FOUNDATIONS OF DIGITAL FORENSICS

CHAPTER 1: FOUNDATIONS OF DIGITAL FORENSICS
Bui Trung Dung, 8/01/2014


INTRODUCTION

1. CRIME AND DIGITAL EVIDENCE
2. DIGITAL EVIDENCE
3. INCREASING AWARENESS OF DIGITAL EVIDENCE
4. DIGITAL FORENSICS: PAST, PRESENT AND FUTURE
5. PRINCIPLES OF DIGITAL FORENSICS
6. CHALLENGING ASPECTS OF DIGITAL EVIDENCE
7. FOLLOWING THE CYBERTRAIL

CRIME AND DIGITAL EVIDENCE

• With the explosion of the internet, investigators need complete procedures for handling the challenges of cases in which a crime is committed over the internet.

• Types of crime committed via the internet:
• Information theft
• Illegal intrusion
• Terrorism
• Money laundering
• Illegal sharing of information

• All of these offenders use tools and techniques to avoid detection and apprehension by the police.

CRIME AND DIGITAL EVIDENCE

• The main targets of network-based attacks are the critical infrastructure of organizations such as government, finance and health care.

• Digital evidence is useful in all computer-related crime, including:
• Homicide
• Sex offenses
• Missing persons
• Child abuse
• Drug dealing
• Fraud
• Theft of personal information

CRIME AND DIGITAL EVIDENCE

• Digital evidence can make clear:
• How a crime was committed
• Investigative leads
• Whether witness statements are supported or disproved
• Likely suspects
• When events occurred
• Where victims and suspects were
• With whom they communicated
• Whether the crime was committed with intent

DIGITAL EVIDENCE

• Definition: any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as intent or alibi.

• Other definitions emphasize that digital evidence:
• Provides a link between a crime and its victim, or between a crime and its perpetrators
• Has probative value
• Can be relied on in court

DIGITAL EVIDENCE

• Sources of digital evidence are divided into 3 categories:

1: OPEN COMPUTER SYSTEMS
Include: hardware, keyboard, monitor (desktops, laptops and servers that follow common standards).
Information: contain incriminating information useful for the investigation.

2: COMMUNICATION SYSTEMS
Include: traditional telephone systems, wireless telecommunication systems, the internet, networks.
Information: contain useful details of a message that was sent (time, sender, content), plus log files from intermediate servers and routers.

3: EMBEDDED COMPUTER SYSTEMS
Include: mobile devices, smart cards…
Information: contain communication records, digital photographs, video or other personal details.

INCREASING AWARENESS OF DIGITAL EVIDENCE

• An increasing number of organizations face the necessity of collecting evidence when they encounter an incident such as illegal information theft.

DIGITAL FORENSICS: PAST, PRESENT AND FUTURE

• Qualified practitioners are needed in three areas of specialization, to reduce the risk of mishandled evidence or errors in analysis and interpretation:
• Preservation of digital evidence
• Extraction of usable information from digital evidence
• Interpretation of digital evidence to gain insight into key aspects of the offense

DIGITAL FORENSICS: PAST, PRESENT AND FUTURE

Three main remaining challenges:
• There is no agreed certification program or list of qualifications for digital forensic examiners.
• Some places treat examination of digital evidence as an investigative rather than a forensic activity.
• There is wide variability and uncertainty about the education, experience and training of those practicing this discipline.

DIGITAL FORENSICS: PAST, PRESENT AND FUTURE

Requirements for practitioners:
• Competence of individual experts for both the defense and the prosecution
• Training of experts
• 3 levels of competence in terms of electronic evidence: basic retrieval, analysis, and the interpretation of data

PRINCIPLES OF DIGITAL EVIDENCE

a) Evidence exchange
Follow the trails that offenders leave during the commission of a crime, and use them to tie perpetrators to the victims and crime scenes.

b) Evidence characteristics
• Class characteristics: common traits shared by similar items.
• Individual characteristics: more specific, unique traits that identify a particular object. They are rarer, but closer analysis can reveal them.

PRINCIPLES OF DIGITAL EVIDENCE

c) Forensic soundness
• Digital evidence must be preserved and examined in a forensically sound manner.
• The measure of forensic soundness does not require the original to be left unaltered.

PRINCIPLES OF DIGITAL EVIDENCE

d) Authentication (correctness)
• Authentication is actually a two-step process: an initial examination of the evidence to determine what should be examined, followed by closer analysis to determine its probative value.
• Authentication establishes that:
• The contents of the record have remained unchanged
• The information in the record does originate from its purported source
• The apparent date of the record is accurate

PRINCIPLES OF DIGITAL EVIDENCE

e) Chain of custody
• Wikipedia: "The documentation showing the full process of requisition, transfer, handling, and disposition of physical or electronic evidence"
• Its purpose is to demonstrate that digital evidence has not been altered since it was collected.

PRINCIPLES OF DIGITAL EVIDENCE

f) Evidence integrity
• Showing that evidence has not been altered from the time it was collected supports the authentication process.
• NOTICE: this requires a basic understanding of message digests and cryptographic hash values.

g) Objectivity
• Let the evidence speak for itself as much as possible.

h) Repeatability
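The principles e), f) and h) above are usually applied together: the examiner hashes the acquired item, records the digest in a dated custody log at every hand-over, and anyone can later recompute the digest to confirm nothing changed. The following Python is an added worked example of that workflow; it is not code from the slides or from their author. The item identifier, custodian names and the evidence bytes are all constructed for illustration, and MD5 is recorded only because older reports list it, while SHA-256 is the value a verifier should rely on.

```python
"""Evidence integrity and chain of custody with cryptographic hashes (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Digests to record for each item. MD5 is kept for comparison with older
# reports; SHA-256 is the collision-resistant value a verifier should trust.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # hash 1 MiB at a time so a large disk image need not fit in memory


def hash_evidence(source) -> dict:
    """Return {algorithm: hex digest} for a bytes object or a binary file object."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    if isinstance(source, (bytes, bytearray)):
        chunks = (source[i:i + CHUNK] for i in range(0, len(source), CHUNK))
    else:
        chunks = iter(lambda: source.read(CHUNK), b"")
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601
    custodian: str   # who held the item at this step
    action: str      # acquisition, transfer, examination, ...
    hashes: dict     # digests computed at this step


@dataclass
class ChainOfCustody:
    item_id: str
    entries: list = field(default_factory=list)

    def record(self, custodian: str, action: str, source) -> CustodyEntry:
        """Hash the item and append a dated entry. Hashing at every step shows
        not only whether the item changed but at which hand-over it happened."""
        entry = CustodyEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            custodian=custodian,
            action=action,
            hashes=hash_evidence(source),
        )
        self.entries.append(entry)
        return entry

    def verify(self, source) -> bool:
        """True if the item still matches the digests taken at acquisition (entry 0)."""
        if not self.entries:
            return False  # nothing was ever recorded, so integrity cannot be shown
        return hash_evidence(source) == self.entries[0].hashes

    def to_json(self) -> str:
        """Serialize the log so it can be filed alongside the evidence."""
        return json.dumps(
            {"item_id": self.item_id, "entries": [asdict(e) for e in self.entries]},
            indent=2,
        )


if __name__ == "__main__":
    # Constructed stand-in for an acquired disk image (hypothetical item id).
    image = b"constructed evidence image contents " * 1000
    log = ChainOfCustody(item_id="ITEM-0001")
    log.record("Examiner A", "acquisition", image)
    log.record("Evidence clerk", "transfer to storage", image)
    print(log.to_json())
    print("unaltered copy verifies:", log.verify(image))            # True
    tampered = image[:-1] + b"X"                                      # one byte changed
    print("altered copy verifies:", log.verify(tampered))           # False
```

Repeatability here means that any party, running the same `hash_evidence` over the same image, obtains the same digests as the acquisition entry; a mismatch at a later entry localizes the change to the custodian who held the item between the two records.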

CHALLENGING ASPECTS OF DIGITAL EVIDENCE

• Like physical evidence, digital evidence creates several challenges for analysts:
• It is messy, so it is difficult to handle
• It is an abstraction
• Digital evidence is usually circumstantial
• Digital evidence can be manipulated or destroyed

CHALLENGING ASPECTS OF DIGITAL EVIDENCE

Evidence dynamics and the introduction of error
• Evidence dynamics (change): any influence that changes, relocates, obscures, or obliterates evidence.
• Some examples of evidence dynamics:
• Installing software on the original evidential computer in an attempt to recover deleted files.
• Installing a pirated version of a forensic tool that then altered and overwrote data on the evidential computer.
• Evidence dynamics create investigative and legal challenges.

FOLLOWING THE CYBERTRAIL

• Crime on the internet is sometimes tied to a crime in the physical world.
• Causes:
• Cybercrime reflects a crime in the physical world
• Criminals feel safe on the internet
• A crime in the physical world may be related to digital evidence on the internet

THANKS FOR WATCHING
Bui Trung Dung