CSC123 DIGITAL FORENSICS ESSENTIALS

Introduction

The use of computer in our daily lives has tremendous advantages. However, this
achievement has created opportunities for e-commerce, distance learning,
education, research, entertainment, and digital financial services. Similarly, this
advancement has also created huge concerns such as computer related crime,
cybercrime and digital crime.
This advancement has also led to the need for Cybersecurity. According to ITU-T
X.1205 Cybersecurity is the collection of tools, policies, security concepts,
security safeguards, guidelines, risk management approaches, actions, training,
best practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets. Organization and user’s assets
include connected computing devices, personnel, infrastructure, applications,
services, telecommunications systems, and the totality of transmitted and/or stored
information in the cyber environment.

Cybersecurity strives to ensure the attainment and maintenance of the security

properties of the organization and user’s assets against relevant security risks in the
cyber environment.

The general security objectives comprise the following:

• Confidentiality

• Integrity

• Availability

These objectives are referred to as CIA Triad. The CIA Triad (Confidentiality,
Integrity, Availability) is a foundational concept in cybersecurity and digital
forensics. It helps understand the goals and principles behind securing and
investigating digital information.
• Confidentiality: Ensuring that sensitive information is accessed only by
authorized individuals.
• Integrity: Ensuring the accuracy and completeness of data.
• Availability: Ensuring that information and resources are available to authorized
users when needed.
Another concept important in cybersecurity is Access Control. Access control
mechanisms are critical in both cybersecurity and digital forensics. They help
prevent unauthorized access to systems and data, ensuring the protection and
reliability of digital evidence.
Three aspects of Access Control Authentication, Authorisation and Audit.
1. Authentication: Authentication is the process of verifying the identity of a
user, device, or entity attempting to access a system. It ensures that the entity is
who it claims to be.
Types of Authentication
• Something You Know: Passwords, PINs, or answers to security
questions.
• Something You Have: Smart cards, security tokens, or mobile
devices.
• Something You Are: Biometrics such as fingerprints, facial
recognition, or iris scans.
Role in Digital Forensics

Securing Access: Authentication mechanisms protect forensic tools and evidence

from unauthorized access, ensuring only verified individuals can handle sensitive
information.

Tracking Access Attempts: Logs of authentication attempts can provide valuable

information in forensic investigations, helping to identify unauthorized access or
suspicious activities.
2. Authorization: Authorization determines what an authenticated user is allowed
to do. It involves granting or denying permissions to resources based on the
user's identity and roles.
Types of Authorization:
• Role-Based Access Control (RBAC): Access permissions are
assigned based on user roles within an organization (e.g., admin,
user, guest).
• Attribute-Based Access Control (ABAC): Access is granted
based on attributes (e.g., time of day, location, type of device).
• Policy-Based Access Control (PBAC): Access decisions are
made based on defined policies and rules.
Role in Digital Forensics:
Protecting Evidence: Proper authorization ensures that only authorized personnel
can access and modify digital evidence, preserving its integrity.
Segregation of Duties: Differentiating access based on roles helps prevent conflicts
of interest and reduces the risk of tampering or misuse of forensic tools and data.
3. Audit: Auditing involves recording and analyzing activities within a system to
ensure compliance with security policies and detect any anomalies or
unauthorized actions.
Components of Audit:
• Logging: Collecting detailed logs of user activities, access
attempts, and system events.
• Monitoring: Continuously observing system activities to identify
 suspicious behavior or security breaches.
• Reviewing: Regularly examining logs and audit trails to detect and
investigate irregularities.
Role in Digital Forensics:
Traceability: Audit logs provide a traceable record of all actions taken on digital
evidence, crucial for maintaining the chain of custody and ensuring accountability.
Incident Response: Auditing helps forensic investigators identify and respond to
security incidents by providing a detailed account of events leading up to and
following the incident.
Compliance: Ensuring that forensic practices comply with legal and regulatory
requirements, maintaining the admissibility of evidence in court.

DIGITAL FORENSICS
What is Digital Forensics
Digital forensics also came into existence as a result of the growing incidence of
computer and cyber related crimes, as well as the increased adoption of digital
devices. Digital forensics has gained significant importance in the recent times as a
result of the rise. This concept was firstly defined in 2001 by the Digital Forensics
Research Workshop (DFRWS) as “The use of scientifically derived and proven
methods toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived from
digital sources for the purpose of facilitating or furthering the reconstruction of
events found to be criminal or helping to anticipate unauthorized actions shown to
be disruptive to planned operations”

Definition 2

Digital forensics is a branch of forensic science that uses scientific understanding

to acquire, evaluate, record, and present digital evidence related to computer crime
in court. The main goal is to figure out what happened, when it happened, and
who did it.

Definition 3

Digital Forensics is also defined as the process of preservation,

identification, extraction, and documentation of computer evidence which
can be used by the court of law.

Importance of Digital Forensics

Cybersecurity and digital forensics are two closely related fields within the roader
domain of information security. They complement each other in protecting and
investigating digital assets, systems, and networks. The importance of digital
forensics in cybersecurity are highlighted and also compare to the cybersecurity
activities.

1. Prevention and Detection

Cybersecurity: Focuses on preventing unauthorized access, attacks, and breaches

through measures such as firewalls, intrusion detection systems (IDS), encryption,
and secure coding practices. Digital Forensics: Comes into play when prevention
measures fail. It involves detecting and investigating security incidents to
understand what happened, how it happened, and who was responsible.

