Digital Forensics: An Introduction

Digital forensics is the application of scientific methods to preserving, recovering, and investigating digital evidence from a digital crime scene. It can be defined as the collection, examination, analysis, and documentation of digital evidence, using scientifically proven methods, in order to investigate a digital crime and present the findings before a court.

Table of Contents:

  • Elements of a Digital Crime
  • Goals of Digital Forensic Investigation
  • Classification of Digital Forensics
  • Digital Evidence
  • Principles of Digital Forensics
  • Process of Forensic Investigation
  • Types of Tools

Elements of a Digital Crime

To prove a digital crime, as an investigator you need to establish the following elements before drawing a conclusion. The elements are related to one another to a greater or lesser degree.

Goals of Digital Forensic Investigation

As a digital forensic investigator, you should have clear goals for the investigation. The five most important goals are depicted below:

Classification of Digital Forensics

Digital forensics is a broad term that covers several specialisations. The most common branches are as follows:

  1. Computer Forensics: The oldest branch, dating from the early days of computer systems. It covers the investigation of computers, laptops, logs, USB drives, hard drives, operating systems, etc.
  2. Network Forensics: Investigating network events, intrusions, and captured packets in order to detect and reconstruct network attacks.
  3. Multimedia Forensics: The investigation of image, audio, and video files recovered as evidence from a digital crime scene.
  4. Mobile Forensics: The investigation of smartphones (Android, iOS, etc.) to find digital evidence and recover deleted data relevant to the case.
  5. Memory Forensics: The analysis of a memory (RAM) dump of a system to recover volatile data such as running processes, chat history, clipboard contents, browser sessions, etc., which are lost once the machine is powered off.
  6. Cloud Forensics: With storage increasingly virtual, the investigation of cloud environments plays a key role in gathering evidence in a digital crime.

The classification of digital forensics is not limited to the above; it can be divided further depending on the case.

Digital Evidence

Digital evidence, or electronic evidence, is any object that stores or transmits digital information in any form and that was either used in the commission of a crime or supports the investigation of the case at trial.

Evidence found at the crime scene should have two key properties:

  1. It must be admissible in court.
  2. It must be authentic.

Digital evidence comes in many forms and must be obtained ethically, following the prescribed investigation guidelines. A few kinds of digital evidence are shown in the diagram below, but the list goes on.


Understanding Data and Metadata

The difference between the data and the metadata for the forensic investigation can be easily understood with the help of the diagram below;

Principles of Digital Forensics

  1. Securing the Crime Scene: This is the most basic principle of digital forensics. As an investigator you should prohibit any access to the suspected digital evidence, document all running processes and network connections, disconnect wireless connections, and so on, to keep the evidence intact.
  2. Limiting Evidence Interaction: Interact with the evidence as little as possible, and record everything you do on a live system, because every action changes it. Volatile data such as the contents of RAM is lost when the system is powered off, so capture it first, with a memory-acquisition tool or, as a last resort, a cold boot attack (rebooting into a minimal acquisition environment before the RAM contents fade).
  3. Maintaining Chain of Custody: The chain of custody is a record of the sequence in which the evidence was collected, the date and time of collection, every investigator who accessed or handled it, and so on.

Process of Digital Forensic Investigation

  • Identification: The first step at the crime scene is to identify the purpose of the investigation and recognise the potential digital evidence.
  • Preservation: The investigator must ensure that the evidence is not tampered with, which would compromise the investigation.
  • Collection: Acquire the evidence in the most appropriate way without altering it, and pack it securely (wireless-capable devices go in a Faraday bag so they cannot receive a remote wipe or further network traffic).
  • Examination: A precursor to analysis; the evidence is carefully inspected for any secondary details.
  • Analysis: The most crucial step: joining the bits and pieces of evidence, retrieving deleted files, etc.
  • Interpretation: Drawing conclusions from the findings after reconstructing the crime scene.
  • Documentation: Preparing a detailed report of the entire investigation.
  • Presentation: Presenting the findings, typically when called for cross-examination, in terms simple enough for a lay audience to understand.

Types of Tools

An investigator needs the right set of tools for conducting a digital forensic investigation, and it is for the investigator to decide which tool suits the case. Tools may be hardware- or software-based, and can be classified into three types: open source, proprietary, and self-created.

Conclusion

This covers the basic understanding of, and requirements for, a digital forensic investigation.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing.

Forensic Investigation: Preserve TimeStamp

As a digital forensic investigator, you understand how important it is to preserve the timestamps of any evidence gathered at the scene of a crime. You have to make sure that the timestamps of the original evidence are never altered during acquisition, because they are part of what the chain of custody has to vouch for.

Table of Contents

  • Introduction to Timestamp
  • Preserving Timestamp using command-prompt
  • Preserving Timestamp using ForensiCopy
  • Preserving Timestamp using OSForensics
  • Preserving Timestamp using Copy Files with Dates
  • Preserving Timestamp using SafeCopy
  • Preserving Timestamp using TeraCopy
  • Preserving Timestamp in Linux

Popular file systems such as FAT, NTFS, and ext store file timestamps in different ways. FAT keeps creation, last-write and last-access stamps as packed 16-bit date and time fields in local time (the write time has 2-second resolution, the creation time a 10 ms tenths field, and last access is a date only). NTFS keeps four 64-bit FILETIME values (created, modified, MFT entry changed, accessed) in each file's $STANDARD_INFORMATION attribute and a second copy in its $FILE_NAME attribute; the second copy is not updated by ordinary file operations, which is why examiners compare the two to spot timestamp tampering. ext4 keeps access, modify, inode-change and creation (crtime) times as seconds plus nanoseconds since the Unix epoch.
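The encodings just described, worked through in code. This is an added example and not part of the original article: Python routines that decode and re-encode an NTFS FILETIME, a FAT packed date/time pair, and an ext4 seconds-plus-extra timestamp. The values in the comments are constructed test inputs.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 64-bit count of 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Decode an NTFS/Windows FILETIME (as stored in $STANDARD_INFORMATION)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def fat_to_datetime(date: int, time_: int, tenths: int = 0) -> datetime:
    """Decode FAT packed 16-bit date/time (local time, no zone information).

    date:   bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day
    time:   bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds / 2
    tenths: 0-199 hundredths of a second, only kept for the creation stamp
    """
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute = time_ >> 11, (time_ >> 5) & 0x3F
    second = (time_ & 0x1F) * 2 + tenths // 100
    return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10_000)


def datetime_to_fat(dt: datetime) -> tuple:
    """Pack a datetime into (date, time); odd seconds are truncated, as FAT does."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_ = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time_


def ext4_to_datetime(seconds: int, extra: int = 0) -> datetime:
    """Decode an ext4 timestamp: 32-bit seconds since the Unix epoch plus, for
    large inodes, an 'extra' word whose low 2 bits extend the seconds field and
    whose upper 30 bits hold nanoseconds. Written for post-1970 stamps."""
    secs = seconds + ((extra & 0x3) << 32)
    nanos = extra >> 2
    return datetime.fromtimestamp(secs, timezone.utc) + timedelta(microseconds=nanos // 1000)


if __name__ == "__main__":
    # Constructed inputs: FILETIME for 2000-01-01 UTC and FAT stamp 2019-12-25 13:05:30.
    print(filetime_to_datetime(125911584000000000))
    print(fat_to_datetime(0x4F99, 0x68AF))
    print(ext4_to_datetime(946684800, 500_000_000 << 2))
```

Two things the decoders make visible: FAT stamps carry no time zone, so the examiner must know the zone of the machine that wrote them, and FAT cannot represent odd seconds at all, so a copy onto a FAT-formatted stick can legitimately differ from the NTFS original by one second.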

Consider a scenario: while investigating a case you suddenly get the opportunity to collect evidence files or folders from a system you have wanted to seize for a long time, but you do not have your paid, expensive tools with you. If you use the ordinary copy-and-paste method, the copies will not carry the original timestamps: Windows gives the copy a fresh creation time and access time, so only the modified time survives.

To avoid this problem, we will look at a few simple techniques and free tools that copy files or folders from one location to another without changing their timestamps.

Preserving Timestamp using command-prompt

This is the simplest manual technique and needs no fancy, expensive, or automated software: a single command in the Windows command prompt. Robocopy ("Robust File Copy") first shipped with the Windows NT 4.0 Resource Kit, has been built into Windows since Vista, and has been popular ever since for copying files reliably. By default it copies file data, attributes, and timestamps (/COPY:DAT); add /DCOPY:T if the directory timestamps must be preserved as well. You can type;

After the copy completes, compare the properties of the source and the copy: there is no difference in the date and time stamps.

Preserving Timestamp using ForensiCopy

ForensiCopy is an automated evidence-copying tool, which is quite different from imaging. It can be downloaded from here. It copies files from one location to another without changing their timestamps. All you have to do is add the source path and the destination path and click Start. On completion it generates a log file.

Once the copy is finished, compare the properties of the source and destination files: the timestamps have not changed.

Preserving Timestamp using OSForensics

OSForensics is a well-known forensic suite that provides a "Forensic Copy" option. You can download it from here.

In OSForensics this is done under Forensic Imaging by creating a Logical Image. A logical image copies only the selected files or folders from a drive, rather than every sector, but keeps the timestamps of the copied files and folders intact. Add the source and destination paths of the folder and click Start.

Here you can see that the timestamps at the source and destination paths are unchanged.

Preserving Timestamp using Copy Files with Dates

This is another useful tool for preserving the date and time stamps of files on a Windows file system. You can download it from here. All you have to do is specify the source file and the destination and click Start.

A log file is generated, which can be opened from the command prompt using

Preserving Timestamp using SafeCopy

SafeCopy can be used for forensics as well as anti-forensics. You can download it from here. Add the source and destination paths, keep the option to retain the file's original date and time selected so that it is preserved, and then click Copy.

You can see below that the timestamps of the files copied to the new destination are intact.

Preserving Timestamp using TeraCopy

TeraCopy is a simple tool that takes very little time to copy files to the destination without changing the date and time of the original documents. You can download it from here.

Preserving Timestamp in Linux

Now switch to your Linux machine and open a terminal as root. Change to the directory holding the file to be copied and type

To copy the file without changing its timestamps, use the command;

You can see that it has been copied to the new destination without the timestamps changing. To see the file information at the new path, type;
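The comparison that the Windows (Robocopy) and Linux sections above rely on, as an added example that is not part of the original article. It contrasts Python's shutil.copy, which like a plain copy gives the destination a fresh modification time, with shutil.copy2, which like Robocopy's timestamp copy on Windows or cp -p on Linux carries the source's access and modification times over. The sample file, its contents and the back-dated 2020 timestamp are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserving_copy(src: str, dst: str) -> str:
    """Copy data and metadata (atime/mtime, permission bits) and return the copy's hash."""
    shutil.copy2(src, dst)
    return sha256_of(dst)


def compare_copy(src: str, dst: str) -> dict:
    """The check to run after any copy: content hash and stat timestamps, side by side."""
    s, d = os.stat(src), os.stat(dst)   # stat first, so hashing does not disturb atime
    return {
        "content_same": sha256_of(src) == sha256_of(dst),
        "mtime_same": s.st_mtime_ns == d.st_mtime_ns,
        "atime_same": s.st_atime_ns == d.st_atime_ns,
        # ctime is set by the kernel on every inode change and cannot be copied.
        "ctime_same": s.st_ctime_ns == d.st_ctime_ns,
    }


def demo() -> dict:
    """Constructed scenario: a file back-dated to 2020-01-15, copied two ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence\n")
        old = int(time.mktime((2020, 1, 15, 9, 30, 0, 0, 0, -1)))
        os.utime(src, (old, old))                 # back-date atime and mtime

        naive = os.path.join(tmp, "naive_copy.txt")
        shutil.copy(src, naive)                   # plain copy: mtime becomes "now"

        good = os.path.join(tmp, "preserved_copy.txt")
        preserving_copy(src, good)                # timestamp-preserving copy

        return {"naive": compare_copy(src, naive), "preserved": compare_copy(src, good)}


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, result)
```

compare_copy is the same check you would do by hand after any of the tools above: hash both files and compare the stat output. Two caveats apply to every copy-based method: the inode change time (ctime) is assigned by the kernel and cannot be preserved from user space on Linux, and the creation (birth) time needs file-system specific support (a Windows copy tool can set it through SetFileTime on NTFS; on ext4 it cannot be set at all). Whatever method you use, record the source hash and timestamps before the copy so the report can show what was preserved and what was not.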

Conclusion: In this article you have learnt about various methods and tools for copying files from one location to another without changing their timestamps.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing.

USB Forensics: Detection & Investigation

Universal Serial Bus flash drives, commonly known as USB flash drives, are the most common storage devices found as evidence in a digital forensic investigation. The investigation follows a defined procedure that must be carried out so that the evidence is not destroyed. So, let us get started with the forensic investigation of a USB drive.

Table of Contents

  • Detecting last attached USB flash drives in the Windows system
  • Using Registry Editor
  • Using PowerShell
  • Using USBDeview
  • Detecting last attached USB flash drives using Metasploit
  • Investigating USB flash drives for deleted files
  • Creating Disk Image
  • Analysing Disk Image

Detecting last attached USB flash drives in the Windows system

The use of USB drives in the workplace lets a malicious employee remove sensitive or confidential information from a system without any authorisation. Forensic examination of the system is how such incidents are investigated. So, let's start;

To detect USB artifacts on a Windows machine, we can use manual as well as automated methods.

Using Registry Editor

This is a manual method that lists information about the USB storage devices previously plugged in. Press Windows+R, type regedit and press Enter to open the Registry Editor.

This information can be found in the Windows registry at:

Details such as the last plugged-in USB devices, the vendor, the product name, the serial number, and the revision can be read here.

Using PowerShell

This is also a manual method. The same registry path can be queried from PowerShell to get information on the last plugged-in USB devices, with the following command;

Using USBDeview

For an automated method, you can download USBDeview. This tool gives you a graphical listing of the USB devices that have been connected to the system.
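A way to parse the USBSTOR entries that the registry, PowerShell and USBDeview methods above all read, added here as an example that is not part of the original article. The sample instance paths are constructed in the format Windows uses under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device id>\<instance id>; live_usbstor_paths() reads the real key through the standard winreg module when run on a Windows host and returns an empty list elsewhere.

```python
import re

# Constructed samples in the USBSTOR "<device id>\<instance id>" format (not from a real host).
SAMPLE_USBSTOR = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001231212345678&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2D84FD9119F22B52&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a4f3d17&0&_&0",
]

_DEVICE_RE = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>.+)$"
)


def parse_usbstor(path: str) -> dict:
    """Split a USBSTOR device-id\\instance-id pair into its forensically useful fields."""
    m = _DEVICE_RE.match(path)
    if not m:
        raise ValueError(f"not a USBSTOR instance path: {path!r}")
    instance = m["instance"]
    # A device that reports no serial number gets an instance id synthesised by
    # Windows whose second character is '&'; such ids cannot be matched across hosts.
    windows_generated = len(instance) > 1 and instance[1] == "&"
    serial = None if windows_generated else instance.rsplit("&", 1)[0]  # drop "&0" interface suffix
    return {
        "class": m["class"],
        "vendor": m["vendor"],
        "product": m["product"].replace("_", " "),   # Windows stores spaces as underscores
        "revision": m["rev"],
        "serial": serial,
        "windows_generated_id": windows_generated,
    }


def parse_all(paths=SAMPLE_USBSTOR) -> list:
    return [parse_usbstor(p) for p in paths]


def live_usbstor_paths() -> list:
    """On Windows, enumerate the real USBSTOR key; on other platforms return []."""
    try:
        import winreg
    except ImportError:
        return []
    paths = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\USBSTOR") as usbstor:
        for i in range(winreg.QueryInfoKey(usbstor)[0]):
            device = winreg.EnumKey(usbstor, i)
            with winreg.OpenKey(usbstor, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    paths.append(device + "\\" + winreg.EnumKey(dev_key, j))
    return paths


if __name__ == "__main__":
    for entry in parse_all(live_usbstor_paths() or SAMPLE_USBSTOR):
        print(entry)
```

The serial is the field to pivot on when you need to prove that one particular stick was plugged into several machines; entries whose id Windows generated cannot be correlated that way. The instance key's LastWrite time is often used as the last-connected time, but it should be corroborated with C:\Windows\inf\setupapi.dev.log and the other USB artifacts before you put a time in the report.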

Detecting last attached USB flash drives using Metasploit

When the USB flash drive history needs to be investigated remotely, we can use a Metasploit module on Kali Linux that enumerates the USB drive history on a target host. To use it, start msfconsole on your Linux machine and type the command;

Set the session number and run the module. You will see a history of the various USB devices connected previously.

Since you already have a meterpreter session, you can also load PowerShell through it to get the history of USB flash drives remotely, with the following command;

Once the PowerShell is loaded, you can type,

You can hence see the list of USB Flash drives connected to the system remotely.

Investigating USB flash drives for deleted files

Once all USB connections to the system have been detected, and if the USB flash drive itself is found at the scene of the crime, it can be carefully collected in a Faraday bag and the forensic investigator can examine the evidence.

First, create an image of the USB flash drive retrieved from the crime scene, connecting it through a write blocker so that nothing on the drive can be altered while it is read. To create and analyse the image we can use FTK® Imager, which can be downloaded from here.

Creating Disk Image

Step 1: Install and run AccessData FTK Imager.

Step 2: Create a disk image of the USB drive.

A disk image is a bit-by-bit or a sector-by-sector copy of a physical storage device like USB Flash drive, which includes all files, folders and unallocated, free and slack space etc.

Step 3: Since the evidence is a USB flash drive, select Physical Drive as the source type, choose the drive from the list, and click Finish.

Step 4: Add the destination for the image file and check the box that says "Verify images after they are created".

Step 5: After adding the destination folder, type the name you want to give the image file and click Finish.

Step 6: With the image destination ready, click Start to begin imaging.

Step 7: The image of your USB flash drive is now being created.

Step 8: When imaging completes, FTK Imager shows the image verification results: the MD5 and SHA1 hashes computed from the source drive and from the finished image are listed and compared, and should match.

Here the imaging part is over, so we can now move to the analysis of the USB Flash Drive.
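The imaging-and-verify steps above, expressed as an added Python example (not the article's or FTK Imager's own code) so that the hash check is explicit: the source is read sector by sector into the image while being hashed, and the finished image is then re-read and hashed independently. The "device" here is a constructed temporary file standing in for the physical drive; on a real acquisition you would open the block device (for example \\.\PhysicalDrive2 on Windows or /dev/sdb on Linux, both assumptions) behind a write blocker.

```python
import hashlib
import os
import tempfile


def acquire_image(source: str, image_path: str, block_size: int = 512) -> dict:
    """Raw (dd-style) acquisition with verification, as FTK Imager's
    'Verify images after they are created' option does it."""
    src_md5, src_sha1 = hashlib.md5(), hashlib.sha1()
    with open(source, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(block_size), b""):
            src_md5.update(block)       # hash the bytes as they come off the device
            src_sha1.update(block)
            img.write(block)

    img_md5, img_sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "rb") as img:  # second, independent pass over the written image
        for block in iter(lambda: img.read(1 << 20), b""):
            img_md5.update(block)
            img_sha1.update(block)

    result = {
        "size": os.path.getsize(image_path),
        "md5": src_md5.hexdigest(),
        "sha1": src_sha1.hexdigest(),
        "verified": src_md5.hexdigest() == img_md5.hexdigest()
        and src_sha1.hexdigest() == img_sha1.hexdigest(),
    }
    # Record the hashes beside the image; this line goes into the chain-of-custody log.
    with open(image_path + ".hashes.txt", "w") as log:
        log.write(f"source={source}\nimage={image_path}\nsize={result['size']}\n"
                  f"md5={result['md5']}\nsha1={result['sha1']}\nverified={result['verified']}\n")
    return result


def demo() -> dict:
    """Constructed stand-in for a USB device: 64 sectors of deterministic bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "fake_usb.bin")
        img = os.path.join(tmp, "fake_usb.dd")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 128)
        return acquire_image(dev, img)


if __name__ == "__main__":
    print(demo())
```

Two checks matter in practice that the GUI does for you and this code makes explicit: the verification hash must come from a fresh read of the image file, not from the bytes still in memory, and the recorded image size must equal the device's sector count times the sector size, otherwise a short read (a failing sector, an unplugged drive) has silently produced a truncated image. On Linux the equivalent command-line acquisition is dd with conv=noerror,sync, followed by md5sum/sha1sum on both the device and the image.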

Analysing Disk Image

Note: Investigation is to be performed only on the Disk image of the original evidence.

Step 9: Click on add evidence item and add the source of the created image file.

Step 10: An evidence tree is created, and the root folder shows the deleted folders. We will try to retrieve them by selecting them and clicking "Export Files".

Step 11: The deleted folder and its contents have been retrieved.
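What a tool such as FTK Imager is doing when it lists and exports a deleted entry, as an added example that is not part of the original article: scanning a FAT root directory for entries whose first byte is 0xE5 (the deletion marker) and carving the file's data from its starting cluster. The volume is a tiny constructed FAT12-style image with a simplified geometry fixed in the constants; on a real volume the geometry is read from the boot sector, and the 32-byte entry also carries the packed FAT creation, write and access stamps (offsets 13-25) that an examiner would decode.

```python
import struct

# Constructed layout: 512-byte sectors, one sector per cluster, boot sector 0, FAT in
# sector 1, root directory in sector 2, data from sector 3 (cluster 2 is the first
# data cluster, as in a real FAT volume).
BPS, ROOT_SECTOR, DATA_SECTOR, TOTAL_SECTORS = 512, 2, 3, 8
ENTRY_FMT = "<11sBBBHHHHHHHI"   # name, attr, ntres, crt tenths, crt time, crt date,
                                # access date, cluster hi, write time, write date, cluster lo, size
ATTR_LFN, DELETED_MARK = 0x0F, 0xE5


def cluster_offset(cluster: int) -> int:
    return (DATA_SECTOR + cluster - 2) * BPS


def make_entry(name83: str, cluster: int, size: int, deleted: bool = False) -> bytes:
    raw = name83.encode("ascii").ljust(11, b" ")
    if deleted:                        # FAT marks deletion by overwriting the first name byte
        raw = bytes([DELETED_MARK]) + raw[1:]
    date, time_ = 0x4F99, 0x68AF       # packed FAT date/time: 2019-12-25 13:05:30
    return struct.pack(ENTRY_FMT, raw, 0x20, 0, 0, time_, date, date, 0, time_, date, cluster, size)


def build_sample_image() -> bytes:
    """Constructed volume with one live file and one deleted file whose data survives."""
    img = bytearray(BPS * TOTAL_SECTORS)
    live = b"constructed live file\n"
    gone = b"constructed deleted evidence: exported customer list\n"
    root = make_entry("REPORT  TXT", 2, len(live)) + make_entry("SECRET  TXT", 3, len(gone), deleted=True)
    img[ROOT_SECTOR * BPS: ROOT_SECTOR * BPS + len(root)] = root
    img[cluster_offset(2): cluster_offset(2) + len(live)] = live
    img[cluster_offset(3): cluster_offset(3) + len(gone)] = gone
    return bytes(img)


def scan_root_dir(img: bytes) -> list:
    """Walk the root directory and report every entry, deleted ones included."""
    entries = []
    for off in range(ROOT_SECTOR * BPS, (ROOT_SECTOR + 1) * BPS, 32):
        raw = img[off: off + 32]
        if raw[0] == 0x00:             # 0x00 first byte: no further entries in use
            break
        name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:           # skip long-filename pieces
            continue
        is_deleted = name[0] == DELETED_MARK
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        if is_deleted:                 # the overwritten first character is gone; show a placeholder
            base = "?" + base[1:]
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": is_deleted,
                        "cluster": (hi << 16) | lo, "size": size})
    return entries


def carve(img: bytes, entry: dict) -> bytes:
    """Recover an entry's data. Deletion zeroes the file's FAT chain, so the clusters are
    assumed contiguous and not yet reused; fragmented files need a carving tool."""
    start = cluster_offset(entry["cluster"])
    return img[start: start + entry["size"]]


if __name__ == "__main__":
    image = build_sample_image()
    for e in scan_root_dir(image):
        print(e, carve(image, e) if e["deleted"] else "")
```

The two assumptions in carve are exactly why a recovered file must be treated with care in the report: because the FAT chain is cleared on deletion, only the first cluster is known with certainty, and any cluster after it may already belong to a newer file. The recovered name is missing its first character for the same reason; when a long-filename entry survives next to it, that entry supplies the full name.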

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing.