
Digital Forensics and Law Enforcement

By: Prabha Devi Ganesan

INTRODUCTION

Digital forensics is the science of identifying, preserving, analysing and reporting on evidence stored in digital media such as computers, networks, servers and mobile devices. Evidence recovered from a computer system's storage media or from any other digital device, when properly documented, can be used as evidence in court. Before performing a forensic investigation, a digital forensic examiner must understand the concepts covered below.

The people who may be involved in an investigation are

  1. First responder
  2. Forensic investigators
  3. Court expert witness
  4. Law enforcement personnel

Process of Digital Forensics

  1. Identification - Determining what kind of evidence is present, what format it is in, and where it is stored on the computer or mobile device.
  2. Preservation - Isolating, securing and preserving the data so that it cannot be altered by continued use of the device; in practice a forensic copy (image) is made and the original is left untouched.
  3. Analysis - Reconstructing fragments of data from the evidence found, establishing what took place and how, and drawing conclusions from it.
  4. Reporting - Documenting the scene and the examination: photographs, sketches and maps of the scene, and a record of every step taken so that another examiner could reproduce the work.
  5. Presentation - The final step, in which the findings of the previous steps are summarised, explained and brought to a conclusion. The report should be written in plain terms that a reader without technical background can follow.

Learn more about Digital Forensics with Enhelion’s Online certified course certified by Obsidian!

Digital evidence can be gathered from messages sent by phone, email, internet history, computer files, images and instant messages. It can also come from sources such as desktop computers, laptops, mobile devices and the cloud.

Main objectives

Digital forensics helps to establish the identity of the suspect. Reconstructing the sequence of events at the crime scene helps to show that the digital evidence obtained has not been altered or corrupted. It helps to identify evidence quickly, gives an overview of any malicious activity involved, and can help to establish the motive behind the crime. The computer forensic report provides complete documentation of the investigation process, and all evidence is preserved by following a chain of custody: every transfer of the evidence is recorded, and its integrity is checked at each hand-off.
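As an added example (not part of the original article), the following Python script shows how a chain of custody is backed by hashing: the evidence is hashed once at acquisition, and every later hand-off re-hashes it and compares, so any alteration is detected and logged rather than discovered in court. The evidence bytes, case number and examiner names are constructed for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so large disk images need not fit in memory


def hash_stream(stream) -> str:
    """SHA-256 hex digest of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    """Convenience wrapper for in-memory evidence."""
    return hash_stream(io.BytesIO(data))


def custody_entry(examiner: str, action: str, digest: str) -> dict:
    return {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "action": action,
        "sha256": digest,
    }


def acquire(stream, case_id: str, examiner: str, description: str) -> dict:
    """Open a custody record: the acquisition hash is the reference value."""
    digest = hash_stream(stream)
    return {
        "case": case_id,
        "description": description,
        "sha256": digest,
        "log": [custody_entry(examiner, "acquired", digest)],
    }


def hand_off(record: dict, stream, examiner: str, action: str) -> bool:
    """Re-hash at every transfer; log the result and report whether it still matches."""
    digest = hash_stream(stream)
    intact = digest == record["sha256"]
    note = action if intact else action + " (HASH MISMATCH - evidence altered)"
    record["log"].append(custody_entry(examiner, note, digest))
    return intact


# Constructed sample evidence: a stand-in for a disk image, and a copy with one byte changed.
ORIGINAL_IMAGE = b"\x00" * 1000 + b"invoice.docx contents" + b"\xff" * 37
TAMPERED_IMAGE = ORIGINAL_IMAGE[:1010] + b"X" + ORIGINAL_IMAGE[1011:]


def demo():
    rec = acquire(io.BytesIO(ORIGINAL_IMAGE), "CASE-0042", "examiner A", "laptop HDD image")
    ok_analysis = hand_off(rec, io.BytesIO(ORIGINAL_IMAGE), "examiner B", "received for analysis")
    ok_court = hand_off(rec, io.BytesIO(TAMPERED_IMAGE), "examiner C", "received for court")
    return rec, ok_analysis, ok_court


if __name__ == "__main__":
    record, *_ = demo()
    for e in record["log"]:
        print(e["when"], e["who"], e["action"], e["sha256"][:16])
```

The third entry in the log is the one that matters: the hash recorded at acquisition no longer matches, so the examiner knows the copy presented for court is not the copy that was acquired, and the log shows at which hand-off the difference appeared.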

When a computer is to be confiscated, an expert forensic examiner must be called, to ensure that evidence of criminal activity is not lost or damaged, for example by switching the computer off. Photograph whatever is currently displayed on the screen before the system is taken into custody. A server should not simply be powered off: shutting it down can damage the data saved on it and disrupts the services it provides to customers, so its seizure has to be planned.

Once a mobile phone has been confiscated, the aim is to keep its stored state (recent call information, cell tower data) unchanged and to prevent anyone from reaching it over the network: an attacker who learns that the device is on can send it a remote command without the investigator's knowledge. The traditional instruction was to switch the phone off, remove the battery and never switch it on again, because powering it up can change the information on the device. The caveat a practitioner should know is that a phone which has been powered off may demand a PIN or passcode when next powered on, and its storage may be encrypted until it is unlocked, so where the phone is found switched on the usual practice now is to keep it on and isolate it from all networks: enable flight mode, turn off Wi-Fi, Bluetooth, NFC and any other communication system, and place the device in a FARADAY BAG or another signal-blocking container. To prevent damage from static electricity, store the evidence in a material that does not conduct electricity, such as a paper bag, a cardboard box or a paper envelope.


LAW ENFORCEMENT

Computer-based evidence has become common in court proceedings, and the same data is often more valuable for intelligence than for prosecution. Many of these techniques are still not widely known within law enforcement. Digital forensics is also used by commercial organisations in employment disputes, fraud investigations, intellectual property theft, bankruptcy and similar matters.

CASE LAW 1: (CREDIT CARD FRAUD)

STATE OF TAMIL NADU VS THE MANAGER OF A BPO ORGANISATION (BUSINESS PROCESS OUTSOURCING)

FACTS OF THE CASE: The manager of the fraud control unit of a BPO filed a complaint stating that two of his employees had conspired with a credit card holder and manipulated the card's credit limit, cheating the company of INR 0.72 million. During the investigation the police seized six mobile phones, imported wrist watches, jewellery, credit cards and leather accessories worth INR 0.3 million, and INR 25,000 in cash. They also informed the company of the security lapses in its software so that such cases could not be repeated in future. The case won second runner-up in the India Cyber Cop Award for its investigation; the investigating team's understanding of the business process and its use of digital evidence were noted as remarkable.

CASE LAW 2: (BLACKMAIL)

STATE OF MAHARASHTRA VS THE NRI (NON-RESIDENT INDIAN)

FACTS OF THE CASE: The accused, an NRI working in Dubai, posed as a young girl living in Kolkata to start an email correspondence with the complainant. He wrote to the complainant from several email IDs under different female names, which led the complainant to believe that he was corresponding with several different girls. The accused then asked for money, gifts and sexual favours in the names of the girls he was impersonating. He went on to blackmail the complainant, referring to the email exchanges: the complainant was made to believe that one of the girls had committed suicide, was sent fake copies of Calcutta High Court documents, and was asked for money to bribe the officials supposedly investigating the death and to compensate the family. The case won first runner-up in the India Cyber Cop Award for its investigation.

Examining raw data, whether a network capture or a disk image, means working with HEX CODES AND ASCII CODES

ASCII CODES - AMERICAN STANDARD CODE FOR INFORMATION INTERCHANGE

ASCII assigns a 7-bit number to each letter, digit, punctuation mark and control character, so a byte seen in hex can also be read as text. For forensics it is also important to know the fundamentals of number systems, because that is how the machine represents data. There are four in common use: binary, octal, decimal and hexadecimal.

Binary number

Base - 2

Digits - (0-1)

Octal number

Base - 8

Digits - (0-7)

Decimal number

Base - 10

Digits - (0-9); the everyday number system

Hexadecimal number

Base - 16

Digits - (0-9) and (A-F); one hex digit covers 4 bits, so one byte is written as two hex digits

OFFSET - The distance, in bytes, between the beginning of an object (a file, a sector, a disk image) and a given element or point within the same object. Hex editors and forensic tools show offsets in hexadecimal.
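As an added example (not part of the original article), the Python below produces the view an examiner works from: each line shows the hexadecimal offset, the bytes in hex, and the same bytes interpreted as ASCII, with non-printable bytes shown as dots. It also converts a value between the four number systems and reads a byte at an offset given in any of them. The sample data is the constructed first 16 bytes of a PNG file.

```python
def hexdump(data: bytes, width: int = 16, base: int = 0) -> list:
    """Render bytes the way a hex editor does: offset, hex column, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # printable ASCII is 0x20..0x7e; everything else is shown as '.'
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def to_bases(n: int) -> dict:
    """The same value written in each of the four number systems."""
    return {"binary": bin(n), "octal": oct(n), "decimal": str(n), "hexadecimal": hex(n)}


def byte_at(data: bytes, offset: str) -> int:
    """Read the byte at an offset written in any base: '0x10', '0o20', '0b10000' or '16'."""
    return data[int(offset, 0)]


# Constructed sample: the first 16 bytes of a PNG file (signature, then the IHDR chunk
# length and type). 0x89 and the control bytes are not printable, so they show as dots.
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"

if __name__ == "__main__":
    for line in hexdump(PNG_HEAD):
        print(line)
    print(to_bases(byte_at(PNG_HEAD, "0x0c")))  # the 'I' of IHDR, at offset 12
```

The `base` argument lets the offsets start at the position of the chunk within the larger object (a sector's position on disk, for instance), so the printed offsets match what the examiner's notes and the forensic tool report.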

FILE SYSTEM FORENSICS

The identification, collection and analysis of digital evidence from different types of storage media is known as FILE SYSTEM FORENSICS. Several concepts relating to file systems matter here.

Firstly,

Hard disk - Data can be hidden on a disk's maintenance tracks or in a protected area of the disk (the Host Protected Area) that the operating system does not normally see. An examiner's acquisition tool must be able to detect such areas, otherwise the evidence they hold is never collected.

The File Allocation Table (FAT) and, on the New Technology File System (NTFS), the Master File Table (MFT) keep track of which files are present on the storage media and where their data is stored.

When a file is deleted, only its entry in the file system table is removed, so it no longer appears in the directory listing; the clusters that held its data are marked free and may be reused by other files, but until they are overwritten the content is still on the hard disk. That content can be recovered with several techniques. Working in hex, the examiner locates the beginning of the file (its header signature) and its end (the footer), copies the bytes between them into a new file, and saves that file with the extension appropriate to its type.
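The hex-editor procedure just described, done programmatically, is file carving. As an added example (not the article's own code), the Python below scans a run of raw bytes for the header and footer signatures of a few file types and returns each object found with its offset; `save_carved` writes them out with the right extension. The signature table is limited to three types for the example, and the "unallocated space" is a constructed byte string containing small JPEG-like and PNG-like objects, not real images.

```python
import pathlib

# Header and footer signatures ("magic bytes") of a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(raw: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return (offset, type, bytes) for every header/footer pair found in raw.

    This is what the text describes doing by hand in a hex editor: locate the
    start and end signatures of the file and copy everything between them.
    """
    found = []
    for ext, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = raw.find(head, pos)
            if start < 0:
                break
            end = raw.find(foot, start + len(head))
            if end < 0:
                break  # header without a footer: the rest of the file was overwritten
            end += len(foot)
            if end - start <= max_size:  # ignore absurd spans from a stray footer
                found.append((start, ext, raw[start:end]))
            pos = end
    found.sort(key=lambda t: t[0])
    return found


def save_carved(found: list, outdir: str) -> list:
    """Write each carved object, named by its offset, with the matching extension."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, ext, blob in found:
        p = out / f"carved_{offset:08x}.{ext}"
        p.write_bytes(blob)
        paths.append(str(p))
    return paths


# Constructed sample of "unallocated" space: zeroed clusters with a JPEG-like and a
# PNG-like object left behind by deleted files. Neither is a real image.
SAMPLE_UNALLOCATED = (
    b"\x00" * 100
    + b"\xff\xd8\xff\xe0" + b"JFIFdata" + b"\xff\xd9"
    + b"\x00" * 50
    + b"\x89PNG\r\n\x1a\n" + b"chunks" + b"IEND\xaeB`\x82"
    + b"\x00" * 20
)

if __name__ == "__main__":
    for offset, ext, blob in carve(SAMPLE_UNALLOCATED):
        print(f"offset 0x{offset:x}: {ext}, {len(blob)} bytes")
```

Signature carving ignores the file system entirely, which is why it still works after the FAT or MFT entry is gone; its weakness is fragmentation, since a file whose clusters were not contiguous comes out with foreign data in the middle.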

PARTITION TABLE

The partition table is held in the Master Boot Record (MBR), the first sector of the disk. It tells the computer how the hard drive is organised into partitions. When a partition is deleted, only its table entry is removed; the partition's data is still stored on the hard drive and can often be recovered by locating it and rebuilding the entry.
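As an added example (not part of the original article), the Python below decodes the four partition entries of an MBR and then scans the rest of a disk image for FAT or NTFS boot sectors that no entry covers: those are the traces of a deleted partition whose data is still on the disk. The disk image is constructed in the script (48 sectors, one partition in the table, one whose entry has been zeroed); the partition type names are the standard MBR type codes.

```python
import struct

SECTOR = 512
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)",
                   0x83: "Linux", 0xee: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446 of the MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA MBR signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue  # empty (or deleted) entry
        parts.append({
            "index": i,
            "bootable": flag == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start_lba": lba,
            "sectors": count,
        })
    return parts


def find_orphan_boot_sectors(image: bytes, parts: list) -> list:
    """Scan every sector for a FAT/NTFS boot sector that no partition entry covers.

    A deleted partition's data is still on disk; its boot sector is the easiest
    trace to find, and from it the table entry can be rebuilt.
    """
    covered = [(p["start_lba"], p["start_lba"] + p["sectors"]) for p in parts]
    oem_names = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1")
    orphans = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[3:11] in oem_names and s[510:512] == b"\x55\xaa":
            if not any(lo <= lba < hi for lo, hi in covered):
                orphans.append(lba)
    return orphans


def fake_boot_sector(oem: bytes) -> bytes:
    """Minimal boot sector: jump instruction, OEM name, signature (constructed)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = oem
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_image() -> bytes:
    """Constructed 48-sector disk: one NTFS partition in the table, one deleted."""
    img = bytearray(48 * SECTOR)
    # entry 0: bootable, type 0x07, starting at LBA 8, 16 sectors long
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 16)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR:9 * SECTOR] = fake_boot_sector(b"NTFS    ")
    # a second partition once started at LBA 32: its entry was zeroed, its data was not
    img[32 * SECTOR:33 * SECTOR] = fake_boot_sector(b"NTFS    ")
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_IMAGE[:SECTOR])
    print(parts)
    print("boot sectors outside the table at LBA:", find_orphan_boot_sectors(SAMPLE_IMAGE, parts))
```

On a real image the scan is run over every sector, and each orphan boot sector found is a candidate start for a rebuilt partition entry; its own BIOS Parameter Block then gives the partition's size.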

 

SLACK SPACE

Slack space is the area between the end of a file's data and the end of the last cluster allocated to it. The part of the last sector beyond the end of the file is called RAM slack (older systems padded it with whatever happened to be in memory); the remaining whole sectors of the cluster are file slack, which can still hold data from a file that previously occupied the cluster. Because the file system never shows this area to the user, it can also be used deliberately to hide data on the storage media, and deleted data found there can be restored.


FREE SPACE

Free (unallocated) space is the space on a partition that is not currently assigned to any file, including the clusters released when a file is deleted. The data of deleted files remains there until the clusters are reused.

FAKED BAD CLUSTERS

Data can also be stored in clusters that have been marked as bad. On NTFS the metadata file $BadClus records the bad clusters of the volume; it is a sparse file whose logical size equals the size of the volume, so clusters added to it do not show up as a growing file. A suspect can mark good clusters as bad and hide data in them, because the file system will not allocate them to ordinary files and will not report their contents.

FAT32 - 1996

FAT32 was used by DOS and by Windows versions before Windows XP. The 32 in FAT32 refers to the 32-bit entries used to record cluster values (28 of those bits are used for the cluster number). Modern Windows system drives use NTFS rather than FAT32, although FAT32 remains common on removable media.

The FAT records where each file's clusters are; the structure is very simple compared with NTFS.

NTFS

NTFS is a newer file system than FAT32.

It has been used since Windows NT and in every Windows version from 2000 onwards.

Its first sector is a 512-byte boot sector (boot record).

The boot sector holds the information about the partition (sector size, cluster size, total sectors, location of the Master File Table) that the operating system needs to load properly and that an examiner reads first.
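As an added example (not the article's own code) covering the slack space, FAT32 and NTFS sections above, the Python below decodes the BIOS Parameter Block at the start of a boot sector, which both file systems share, and from it computes the cluster size, the byte offset of the $MFT on NTFS or the first data sector and cluster count on FAT32, and the RAM slack and file slack a file of a given size leaves in its last cluster. Both boot sectors are constructed in the script; the field offsets are the documented FAT32 and NTFS layouts.

```python
import struct

SECTOR = 512


def parse_boot_sector(bs: bytes) -> dict:
    """Decode the BIOS Parameter Block shared by FAT32 and NTFS boot sectors."""
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector (missing 0x55AA)")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 11)
    info = {
        "oem": bs[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
    }
    if bs[3:11] == b"NTFS    ":
        info["fs"] = "NTFS"
        total, mft_cluster = struct.unpack_from("<QQ", bs, 40)  # total sectors, $MFT LCN
        info["total_sectors"] = total
        info["mft_cluster"] = mft_cluster
        info["mft_offset"] = mft_cluster * info["cluster_size"]  # where to read the MFT
    elif bs[82:90] == b"FAT32   ":
        info["fs"] = "FAT32"
        reserved, fats = struct.unpack_from("<HB", bs, 14)
        total, = struct.unpack_from("<I", bs, 32)
        sectors_per_fat, = struct.unpack_from("<I", bs, 36)
        root_cluster, = struct.unpack_from("<I", bs, 44)
        first_data_sector = reserved + fats * sectors_per_fat
        info.update(total_sectors=total, root_cluster=root_cluster,
                    first_data_sector=first_data_sector,
                    cluster_count=(total - first_data_sector) // sectors_per_cluster)
    else:
        info["fs"] = "unknown"
    return info


def slack(file_size: int, bytes_per_sector: int, sectors_per_cluster: int) -> dict:
    """Bytes allocated to a file but not used by it, split into RAM slack and file slack."""
    cluster = bytes_per_sector * sectors_per_cluster
    clusters = -(-file_size // cluster)            # ceiling division
    allocated = clusters * cluster
    ram_slack = (-file_size) % bytes_per_sector     # unused tail of the last sector
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "file_slack": allocated - file_size - ram_slack,  # whole unused sectors
        "total_slack": allocated - file_size,
    }


def _sample_ntfs() -> bytes:
    """Constructed NTFS boot sector: 512-byte sectors, 8 per cluster, $MFT at cluster 4."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 11, 512, 8)
    struct.pack_into("<QQ", bs, 40, 204800, 4)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def _sample_fat32() -> bytes:
    """Constructed FAT32 boot sector: 32 reserved sectors, 2 FATs of 64 sectors each."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHB", bs, 11, 512, 8, 32, 2)  # sector size, cluster, reserved, FATs
    struct.pack_into("<I", bs, 32, 65536)            # total sectors
    struct.pack_into("<I", bs, 36, 64)               # sectors per FAT
    struct.pack_into("<I", bs, 44, 2)                # root directory cluster
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


SAMPLE_NTFS_BOOT = _sample_ntfs()
SAMPLE_FAT32_BOOT = _sample_fat32()

if __name__ == "__main__":
    for sample in (SAMPLE_NTFS_BOOT, SAMPLE_FAT32_BOOT):
        info = parse_boot_sector(sample)
        print(info)
        print("  1000-byte file leaves:", slack(1000, info["bytes_per_sector"], info["sectors_per_cluster"]))
```

With 512-byte sectors and 8 sectors per cluster, a 1000-byte file fills one sector and 488 bytes of the next: 24 bytes of RAM slack in that sector and six untouched sectors (3072 bytes) of file slack, all of which an examiner should inspect for remnants of whatever occupied the cluster before.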

CONCLUSION

Digital forensic examination of electronic systems has proved highly successful in the analysis of cyber crime and computer-assisted crime, and it is equally important to have appropriate incident management capabilities in place to handle misuse of systems.