2. Incident Response

Cybersecurity: Includes preparing for, detecting, and responding to security

incidents. This involves creating incident response plans, conducting regular drills,
and deploying security technologies. Digital Forensics: Is a critical part of the
incident response process. Forensic investigators collect and analyze digital
evidence to determine the extent of the breach, identify compromised systems, and
provide insights for remediation.
3. Evidence Collection and Analysis
Cybersecurity: Security teams often collect logs, alerts, and other data from
various security tools to monitor and analyze network activity for potential threats.
Digital Forensics: Forensic experts collect similar data but with a focus on
preserving evidence for legal proceedings. They use specialized tools to analyze
and reconstruct events, ensuring the integrity and admissibility of the evidence.

Why digital forensics

4. Evidence Collection and Analysis

Cybersecurity: Security teams often collect logs, alerts, and other data from
various security tools to monitor and analyze network activity for potential threats.
Digital Forensics: Forensic experts collect similar data but with a focus on
preserving evidence for legal proceedings. They use specialized tools to analyze
and reconstruct events, ensuring the integrity and admissibility of the evidence.

5. Tools and Techniques:

Cybersecurity: Utilizes tools such as antivirus software, SIEM (Security

Information and Event Management) systems, and vulnerability scanners to protect
systems and data. Digital Forensics: Uses tools like EnCase, FTK (Forensic
Toolkit), and Autopsy forevidence collection, analysis, and reporting.
Brief History

Early Days (1980s): Digital forensics emerged in the 1980s as computers became
more prevalent in both businesses and homes. Initial efforts focused on recovering
deleted files and analyzing computer activities for evidence of crimes

Formalization and Legal Recognition (1990s): The 1990s saw the formalization
of digital forensics as a distinct field. Law enforcement agencies began developing
specialized units to handle digital evidence. Key cases during this period, such as
the investigation of computer hacker Kevin Mitnick, highlighted the importance of
digital forensics.

Development of Tools and Standards (2000s): With the rapid advancement of

technology, the 2000s witnessed the development of specialized tools and software
for digital forensics. Organizations like the National Institute of Standards and
Technology (NIST) began creating guidelines and standards to ensure the
reliability and admissibility of digital evidence in court. Tools like EnCase and
FTK (Forensic Toolkit) became widely used for examining digital devices.
Rise of Mobile and Cloud Forensics (2010s): The proliferation of smartphones
and cloud computing in the 2010s brought new challenges and opportunities for
digital forensics. Mobile forensics tools were developed to extract and analyze data
from smartphones and tablets. Cloud forensics emerged to address the
complexities of investigating data stored in remote servers and distributed across
multiple locations.

Modern Era (2020s - Present): Today, digital forensics encompasses a wide

range of disciplines, including network forensics, database forensics, and IoT
(Internet of Things) forensics. The field continues to evolve with advancements in
artificial intelligence and machine learning, which are being integrated into
forensic tools to enhance data analysis and automate repetitive tasks. Cybersecurity
incidents, data breaches, and sophisticated cybercrimes underscore the importance
of digital forensics in contemporary law enforcement and corporate security.

In summary, digital forensics continues to be a critical aspect of modern

investigations, playing a vital role in uncovering digital evidence and ensuring
justice in an increasingly digital world.

Digital Forensics Investigator/Specialist

A Digital Forensics Investigator or Specialist is a professional who is trained and
skilled in identifying, preserving, analyzing, and presenting digital evidence in a
manner that is legally admissible. They play a crucial role in investigating
cybercrimes, data breaches, and other incidents involving digital devices and
networks.
Roles and Responsibilities:
1. Evidence Collection:
Collecting data from digital devices such as computers, smartphones, tablets, and
servers. Ensuring that evidence is collected in a forensically sound manner to
maintain its integrity and admissibility in court.

2. Preservation of Evidence:
Creating forensic copies (images) of digital media to prevent data alteration during
analysis. Maintaining a proper chain of custody to document how evidence is
handled and stored.
3. Data Analysis:
Using specialized tools and techniques to recover and analyze data. Examining file
systems, logs, emails, internet history, and other data sources to uncover relevant
information. Decrypting files and recovering deleted or hidden data.
4. Incident Response:
Assisting in responding to security incidents and breaches by identifying the extent
of the compromise. Providing insights into how the breach occurred and
recommending remediation steps.
5. Reporting and Documentation:
Documenting findings in detailed reports that can be used in legal proceedings.
Presenting evidence and expert testimony in court when required.
6. Collaboration:
Working closely with law enforcement agencies, legal teams, and cybersecurity
professionals. Coordinating with other investigators and stakeholders during
complex investigations.
7. Staying Current:
Keeping up to date with the latest developments in digital forensics tools,
techniques, and legal requirements. Attending training sessions, workshops, and
conferences to continuously improve skills and knowledge.
Skills and Qualifications
1. Technical Proficiency:
Strong understanding of computer systems, networks, and various operating systems.
Proficiency with digital forensics tools like EnCase, FTK, Autopsy, and others.
1. Analytical Skills:
Ability to think critically and solve complex problems and pay keen attention to
detail to identify subtle clues and anomalies in digital evidence.
2. Legal Knowledge:
Understanding of legal principles and procedures related to digital evidence is
essential. Also, familiarity with laws and regulations governing data privacy and
cybersecurity is a vital knowledge to have.Skills and Qualifications
3. Communication Skills:
Strong written and verbal communication skills for report writing and presenting
findings is a skill required and as ability to explain technical information to non-
technical stakeholders clearly.
4. Certifications:
Relevant certifications such as Certified Computer Examiner (CCE), Certified
Forensic Computer Examiner (CFCE), and GIAC Certified Forensic Analyst
(GCFA) that can enhance credibility and expertise should be taken.

Typical Employers of Digital Forensics Expert

1. Law enforcement agencies
2. Government organizations
3. Private investigation firms
4. Corporate security departments
5. Cybersecurity consulting firms
Digital Forensics Process
1. Identification

This is the first step where potential sources of digital evidence are identified.
This includes recognizing what data might be relevant to the case, where it is
stored, and how it can be accessed.

