to gain insight
  into key aspects of an offense.
 Certification and training programs are being developed to ensure that digital
  evidence examiners have the necessary skills to perform their work competently
  and to follow approved procedures.
 Certification provides a standard that individuals need to reach to qualify in a
  profession.
 A group of specialists in digital forensics defined requirements for practitioners in the
  field. This group identified the following three priority areas:
  1. The competence of individual experts for both the defence and prosecution.
  2. The training of experts.
  3. The three levels of competence in terms of electronic evidence—basic
  retrieval, analysis, and the interpretation of data.
 There is a need for standardization and professionalization in digital forensics.
Principles of Digital Forensics
   The word forensic describes a characteristic of evidence: its suitability for admission
    as fact in court and its ability to persuade based upon proof.
Evidence Exchange
   The main goals in any investigation are to follow the trails that offenders leave during
    the commission of a crime and to tie perpetrators to the victims and crime scenes.
   Forensic analysts are employed to uncover compelling links between the offender,
    victim, and crime scene.
   According to Locard's Exchange Principle, contact between two items will result in
    an exchange.
   For example: In computer intrusions, the attackers will leave multiple traces of their
    presence throughout the environment, including in the file systems, registry, system
    logs, and network-level logs.
   Furthermore, the attackers could transfer elements of the crime scene back with
    them, such as stolen user passwords or PII in a file or database. Such evidence can
    be useful to link an individual to an intrusion.
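   The intrusion traces just described can be tied to one another only if the logs of
    different systems are correlated. As an added example (not from the original notes),
    the following Python code reads constructed sshd authentication lines and constructed
    firewall flow records, links each successful login to the network connection the
    firewall saw from the same source address and port, and counts the failed attempts
    that preceded it on that connection. The log formats, host names, addresses, the
    assumed year for the syslog lines, and the 60-second matching window are all
    assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not real captures). Addresses are from the
# documentation ranges; syslog lines carry no year, so one is assumed.
ASSUMED_YEAR = 2024

AUTH_LOG = """\
Mar 12 03:14:07 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 03:14:09 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 03:14:12 web01 sshd[4121]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
Mar 12 03:15:40 web01 sshd[4190]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2
"""

FIREWALL_LOG = """\
2024-03-12T03:14:05Z ALLOW TCP 203.0.113.7:51234 -> 192.0.2.10:22
2024-03-12T03:14:30Z ALLOW TCP 203.0.113.7:51240 -> 192.0.2.10:443
2024-03-12T03:15:39Z ALLOW TCP 10.0.0.5:40022 -> 192.0.2.10:22
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_sshd(text):
    """sshd lines to events with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
            year=ASSUMED_YEAR, tzinfo=timezone.utc)
        events.append({"time": ts, "result": m["result"], "user": m["user"],
                       "ip": m["ip"], "port": int(m["port"])})
    return events


def parse_firewall(text):
    """Firewall flow lines to records with an aware UTC timestamp."""
    flows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({"time": ts, "sip": m["sip"], "sport": int(m["sport"]),
                      "dip": m["dip"], "dport": int(m["dport"])})
    return flows


def correlate(auth_text, fw_text, window_seconds=60):
    """For every successful login, find the firewall flow with the same source
    address and port to port 22 seen shortly before it (the firewall logs the
    connection before the host logs the authentication), and count the failed
    attempts that preceded the login on that same connection."""
    events = parse_sshd(auth_text)
    flows = parse_firewall(fw_text)
    links = []
    for ev in events:
        if ev["result"] != "Accepted":
            continue
        for flow in flows:
            lag = (ev["time"] - flow["time"]).total_seconds()
            same_conn = (flow["sip"], flow["sport"], flow["dport"]) == (ev["ip"], ev["port"], 22)
            if same_conn and 0 <= lag <= window_seconds:
                failed = sum(1 for e in events
                             if e["result"] == "Failed" and e["ip"] == ev["ip"]
                             and e["port"] == ev["port"] and e["time"] <= ev["time"])
                links.append({"user": ev["user"], "ip": ev["ip"], "port": ev["port"],
                              "firewall_time": flow["time"], "login_time": ev["time"],
                              "failed_before": failed})
    return sorted(links, key=lambda x: x["login_time"])


if __name__ == "__main__":
    for link in correlate(AUTH_LOG, FIREWALL_LOG):
        print(link)
```

   Two independent sources agreeing on the same address, port and time window is the
    corroboration the notes refer to; a login record on its own says only that the host
    believed it saw that address.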
   In an e-mail harassment case, the act of sending threatening messages via a Web-
    based e-mail service can leave a number of traces.
   The Web browser used to send messages will store files, links, and other information
    on the sender’s hard drive along with date-time–related information.
Evidence Characteristics:
   The exchanges that occur between individual and crime scene produce trace
    evidence belonging to one of two general categories:
     (i) evidence with attributes that fit in the group called class characteristics.
     (ii) evidence with attributes that fall in the category called individual characteristics.
   class characteristics are common traits in similar items whereas individual
    characteristics are more unique and can be linked to a specific person or activity
    with greater certainty.
   Example: When there is concern that digital evidence has been concealed or
    destroyed, class characteristics may reveal that a particular encryption mechanism
    or data destruction tool was used on the evidential computer.
 Example: Individual characteristics are rarer, but they can be identified through
  detailed forensic analysis. Certain printers mark every page with a pattern that can
  be uniquely associated with the device. Unique marks on a digitized photograph
  might be used to demonstrate that the suspect's scanner or digital camera was
  involved.
 The more corroborating evidence that investigators can obtain, the greater weight
  the evidence will be given in court and the more certainty they can have in their
  conclusions.
Forensic Soundness
 Digital evidence must be preserved and examined in a forensically sound manner.
 A common but overly strict view holds that a method of preserving or examining digital
  evidence is only forensically sound if it does not alter the original evidence source in
  any way.
 That standard cannot always be met. In digital forensics even the routine task of
  acquiring data from a hard drive can alter the original state of the drive (for example,
  when the drive is attached without a write blocker and the operating system updates
  file system metadata), and preserving volatile data necessarily changes the running
  system.
 One of the keys to forensic soundness is documentation.
 A solid case is built on supporting documentation that reports on where the evidence
  originated and how it was handled.
 From a forensic standpoint, the acquisition process should change the original
  evidence as little as possible and any changes should be documented and assessed
  in the context of the final analytical results.
 Provided the acquisition process preserves a complete and accurate representation
  of the original data, and its authenticity and integrity can be validated, it is generally
  considered forensically sound.
 When preserving volatile data, digital investigators must document the date and
  time that data were preserved, the tools (and versions) that were used, and a
  cryptographic hash value of all outputs (historically MD5; a stronger digest such as
  SHA-256 should be recorded as well).
  Authentication
 Some digital forensic practitioners assert that authentication is the process of ensuring
  that the recovered evidence is the same as the originally seized data.
 From a technical standpoint, it is not always possible to compare the acquired data
  with the original. The contents of RAM on a running computer are constantly
  changing.
 From a legal standpoint, authentication is the process of determining whether the
  evidence is what its proponent claims it to be.
 The simplest way to authenticate digital evidence is for an individual who is familiar
  with it to testify to its authenticity. For instance, the individual who collected the
  evidence can confirm that the evidence presented in court is the same as when it was
  collected.
Chain of Custody
   Important aspects of authentication are maintaining and documenting the chain
    of custody (a.k.a. continuity of possession) of evidence.
   Each person who handled the evidence may be required to testify that the evidence
    presented in court is the same as when it was processed during the investigation.
 Although it may not be necessary to produce at trial every individual who handled the
  evidence, it is best to keep the number to a minimum and maintain documentation
  (who handled the evidence, when, why, what was done, and the hash values before and
  after) to demonstrate that digital evidence has not been altered since it was collected.
  Evidence Integrity
 In digital forensics, the process of verifying the integrity of evidence generally
  involves a comparison of the digital fingerprint for that evidence taken at the time
  of collection with the digital fingerprint of the evidence in its current state.
     Historically, the most commonly used algorithms for calculating message digests
       in digital forensics have been MD5 and SHA-1. SHA-1 is from the same design
       family as MD5, and both now have practical collision attacks (MD5 since 2004,
       SHA-1 since 2017), so an adversary could in principle substitute a different file
       with the same MD5 or SHA-1 value. Current practice therefore records SHA-256 as
       well; the older digests still detect accidental change and remain useful for
       matching against existing case records and tool output.
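 As an added example (not from the original notes) serving the points above on
  documenting volatile-data preservation, the chain of custody, and evidence integrity,
  the following Python code hashes an evidence image with MD5, SHA-1 and SHA-256 in
  a single pass, keeps a custody log whose entries are chained by hash so that a later
  edit or deletion of an entry is detectable, and verifies that the evidence still matches
  the collection-time digests. The handler and tool names are placeholders, and the log
  structure is this example's own design, not a standard format.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# MD5 and SHA-1 are still recorded because older tools and case files use
# them, but both have practical collision attacks, so SHA-256 is recorded
# alongside them and is the value to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")
GENESIS = "0" * 64  # prev_hash of the first log entry


def digest_stream(stream, chunk_size=1 << 20):
    """Read the source once, feeding every chunk to all digests, so a large
    image costs a single pass rather than one pass per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


class CustodyLog:
    """Append-only record of who handled the evidence, when, with which tool,
    and what the evidence hashed to at that moment. Each entry also stores
    the SHA-256 of the previous entry, so editing or dropping an earlier
    entry later breaks the chain. (Example design, not a standard format.)"""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, tool, evidence, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "handler": handler,
            "action": action,
            "tool": tool,
            "evidence": digest_bytes(evidence),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self, evidence):
        """Return a list of problems; an empty list means the log is internally
        consistent and the evidence still matches the digests taken at collection."""
        problems = []
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                problems.append(f"entry {entry['seq']}: chain break (an earlier entry changed or removed)")
            if entry["entry_hash"] != self._hash_entry(entry):
                problems.append(f"entry {entry['seq']}: entry contents altered")
            prev = entry["entry_hash"]
        if self.entries:
            now = digest_bytes(evidence)
            at_collection = self.entries[0]["evidence"]
            for name in ALGORITHMS:
                if now[name] != at_collection[name]:
                    problems.append(f"{name} of evidence differs from the collection-time value")
        return problems


if __name__ == "__main__":
    image = bytes(range(256)) * 64  # constructed stand-in for a disk image
    log = CustodyLog()
    log.record("Officer A (placeholder)", "acquired image", "imager v1 (placeholder)", image)
    log.record("Examiner B (placeholder)", "received for analysis", "hasher v1 (placeholder)", image)
    print("clean:", log.verify(image))
    altered = bytearray(image)
    altered[100] ^= 1  # a single flipped bit changes every digest
    print("after one-bit change:", log.verify(bytes(altered)))
```

 In practice the log would be written to storage the handlers cannot silently rewrite
  (a signed or append-only store); the hash chain only makes tampering detectable, it
  does not prevent it.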
Objectivity:
     The interpretation and presentation of evidence should be free from bias to
      provide decision makers with the clearest possible view of the facts.
     The most effective approach to remaining objective is to let the evidence speak
      for itself as much as possible.
Repeatability:
   An important aspect of the scientific method is that any experiments or observations
    must be repeatable in order to be independently verifiable.
   This is particularly important to be able to independently verify findings in a forensic
    context, when a person’s liberty and livelihood may be at stake.
   Therefore, it may become necessary for one forensic analyst to repeat some or all
    of the analysis performed by another forensic analyst.
   To enable such a verification of forensic findings, it is important to document the
    steps taken to find and analyze digital evidence in sufficient detail to enable others
    to verify the results independently.
   This documentation may include the location and other characteristics of the digital
    evidence, as well as the tools used to analyze the data.
Challenging aspects of digital evidence:
   First, digital evidence is a messy, slippery form of evidence that can be very difficult
    to handle. For example, a hard drive platter contains pieces of information mixed
    together and layered on top of each other over time. Only a small portion of this
    mixture might be relevant to a case, making it necessary to extract useful pieces,
    fit them together, and translate them into a form that can be interpreted.
   Second, digital evidence is generally an abstraction of some digital object or event.
    When a person instructs a computer to perform a task such as sending an e-mail,
    only certain results of the activity, such as the e-mail message and server logs,
    remain, and these remnants give only a partial view of what occurred.
 Furthermore, using a forensic tool to recover a deleted file from storage media
  involves several layers of abstraction from magnetic fields on the disk to the letters
  and numbers that we see on the screen. So, we never see the actual data but only
  a representation.
 Third, digital evidence is usually circumstantial, making it difficult to attribute
  computer activity to an individual.
 For example, if a case hinges upon a single form or source of digital evidence such
  as date-time stamps on computer files, then the case is unacceptably weak. Without
  additional information, it could be reasonably argued that someone else used the
  computer at the time.
 Fourth, the ease with which digital evidence can be manipulated or destroyed raises
  new challenges for digital investigators. Digital evidence can be altered or obliterated
  either maliciously by offenders or accidentally during collection without leaving any
  obvious signs of distortion.
To mitigate this problem:
 Digital evidence can be duplicated exactly and a copy can be examined as if it
  were the original. It is common practice when dealing with digital evidence to
  examine a copy, thus avoiding the risk of altering or damaging the original
  evidence.
 With the right tools, it is easy to determine whether digital evidence has been
  modified or tampered with, by comparing its cryptographic hash with the hash
  recorded for the original at the time of collection.
 Digital evidence is difficult to destroy. Even when a file is “deleted” or a hard drive
  is formatted, digital evidence can be recovered.
  When criminals attempt to destroy digital evidence, copies and associated
   remnants can remain in places that they were not aware of.
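   As an added example (not from the original notes), the following Python code shows
    why a "deleted" file is recoverable: it builds a toy volume whose directory points at
    file contents, deletes a file by removing only its directory entry, and then recovers
    the file by signature-based carving over the raw bytes, which needs no directory at
    all. It also shows that overwriting the free space does destroy the remnant. The toy
    volume and the stand-in JPEG are constructed for the example and are far simpler
    than a real file system or image.

```python
# Markers every JPEG starts and ends with; carving keys on these signatures.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed stand-in for a photograph (not a real image): a JFIF-style
# header, some body bytes, and the end marker.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"constructed image body " * 8 + JPEG_EOI


class ToyVolume:
    """A flat block of storage plus a directory of name -> (offset, length).
    'Deleting' a file only drops its directory entry; the bytes stay until
    something overwrites them, which is what makes recovery possible."""

    def __init__(self, size):
        self.data = bytearray(size)  # zero-filled, like a fresh volume
        self.directory = {}

    def write(self, name, offset, payload):
        self.data[offset:offset + len(payload)] = payload
        self.directory[name] = (offset, len(payload))

    def read(self, name):
        offset, length = self.directory[name]
        return bytes(self.data[offset:offset + length])

    def delete(self, name):
        del self.directory[name]  # the contents are left in place

    def wipe_free_space(self, fill=0):
        """What secure deletion does: overwrite every byte that no live
        directory entry refers to."""
        fresh = bytearray([fill]) * len(self.data)
        for offset, length in self.directory.values():
            fresh[offset:offset + length] = self.data[offset:offset + length]
        self.data = fresh


def carve_jpegs(data, max_size=1 << 20):
    """Signature-based carving over raw bytes, ignoring any directory.
    Each start marker is paired with the nearest end marker within
    max_size. Real carvers also handle JPEGs nested inside JPEGs (EXIF
    thumbnails) and fragmented files; this one deliberately does not."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1  # header with no trailer in range: skip it
            continue
        found.append((start, bytes(data[start:end + len(JPEG_EOI)])))
        pos = end + len(JPEG_EOI)
    return found


if __name__ == "__main__":
    vol = ToyVolume(8192)
    vol.write("notes.txt", 4096, b"constructed text file, kept")
    vol.write("photo.jpg", 1024, FAKE_JPEG)
    vol.delete("photo.jpg")
    print("after delete:", [(off, len(blob)) for off, blob in carve_jpegs(vol.data)])
    vol.wipe_free_space()
    print("after wipe:", carve_jpegs(vol.data))
```

   The carved bytes are identical to what was written, yet the examiner never sees the
    magnetic or flash state directly, only the tool's rendering of it, which is the
    abstraction problem noted above; documenting the tool and its signature rules is
    part of making the recovery repeatable.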
THE ROLE OF COMPUTERS IN CRIME
  It is productive to develop terminology describing the role of computers in crime.
  The specific role that a computer plays in a crime also determines how it can be
   used as evidence. When a computer contains only a few pieces of digital evidence,
   investigators might not be authorized to collect the entire computer.
  when a computer is the key piece of evidence in an investigation and contains a
   large amount of digital evidence, it is often necessary to collect the entire computer
   and its contents.
  when a computer plays a significant role in a crime, it is easier to obtain a warrant
   to search and seize the entire computer.
 Several attempts have been made to develop a language, in the form of categories,
  to help describe the role of computers in crime.
  Three sets of categories are:
 Donn Parker proposed the following four categories
 A computer can be the object of a crime. When a computer is affected by the
  criminal act, it is the object of the crime (e.g., when a computer is stolen or
  destroyed).
 A computer can be the subject of a crime. When a computer is the environment in
  which the crime is committed, it is the subject of the crime (e.g., when a computer
  is infected by a virus or impaired in some other way to inconvenience the
  individuals who use it).
 The computer can be used as the tool for conducting or planning a crime. For
  example, when a computer is used to forge documents or break into other
  computers, it is the instrument of the crime.
 The symbol of the computer itself can be used to intimidate or deceive. An example
  given is of a stockbroker who told his clients that he was able to make huge profits
  on rapid stock option trading by using a secret computer program in a giant
  computer in a Wall Street brokerage firm. Although he had no such programs or
  access to the computer in question, hundreds of clients were convinced enough to
  invest a minimum of $100,000 each.
 The most significant omission in Parker’s categories is computers as sources of
  digital evidence.
Professor David L. Carter used his knowledge of Criminal Justice to improve upon
Parker’s categorization of computer-related crime.
     Instead of describing a computer as an object or tool of crime as Parker
  did, Carter used the more direct and legally oriented terms target and instrumentality,
  respectively.
 Carter did not distinguish between physical evidence (computer components) and
  digital evidence (the contents of the computer components).
  USDOJ (U.S. Department of Justice) created a set of categories and an associated
set of search and seizure guidelines. These categories made the necessary distinction
between hardware (electronic evidence) and information (digital evidence).
     Hardware refers to all of the physical components of a computer, and information
      refers to the data and programs that are stored on and transmitted using a
      computer.
1. Hardware as Contraband or Fruits of Crime.
2. Hardware as an Instrumentality.
3. Hardware as Evidence.
4. Information as Contraband or Fruits of Crime.
5. Information as an Instrumentality.
6. Information as Evidence
   These categories are not intended to be mutually exclusive. A single crime can
fall into more than one category.
Hardware as Contraband or Fruits of Crime
   Contraband is property that a private citizen is not permitted to possess.
   For example, it is illegal for an individual to possess hardware that is used to
    intercept electronic communications. The concern is that such devices enable
    individuals to obtain confidential information, violate other people’s privacy, and
  commit a wide range of other crimes using intercepted data. Cloned cellular
  phones and the equipment that is used to clone them are other examples of
  hardware as contraband.
 The fruits of crime include property that was obtained by criminal activity, such as
  computer equipment that was stolen or purchased using stolen credit card
  numbers. Also, microprocessors are regularly stolen because they are very
  valuable, they are in high demand, and they are easy to transport.
 The main reason for seizing contraband or fruits of crime is to prevent and deter
  future crimes.
  Hardware as an Instrumentality
 When computer hardware has played a significant role in a crime, it is considered
  an instrumentality.
 if a computer is used like a weapon in a criminal act, much like a gun or a knife,
  this could lead to additional charges or a heightened degree of punishment.
 Example: a computer that is specially manufactured, equipped, and/or configured
  to commit a specific crime. For instance, sniffers are pieces of hardware that are
  specifically designed to eavesdrop on a network. Computer intruders often use
      sniffers to collect passwords that can then be used to gain unauthorized access
      to computers.
     The primary reason for authorizing law enforcement to seize an instrumentality of
      crime is to prevent future crimes.
Hardware as Evidence
   This separate category of hardware as evidence is necessary to cover computer
    hardware that is neither contraband nor the instrumentality of a crime.
   Example: if a scanner that is used to digitize child pornography has unique scanning
    characteristics that link the hardware to the digitized images, it could be seized as
    evidence.
  Information as Contraband or Fruits of Crime
     Contraband information is information that the private citizen is not permitted to
      possess.
     A historical example of information as contraband is encryption software: some
      countries have made it illegal for an individual to possess a computer program that
      can encode data using strong encryption algorithms, on the reasoning that it gives
      criminals too much privacy.
 Another form of contraband is child pornography.
 Information as fruits of crime include illegal copies of computer programs, stolen
  trade secrets and passwords, and any other information that was obtained by
  criminal activity.
Information as an Instrumentality
   Information can be the instrumentality of a crime if it was designed or intended
    for use or has been used as a means of committing a criminal offense.
   Programs that computer intruders use to break into computer systems are the
    instrumentality of a crime.
   These programs, commonly known as exploits, enable computer intruders to
    gain unauthorized access to computers with a specific vulnerability.
   computer programs that record people’s passwords when they log into a
    computer can be an instrumentality, and computer programs that crack
    passwords often play a significant role in a crime.
Information as Evidence
   This is the richest category of all.
   Many of our daily actions leave a trail of digits. All service providers (e.g.,
    telephone companies, ISPs, banks, credit institutions) keep some information
    about their customers.
   These records can reveal the location and time of an individual’s activities, such
    as items purchased in a supermarket, car rentals and gasoline purchases,
    automated toll payment, mobile telephone calls, Internet access, online banking
     and shopping, and withdrawals from automated teller machines (with
     accompanying digital photographs).
   Although telephone companies and ISPs try to limit the amount of information that
    they keep on customer activities, to reduce their storage and retrieval costs and
    their liability, law makers in some countries are starting to compel some
    communications service providers to keep more complete logs.
Cybercrime Law: A United States Perspective
Primary Laws:
   Computer Fraud and Abuse Act (CFAA): Codified as § 1030 of Title 18 of the
    U.S. Code.
   Identity Theft Enforcement and Restitution Act of 2008: Recent amendments to the CFAA.
   Other Statutes: Criminalizing identity theft, child pornography, and copyright and
    trademark offenses.
2.1 Computer Fraud and Abuse Act (CFAA)
Protected Computer: Defined in § 1030(e)(2) to include a computer used by or for a
financial institution or the U.S. government, or one used in or affecting interstate or
foreign commerce or communication, which in practice covers nearly any Internet-connected
computer.
Key Offenses:
     Unauthorized access to a computer.
     Disseminating malware.
     Launching denial of service (DoS) attacks, including distributed (DDoS) attacks.
     Trafficking in passwords.
     Using computers to commit fraud or extortion.
2.2 Identity Theft
   Basic Identity Theft Offense: § 1028(a)(7) of Title 18.
   Aggravated Identity Theft: § 1028A of Title 18.
   Key Elements: Unauthorized use of another person's means of identification with
    intent to commit a crime.
2.3 Child Pornography
   Child Pornography Prevention Act of 1996 (CPPA): Offenses codified in Chapter 110 of
    Title 18 of the U.S. Code (18 U.S. Code §§ 2251 through 2260).
   Key Definitions: Covered both "real" and "virtual" child pornography; the "virtual"
    definition was struck down as overbroad in Ashcroft v. Free Speech Coalition (2002).
2.4 Copyright Infringement
   Federal Copyright Law: Codified in Title 17 of the U.S. Code.
   Key Offenses: Wilful infringement for commercial advantage or private financial
    gain.
2.5 Trademarks and Trade Secrets
   Lanham Act: Primary source of protection for trademarks.
   Economic Espionage Act: Theft of trade secrets, codified as 18 U.S. Code §§
    1831 and 1832.
State Cybercrime Law
Common Offenses:
     Access Crimes: Simple and aggravated hacking.
     Malware: Dissemination of viruses, worms, and other types of malware.
     Denial of Service (DoS) Attacks: Explicitly outlawed in some states.
     Computer Forgery: Creating, altering, or deleting data in a computer.
     Computer Fraud and Theft: Using computers to commit fraud or theft.
     Computer Extortion: Using computers to commit extortion.
     Crimes Against Children: Soliciting minors for sex, creating, possessing, and
      distributing child pornography
Cybercrime Law: A European Perspective
Legal Frameworks
   Council of Europe Convention on Cybercrime (the Budapest Convention, 2001): Aims
    to harmonize national laws and improve international cooperation.
   EU Framework Decisions: Focus on attacks against information systems (Framework
    Decision 2005/222/JHA, since replaced by Directive 2013/40/EU) and combating fraud
    and counterfeiting of non-cash means of payment (Framework Decision 2001/413/JHA).
3. Specific Cybercrime Offenses
Computer-Integrity Crimes:
   Illegal Access (Hacking): Unauthorized access to computer systems.
   Illegal Interception: Unauthorized interception of non-public transmissions.
   Data and System Interference: Damaging, deleting, or altering computer data;
    hindering the functioning of computer systems.
   Misuse of Devices: Production, sale, or possession of devices intended for
    committing cybercrimes.
Computer-Assisted Crimes:
   Forgery: Input, alteration, deletion, or suppression of computer data to create
    inauthentic data.
   Fraud: Causing loss of property through manipulation of computer data or
    systems.
Content-Related Crimes:
   Child Pornography: Production, distribution, and possession of child
    pornography, including virtual images.
   Online Grooming: Using the internet to establish trust with minors for sexual
    abuse.
   Racism: Dissemination of racist and xenophobic material through computer
    systems.
Cybercrime Law: Indian Perspective
  In India, cybercrimes are primarily governed by the Information Technology Act,
2000 (IT Act 2000), which has been amended several times to address new types of
cyber-crimes. Here are some key provisions related to cybercrimes under this act:
   Tampering with Computer Source Documents (Section 65): This involves
    knowingly or intentionally concealing, destroying, or altering computer source code.
     The penalty can be imprisonment up to three years, or a fine up to ₹200,000, or both.
   Hacking with Computer System (Section 66): If a person, with the intent to cause
    wrongful loss or damage, destroys, deletes, or alters information in a computer
    resource, they can face imprisonment up to three years, or a fine up to ₹500,000
   Receiving Stolen Computer or Communication Device (Section 66B):
    Receiving or retaining a stolen computer resource or communication device can lead
    to imprisonment up to three years, or a fine up to ₹100,000
 Using Password of Another Person (Section 66C): Fraudulently using another
  person's password, digital signature, or other unique identification can result in
  imprisonment up to three years and a fine up to ₹100,000.
 Cheating Using Computer Resource (Section 66D): Cheating someone by personation
  using a computer resource can lead to imprisonment up to three years and a fine up to
  ₹100,000.
 Publishing Private Images of Others (Section 66E): Capturing, transmitting, or
  publishing images of a person's private parts without their consent can result in
  imprisonment up to three years, or a fine up to ₹200,000
 Cyber Terrorism (Section 66F): Acts of cyber terrorism, such as denying access to
  authorized personnel or introducing contaminants into a system with the intention of
  threatening India's unity, integrity, sovereignty, or security, can lead to imprisonment
  for life
 Publishing Obscene Information (Section 67): Publishing or transmitting obscene
  material in electronic form can result, on a first conviction, in imprisonment up to
  three years and a fine up to ₹500,000, and on a subsequent conviction in imprisonment
  up to five years and a fine up to ₹1,000,000.