- •The project has been funded by the European Commission. The Education, Audiovisual and
- •Digital Forensic Course
- •Digital forensics includes several sub-branches various types of devices, media or artifacts
- •The goal of computer forensics is to explain the current state of a
- •Software forensics is a field concerned with the evidence of intention from the
- •What is the Digital Forensic?
- •Why do we need digital forensic?
- •What is the Digital Evidence?
- •Typical investigation phases
- •Difficulties of digital forensics
- •Scenario of attacks:
- •Computer Systems
- •Tablet Devices
- •Storage Devices
- •Peripheral Devices
- •Photocopiers
- •Mobile Telephones
- •Photo and Video Recording
- •Digital Video Cameras
- •Video Recorders
- •Digital Audio Recorders
- •CCTV Cameras
- •Portable Media Players
- •Video Games Consoles
- •GPS Receivers
- •Potential Evidence
- •Network Attached Storage (NAS)
- •Network Interface Controller (NIC)
- •Network Hub
- •Network Switch
- •Network Router
- •Server
- •Firewall
- •Access Point
- •Digital forensic standards
- •Information Security Incident Management Processes
- •Forensic Process
- •Forensic tools
- •Collection. The first phase in the process is to identify, label, record, and
- •Specialist "rapid response" by the evidence - digital evidence first responder - DEFR
- •Principle of evidence: the importance (value),
- •Key aspects of the handling of evidence:
- •Repeatability:
What is Digital Evidence?
Digital evidence is the central element of digital forensics.
Digital evidence is the collective term used to describe information or materials stored or transmitted in digital form that is to be tendered as an exhibit in a court of law.
Digital evidence features:
•It should be linked to human actions (who is guilty?)
•It should be understandable by a person without expert knowledge of digital forensics, or it should be interpreted by a person with expertise in the subject
•It should be collected according to the local laws
Typical investigation phases
•Data collection (imaging, live forensics, log gathering, etc.)
•Evidence extraction (recovering files, searching for hidden traces, extracting logs, decrypting data, etc.)
•Evidence analysis (reconstructing events, step-by-step analysis of the chain of events, creating a timeline, etc.)
•Evidence presentation (report writing, presentation of the results to the court)
Difficulties of digital forensics
•Easy to destroy
  •starting a PC updates hundreds of timestamps and modifies many files
  •attaching a hard disk or USB stick will modify file system timestamps
  •volatile memory is lost when a machine is powered off
•Hard to get
  •anti-forensic activity may prevent collection
  •network traffic only exists on the wire for milliseconds
  •attacks may be cleverly devised
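The four investigation phases above, together with the "easy to destroy" point, can be followed end to end on a small constructed data set. The script below is an added example and is not part of the course slides: it "acquires" a set of constructed file records into an image blob, records the SHA-256 at collection, refuses to treat a working copy as trustworthy once a single byte has changed, parses the records back out, orders them into a timeline and produces a plain-text summary. The record format, file names, timestamps and function names are all constructed for illustration; a real investigation would image a device with a write blocker and an imaging tool rather than serialising records by hand.

```python
"""Walk-through of the four investigation phases on constructed data.

Added example, not from the course slides. The "evidence" is a small
in-memory record set, not a real disk image; the record format, paths,
timestamps and function names are constructed for illustration.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample entries: (path, last-modified ISO-8601 UTC, content).
SAMPLE_ENTRIES = [
    ("C:/Users/alice/notes.txt", "2023-05-02T09:15:00Z", b"meeting at 10"),
    ("C:/Windows/System32/winlogon.log", "2023-05-01T23:59:10Z", b"logon alice"),
    ("C:/Users/alice/Downloads/invoice.exe", "2023-05-02T08:47:31Z", b"MZ\x90\x00"),
]


def acquire(entries):
    """Collection phase: serialise the entries into one image blob and
    record its SHA-256 at acquisition time (the reference value that goes
    into the chain-of-custody record)."""
    image = bytearray()
    for path, mtime, content in entries:
        p = path.encode("utf-8")
        t = mtime.encode("ascii")
        # record = u16 path length, path, u16 mtime length, mtime,
        #          u32 content length, content (constructed format)
        image += struct.pack(">H", len(p)) + p
        image += struct.pack(">H", len(t)) + t
        image += struct.pack(">I", len(content)) + content
    return bytes(image), hashlib.sha256(image).hexdigest()


def verify(image, reference_hash):
    """Repeatability check: a working copy is only analysed if its hash
    still matches the one recorded at collection."""
    return hashlib.sha256(image).hexdigest() == reference_hash


def extract(image):
    """Extraction phase: parse the image back into (path, mtime, content)."""
    entries, off = [], 0
    while off < len(image):
        (plen,) = struct.unpack_from(">H", image, off)
        off += 2
        path = image[off:off + plen].decode("utf-8")
        off += plen
        (tlen,) = struct.unpack_from(">H", image, off)
        off += 2
        mtime = image[off:off + tlen].decode("ascii")
        off += tlen
        (clen,) = struct.unpack_from(">I", image, off)
        off += 4
        content = image[off:off + clen]
        off += clen
        entries.append((path, mtime, content))
    return entries


def timeline(entries):
    """Analysis phase: order events by timestamp so the chain of events
    can be reconstructed; returns (timestamp, path) pairs, oldest first."""
    def ts(entry):
        return datetime.strptime(entry[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return [(e[1], e[0]) for e in sorted(entries, key=ts)]


def report(reference_hash, image, entries):
    """Presentation phase: a plain-text summary of integrity and timeline."""
    status = "OK" if verify(image, reference_hash) else "FAILED"
    lines = [
        f"Image SHA-256 (at acquisition): {reference_hash}",
        f"Integrity of analysis copy: {status}",
        "Timeline:",
    ]
    for when, path in timeline(entries):
        lines.append(f"  {when}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    img, ref = acquire(SAMPLE_ENTRIES)
    print(report(ref, img, extract(img)))
    # The "easy to destroy" problem: a single changed byte in the working
    # copy is enough for the integrity check to fail.
    tampered = img[:-1] + bytes([img[-1] ^ 0xFF])
    print("Tampered copy verifies:", verify(tampered, ref))
```

The hash recorded by `acquire` is the value a first responder would write into the chain-of-custody form; every later phase starts by calling `verify` on its copy, which is what makes the analysis repeatable by another examiner.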
Scenarios of attacks:
-hacking
-spam
-malware
-DoS
-carding
-dialers
-MitM (man-in-the-middle)
-phishing
-defacement
-attacks on DNS
-cybersquatting …
[Diagram: areas of digital forensic investigation]
•who, how, when, where; attacked; comprehensive analysis of information; evidence for the court
•Investigation of SSD
•Investigation of operating systems (Windows OS, Linux OS, Mac OS)
•Investigation of file systems (Windows OS (FAT, NTFS), Linux OS (Ext), Mac OS (HFS, HFS+))
•Investigation of RAM
•Investigation of traffic (pcap (sniffers, Wireshark))
•Investigation of artifacts of servers (HTTP, FTP, SMTP…)
•Investigation of artifacts of routers
•Investigation of artifacts of subsystems (IDS, IPS, firewall…)
Computer Systems
Desktop/Tower System
Mainframe Computer
Laptop Computer
Tablet Devices
A tablet computer is a device that is operated by touching the screen rather than using a keyboard or mouse.
Tablet PCs
Storage Devices
Hard Disks and Solid State Disks
• Hard drives are the main storage devices within computer systems
[Figures: Solid State Disk; Computer Hard Disk, Internal View]
Storage Devices
SSD vs HDD
Storage Devices
Removable Media
•Compact Disk (CD)
•Digital Video Disk (DVD)
•Blu-ray Disks (BD)
Storage Devices
Memory Cards
•Memory cards, also known as flash cards, are devices for storing digital information
[Figures: Secure Digital Card (SD); Micro SD Card and Adapter; Compact Flash Card (CF)]