Example: In a hacking investigation, identifying all compromised computers,

servers, and network devices where traces of the attack might be found.

2. Preservation

Ensuring that the data is protected from alteration or destruction. This involves
creating a forensically sound copy of the data, often referred to as an image,
which can be analyzed without affecting the original data.

Example: Using a write-blocker to create an image of a suspect's hard drive,

preventing any changes to the original drive during the imaging process.

3. Collection

Gathering all the relevant data from identified sources while maintaining the
integrity of the evidence. This can involve both physical collection (e.g., seizing
a computer) and logical collection (e.g., copying files).

Example: Collecting log files from a web server that was used in an
unauthorized access incident.

4. Examination

A detailed and systematic search to find hidden, deleted, or encrypted data. This
step involves sorting through large amounts of data to find pieces of evidence.

Example: Using forensic tools to uncover deleted emails on a suspect’s laptop.

5. Analysis

Interpreting the extracted data to draw conclusions about the incident. This step
involves making sense of the data and reconstructing events.

Example: Analyzing internet history and email records to determine if an

employee was leaking company secrets.
6. Interpretation

Description: Providing meaning to the analyzed data. This involves

understanding the context of the findings and determining their relevance to the
case.

Example: Determining whether a suspicious file found on a computer is

malware and how it was introduced into the system.
 7. Documentation

Keeping detailed records of all the steps taken during the investigation. This
includes maintaining a chain of custody and creating comprehensive reports that
detail the findings.

Example: Documenting the exact procedures used to image a hard drive and the
results of the analysis in a written report

8. Presentation

Presenting the findings to stakeholders, which could include law enforcement,

legal teams, or management. This step often involves testifying in court or
presenting a detailed report.

Example: Explaining the results of a forensic investigation in court, including

how evidence was collected and analyzed to support the prosecution’s case.

Understanding and following these steps ensures that digital evidence is handled
properly, maintaining its integrity and admissibility in legal proceedings.

Digital forensics is an important aspect of Cybersecurity that deals with

handling digital crimes with a focus on how the crime occur, where it occurred
and who committed the crime.

Digital Crime
There will be no need for digital forensics if no crime is committed using digital
devices. In essence, the presence of digital led to the need to carry out
investigation.

Digital crime, also known as cybercrime, refers to any criminal activity that
involves the use of computers, networks, or digital devices. These crimes can
target individuals, companies, governments, and organizations, and they often
involve the unauthorized access, theft, manipulation, or destruction of data. It is
important to note that digital crime exploits technology, it can be financially
motivated, politically driven, or performed for personal gain, and lastly digital
crimes are often difficult to detect and trace.

Examples of digital crime

1. Hacking: Unauthorized access to computer systems to steal data or disrupt
services.
2. Phishing: Fraudulent attempts to obtain sensitive information by pretending
to be a trustworthy entity.
3. Identity Theft: Stealing someone's personal information to commit fraud.
4. Ransomware: Malicious software that locks a user's data until a ransom is paid.
5. Distributed Denial of Service (DDoS): Overloading a system with traffic to
make it unavailable.
 Elements of Digital Crime
Understanding the elements of digital crime is essential for effectively
preventing, detecting, and responding to these threats. By examining the
elements, digital forensics professionals can better detect malicious activities on
systems and data

Target
This is the specific entity that the cybercriminal aims to exploit. Targets can
range from individuals to large corporations or even governmental systems.
Examples:
• Individual: A person targeted for identity theft by stealing their personal
information.
• Organization: An online banking system targeted for financial theft.
• Government: A country's critical infrastructure systems targeted by
cyberterrorists.
Means
This refers to the techniques, tools, and methods used to carry out the digital crime.
This can include software, hardware, and social engineering tactics.
Examples:
• Malware: Malicious software like viruses, worms, or ransomware used to
damage or gain control of systems.
• Phishing: Sending fraudulent emails to trick individuals into revealing
sensitive information.
• Hacking Tools: Software designed to exploit vulnerabilities in systems or
networks.
Intent
The underlying motivation or purpose behind committing the digital crime.
Understanding intent helps in predicting potential targets and methods.
Examples:
• Financial Gain: Stealing credit card information to make unauthorized
purchases.
• Political Goals: Disrupting the digital infrastructure of a rival nation.
 • Personal Revenge: A disgruntled employee leaking company secrets.
Opportunity
This refers to the favorable conditions or situations that make committing the
crime possible. Criminals often exploit weaknesses in security measures.
Examples:
• Weak Passwords: Using simple or default passwords that are easy to guess.
• Unpatched Systems: Failing to update software and hardware, leaving
known vulnerabilities exposed.
• Human Error: Employees clicking on phishing links or inadvertently
sharing sensitive information.
Harm
The damage or negative impact resulting from the digital crime. This can affect
individuals, organizations, and even entire nations.
Examples:
• Financial Loss: Direct monetary loss due to fraud or theft.
• Data Breach: Compromising sensitive information like personal details or
trade secrets.
• Reputation Damage: Loss of trust and credibility following a cyber attack,
affecting customer and investor confidence.

Sources of Digital Crime

Digital crime can stem from both internal and external sources, each posing unique
challenges to organizations. Understanding these threats helps digital forensics
professionals to better detect wide range of digital crimes.

Internal Threats and External Threats

Internal Threats

1. Insider Threats
Threats that originate from individuals within the organization, such as employees,
contractors, or business partners.
Examples:
• Dissatisfied Employees: Employees who feel wronged by the
organization and seek revenge by stealing or destroying data.
• Malicious Insiders: Employees who deliberately misuse their access
to sensitive information for personal gain or to harm the
organization.
• Negligent Insiders: Employees who inadvertently cause security
breaches through careless actions, such as clicking on phishing
links or mishandling sensitive data.
2. Third-Party Vendors
These are external partners or vendors who have access to the organization’s
systems and data.
Examples:
• IT Service Providers: A compromised vendor network leading to a
 data breach in the client organization.
• Outsourced Contractors: Contractors mishandling sensitive
information or introducing malware into the organization's network.

