Module 2 : Digital Evidence, Forensic Duplication and Digital Evidence Acquisition


Digital Evidence :
Ø Digital evidence is currently present in numerous formats and has
been collected from a variety of sources, including CCTV, body
cameras, drone cameras, home security cameras, etc. The challenge
for agencies is that the amount of digital evidence is growing
exponentially.
Ø The storage capacity of digital devices is insufficient to preserve
all types of digital evidence. Additionally, it is impossible to manually
comb through all the data spread across many devices and file
kinds to uncover insightful information.
Ø Law enforcement organizations need a comprehensive digital
evidence management system that can automatically detect the
evidence from numerous sources and support multiple formats, in order
to provide a centralized portal for storage, protection, and analysis and
to resolve this issue quickly.
Ø A potent (powerful) tool is one that immediately searches digital
evidence for spoken phrases, faces, and objects using
artificial intelligence.
Ø This approach enables police and detectives to expedite
the entire investigative process while concentrating more on
the actual study of evidence data: the investigation proceeds more
quickly, and investigators are free to concentrate on the real study of
the evidence.
Types of Digital Evidence :

To get a better understanding of handling essential types of
digital evidence during an investigation, we're going to go
through each of these and cover any details/intricacies that
might be involved :

1. Logs
2. Active data
3. Volatile data
4. Video footage and images
5. Metadata
6. Residual data
7. Replicant data
8. Archives
(1) Logs :
Logs belong to the visible data type category, which can be anything from :
A) OS logs :
Examples include events related to system access, security alerts, the duration of a user's
login session, when the device was shut down, etc.
Typically, OS logs are stored in a particular system directory (the exact location depends on
the operating system in use).
B) Database logs :
Since they mostly reveal what changes were made to a particular database, these can be a
vital /important source of crime evidence as well as a useful approach for debugging and
troubleshooting in the unfortunate event of any technical issues with the database in
question.
C) Email logs :
Often presented in CSV format, email logs can reveal certain details about the sender and
content, including their email address, time and date of delivery, delivery status, cc,
bcc, subject, content type, and error codes (if applicable), most of which are also stored in the
email's header.
Many cyber criminals use email as their go-to communication channel for the purposes of
extortion, financial crime, and distributing illegal materials.
Alongside email logs, any file attachments also count as one of the evidence types, so they
should be closely examined, right along with the server logs through which the email was
sent.
D) Software logs :
• Just like OS logs, certain software logs count as one of
the most important sources of digital evidence.
• Among other things, they contain details regarding what action was
performed while the program was running as well as indicate any
errors or crashes that can be used for debugging purposes.
• Every software can store these in its own pre-defined location,
which may or may not be the installation directory.
E) Network logs :
• These can be viewed as different types of evidence because they also
contain clues about what an individual was doing on the internet,
including what websites that person has visited, what messages were
exchanged with another party, and what the content of the messages
was.
• A digital forensics examiner should let evidence reveal the truth, so
be on the lookout for timestamps and IP addresses - two crucial
evidence types that will serve as proof in a court of law.
F) Door access records :
In case the investigation involves analyzing smart home or corporate
security and finding out who accessed the premises and at what time,
door access records are good crime scene evidence examples of digital
nature that will help you solve complex property-related cases like
burglary.

G) Phone logs :
• A phone's infrastructure encompasses various kinds of evidence,
including photos taken, videos recorded, system logs, app logs, and
call logs, the latter of which contain crucial details such as the duration
of a call, inbound and outbound numbers, etc.

• Mobile forensics experts also analyze and examine other types of
digital evidence that can be found on a mobile device, including geo
indicators (where the device has traveled) and EXIF data the photos
may store.
H) IP logs :
• Since everyone who browses the internet gets assigned a unique
IP address, knowing this crucial detail allows a digital forensics
investigator to trace their real identity and physical location by
cooperating with ISPs.
• IP logs are often a crucial source of evidence when trying to hunt
down a cyber-criminal.
I) Server logs :
• These kinds of logs are like a digital journal that records the
events taking place on a server. Examples include IP addresses
that connected to the server at any point in time and also the
duration of each session, any error logs, usernames that were
used during the time of access, etc.
• Drilling further down into sub-categories of server logs, these can
be error logs, availability logs, resource logs, event logs, change
logs, authorization logs, system logs, and threat logs.
J) Device fingerprints :
• There are many forensic categories of devices where evidence can be
found, and each device can generate a unique fingerprint that consists of
its hardware specs, the OS it's running (down to the exact version),
and even other odd bits and pieces such as the graphics drivers it's
running or what fonts are installed.
• Therefore, even if a cybercriminal attempts to mask their IP when
connecting to a server, the device fingerprint can be collected
regardless.
• To effectively conduct log forensics, the key thing a log
forensics investigator should know about logs of any kind is that they are
automatically placed on the device, either by some kind of software that
is installed or by the operating system itself.
• Their primary purpose is not only to record the events that
happened within the scope of the user's actions but also automated
processes such as updates and maintenance and other system events.
• At the same time, software and system logs also contain a wealth of
information about access or security errors as well as warnings and
notifications.
(2) Video footage and images
• Out of all the types of digital evidence, video footage and images can
be classified as the visible data type, just like the logs we discussed
earlier.
• There are many types of digital evidence that fall into this category,
including CCTV footage, videos recorded on a mobile device, digital
camera footage, voice recordings, etc.
• However, unlike your typical logs, multimedia files may require
specialized tools to investigate that go beyond typical multimedia
players.
Retrieving video evidence - a practical example
• To give you a practical example, let's suppose your law enforcement
department is tasked with having to retrieve CCTV footage from a
no-name brand surveillance system.
• Even if you manage to dismantle the device and retrieve the files in a
forensically sound manner, you're still going to need to find a way to
open them somehow to examine their contents.
(3) Archives :
Ø Since archives are regular files accessible straight from the file
explorer, they fall into the visible data type group.
Various types of evidence can come in the form of an archive,
whether it be:
1. Zip/Rar/similar files
2. Databases
3. Backups
4. Software-specific archives, etc.
Ø Technically, since they can contain all sorts of extractable file
formats, archives can be regarded as a wildcard source of evidence,
which contains anything from :
1. Images
2. Text files
3. Source code
4. Videos
5. Documents
6. or even other archives.

Ø The main purpose of archives is to prevent data loss in the
unfortunate event that the original files get damaged, deleted, or
corrupted, thus serving as a source of backup to restore them to their
prior functional state.
Ø At the same time, these can serve as a vital source of evidence that could
contain data that is in one or more ways relevant to cracking the case at hand.
Ø However, what makes working with this type of digital evidence
particularly challenging is the fact that a lot of times these archives are
password protected, which renders their contents inaccessible.
(4) Active data
Ø Have you ever noticed how popular content editors and word processors
like Microsoft Word often create temporary files on your hard drive while
you're in the midst of typing and working on a document?
This is what's referred to as active data and it's a visible data type.
Ø In fact, many operating systems and applications can create this type of
file, including:
1. Email clients
2. Scanners
3. Image viewers
4. Word processors
5. Archives, etc.
Ø The key thing to realize about active data is that cyber criminals are often
smart enough to delete the originals, but they sometimes forget to wipe the
temporary files that get left behind by various software and operating
systems. These can contain residual data and traces of digital evidence that
can be extracted and analyzed later on.
(5) Metadata
Ø Unlike the previous types of digital evidence we've discussed,
metadata falls into the invisible data type category because it typically
requires special software to be able to view it.
Ø For instance, a photo file on a hard drive or storage media can
contain additional data regarding the file's creation such as where the
photo was taken, otherwise known as EXIF data.
This data is attached to the file and reveals details such as :
§ Where the photo was taken
§ The time and date the photo was taken
§ What lens was used during the process
§ The camera's model and brand
§ Color profile and space and more.
Some operating systems may provide a direct view of it simply by
right-clicking on it, but in general, special software will be required to
examine it.
Ø The reason why any kind of metadata is such a valuable source of evidence
is that not only does it contain information regarding when the data was created
and last accessed (down to the exact second), but it also reveals who its owner
is.
Ø In a court of law, you can use this digital evidence to prove that a file was
created on someone's device and, if the context is right, that a certain
individual is linked to or otherwise involved in a crime.
(6) Residual data
Ø Residual data is deleted or overwritten data that may contain digital
evidence if successfully recovered. Since it's not typically visible through a file
browser, it's classified as an invisible data type.
Ø To understand the concept, you have to keep in mind that when someone
deletes a file from a device, the data is still there - it's just unlinked from the
file structure itself so it doesn't show up in a search or when viewing the
contents of a hard drive or storage device through a file browser.
Ø Note that every deleted file has the risk of being overwritten by other data,
which is particularly true if the hard drive space is running out. That's why
it's of key importance to act quickly if you want to recover data that was
deleted.
(7) Volatile data :
Ø Volatile data is the kind of data that is not being written to the disk
itself, hence belonging to the invisible data type category.
Ø Some viruses, for example, don't write themselves to the hard
drive to leave minimal traces behind and avoid detection by
antivirus software. Therefore, in order to detect them, the RAM
needs to be checked and its contents analyzed by a qualified digital
forensics analyst.
Ø For obvious reasons, volatile data needs to be checked before the
device is powered off; otherwise, it can be lost forever. To add
additional complexity to the challenge, even the very act of launching
a digital forensics tool and loading it into the device's RAM can
change the RAM's contents, the very thing we're trying to
analyze.
Ø This is why analyzing volatile data can be especially tricky and
often requires forensic RAM imaging to preserve its contents in their
original state.
(8) Replicant data
Ø For the final entry on our digital evidence list, we have replicant data,
another invisible data type.
Ø On some occasions, various types of software or system processes will
leave temporary backup files or directories behind to prevent the
unfortunate scenario of losing data (e.g. if the user forgets to save
whatever they were working on and closes the program).
Ø An example of this would be Photoshop files and even temporary web
cache files.
Other examples of replicant data include :
1. Web cache and cookies
2. Data blocks
3. Temporary directories
4. Memory, etc.
In a digital forensic investigation, examining replicant data can reveal
crucial details such as what the suspect was most recently doing on a
device. In case the suspect tries to hide incriminating evidence by
deleting the relevant files, replicant data can be retrieved and used as a
source of evidence to prove their guilt.
Challenges In Acquiring Digital Evidence
Digital forensics skills will be improved by the expanding digital
ecosystem, but it will also present new difficulties.
Here, we talk about the difficulties the area of digital forensics is
currently facing, including concerns with data complexity, diversity,
consistency, and volume. We also look at prospective problems the sector
may face in the future.

A) The difficulty of Data complexity
• Digital technological advancements have made it possible to collect
and analyze ever-larger data collections. Data in its most basic
format, binary, is now being gathered in vast, diverse volumes.
• To prepare data for analysis from such large data sets,
sophisticated data reduction technologies are needed.
• This creates a complexity challenge for digital forensics, as new
data reduction algorithms must keep up with the volume and
variety of data being received.
B) The difficulty of variety
• The complexity challenge and the diversity challenge are related. A
lack of uniformity of digital evidence storage and formatting is arising
because technological advancements enable increasing volumes of data
to be collected quicker than the development of data reduction tools to
optimize and simplify analyses.
• As a result, law enforcement organizations around the world are
keeping and formatting information in various ways, which makes it
challenging for national and international authorities to share digital
evidence. Standardization would make it easier to share data effectively,
which is essential for successful criminal investigations.
C) The problem with volume
• The field of digital forensics is challenged by the volume issue as both
the number of devices and the volume of data increase.
• Investigators may gather unheard-of volumes of data (large amounts of
unknown data) now more than before. Automation systems for storing
and analyzing this data, however, are not keeping up.

D) The common time-lining problem
• The unified time-lining challenge is the fourth and last significant issue
that the discipline of digital forensics is currently confronting.
• This occurs when several sources provide contradictory
timestamp interpretations, time zone references, and clock
skew/drift. To harmonise / link timelines across data sources,
sophisticated analytical tools are needed.
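The time-lining problem described above, worked through as an added example that is not part of the original module: three constructed log records from different sources, each stamping time in its own way (a web server log with an explicit UTC offset, a Windows host logging in local time with a +05:30 offset, and a CCTV recorder writing naive local time on a clock known to run 90 seconds fast), are normalized to timezone-aware UTC and corrected for the measured skew before being sorted into one timeline. The log lines, the recorder's assumed time zone and the skew value are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real case). Each source stamps time
# differently: the web server logs with an explicit +0000 offset, the Windows
# host logs in local time (IST, +05:30), and the CCTV recorder writes naive
# local time and, from a reference check, is known to run 90 seconds fast.
APACHE_LINE = '203.0.113.7 - - [05/Mar/2024:08:32:07 +0000] "GET /login HTTP/1.1" 200 512'
WINDOWS_LINE = '2024-03-05 14:02:05 +05:30 Security 4624 Logon success user=alice'
CCTV_LINE = 'CAM-3 2024-03-05 08:32:09 motion detected door=lobby'

CCTV_TZ = timezone.utc             # assumed recorder time zone (constructed)
CCTV_SKEW = timedelta(seconds=90)  # recorder clock minus reference clock (constructed)


@dataclass
class Event:
    source: str
    utc: datetime   # normalized, timezone-aware UTC timestamp
    text: str


def parse_apache(line):
    """Apache combined log: the offset is explicit, so only a conversion to UTC is needed."""
    m = re.search(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]', line)
    stamp = datetime.strptime(f'{m.group(1)} {m.group(2)}', '%d/%b/%Y:%H:%M:%S %z')
    return Event('apache', stamp.astimezone(timezone.utc), line)


def parse_windows(line):
    """Host event with a colon-separated offset (+05:30); %z accepts it on Python 3.7+."""
    m = re.search(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})', line)
    stamp = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S %z')
    return Event('windows', stamp.astimezone(timezone.utc), line)


def parse_cctv(line, device_tz=CCTV_TZ, skew=CCTV_SKEW):
    """Naive timestamp: attach the recorder's zone, convert to UTC, then remove the skew."""
    m = re.search(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})', line)
    local = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S').replace(tzinfo=device_tz)
    return Event('cctv', local.astimezone(timezone.utc) - skew, line)


SAMPLE_RECORDS = [(parse_apache, APACHE_LINE), (parse_cctv, CCTV_LINE), (parse_windows, WINDOWS_LINE)]


def build_timeline(records=SAMPLE_RECORDS):
    """Parse every (parser, line) pair and return the events ordered by true UTC time."""
    return sorted((parser(line) for parser, line in records), key=lambda e: e.utc)


if __name__ == '__main__':
    for e in build_timeline():
        print(e.utc.isoformat(), e.source, e.text)
```

Read naively, the three stamps would order the events apache, cctv, windows; after normalization the CCTV motion event comes first and the Windows logon precedes the web request, which is the kind of reordering that decides whether a sequence of events is even plausible.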
Admissibility of Evidence
Ø The use of technology tools for information sharing and
communication has dramatically increased in the modern era. The use of
tools like computers, smart phones, and other technologies is at the
heart of the digital world.
Ø There are many possibilities to commit crimes in the digital age. A
significant fact, or a fact in question, may be supported or
refuted using such information in electronic form.
Ø According to the Black's Law Dictionary, evidence is "anything
that tends to confirm or deny the truth of a stated fact." As a result,
the Information Technology Act, 2000 (often known as the IT Act),
was passed. Electronic evidence is now admissible in both criminal and
civil proceedings thanks to revisions made to the Evidence Act.
Ø In Indian courts, there were only two sorts of evidence that could be
used: oral evidence and documentary evidence. Following the change,
electronic records are now included under the Evidence Act's definition
of "evidence".
Ø Electronic records are those that are "data, record or data
generated, image or sound stored, received or communicated in
an electronic form or micro film or computer generated micro
fiche," according to the IT Act. Electronic evidence can be any data
that has been kept or transferred electronically and has some value
as evidence.
Ø Evidence is defined as either oral or documented in Section 3 of
the Indian Evidence Act of 1872. Oral testimony is defined as the
declarations that witnesses make in front of the honorable court,
while documentary testimony is any evidence that is presented to
the court for review, including electronic data. If it is examined in
more detail, we learn more about the types of evidence used in
legal proceedings.
However, the categories of evidence could be as follows:
1. Oral, or Documentary;
2. Primary, or Secondary.
Primary evidence : Primary evidence is the initial electronic
record being produced, or the actual document being produced.
Ø Secondary evidence is only admissible in certain
circumstances, according to Section 65 of the Indian
Evidence Act. The process for proving the contents of
electronic documents is prescribed in Section 65B.
Ø Section 65B of the Indian Evidence Act, which deals with
the admissibility of electronic records, states that copies of
electronic records that have been printed on paper or
created on optical or magnetic media shall also be
considered secondary evidence documents if they meet the
requirements set forth in section 65B.
Ø The original source of the information, an electronic device,
shall also be admissible without further proof in any
proceeding.
Challenges In Evidence Handling :
All investigations are increasingly relying on digital evidence, which is growing
in volume and posing a number of handling and management challenges due to
its complexity.
A case may benefit from digital evidence in one of two ways:
Ø Indirectly using data from various sources, such as CCTV cameras or
mobile phones, in a typical criminal case.
Ø Directly involved in a cyber-crime, such as a virus attack or a cyber-scam,
when digital proof is crucial because the crime was done online.
A) Major Obstacles In Evidence Handling
Threats from cyber attacks, tampering, and data breaches:
Ø In most situations, gathering digital proof is simple. Its security and
protection from hacking, data breaches, and other threats is challenging. As the
tampering is done covertly to make it appear as though it is still intact, it is
exceedingly difficult to stop these attacks and identify it.
Ø Law enforcement organizations should choose premium enterprise-level
digital evidence management solutions with strong security measures for
evidence protection and tamper detection to prevent this issue.
Ø It ought to assist in keeping audit logs to monitor the evidence lifecycle,
guarantee chain of custody, and keep digital evidence in its original condition.
When storing data, it's critical to use encrypted file formats and devices with
built-in security procedures.
Ø Finding a cloud provider with high-grade security in its data centers, like
AWS or Azure cloud, is a smart alternative.
Diverse Digital Devices, Types of Data, and Volume :
Ø Digital evidence is currently present in numerous formats and has been
collected from a variety of sources, including CCTV, body cameras, drone
cameras, home security cameras, etc. The challenge for agencies is that the
amount of digital evidence is growing exponentially.
Ø The storage capacity of digital devices is insufficient to preserve all types of
digital evidence. Additionally, it is impossible to manually comb through all the
data spread across many devices and file kinds to uncover insightful
information.
Ø Law enforcement organizations need a comprehensive digital evidence
management system that can automatically ingest the evidence from numerous
sources and support multiple formats in order to give a centralized portal for
storage, protection, and analysis in order to quickly resolve this issue.
Ø A potent tool is one that immediately searches digital evidence for spoken
phrases, faces, and objects using artificial intelligence. This approach
enables police and detectives to expedite the entire investigative process
while concentrating more on the actual study of pertinent data.
Ø With this technique, the investigation proceeds more quickly and
police and detectives are free to concentrate on the real study of pertinent
data.
B) Access Control
Ø When handling digital evidence, organizations frequently run across
this issue, especially when there are a lot of them. Agencies need to
restrict access based on user responsibilities while keeping the data in a
virtual environment to ensure that only authorized workers have access
to the evidence.
Ø Additionally, preserving audit logs makes it possible to determine who
examined the evidence and when. Select a digital evidence management
system that enables this user and content segregation through secure,
independent portals and case files.
C) Mistakes & Errors :
Ø Because no one is flawless, mistakes will inevitably occur owing to factors
including unconscious prejudice, an overwhelming workload, improper use of
technology, chance events, etc.
Ø Having qualified staff with the necessary expertise and experience is
essential. In order to avoid harming the inquiry, the workload should be well
managed. Any mistake could result in the evidence being excluded from use in
court. To manage their workload and help them concentrate on the right
information, investigators should make good use of technology and automated
processes.
Ø Everyone but the principal investigator can be given view-only access to
prevent errors from happening and accidental file deletion or modification.
Additionally, pick a digital evidence management program that enables you to
access the original file in the event that something goes wrong with the shared
copy.
Ø Additionally, it is crucial to regularly train the investigators on how to handle
evidence, follow protocols, and use technology.
D) Data Transfer
Ø Data breaches, exposure, and tampering are more likely to occur
during the transfer of evidence. Digital evidence is notoriously difficult
to keep secure while in transit.
Ø Storing on conventional media like USB drives or laptops is not
sufficient because these can be easily stolen and compromised. A simple
online transfer via email is even riskier.
Ø It is suggested that data should be encrypted during the transmission
of criminal justice information to ensure security.
E) Presenting In Court :
Ø Finally, if there are issues in handling the digital evidence properly, it may
be ruled inadmissible in court. Agencies should be aware of the various ways in
which the evidence can be presented, depending on the technology
configuration and internet connectivity of the court. On that basis,
evidence should be presented and carried safely.
Ø If you can't display the evidence in person, download it and present it. All
other documents and photos should be submitted in print form in addition to the
digital presentation, and if at all possible, image stills from video evidence
should be captured and printed.
Ø To ensure that all procedures are rigorously followed, prosecutors must be
aware of all the evidentiary criteria for admitting various types of digital
evidence. Here is a primer for prosecutors outlining the advantages, difficulties,
and recommendations for using video evidence in court.
Ø To further demonstrate in court that the evidence was kept in its original
form and was not manipulated in any way, accurate documentation of the chain
of custody of digital evidence is needed.
Types of Digital Forensic Examination Process:

A) Seizure :
§ Prior to the actual examination, digital media will be seized. To
ensure the preservation of evidence in criminal cases, this is
frequently carried out by law enforcement professionals who have
received technical training.
§ In civil cases, it will typically be a corporate officer, who is frequently
untrained. Material seizure is governed by a number of laws. The
law governing search warrants is relevant in criminal cases.
§ In civil cases, it is presumed that a business can look into its own
machinery without obtaining a warrant as long as the employees'
privacy and human rights are protected.
B) Acquisition
1. A write blocking device is typically used to generate an exact sector-
level duplicate (sometimes known as a "forensic duplicate") of the
media after exhibits have been seized. The duplicating process is
referred to as imaging or acquisition.
2. A hard drive duplicator or software imaging tools like dd, dcfldd,
IXimager, Guymager, TrueBack, EnCase, FTK Imager, or FDAS are
used to generate the copy. The original drive is then put back into a
safe place to guard against tampering.
3. The SHA-1 or MD5 hash functions are used to validate the acquired
image. The media is checked again at key times throughout the
investigation to make sure the data is still intact. Hashing is the
process of using a hash function to validate the image.
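The acquisition and hash-validation steps above, worked through as an added example that is neither the module's own code nor any of the imaging tools it lists: a constructed three-sector "device" is read through a software stand-in for a write blocker (reads succeed, any write raises), copied sector by sector while MD5, SHA-1 and SHA-256 are computed in the same pass, and the copy is then re-hashed against the recorded digests, once clean and once after a single byte is changed. The sidecar() helper produces the kind of companion text file that raw-format imagers write, since a raw image carries no metadata of its own. The device contents, the tool name and the sector size are all constructed.

```python
import hashlib

SECTOR = 512  # constructed sector size for the toy device


class WriteBlockedSource:
    """Software stand-in for a hardware write blocker (constructed for this example):
    the evidence bytes can be read sector by sector, but any write is refused."""

    def __init__(self, data: bytes):
        self._data = bytes(data)

    def size(self) -> int:
        return len(self._data)

    def read_sector(self, n: int) -> bytes:
        return self._data[n * SECTOR:(n + 1) * SECTOR]

    def write(self, *_args):
        raise PermissionError("write blocker: the evidence source is read-only")


def acquire(source, algorithms=('md5', 'sha1', 'sha256')):
    """Copy the source sector by sector and hash it in the same pass.
    Returns (image_bytes, {algorithm: hex digest of the source})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    image = bytearray()
    sectors = (source.size() + SECTOR - 1) // SECTOR
    for n in range(sectors):
        chunk = source.read_sector(n)
        image.extend(chunk)
        for h in hashers.values():
            h.update(chunk)
    return bytes(image), {name: h.hexdigest() for name, h in hashers.items()}


def verify(image: bytes, expected: dict) -> dict:
    """Re-hash the image and compare with the digests recorded at acquisition.
    Run this at every key point of the investigation, not just once."""
    return {name: hashlib.new(name, image).hexdigest() == digest
            for name, digest in expected.items()}


def sidecar(expected: dict, source_desc: str, tool: str = "example-imager") -> str:
    """Companion text file for a raw image, which carries no metadata of its own."""
    lines = [f"source: {source_desc}", f"tool: {tool}", f"sector_size: {SECTOR}"]
    lines += [f"{name}: {digest}" for name, digest in expected.items()]
    return "\n".join(lines) + "\n"


# Constructed 3-sector "device": a boot sector, one sector of file data, one filler sector.
DEVICE = (b"MBR" + b"\x00" * (SECTOR - 3)
          + b"memo: constructed evidence text\n".ljust(SECTOR, b"\x00")
          + b"\xff" * SECTOR)


def acquire_and_verify():
    """Full cycle: image the blocked source, verify the copy, tamper with it, verify again."""
    source = WriteBlockedSource(DEVICE)
    image, digests = acquire(source)
    clean = verify(image, digests)
    tampered = image[:-1] + b"\x01"          # flip the last byte of the copy
    return image, digests, clean, verify(tampered, digests)


if __name__ == "__main__":
    image, digests, clean, bad = acquire_and_verify()
    print(sidecar(digests, "constructed 3-sector test device"))
    print("clean copy verifies:", all(clean.values()),
          "| tampered copy verifies:", any(bad.values()))
```

Hashing during the copy rather than afterwards means the recorded digest describes exactly the bytes that were read from the source; a later verify() that fails tells you the image changed, while one that passes ties the working copy back to the acquisition record in the sidecar.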
C) Analysis :
Following the acquisition, the contents of (the HDD) image files are examined to find
evidence that either confirms or refutes a theory or for indications of tampering (to
hide data).
1. This phase was described as "an in-depth systematic search of evidence relevant
to the suspected crime" in the International Journal of Digital Evidence from 2002.
2. In contrast, Brian Carrier proposes a more "natural procedure" in which,
once obvious evidence is first recognized, "exhaustive searches are done to
start filling in the blanks".
D) Reporting :
1. When an investigation is finished, the information is frequently conveyed in a way
that non-technical people may understand. Reports may also contain meta-
documentation and audit information.
2. When an investigation is finished, reports are often sent to the parties who
commissioned it, such as law enforcement (in criminal instances) or the
employing corporation (in civil cases), who will then determine whether to utilize
the findings as evidence in court.
3. Typically, the report package for a criminal court will include both the evidence
itself and a written expert assessment of the evidence (often presented on digital
media).
Necessity of Forensic Duplication
1. "NEVER EXAMINE THE ORIGINAL" is the first rule of thumb in a cyber-forensic
investigation. This is where duplication tools come into the picture.
Remember, there are a few things any investigator should keep in mind. First,
digital evidence is highly fragile and can easily be altered and destroyed
through normal operation of the computer, network, software, malware,
etc., or due to a fault on the part of the investigator; this could possibly destroy
the whole case.
2. For example, say you are investigating the original evidence and suddenly
there is a power surge / power cut and boom!! The hard drive crashes;
now there is no way to recover data (or equivalent data) from a crashed
hard drive as you could have from a normal one.
3. Secondly, the definition of computer forensics says: "Computer forensics is
the collection, preservation, analysis, and presentation of computer
evidence related to an incident that may or may not be a crime."
4. Notice the words "may or may not be a crime"; hence the person
whose digital evidence is being examined may not necessarily be a
criminal. Yet we consider them suspects during the course of the
investigation, and there may be situations where we have to ensure
that their normal work is not affected during our investigation.
5. What do we do here? We make two clones of this evidence: one goes to
the suspect, the other is used for examination, and the original is sealed and
stored in the evidence room. This standard procedure is a win-win situation:
Ø The original evidence is securely stored to prevent tampering,
Ø you are investigating the clone (which is a bit-by-bit copy of the original; we
will come to this later), so even if the clone drive you are
working on goes faulty or some data gets deleted, you can always make a
new clone using the original, and
Ø The suspect's normal work is also not affected.
Forensic Image Formats:
§ There are several ways of creating a forensic copy, but they all have one
thing in common: the source must be write protected. This usually involves
using a write blocker, a device that enables the investigator to read the drive
but not write to it. Some write blockers have a built-in cache that enables you
to "write" to the device; all changes made are temporary, however, and only
exist in the write blocker.
§ Never, in any case, should you be able to actually write to the evidence.
Image Types :
When creating the actual image, there are basically two types of images you
can create. A physical image or a logical image.
A) Physical Image :
1. A physical image is a complete image of all the contents of a storage
device, a so-called bitstream copy. A bitstream copy involves the copy
of all areas of a storage device. Because a bitstream copy is a bit-by-bit
copy of the original storage device, it will also include the unallocated
areas of the storage device.
2. This means you will be able to perform data recovery on this copy,
something that is not possible with a normal copy or clone made by
"normal" disk cloning software (e.g. Norton Ghost, etc.).
3. Another great "feature" of a physical image is the possibility to write
the image back to a disk. Since a physical image is a bitstream copy of
a storage device, you will be able to write this image back to another
storage device and create an identical copy of the original.
4. This can be extremely useful if you want to boot up the original system
(e.g. for live examination of the system). The system will perform
exactly as if the original drive had been inserted.
B) Logical image :
1. A logical image is a file system level image. These images are
usually created when you are unable to create a physical image
(e.g. device limitations) or when you just want to image a
certain folder (e.g. a user's mailbox, or a user directory on a
server).
2. It's possible that, due to legal constraints, you are not allowed to
capture anything more than the files located in a certain folder.
Creating a logical image is the best way to capture only the data
in a folder, and nothing more.
3. One major drawback of a logical image is that you do not
capture any unallocated data. If the suspect has deleted
important files prior to the creation of the logical image, there
is no way to recover them from a logical image. You should
always try to create a physical image when it is suspected that
the user might have deleted important data.
Imaging formats :
When creating the image you also have several options regarding the format you store
your image in. There really isn't a good or bad format; it mainly depends on your
personal preferences and the software you are going to use. The most common
options offered by tools are:
A) Raw (DD) :
1. The RAW image format is basically a bit-for-bit copy of the raw data of
either the disk or the volume, stored in a single file or in multiple files.
2. There is no metadata stored in the image files.
3. Most tools create a separate text file containing all the details regarding the
image file, including the hardware/software used, source and destination
details and hash values.
4. The main advantage of the RAW image format is the fact that the files only
contain unmodified source data, nothing else. This means almost every tool
supports raw images, even non-forensic tools.
5. The main disadvantage of the RAW image format is the lack of any metadata:
without the text file there is no way to determine the source of the image. It
also lacks any form of compression, making the images as large as the source
drive, even if only a few GB have been used.
6. Raw images are also sometimes called dd images, since the raw image format
has its origins in the dd tool.
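As an added example (not code from the original notes), the following POSIX shell script performs a raw (dd) acquisition together with the verification step the notes describe: it copies the source bit-for-bit with dd, hashes both source and image, and writes the sidecar text file with tool, source, destination, timestamps and hash values. The source used here is an ordinary file you construct yourself; on a real acquisition it would be a write-blocked block device (a device name such as /dev/sdb is an assumption, not something from the notes). The function names and the sidecar layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original notes: raw (dd) acquisition with
# hash verification and the sidecar text file described above. SOURCE here is
# an ordinary file the caller constructs; on a real acquisition it is a
# write-blocked block device (e.g. /dev/sdb, an assumed name).

# SHA-256 of a file; shasum fallback for systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# create_raw_image SOURCE IMAGE
# bs=512 matches the classic sector size, so conv=sync (pad short reads to
# bs with zeros) adds nothing on a device whose size is a sector multiple;
# conv=noerror continues past unreadable sectors instead of aborting, which is
# the behaviour wanted on damaged media. Returns 0 only if the hashes match.
create_raw_image() {
    src=$1; img=$2
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    {
        echo "tool: dd (bs=512 conv=noerror,sync)"
        echo "source: $src"
        echo "destination: $img"
        echo "started: $started"
        echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256 source: $src_hash"
        echo "sha256 image: $img_hash"
    } > "$img.txt"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-hashes IMAGE and compares it with the hash recorded at acquisition time
# in IMAGE.txt. Returns 0 if unchanged, 1 if the image (or its record) differs.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^sha256 image: //p' "$img.txt")
    [ -n "$recorded" ] || return 1
    [ "$(hash_file "$img")" = "$recorded" ]
}
```

Run create_raw_image on the write-blocked source, then verify_image at any later point (for instance before analysis starts on the working copy) to confirm the image still matches the recorded hash; a mismatch means the copy was altered, or the source was not a multiple of the block size and conv=sync padded it.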
B) E01
1. The EnCase Evidence File (E01) is, next to the RAW image format,
the most commonly used imaging format.
2. It contains a physical bitstream (bit-by-bit) copy stored in a
single file or multiple files, enriched with metadata; this metadata
includes case information, examiner name, notes, checksums
and an MD5 hash. It also offers compression and password
protection.
3. The main advantage of this file format is the compression,
password protection and per-file checksum. The main
disadvantage of this file format is the fact that it is an
undocumented closed format. While most forensic tools
support this file format, it is not supported by other (non-
forensic) tools.
C) SMART :
The SMART image format is mainly used by the SMART tool for
Linux. The image is stored in a single segment file or multiple segment files,
each with metadata. This image format isn't commonly used
anymore.
D) Advanced Forensics Format (AFF) :
1. The Advanced Forensics Format (AFF) is an extensible open
format for the storage of disk images and related forensic
metadata.
2. Disk images can be stored with or without compression, together
with related metadata that may be stored within the disk image
or separately. Forensic disk images often play a role in law
enforcement and legal investigations, and the embedded metadata
provides facts for a chain of evidence or audit trail.
Acquiring Volatile Memory from Windows System
So far we have got a basic understanding of the initial response
process. We will now focus on the volatile data collection process.
We will see which vital information we should collect before turning
the system off. At a minimum, we collect the following volatile data
prior to the forensic duplication process, which we will see later.
• System date and time
• A list of the users who are currently logged on
• Time/date stamps for the entire file system
• A list of currently running processes.
• A list of currently open sockets.
• The applications listening on open sockets.
• A list of the systems that have current or recent connections
to the system.
Let us have a look at the steps to collect the volatile data from a
Windows system.
(A) Execute a trusted command shell cmd.exe :
• Sometimes you may encounter a really smart attacker who has set up a
trap on the victim's computer system. While you are establishing a netcat
virtual channel using the victim's command shell to execute commands, you
are not aware that the cmd shell you are using is already rigged: it is
nothing but a spoofed version created by the attacker to carry out
malicious activity without your knowledge.
• For example, you may actually be executing the del *.* command in
the \WINNT\System32 directory, rendering the system virtually
inoperable. To avoid such an embarrassment, it is always advised to use
a trusted cmd shell from within your response toolkit, i.e. run cmd.exe
from the toolkit and execute the commands from there.
(B) Record the system time and date :
The next step is to record the system time and date. This will allow the
investigators to have a timeline. Synchronization could be maintained
and an exact date and time at which the investigation process began
could be produced later on if needed.
(C) Determine who is logged in to the system (and remote-access users, if
applicable).
The next step is to determine which user accounts have active connections to
the system. This can be done with another response tool, PsLoggedOn, a
utility that shows all users connected locally and remotely. Similarly, to
enumerate the users connected to the system via remote-access (RAS)
connections, the command-line tool rasusers is used.
(D) Record modification, creation, and access times of all files :
• Use the dir command to get a directory listing of all the files on the target
system recording their size, access, modification, and creation times. This is
often the most important and critical step to incident response. If you can
identify the relevant timeframe when an incident occurred, the time/date
stamps become the evidence of which files an attacker touched, uploaded,
downloaded, and executed.
(E) Determine open ports :
To determine the number of open ports and the respective port numbers, use
the Windows netstat command. This command lists the various open
ports along with the local and foreign IP addresses and the current state of
each connection.
(F) List applications associated with open ports :
At times it becomes crucial to differentiate between legitimate
applications and rogue applications which may harm the system.
Using the Fport tool developed by Foundstone, the applications
associated with specific port numbers can be recognized, and hence those
applications which are not authorized to use specific ports can be
stopped.
(G) List all running processes :
Before you power off a target system, it is important to record all of the
processes currently running on that system. You cannot obtain this
information if you simply unplug the power cord. When a process is executed
on a Windows system, a kernel object and an address space that contains the
executable code are created. You can use the PsList utility to enumerate all
running processes on the target system.
(H) List current and recent connections :
Netstat, arp, and nbtstat are useful utilities for determining who is connected
or has recently connected to a system. Many Windows NT/2000 workstations
have audit policies that do not log successful or failed logons. Therefore, these
three utilities may be your only way to identify a remote system
connecting to a workstation.
(I) Record the system time and date :
This is the penultimate step, in which we record the date and
time once again. It marks the conclusion of the data
gathering process on the live Windows system. This step is also
important because it provides the timeframe within which the data
collection phase began and concluded, so that if anything is
changed on the system outside this timeframe, you will know that
you are not responsible for the alteration.

(J) Document the commands used during initial response :
This is the last step, in which we prepare a document that
contains the various commands used during the initial
response phase. We use the "doskey /history" command to
display the command history of the current command shell on a
system, and so to keep track of the commands executed on the
system during a response.
(K) Scripting your initial response :
Many of the steps taken during the initial response can be
incorporated into a single batch script. We often script our
response, and then use netcat to transfer the results of the script to a
forensic workstation. Simply create a text file and give it a .bat
extension to make it a batch file.
Here is a sample script that can be used when responding to
incidents on Windows NT/2000 systems (one command per line;
the time and date are recorded at both the start and the end):
time /t
date /t
psloggedon
netstat -an
fport
pslist
nbtstat -c
time /t
date /t
doskey /history
Live Data Collection from UNIX System
• The volatile data includes currently open sockets, running processes, the
contents of system RAM, and the location of unlinked files. Unlinked files
are files marked for deletion that disappear once the processes that have them
open terminate.
• The files marked for deletion will "disappear" when the system is powered
down.
Therefore, the initial response should recover each type of volatile evidence,
including the files marked for deletion. To collect the live data from a UNIX
workstation, the following steps are carried out:
(1) Execute a trusted shell
• The target UNIX system may be working in one of the following two modes:
(a) The system running in native console mode.
(b) The system running in X Windows mode, a GUI similar to a Windows
desktop.
The X Windows mode is similar to Windows and has some vulnerabilities
which allow an attacker to gain access and record keystrokes. To avoid
this, exit the X Windows mode and perform a local login at the
victim's UNIX workstation. Only then carry on with the connection
establishment process.
(2) Record the system time and date :
This phase is the same as for Windows. To capture this information, use the date
command :
[root@vrb /root]# date
Fri Oct 20 16:55:43 UTC 2017
(3) Determine who is logged on to the system :
Determining who is logged on is quite simple. Just execute the w (what)
command. The w command displays the user IDs of logged-on users,
what system they logged on from, and what they are currently executing
on the system. It also provides the date and system time.
[root@vrb /root]# w
11:39pm up 3:11, 3 users, load average: 1.27, 1.43, 1.84
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
nada ttyp0 jitter.rahul.net 8:30pm 3:02m 1:08 0.14s telnet bothosti
Bovine ttyp1 shelll.bothostin 8:35pm 3:02m 1:01 0.12s -bash
mandiak ttyp2 adsl-225-75.poto 11:38pm 0.00s 0.25s 0.11s w
[root@vrb /root]#
(4) Record modification, creation, and access times of all files :
• You will want to retrieve all the time/date stamps on the file system.
As with Windows systems, UNIX systems have three time/date stamps to
collect for each file and directory: access time (atime), modification time
(mtime), and the inode (mode) change time (ctime).
• You can use a trusted ls command with the proper command-line
arguments to obtain these times for each file. The following lines
demonstrate how to obtain the time/date stamps and save the output on a
trusted floppy disk:
ls -alRu / > /floppy/atime
ls -alRc / > /floppy/ctime
ls -alR / > /floppy/mtime
(5) Determine open ports :
Use the netstat -an command to view all open ports. The -n option tells
netstat not to resolve hostnames, which reduces the impact on the system and
speeds up the execution of the command. The following is an excerpt from the
output of netstat :
[root@vrb /root]# netstat -an
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 176 66.192.0.66:22 66.192.0.26:20819 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:69 0.0.0.0:*
(6) List applications associated with open ports.
On Linux, the netstat command has a -p option that maps the name of
the application and its process ID (PID) to the open ports.
[root@vrb /root]# netstat -anp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 385/inetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 395/sshd
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN 385/inetd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 385/inetd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 385/inetd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 385/inetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 385/inetd
udp 0 0 0.0.0.0:69 0.0.0.0:* 385/inetd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
(7) Determine the running processes :
The running processes can be listed using the standard ps command, the
counterpart of the PsList tool used on Windows. The output varies a bit
among the different UNIX flavors. We use ps -eaf on Solaris systems, and we
use ps -aux on FreeBSD and Linux systems.
(8) List current and recent connections :
The netstat command comes in handy here as well, since it can be used to find
out your current and most recent network connections. It can also help in
identifying a rogue connection, if any, and in eliminating it.
(9) Record the system time
The date command is run again to record the system date and time at the
conclusion of the session. The objectives are the same as for a Windows system.
(10) Record the steps taken
Using the history command, similar to the "doskey /history" command of
Windows, all the commands entered during the investigation using the trusted
UNIX shell are documented and stored in the order in which they were
run. The objectives of this step are the same as for the Windows
documentation step.
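This added example (not code from the original notes) puts the UNIX steps (1) to (10) above, and the idea of a single response script from the Windows section (K), into one POSIX shell script. Each step writes its own output file, the start and end times bracket the collection, every command run is logged in place of the interactive history, and a SHA-256 manifest written last lets you show afterwards that the results were not altered. TOOLKIT_DIR, the output file names and the optional ROOT argument for the timestamp listings are assumptions of this example; ps aux is used in place of the notes' ps -aux because some ps implementations reject the dash form.

```shell
#!/bin/sh
# Added example, not code from the original notes: live-response collection
# for a UNIX system following steps (1)-(10) above. Run as root; point OUTDIR
# at removable or remote media, never at the suspect file system.
# TOOLKIT_DIR, the file names and the ROOT argument are this example's choices.

# Trusted binaries first: if a response toolkit directory is given, search it
# before the suspect system's own PATH (the notes' "trusted shell" idea).
if [ -n "${TOOLKIT_DIR:-}" ]; then PATH="$TOOLKIT_DIR:$PATH"; fi

# SHA-256 of a file (shasum fallback for systems without sha256sum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# run_step OUTDIR NAME COMMAND [ARGS...]
# Writes the command line, its output and exit status to OUTDIR/NAME.txt and
# appends the command line to commands_run.txt (the record of steps taken).
# A missing tool is noted rather than aborting, so every step leaves a file.
run_step() {
    outdir=$1; name=$2; shift 2
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$outdir/commands_run.txt"
    if command -v "$1" >/dev/null 2>&1; then
        { echo "# $*"; "$@" 2>&1; echo "# exit status: $?"; } > "$outdir/$name.txt"
    else
        echo "# $* : command not available on this system" > "$outdir/$name.txt"
    fi
}

# collect_volatile OUTDIR [ROOT]
# ROOT is the tree whose atime/ctime/mtime listings are taken (the notes use /);
# it is a parameter so the example can be exercised on a small directory.
collect_volatile() {
    outdir=$1; root=${2:-/}
    mkdir -p "$outdir" || return 1
    run_step "$outdir" 01_start_time  date                 # step (2)
    run_step "$outdir" 02_logged_on   w                    # step (3)
    run_step "$outdir" 03_atime       ls -alRu "$root"     # step (4)
    run_step "$outdir" 04_ctime       ls -alRc "$root"
    run_step "$outdir" 05_mtime       ls -alR "$root"
    run_step "$outdir" 06_open_ports  netstat -anp         # steps (5), (6), (8)
    run_step "$outdir" 07_processes   ps aux               # step (7)
    run_step "$outdir" 08_end_time    date                 # step (9)
    # Step (10): commands_run.txt already holds every command; now seal the
    # whole output directory with a manifest of hashes.
    : > "$outdir/manifest.txt"
    for f in "$outdir"/*.txt; do
        case "$f" in */manifest.txt) continue ;; esac
        echo "$(hash_file "$f")  $(basename "$f")" >> "$outdir/manifest.txt"
    done
}

# verify_manifest OUTDIR: returns 0 only if every listed file still matches.
verify_manifest() {
    outdir=$1
    while read -r sum name; do
        [ "$(hash_file "$outdir/$name")" = "$sum" ] || return 1
    done < "$outdir/manifest.txt"
}
```

On a real response you would run collect_volatile /mnt/response (with ROOT left at /) and then hash manifest.txt itself, or copy the directory with netcat as the Windows section describes, so that the manifest can be checked with verify_manifest on the forensic workstation.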
Acquiring Non Volatile Memory (Static Acquisition)
• "Static data acquisition" refers to non-volatile data, i.e. information that
does not change when a system is shut down. The practice of removing
and gathering unaltered data from storage media is known as static data
collection.
• Hard drives, DVD-ROMs, USB drives, flash cards, smart phones, external
hard drives, and other storage devices are examples of non-volatile data
sources. Emails, word processing files, web activity, spreadsheets, slack space,
swap files, unallocated drive space, and numerous deleted items are
examples of this type of data. Static acquisitions can be repeated by
investigators using well-preserved disk evidence.

Static data recovered from a hard drive includes:
(1) Temporary (temp) files
(2) System registries
(3) Event/system logs
(4) Boot sectors
(5) Web browser cache
(6) Cookies
(7) Hidden files
• Never conduct a forensic investigation or any other procedure on
the original evidence or source of evidence, since doing so could
change the data and render the evidence inadmissible in court.
• Instead, make a duplicate bit-stream image of the questionable
device or file and view and manipulate the static data on that copy. This
procedure will safeguard the original proof and give the
opportunity to generate another copy in case something goes wrong.
• Always produce two copies of the original media before starting
the investigation process, for the following purposes:
(1) One copy is the working copy, for analysis
(2) One copy is the library/control copy stored for disclosure
purposes or in the event that the working copy gets corrupted.
Hard Drive Imaging (Disk Imaging) - what is it?
• Disk imaging is the process of making an exact replica of a drive's contents
and saving it as one compressed file. There are numerous kinds of disk
images. They can be utilised for system deployment, virtual machine
creation in a hypervisor (VMware, Hyper-V, etc.), and file backup.
• Disk images can be used on several operating systems, including Linux, macOS,
and Windows.
What is a disk image capable of?
• The most frequent application is to deploy an image of one computer that
has been captured to other machines. In this manner, all of the source
machine's files and applications will be present when the destination computer
powers up for the first time.
• When you onboard new employees and provide them with new equipment,
such as laptops or desktop PCs, that is a typical use case. IT can develop
disk images for each role or department to guarantee that all employees
in a given role start out with the same fundamental configuration.
(A) The benefits of disk imaging :
(1) The primary benefit of imaging is the ability to build a single reference system that
is precisely configured for your environment's requirements and then capture it for
widespread deployment. Additionally, you may "bake in" programmes and
customizations using this technology to make deployments simpler.
(2) The settings, applications, and configurations from the reference device will be
carried across to every computer that has the image deployed. The IT team at your
firm will no longer have to spend hours manually installing software, setting up
printers, copying files, etc.
(B) Challenges of Disk Imaging :
1. The biggest drawback is that since system disk images are snapshots of
configurations taken at specific points in time, they tend to become
outdated.
2. If you take a disk image today and apply it to a fresh device in six months,
that device will start out with security patches that are six months old. You
will have to wait while the OS and applications download and install all of the
recent security updates after deployment. In other words, it will take a long time
for the device to be secure and ready for provisioning.
3. The introduction of newer versions of applications that you've "baked in" to your
environment presents another difficulty with images. It is necessary to take action to
update the image to account for those changes. In essence, this forces you to
constantly create, update, and test your images.
Network Acquisition
• Sometimes you suspect that your organization's computer systems
have been attacked or compromised. In such a case you cannot accuse
an individual or a group of sabotage without valid proof; you need
valid, documented proof which could be presented in a court of law
as and when required.
• Network-based monitoring is the process of analyzing the incoming and
outgoing traffic of a network with the use of utilities such as tcpdump or
windump.
• Capturing the traffic is only a portion of the work; extracting
meaningful results is the other challenge. After you have collected
the raw data that composes your network-based evidence, you must
analyze that data.
• The analysis of network-based evidence includes reconstructing
the network activity, performing low-level protocol analysis, and
interpreting the network activity.
(A) Types of Network Monitoring :
(i) Event Monitoring
• Event monitoring is based on certain rules or thresholds employed
on the network-monitoring platform. Events are simply alerts that
something has occurred on your network.
• Traditional events are generated by a network IDS, but events can also
be created by network health monitoring software like MRTG (Multi
Router Traffic Grapher) or NTOP.
(ii) Trap and Trace Monitoring:
• Trap and trace monitoring is like an IDS which monitors the headers of
each data packet going into or out of a network. This monitoring
is not concerned with events; it simply inspects the headers of the
packets to filter out certain protocols and addresses, such as a specific
protocol used, or the source or destination IP address.
• It is similar to a packet filter in its working. It will not block or obstruct
any other normal operations. It simply performs the tasks assigned to it.
(iii) Full Content Monitoring:
• Full-content monitoring yields data that includes the raw
packets collected from the wire. It offers the highest
fidelity, because it represents the actual communication
passed between computers on a network. Full-content
data includes packet headers and payloads. The following is a
sample packet captured in its entirety and displayed using
tcpdump:
tcpdump is used to capture, filter, and analyze network
traffic such as TCP/IP packets going through your system. It is
often used as a security tool as well. It saves the
captured information in a pcap file; these pcap files can then
be opened in Wireshark or with the command-line tool
itself.
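As an added example (not code from the original notes), the following POSIX shell functions perform a triage check on a pcap file as written by tcpdump before it is opened in Wireshark: they validate the global header's magic number, read the link type and snapshot length, and walk the packet records to count them and find the first and last timestamps, flagging a truncated file. The sample capture is constructed inline with printf (two small packets with constructed payloads, timestamped with the notes' Fri Oct 20 16:55:43 UTC 2017); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original notes: validate and summarise a
# pcap file (the format tcpdump writes) using only od, sed and the shell.

# u32 FILE OFFSET ENDIAN -> unsigned 32-bit integer at OFFSET (ENDIAN: le|be)
u32() {
    b=$(od -An -v -tx1 -j "$2" -N 4 "$1" | tr -d ' \n')
    [ "${#b}" -eq 8 ] || return 1
    if [ "$3" = le ]; then                      # reverse the four bytes
        b=$(printf '%s' "$b" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    fi
    printf '%d\n' "0x$b"
}

# pcap_info FILE
# Prints "linktype=N snaplen=N packets=N first_ts=N last_ts=N" (timestamps
# are the ts_sec fields, seconds since the epoch). Returns 1 on a bad magic
# number, 2 for a pcapng file (a different format) and 3 for a capture whose
# last record is truncated, as happens when tcpdump is killed mid-write.
pcap_info() {
    f=$1
    magic=$(od -An -v -tx1 -N 4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) e=le ;;          # classic / nanosecond, little-endian
        a1b2c3d4|a1b23c4d) e=be ;;          # classic / nanosecond, big-endian
        0a0d0d0a) return 2 ;;               # pcapng section header block
        *) return 1 ;;
    esac
    snaplen=$(u32 "$f" 16 "$e"); linktype=$(u32 "$f" 20 "$e")
    size=$(wc -c < "$f" | tr -d ' '); off=24; n=0; first=; last=
    while [ "$off" -lt "$size" ]; do            # 16-byte record header + data
        [ $((off + 16)) -le "$size" ] || return 3
        ts=$(u32 "$f" "$off" "$e"); len=$(u32 "$f" $((off + 8)) "$e")
        [ $((off + 16 + len)) -le "$size" ] || return 3
        [ -n "$first" ] || first=$ts
        last=$ts; n=$((n + 1)); off=$((off + 16 + len))
    done
    echo "linktype=$linktype snaplen=$snaplen packets=$n first_ts=$first last_ts=$last"
}

# make_sample_pcap FILE: a constructed two-packet capture (little-endian
# classic header, version 2.4, snaplen 65535, link type 1 = Ethernet).
# Packet 1: 4 bytes at ts_sec 1508518543; packet 2: 2 bytes one second later.
make_sample_pcap() {
    {
        printf '\324\303\262\241\002\000\004\000'   # magic d4c3b2a1, version 2.4
        printf '\000\000\000\000\000\000\000\000'   # thiszone 0, sigfigs 0
        printf '\377\377\000\000\001\000\000\000'   # snaplen 65535, linktype 1
        printf '\217\052\352\131\000\000\000\000'   # ts_sec 0x59ea2a8f, ts_usec 0
        printf '\004\000\000\000\004\000\000\000'   # incl_len 4, orig_len 4
        printf '\336\255\276\357'                   # 4 constructed payload bytes
        printf '\220\052\352\131\000\000\000\000'   # ts_sec 0x59ea2a90, ts_usec 0
        printf '\002\000\000\000\002\000\000\000'   # incl_len 2, orig_len 2
        printf '\001\002'                           # 2 constructed payload bytes
    } > "$1"
}
```

Record the summary and the file's hash alongside the capture: a later run that reports a different packet count, or a return code of 3, tells you the evidence file is not the one that was acquired or was cut short while it was being written.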
Q. 1 What is a Digital Evidence? What are its various types?
Q. 2 What are the various challenges in acquiring digital evidence?
Q. 3 Explain the role of admissibility of evidence.
Q. 4 What are the various obstacles/challenges in evidence handling?
Q. 5 What are Live Data Collection Steps in UNIX systems.