Week 1: Introduction to Digital Forensics


Dr Ali Jaddoa


Ali.Jaddoa@roehampton.ac.uk


25/26

Introduction



What is Digital Forensics?

Digital forensics is a set of methodological procedures and techniques that:

  • Identify
  • Gather
  • Preserve
  • Extract
  • Interpret
  • Document
  • Present evidence from digital devices and systems

These procedures ensure that the discovered evidence is acceptable in legal and/or administrative proceedings.



What is Digital Forensics? Another Definition

The application of science to prove or disprove a given set of factors and circumstances.

1’s and 0’s NEVER LIE



Objectives of Digital Forensics

  • Track and prosecute perpetrators of cybercrime
  • Gather evidence in a forensically sound manner
  • Estimate the impact of malicious activity and assess attacker intent
  • Minimise both tangible and intangible losses
  • Protect the organisation from future incidents


Need for Digital Forensics

  • Ensure the integrity and continuity of IT systems & infrastructure
  • Extract, process, and interpret evidence to prove attacker actions in court
  • Track down perpetrators globally
  • Protect organisational financial resources and time


When Do We Use Digital Forensics?

  • Whenever a cyber or digital crime occurs

Cybercrime

Any illegal activity involving a computing device, network, system, or its applications.

The attacker may be internal (an insider) or external.



Challenges in Digital Forensics

  • Rapidly evolving technology - new devices & platforms appear constantly
  • Encryption & security measures - strong encryption and data hiding techniques
  • Cloud computing - distributed storage and services
  • Anti-forensic techniques - e.g., steganography, obfuscation
  • Volatility of digital evidence - data can change or disappear quickly


Data & Storage Challenges

  • Explosive growth in storage capacity (GB → TB → PB)
  • One investigation may involve terabytes of evidence
  • A single 80 GB hard drive = ~1.8 miles of paper if printed
  • Key issues:
    • Search efficiency
    • Evidence preservation
    • Prioritisation (triage vs full analysis)


Organisational & Legal Challenges

  • Lack of standardisation - varied tools and procedures
  • Skill shortages - demand for forensic professionals > supply
  • Incident response - rapid response is crucial to preserve volatile data
  • Under-reporting - e.g., only ~17% of major corporate breaches reported
  • Global jurisdictional issues - cross-border investigations create legal barriers


The Bottom Line

Digital forensics faces multi-dimensional challenges:

  • Technical (encryption, volume of data, anti-forensics)
  • Operational (skills, tools, response time)
  • Legal/ethical (jurisdiction, admissibility, reporting)

Investigators must constantly adapt tools, methods, and collaborations.



Do We Need Some Help?

  • Forensic Software Tools
    • Essential for handling massive amounts of digital evidence
    • Automate tasks: acquisition, search, analysis, reporting
    • However, examinations using these tools can still take weeks or even months


Triage in Digital Forensics

  • Prioritises where to look first
  • Helps balance time vs completeness
    • Known good/bad file lists
    • Keyword searching (Internet, Email)
    • File signature/extension mismatch detection
    • Focusing on “low-hanging fruit” first
  • Stronger proof may lie deeper
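Two of the triage checks listed above, known good/bad hash lists and file signature/extension mismatch detection, can be shown in a few dozen lines. The following is an added example written for these notes, not code from the lecture or from any forensic tool; the signature table is a small hand-picked subset, the sample "files" and the hash lists are constructed in the script, and the function names (`detect_type`, `extension_mismatch`, `triage`) are this example's own.

```python
import hashlib
from pathlib import PurePath
from typing import Dict, List, Optional, Set, Tuple

# Magic-number table: a small, hand-picked subset used for this example.
# Real triage tools ship far larger signature databases.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "exe",
}

# Extensions that are consistent with each detected type (Office documents
# are ZIP containers; DLLs share the MZ header with EXEs).
EXT_ALIASES: Dict[str, Set[str]] = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "exe": {"exe", "dll"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes) -> Optional[str]:
    """Return the file type implied by the leading bytes, or None if unknown."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Return the detected type when it contradicts the file extension, else None."""
    ext = PurePath(name).suffix.lower().lstrip(".")
    detected = detect_type(data)
    if detected is None:
        return None  # unknown signature: no claim either way
    if ext in EXT_ALIASES.get(detected, {detected}):
        return None
    return detected


def triage(files: Dict[str, bytes], known_bad: Set[str],
           known_good: Set[str]) -> List[Tuple[str, str, str]]:
    """Apply the cheap checks first: hash lists, then signature/extension mismatch.

    Returns (file name, reason, detail) tuples; known-good files are dropped
    from further review, which is how hash lists cut the volume of data.
    """
    findings = []
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in known_good:
            continue
        if digest in known_bad:
            findings.append((name, "known-bad hash", digest))
        detected = extension_mismatch(name, data)
        if detected is not None:
            findings.append((name, "extension mismatch", f"content looks like {detected}"))
    return findings


# Constructed sample "files" (name -> bytes) standing in for a seized drive.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF constructed jpeg body",
    "report.pdf": b"%PDF-1.7 constructed pdf body",
    "q3_figures.docx": b"PK\x03\x04 constructed office container",
    "system.dll": b"MZ constructed benign library",
    "invoice.pdf": b"MZ constructed executable renamed to look like a pdf",
    "README": b"plain text with no known signature",
}

# Constructed hash lists. In practice these come from reference sets such as
# the NIST NSRL (known good) or a malware hash feed (known bad).
KNOWN_GOOD: Set[str] = {sha256_hex(SAMPLE_FILES["system.dll"])}
KNOWN_BAD: Set[str] = {sha256_hex(SAMPLE_FILES["invoice.pdf"])}


if __name__ == "__main__":
    for name, reason, detail in triage(SAMPLE_FILES, KNOWN_BAD, KNOWN_GOOD):
        print(f"{name}: {reason} ({detail})")
```

Running the script flags only `invoice.pdf`, once for its known-bad hash and once because its leading bytes say "executable" while its extension says "PDF"; the renamed file is the low-hanging fruit, while the known-good DLL is never opened at all. A file with no recognised signature (`README`) produces no finding, which is the honest answer: the check cannot say anything about it.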


Understanding Digital Evidence (101)



Understanding Digital Evidence (101)

“Any information of probative value that is stored or transmitted in a digital form.”

  • Circumstantial and fragile in nature
  • Difficult to trace due to volatility and complexity
  • Linked to Locard’s Exchange Principle:

    Anyone or anything entering a crime scene takes something away and leaves something behind.



Types of Digital Evidence

Volatile Data (lost when powered off):

  • Network connections, ports, ARP cache
  • Active processes, logged-on users
  • Open/hidden files, rootkits

Non-volatile Data (persistent storage):

  • Files, system configs, registry settings
  • Logs, swap/slack space, hidden partitions
  • Investigated only from a read-only copy


Sources of Potential Evidence

User-Created Files

  • Documents, databases, media, bookmarks

User-Protected Files

  • Encrypted, compressed, misnamed, hidden files
  • Password-protected files, steganography

Computer-Created Files

  • Backups, logs, config files, cookies, temp files
  • System files, printer spools, history


Rules of Evidence

For digital evidence to be admissible, it must be:

  1. Understandable - clear to judges
  2. Admissible - relevant to the facts of the case
  3. Authentic - real and linked to the incident
  4. Reliable - no doubt about integrity
  5. Complete - proves actions or innocence


Crime Scene



Locard’s Exchange Principle

  • Interacting with a system changes evidence
  • Example: two computers connected via a network
  • Even when idle, systems change over time (evidence dynamics)
  • Running programs alters memory and disk data
  • Like rain washing away evidence at a physical crime scene


The Crime Scene

  • A crime has been committed → what happens next?
  • Collect evidence in a forensically sound manner
  • “Evidence is the proof of a fact about what did or did not happen.”
  • All evidence must be reliable and relevant to be admissible in court


Types of Evidence

  • Testimony of a witness

  • Physical evidence - autopsy, bullet, wound, footprint, DNA

  • Electronic evidence - IP address, virus, email, voicemail, cookies, log files

  • E-evidence - gathered using computer/IT autopsy

  • Digital activity leaves a footprint



Problems with Digital Evidence

Hearsay vs admissible digital evidence

  • Hearsay concerns:
    • Computer-stored files are often treated as hearsay.
    • Computer-generated artefacts (e.g., timestamps, logs) may be admissible.
    • The business-records exception allows routine records (emails, memos, reports).
  • Intrinsic challenges:
    • Data exists as 1’s and 0’s → easily modified or duplicated.
    • Copies are indistinguishable from originals.
    • Fragile/volatile: routine use alters state (evidence dynamics).
    • Authenticity & integrity can be questioned without a strict CoC.


Chain of Custody (CoC)

Chain of Custody Process

  • Definition: A legal document showing the progression of evidence.
  • Purpose: Tracks evidence from collection → forensic lab → courtroom.
  • Must include:
    • Case number
    • Name/title of person transferring evidence
    • Address & contact details
    • Location & date/time of collection
    • Item description & quantity

CoC ensures evidence is authentic, reliable, and admissible.


CoC Example

Case No.    | Item             | Collected By             | Date/Time        | Transferred To        | Signature
------------+------------------+--------------------------+------------------+-----------------------+----------
DF-2025-001 | USB Drive (16GB) | Det. A. Smith            | 30/09/2025 10:45 | Forensic Lab Officer  | [Signed]
DF-2025-001 | USB Drive (16GB) | Forensic Lab Officer     | 01/10/2025 09:00 | Court Clerk           | [Signed]
DF-2025-001 | USB Drive (16GB) | Court Clerk              | 02/10/2025 14:30 | Prosecution Office    | [Signed]
DF-2025-001 | USB Drive (16GB) | Prosecution Office       | 05/10/2025 11:15 | Evidence Storage Unit | [Signed]
DF-2025-001 | USB Drive (16GB) | Evidence Storage Officer | 08/10/2025 09:20 | Defense Legal Team    | [Signed]
DF-2025-001 | USB Drive (16GB) | Defense Legal Team       | 10/10/2025 16:40 | Court Evidence Desk   | [Signed]
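The CoC table records who held the item and when, but "Reliable - no doubt about integrity" and the point that copies are indistinguishable from originals both rest on one more thing: a cryptographic hash taken at acquisition and re-checked at every hand-over, with examiners working from a read-only copy. The following is an added example written for these notes, not a tool used by the lecture or by any court; it models a custody log in Python with a SHA-256 anchor, walks a constructed stand-in image through the first hand-overs from the table above, and then shows what a single altered byte does to the chain. The class and function names (`CustodyLog`, `record_transfer`, `build_demo_log`) and the image bytes are this example's own constructions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One hand-over in the chain, with the hash verified at that moment."""
    transferred_by: str
    transferred_to: str
    timestamp: str
    sha256: str
    verified: bool


@dataclass
class CustodyLog:
    """Chain-of-custody record for one item, anchored to its acquisition hash."""
    case_no: str
    item: str
    acquisition_hash: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record_transfer(self, data: bytes, transferred_by: str,
                        transferred_to: str, timestamp: str) -> bool:
        """Re-hash the item at hand-over and compare with the acquisition hash."""
        digest = sha256_hex(data)
        ok = digest == self.acquisition_hash
        self.entries.append(CustodyEntry(transferred_by, transferred_to, timestamp, digest, ok))
        return ok

    def is_intact(self) -> bool:
        """True only if every hand-over matched the acquisition hash."""
        return all(e.verified for e in self.entries)

    def first_break(self) -> Optional[CustodyEntry]:
        """The first hand-over at which the hash no longer matched, if any."""
        return next((e for e in self.entries if not e.verified), None)


# Constructed stand-in for an acquired disk image (a real one would be gigabytes).
EVIDENCE_IMAGE = b"constructed raw image of USB drive, case DF-2025-001 " * 64


def build_demo_log() -> CustodyLog:
    """Walk the item through the hand-overs from the CoC table, then a tampered copy."""
    log = CustodyLog("DF-2025-001", "USB Drive (16GB) image", sha256_hex(EVIDENCE_IMAGE))

    # Examiners work from a read-only working copy; the bytes are unchanged,
    # so each hand-over verifies against the acquisition hash.
    working_copy = bytes(EVIDENCE_IMAGE)
    log.record_transfer(working_copy, "Det. A. Smith", "Forensic Lab Officer", "30/09/2025 10:45")
    log.record_transfer(working_copy, "Forensic Lab Officer", "Court Clerk", "01/10/2025 09:00")

    # Constructed failure case: a single flipped byte in the copy handed onward.
    # The copy still looks identical to the eye, which is exactly why the hash is kept.
    tampered = bytearray(working_copy)
    tampered[100] ^= 0x01
    log.record_transfer(bytes(tampered), "Court Clerk", "Prosecution Office", "02/10/2025 14:30")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    for e in log.entries:
        status = "OK" if e.verified else "HASH MISMATCH"
        print(f"{e.timestamp}  {e.transferred_by} -> {e.transferred_to}: {status}  {e.sha256[:16]}...")
    print("chain intact:", log.is_intact())
    broken = log.first_break()
    if broken:
        print("chain first broke at:", broken.transferred_by, "->", broken.transferred_to)
```

The first two hand-overs verify and the third does not, so `is_intact()` is false and `first_break()` points at the Court Clerk to Prosecution Office transfer. That is the practical value of hashing at each step: the log not only shows that the evidence was altered but narrows down the custody window in which it happened, which is what an opposing party will ask about when authenticity is challenged.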


Lab

  • Review your lab from here.