External Threats
1. Cybercriminals
These are individuals or groups who engage in illegal activities using digital
means. These actors often operate outside the organization and use various
techniques to exploit vulnerabilities.
Examples:
• Hackers: Individuals breaking into systems to steal data, install
malware, or disrupt services.
• Fraudsters: Criminals engaging in online scams, identity theft, or
credit card fraud.
2. Organized Crime Groups
Criminal organizations that use digital methods to conduct large-scale illegal
activities. These groups are well-funded and organized.
Examples:
• Ransomware Gangs: Groups that deploy ransomware to extort
money from victims.
• Dark Web Marketplaces: Organized groups operating illegal online
markets for drugs, weapons, and stolen data.
3. Automated Tools and Botnets
Networks of infected computers controlled remotely to carry out large-scale
attacks. These tools can significantly amplify the impact of digital crimes.
Examples:
• DDoS Attacks: Using a botnet to flood a target’s server with traffic,
causing it to crash.
• Spam Campaigns: Sending massive amounts of unsolicited emails
to spread malware or phishing links.
• Credential Stuffing: Using automated tools to test stolen username
and password combinations on various websites to gain
unauthorized access.

Digital Evidence

Digital evidence refers to any information or data that is stored or transmitted in a

digital form and can be used in a court of law to proof a digital crime. This
evidence is crucial in investigating and prosecuting digital crimes. Digital evidence
can be found on various devices such as computers, smartphones, tablets, and other
electronic devices.

Types of Digital Evidence

Digital evidence comes in various forms, depending on the source and nature of
the information.
1. Computer Files
Digital documents, spreadsheets, presentations, images, videos, and other file types
stored on a computer or digital storage device.
2. Emails
Electronic messages exchanged between individuals or groups, often stored on
email servers or local email clients.
3. Internet Browsing History
Records of websites visited, searches made, and online activities conducted by a
user.
4 System Logs
Automated records of events and activities that occur within a computer system or
network.
5. Network Traffic Data
Information about data packets transmitted over a network, including source
and destination IP addresses, ports, and protocols.
6. Mobile Device Data
Information stored on smartphones, tablets, and other mobile devices, including
text messages, call logs, app data, and location information.
7. Social Media Data
Content posted on social media platforms, including messages, posts, images,
videos, and metadata.
8. Cloud Storage Data
Files and information stored on cloud services like Google Drive, Dropbox, and
iCloud.
9. Database Records
Information stored in databases, often accessed through database management
systems (DBMS). E.g Transaction Records, Customer Data
10. External Storage Devices
Data stored on USB drives, external hard drives, CDs, DVDs, and other portable
storage media.

Digital Evidence Preservation

It is essential to keep any digital evidence ceased safe so that it cannot be tampered
with. Preservation is the second step in the digital forensics process and focuses on
protecting digital evidence from alteration, corruption, or destruction to maintain
its integrity. The goal of evidence preservation is to ensure that digital evidence
remains intact and unchanged from the moment it is identified until it is analyzed
and presented in the court of law. There are various actions that can be taken to
preserve digital evidence.

Digital Evidence Preservation Actions

1. Isolate the Device: Prevent the device from being tampered with by
isolating it from any networks or external connections. This may involve
disconnecting it from the internet or using Faraday bags to block wireless
signals.
2. Document the Scene: Take photographs and make detailed notes about the
state of the device and its surroundings at the time of collection. This
 includes noting any running processes, open files, and connected
peripherals.
3. Use Write Blockers: When accessing storage devices like hard drives, use
write blockers to prevent any modifications to the data.
4. Create Forensic Copies: Make bit-by-bit forensic copies of the storage
media to work on using forensic software like EnCase or FTK Imager. This
preserves the original data in its unaltered state.
5. Secure Storage: Store the original evidence and forensic copies in secure,
access-controlled environments to prevent unauthorized access or
tampering.
6. Maintain Chain of Custody: Keep detailed records of everyone who
handles the evidence, including the date, time, and purpose of each transfer,
to ensure accountability and traceability.

Chain of Custody of Digital Evidence

Definition and Importance
Definition: The chain of custody is a chronological documentation that records the
sequence of custody, control, transfer, analysis, and disposition of digital evidence.
Importance:
• Integrity: Ensures that the evidence remains unchanged from the
time it was collected to its presentation in court.
• Admissibility: Proper documentation and handling are required for
evidence to be accepted in court.
• Accountability: Tracks who has handled the evidence and when,
providing transparency and accountability.
The chain of custody process are intrinsically tied to the digital forensics process.
Each step in the digital forensics process must be meticulously documented and
handled to ensure that the evidence's integrity and authenticity are maintained.
Digital Chain of Custody Action Example
Forensics
Process

Identification 1. Document the initial Logging the discovery

discovery of the of a suspect's
evidence. smartphone and
2. Record details such as taking initial
the type of device, photographs.
location, and condition
when found.

Preservation 1. Ensure that the Noting in the chain of

evidence is protected custody log that a
from alteration or computer was placed
damage. in a Faraday bag to
2. Document any steps prevent remote
taken to preserve the access.
evidence, such as
isolating devices or
using write blockers.

Collection 1. Create detailed records Filling out a collection

of the evidence form and tagging a
collection process. USB drive with a
2. Use evidence collection unique ID number.
forms to capture
specifics about how and
when the evidence was
collected.
3. Label evidence with
unique identifiers.

Examination 1. Document the methods Logging the use of

and tools used during forensic software to
the examination of the analyze a hard drive
evidence. and noting the
2. Record who performed analyst's name and
the examination and the date of analysis.
when.

