The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.
Introduction to Digital Forensic Course
Chechulin A.
Ph.D., senior researcher, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences
Digital Forensic Course
The purpose of the course: This course acquaints students with computer forensics. It aims to give students the skills to investigate real-world cases across the various aspects of digital forensics, including operating system, network, file system and memory analysis. Such experience will help students in their future work not only if they work in the digital forensic area, but also in protecting traces from unintentional damage so that forensic specialists can analyse them later.
Digital Forensic Course
At the end of the course a successful student will have an understanding of:
•General concepts of digital forensics, including basic knowledge of local legal aspects.
•The main features of various forensic tools and methods.
•How to protect traces from unintentional damage so that forensic specialists can analyse them later.
•How to perform forensic investigation in various operating system environments, including Windows, Linux and Mac OS analysis.
•How to perform forensic investigation in various file systems, including FAT, NTFS, Ext and HFS.
•How to perform forensic investigation in computer networks, including analysis of traffic dumps and network application features.
•How to perform live forensic investigation, including file system and memory analysis.
•The main principles and features of writing forensic reports.
Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artifacts:
•Computer forensics
•Database forensics
•Mobile device forensics
•Network forensics
•Software forensics
•Live system forensics
•Forensic data analysis
The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, storage medium or electronic document. The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a proactive investigation.
Mobile device forensics is a branch of digital forensics relating to the recovery of digital evidence or data from a mobile device under forensically sound conditions. It can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.
Forensic data analysis is a branch of digital forensics. It examines structured data with the aim of discovering and analysing patterns of fraudulent activity resulting from financial crime.
Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata. Investigations use database contents, log files and in-RAM data to build a timeline or recover relevant information.
Software forensics is a field concerned with the evidence of intention from the examination of software. The field is an outgrowth of the field of computer virus research and malware intent determination.
Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize impacts on the integrity of data while collecting evidence from the suspect system.
What is Digital Forensics?
•Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis.
•Arose as a result of the growing problem of computer crimes.
Computer crimes fall into two categories:
–Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes.
•Investigation into these crimes often involves searching computers suspected to be involved.
–Computer itself is a victim of a crime – this is commonly referred to as incident response.
•It refers to the examination of systems that have been remotely attacked.
Why do we need digital forensics?
•In an increasingly digital world, the number of cybercrime incidents grows day by day
•Moreover, nowadays almost every crime leaves some traces in the digital world, even if the crime is not directly connected to information security
•Digital forensic methods can be useful not only for experts, but also for regular users who want to store information for future forensic investigation
•Traditionally digital forensics works reactively, but now it is becoming more proactive
What is Digital Forensics?
Different points of view
•Researchers (new approaches)
•Technicians (tools and devices)
•Legalists (laws and their application)
•System administrators (network and host configuration)
•Software developers (log generation)
•Companies (log management and storage)
•End users (fear)
•etc.
What is Digital Forensics?
Different areas of usage
•Military
•Police
•Private sector
•Computer science
Sources of digital evidence
•Personal computers/notebooks (hard drives, memory, etc.)
•Storage media (USB, DVD, SD, etc.)
•Mobile devices (smart phones, cameras, smart wear, etc.)
•Network (mail, file, access control and other servers)