Interpretation 1. Record the conclusions Writing a summary

drawn from the report that ties the
analysis. evidence to specific
2. Maintain documentation actions or suspects.
of the reasoning and
evidence supporting
these conclusions.

Documentation 1. Compile all records, Assembling a

forms, logs, and notes comprehensive case
related to the handling file that includes all
and analysis of the chain of custody logs,
evidence. analysis reports, and
2. Ensure that all supporting
documentation is documentation.
thorough and up-to-
date.

Presentation 1. Prepare the evidence Organizing evidence

and documentation for for trial and preparing
presentation in court. to testify about the
2. Ensure that the chain of handling and analysis
 custody is clear and processes.
complete to support the
evidence’s admissibility

In conclusion, understanding the elements of digital crime is essential for

effectively preventing, detecting, and responding to threats from digital crime
activities. Digital crime can stem from both internal and external sources, each
posing unique challenges to organizations. Understanding digital evidence and the
processes involved in handling, preserving, and presenting it is crucial for digital
forensics professionals. The chain of custody ensures that each step, from
identification to presentation, is properly documented and managed, maintaining
the integrity and authenticity of the digital evidence.

Digital Forensics Tools

Digital forensics tools are essential for investigating and analyzing digital
evidence. They can be classified based on their functionalities, nature of their
availability and they can be either hardware or software tool.

Functions of Digital Forensics Tools

1. Data Acquisition
2. Validation and Verification
3. Extraction
4. Reconstruction
5. Reporting

Function Definition Purpose

- Preservation: Create a
Capturing and preserving digital
copy of the data that
evidence from various sources
Data Acquisition reflects the original state.
to maintain the integrity of the
- Integrity: Ensure
original data.
evidence is not altered.
- Validation: Confirm tools
Ensuring that the evidence and methods are effective.
Validation and
collected is accurate, complete, - Verification: Ensure data
Verification
and has not been altered. integrity by comparing
cryptographic hashes.
- Focused Retrieval:
Extract relevant
Retrieving specific data or
information from large
Extraction evidence from acquired digital
datasets.
media or devices.
- Data Recovery: Retrieve
data from damaged media.
- Event Reconstruction:
Piecing together fragmented or
Understand the sequence
incomplete data to create a
Reconstruction of events.
coherent view of events or
- Evidence Correlation:
activities.
Link different pieces of
Function Definition Purpose
evidence.
- Documentation: Provide
a record of the
Creating detailed
investigative process.
documentation of findings from
Reporting - Presentation: Present
the digital forensic
evidence in a format
investigation.
suitable for legal
proceedings.

This table provides a clear and organized overview of each function, its purpose,
and examples of tools used for that function.

Types of Digital Forensics Tools

It is important for an investigator to have the right set of tools for conducting a
digital forensic investigation. The forensics specialist is also responsible for
deciding the tool appropriate for the case. The tools to be used depends on the
entity to act on (hardware and software), availability and licensing, and
functionality of the tool.

Based on Availability and Licensing

Category Description Examples

Commercial tools developed and sold by EnCase, FTK
Proprietary
companies. Often well-supported with (Forensic Toolkit),
Tools
updates and customer service. Cellebrite UFED
Free tools with publicly available source Autopsy, The
Open Source
code. Often developed by the community Sleuth Kit (TSK),
Tools
and can be modified by users. Volatility
Free tools that are not open source but
Freeware Recuva,
available at no cost. Often limited in features
Tools Wireshark
compared to proprietary tools.
Data Rescue,
Shareware Tools that require payment after a trial
Paraben’s Device
Tools period or offer limited functionality for free.
Seizure
Custom tools developed by forensic experts
Custom scripts,
Self-Created for specific investigations. They are typically
Python-based
Tools designed to address unique challenges or
analysis tools
niche requirements.

Based on Functionality
Type of
Digital
Functionality Examples
Forensics
Tool
Create exact copies (bit-by-bit) of storage
Disk Imaging FTK Imager, dd, X1
devices to preserve original data for
Tools Social Discovery
analysis, ensuring data integrity.
Type of
Digital
Functionality Examples
Forensics
Tool
Recover deleted, lost, or corrupted files
File Recovery Recuva, R-Studio,
from storage media, often bypassing file
Tools PhotoRec
system structures to locate hidden data.
Capture and analyze network traffic to
Network Wireshark,
identify suspicious activities or security
Forensics NetworkMiner,
breaches, and reconstruct sessions from
Tools tcpdump
network packets.
Mobile Extract and analyze data from mobile
Cellebrite UFED,
Device devices, including call logs, messages, app
Oxygen Forensic
Forensics data, and GPS information, often
Suite, XRY
Tools bypassing security features.
Analyze the contents of a computer’s
Memory
RAM to uncover running processes, open
Forensics Volatility, Rekall
network connections, and detect malware
Tools
residing in memory.
Extract and analyze data from the
Registry
Windows Registry to uncover system and RegRipper, Registry
Analysis
user activities, such as installed software Recon
Tools
and recently accessed files.
Collect and analyze log data from various
Log Analysis sources to identify patterns, anomalies,
Splunk, LogRhythm
Tools and correlate events across different logs
for incident reconstruction.
Examine email data, including headers,
Email
bodies, attachments, and metadata, to EnCase, X1 Social
Forensics
trace the source and authenticity of Discovery
Tools
emails and identify email-related crimes.

Based on Hardware and Software

Hardware Forensics Tools

Physical devices or equipment used in digital forensics to handle and analyze
digital evidence. These tools are tangible and typically involve direct interaction
with the hardware components of digital systems.
Software Forensics Tools
Programs or applications used for analyzing digital evidence. These tools are
intangible and run on computer systems to perform various forensic tasks.

Software Purpose (Software Hardware Purpose

Tools Tools) Tools (Hardware Tools)
Data Acquisition, Tableau Data Acquisition,
FTK Imager Validation, and Forensic Validation, and
Verification Bridge Verification
Autopsy Data Acquisition, Cellebrite Data Acquisition,
Software Purpose (Software Hardware Purpose
Tools Tools) Tools (Hardware Tools)
Extraction, Reporting UFED Touch Extraction,
Reporting
Data Acquisition,
Data Acquisition, Logicube
EnCase Validation, and
Extraction, Reporting Falcon
Verification
CRU Data Acquisition,
Data Extraction,
Volatility WiebeTech Validation, and
Reconstruction
Ditto Verification
Data Acquisition,
The Sleuth Data Acquisition, Atola Insight
Validation, and
Kit (TSK) Extraction Forensic
Verification
Data Acquisition, Data Acquisition,
Forensic
Wireshark Validation, and Validation, and
Duplicator
Verification Verification
Digital Data Acquisition,
Cellebrite Data Acquisition,
Intelligence Extraction,
UFED Extraction, Reporting
FRED Reporting
Data Recovery, Paraben’s Data Acquisition,
Recuva
Extraction Device Seizure Extraction
X1 Social Data Acquisition,
Discovery Extraction, Reporting
Data Recovery,
R-Studio
Extraction
Oxygen
Data Acquisition,
Forensic
Extraction
Suite
Data Extraction,
RegRipper
Reconstruction
Data Extraction,
Splunk
Reporting

Forensics Tool Validation

One of the main non-profit organizations that helps in this regard is the National
Institute of Standards and Technology (NIST). This institute is charged with the
responsibility of publishing articles, suggesting tools, and creating reports, and
procedures utilizing the ISO (International Organisation for Standadisation) 17025
criteria for testing and validating forensics software.

For the successful validation of digital forensics tools, investigators must achieve
the following:
1. Classify the available digital forensics software in groups e.g Nework
forensics tool or Memory forensic tool
2. Identify the main requirements and the technical features of each group
3. Create several tests to validate the tool.
4. Identify a number of cases that can be used to test the forensic tool.
 5. Specify how to test the validation method- Combine the test results into a
report

To achieve consistency during the validation process, investigators must keep the
OS and the digital forensics tools up to date by

1. Installing all new system update releases and patches

2. Keeping the OS in a healthy condition all the time
3. Checking the tools’ Website for new updated versions or patches.

Digital Evidence Validation

Validating digital evidence is critical in digital forensics to ensure that the data
being analyzed has not been tampered with and is identical to the original. There
are several methods for validating digital evidence, each with its own strengths and
weaknesses. Below are the primary methods:
1. Forensic Hashing
Forensic hashing involves generating a unique hash value (a fixed-size string or
number) for a piece of data using a cryptographic hash function (e.g., MD5, SHA-
1, SHA-256). This hash value acts as a digital fingerprint for the data.
Advantages:
o Integrity Verification: If the hash value of the original evidence
matches the hash value of the copy, it confirms that the evidence
has not been altered.
o Speed and Efficiency: Hash functions can process large amounts of
data quickly and produce a unique hash value, making it a fast and
efficient method.
o Widely Accepted: Hashing is a standard method widely accepted in
courts for validating digital evidence.
Weaknesses:
o Collision Vulnerability: Some hash functions (e.g., MD5, SHA-1)
are susceptible to collision attacks, where two different inputs
produce the same hash value. This can compromise the reliability of
the validation.
o No Context: Hash values do not provide context or content of the
data; they only validate the integrity of the data.
2. Checksum Validation
A checksum is a simpler form of data validation that involves summing the values
of data blocks. Checksums are often used to detect errors in data transmission.
Advantages:
o Simplicity: Checksum algorithms are straightforward and require
minimal computational resources.
o Error Detection: Useful for detecting accidental errors during data
transfer or storage.
Weaknesses:
o Not Cryptographically Secure: Checksums are not designed to be
secure against intentional modification; they can be easily
manipulated.
 o Limited Use in Forensics: Due to their lack of security, checksums
are not typically relied upon for forensic validation in legal
contexts.
3. File System Metadata Analysis
This method involves analyzing the metadata of files, such as timestamps
(creation, modification, access), file size, and permissions, to verify that the data
has not been altered.
• Advantages:
o Contextual Information: Provides additional context about the
file’s history and usage, which can be valuable in forensic analysis.
o Built-In Feature: File systems inherently store metadata, so no
additional tools are needed for basic validation.
• Weaknesses:
o Easily Manipulated: Metadata can be altered without affecting the
content of the file, making it unreliable as a sole method of
validation.
o Partial Validation: This method validates only the metadata, not
the actual content of the file.
4. Visual Validation
This involves manually inspecting the evidence or its digital representation to
confirm its authenticity, such as comparing screenshots or examining file contents.
Advantages:
o Human Insight: Allows for the recognition of subtle details that
automated methods might miss.
o Useful for Complex Data: Especially effective for validating
evidence that includes multimedia or complex data formats.
Weaknesses:
o Subjectivity: Relies on human judgment, which can introduce bias
or errors.
o Time-Consuming: Manual inspection is labor-intensive and
impractical for large datasets.
5. Timestamp Validation
This method involves checking the timestamps associated with files and
comparing them with expected values or events. This can indicate whether the
evidence has been accessed or modified.
Advantages:
o Contextual Validation: Can help establish a timeline of events and
verify the integrity of data based on expected activity.
o Low Overhead: Requires minimal computational resources.
Weaknesses:
o Easily Altered: Timestamps can be easily modified using various
tools or system settings.
o Limited Scope: This method only validates the temporal aspect of
data, not its content.
Forensic Hashing as a Standard Approach
Forensic hashing, as mentioned earlier, is the most widely used method for
validating digital evidence due to its ability to produce a unique and reproducible
digital fingerprint of data. Here’s why it stands out:
Advantages:
o High Reliability: The cryptographic nature of hash functions
makes it extremely difficult for two different pieces of data to
produce the same hash (collision).
o Widely Recognized: Forensic hashes generated by strong
algorithms (like SHA-256) are accepted by courts and law
enforcement agencies worldwide as reliable proof of data integrity.
Weaknesses:
o Collision Risk with Older Algorithms: Older hash functions like
MD5 and SHA-1 are no longer considered secure against collision
attacks, necessitating the use of stronger algorithms.
o Limited Contextual Information: While forensic hashing is
excellent for verifying data integrity, it doesn't provide information
about the content or context of the data.
Each validation method has its place in digital forensics, depending on the nature
of the evidence and the context of the investigation. However, forensic hashing
remains the cornerstone of digital evidence validation due to its balance of
efficiency, reliability, and broad acceptance.

Digital Evidence Storage format

In digital forensics, digital evidence storage formats are crucial for preserving,
organizing, and analyzing data collected from various sources. These formats
ensure that evidence is stored securely, maintains its integrity, and can be easily
accessed for forensic analysis. Below are some common digital evidence storage
formats:
1. Raw (dd) Format
The Raw format is essentially a bit-by-bit copy of a disk or storage device. It is
often created using tools like dd in Unix/Linux environments, which copies the
entire contents of a disk, including unallocated space, slack space, and file system
metadata.
Advantages:
o Simplicity: The raw format is straightforward and does not
compress or alter the data, ensuring that it is an exact replica of the
original.
o Universal Compatibility: Raw images can be easily read by most
forensic tools.
o Full Disk Capture: Captures everything on the disk, including
deleted files and unallocated space.
Disadvantages:
o Large File Size: Because it captures everything without
compression, raw images can be very large, making storage more
challenging.
o No Metadata: Raw images do not store additional metadata (e.g.,
case details, investigator notes) alongside the data, which can be a
 limitation in managing and organizing evidence.
2. Expert Witness Format (EWF) or EnCase Evidence File (E01)
The Expert Witness Format, commonly known as E01, is a proprietary format
developed by Guidance Software (now OpenText) for use with their EnCase
forensic software. It supports compressed and segmented storage of evidence and
includes metadata.
Advantages:
o Compression: E01 files can be compressed, which reduces the
storage space needed for evidence.
o Metadata Support: Stores additional metadata such as case
information, notes, checksums, and investigator details within the
evidence file.
o Error Detection: Includes built-in error detection and correction,
which helps ensure the integrity of the data.
o Widespread Use: Supported by many forensic tools, making it a
widely accepted format in the forensic community.
Disadvantages:
o Proprietary Format: As a proprietary format, it may require
specific software (like EnCase) for full compatibility and access to
all features.
o Complexity: The additional features and metadata can make the
format more complex and slower to process compared to raw
formats.
3. Advanced Forensic Format (AFF)
The Advanced Forensic Format is an open-source format developed by Basis
Technology. AFF was designed to be a flexible and extensible format that supports
both compressed and uncompressed storage of forensic images, along with
metadata.
Advantages:
o Open Source: As an open format, AFF is free to use and can be
supported by a wide range of forensic tools.
o Compression and Encryption: Supports both compression to save
space and encryption to protect the data.
o Extensible Metadata: Allows for the storage of extensive metadata
within the image file, including case information, investigator notes,
and hash values.
o Error Checking: Includes mechanisms for verifying the integrity
of the stored data.
Disadvantages:
o Less Widespread: Although gaining traction, AFF is not as
universally supported as raw or E01 formats.
o Potential Compatibility Issues: Some forensic tools may not fully
support AFF, requiring conversion or additional software.
4. Proprietary Formats (e.g., L01, AD1)
Several forensic tools have their proprietary evidence formats. For example, the
L01 format is used by FTK Imager (Forensic Toolkit), and the AD1 format is used
by Access Data tools.
 Advantages:
o Tool Integration: These formats are tightly integrated with the
forensic tools that created them, offering seamless functionality and
additional features like indexing, compression, and encryption.
o Metadata Support: Similar to E01, proprietary formats often
include detailed metadata, which helps manage and organize
forensic evidence.
Disadvantages:
o Proprietary Nature: These formats are often restricted to the
software that created them, limiting flexibility and requiring
specific tools for access.
o Limited Compatibility: Not all forensic tools support every
proprietary format, which can complicate evidence sharing and
collaboration.
5. Apple Disk Image Format (DMG)
DMG is a disk image format used by macOS to store compressed software
installers and disk images. It is sometimes used in Mac-related forensic
investigations.
Advantages:
o Native Support: DMG is natively supported on macOS, making it
a convenient format for storing and analyzing evidence from Apple
devices.
o Compression and Encryption: DMG supports compression and
encryption, which can be useful for securing and reducing the size
of evidence files.
Disadvantages:
o Platform-Specific: DMG is primarily used in Mac environments,
which can limit its utility in cross-platform forensic investigations.
o Compatibility: Non-Apple forensic tools may have limited support
for DMG files, requiring conversion to more widely accepted
formats.
6. Virtual Machine Disk Format (VMDK, VHD)
VMDK (used by VMware) and VHD (used by Microsoft Hyper-V) are formats for
storing virtual machine disk images. These formats are sometimes encountered in
forensic investigations involving virtual environments.
Advantages:
o Direct Analysis: Forensic investigators can mount and analyze
VMDK or VHD files directly within a virtual environment, making
it easier to recreate and examine the state of a system.
o Metadata: These formats store data in a way that can include
metadata about the virtual machine's state and configuration.
Disadvantages:
o Size: Virtual disk images can be very large, which can make storage
and analysis challenging.
o Complexity: Analyzing virtual environments can be more complex
than traditional physical disks, requiring specialized tools and
expertise.
Summary
The choice of digital evidence storage format depends on the specific requirements
of the forensic investigation, including the need for compression, encryption,
metadata support, and tool compatibility. While raw and E01 formats are widely
used due to their simplicity and reliability, advanced formats like AFF offer
additional features that can be valuable in complex cases. Understanding the
strengths and weaknesses of each format is crucial for forensic professionals to
ensure the integrity and accessibility of digital evidence throughout the
investigation process.

Digital Evidence Acquisition method

These four methods are crucial in digital forensics for ensuring that data is
accurately acquired while maintaining its integrity. Here's a brief overview of each
method:
1. Disk-to-Image File:
o Description: This method involves creating an exact, bit-by-bit
copy of a disk in the form of an image file. This image file can be
stored and later analyzed without altering the original disk.
o Advantages: It preserves the entire content, including deleted files
and unallocated space, ensuring all potential evidence is captured.
o Use Case: Commonly used when the original disk needs to be
preserved as evidence, or when analysis might alter the data.
2. Disk-to-Disk Copy:
o Description: This method copies all data from one disk directly to
another disk. It is also a bit-by-bit copy but does not create an
intermediary image file.
o Advantages: Useful for making a quick and direct copy of a disk,
especially when time or resources are limited.
o Use Case: Typically used when a fast, direct copy is needed, such
as when transferring data from an old disk to a new one.
3. Logical Disk-to-Disk:
o Description: This method involves copying only the active files
and directories from one disk to another, without capturing the
deleted files or unallocated space.
o Advantages: Faster and requires less storage space compared to a
full disk copy since only the logical structure is copied.
o Use Case: Often used when the focus is on the current file system
and the contents within it, rather than recovering deleted data or
investigating unallocated space.
4. Sparse Copy of a Folder or File:
o Description: This method involves copying only the specific
folders or files of interest, rather than the entire disk or partition.
o Advantages: Highly efficient in terms of time and storage, as only
the relevant data is copied.
o Use Case: Suitable when the investigation is focused on particular
 files or directories, such as when analyzing specific documents
related to a case.
Each method serves different purposes, depending on the requirements of the
investigation and the nature of the data being acquired.

Digital Forensics on Windows Operating System (OS)

Windows OS' two primary file systems, File Allocation Table (FAT) and New
Technology File System (NTFS), play significant roles in digital forensics.
Understanding their structures and characteristics is crucial for extracting and
analyzing forensic evidence.
1. File Allocation Table (FAT)
FAT is an older file system originally designed for small disks and simple folder
structures. Variants include FAT12, FAT16, and FAT32, with FAT32 being the
most common in modern usage.
Structure:
a) File Allocation Table: FAT stores data about where files are located
on the disk and which parts of the disk are free or in use. It
maintains a table that maps each file to its corresponding clusters.
b) Directory Structure: FAT uses a simple directory structure, which
records file names, sizes, attributes, and timestamps.
Forensic Relevance:
a) Simplicity: Due to its simplicity, FAT is easier to analyze but
provides fewer features than NTFS, such as security attributes or
journaling.
b) File Recovery: Deleted files in FAT systems can often be recovered
because the system only marks the space as available without
erasing the actual data. Tools can scan the disk for remnants of
deleted files.
c) Metadata: FAT stores limited metadata, primarily timestamps
(created, modified, accessed). This simplicity can make certain
types of forensic analysis more straightforward, though less
comprehensive.
d) Application: FAT is often found on removable media like USB
drives and memory cards, which are commonly analyzed in forensic
investigations.
2. New Technology File System (NTFS)
NTFS is a more advanced and modern file system developed by Microsoft to
replace FAT. It is the default file system for Windows operating systems starting
from Windows NT onwards.
Structure:
a) Master File Table (MFT): NTFS uses an MFT, which contains
records for every file and directory on the disk. Each MFT record
stores detailed information about the file, including its attributes,
security settings, and pointers to the file's data blocks.
b) Metadata and Attributes: NTFS supports extensive metadata,
including permissions (via Access Control Lists, or ACLs),
 encryption (via Encrypting File System, or EFS), and compression.
It also records detailed timestamps, including creation,
modification, and last access times.
Forensic Relevance:
a) Data Integrity and Recovery: NTFS's use of journaling (via the
USN Update Sequence Number Journal) improves data integrity,
as it tracks changes to files, which helps in understanding the
sequence of events on the system. However, it also means that when
a file is deleted, NTFS typically removes its MFT entry, making
recovery more complex than in FAT.
b) File System Metadata: NTFS stores a significant amount of
metadata, which can provide forensic investigators with detailed
insights into file activity, including user access patterns, file history,
and the sequence of operations performed on files.
c) Alternate Data Streams (ADS): NTFS allows files to have multiple
data streams, known as Alternate Data Streams. This feature can be
used to hide data within files, making it important for forensic
investigators to be aware of and capable of detecting ADS.
d) Encrypted and Compressed Files: NTFS supports encryption and
compression natively, adding layers of complexity to forensic
analysis, as these features may need to be bypassed or decoded to
access the actual data.
e) Application: NTFS is commonly used on internal drives in modern
Windows systems, making it a central focus in forensic
examinations involving PCs, laptops, and servers.
Comparison and Forensic Implications
a) FAT is easier to understand and analyze, but it lacks many of the advanced
features that NTFS offers. This simplicity can be beneficial in certain
situations, such as analyzing removable media.
b) NTFS, with its advanced features, offers more robust forensic evidence but
also presents greater challenges due to its complexity. Understanding
NTFS is essential for forensic investigators working on modern Windows
systems, as it holds more detailed information about the system's usage and
user activities.
In digital forensics, the choice of tools and techniques often depends on the file
system in use. Investigators must be familiar with both FAT and NTFS to
effectively extract, analyze, and interpret evidence in Windows environments.