FORGE Course

Digital Forensics

Digital Forensics AEGIS LTD 02/11/2017 English

Digital Forensics Theory

Introduction to Digital Forensics

Digital Forensics: the term 

Generally, the definition of digital forensics is “…the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.” Following this definition, digital forensics has been in the popular mainstream for some time, and has matured into an information-technology capability that is very common among modern information security programs. The goal of digital forensics is to support the elements of troubleshooting, monitoring, recovery, and the protection of sensitive data. Moreover, in the event of a crime being committed, cyber forensics is also the approach to collecting, analyzing, and archiving data as evidence in a court of law.

Investigations before the digital era and the current status

In the past, forensic analysis consisted of the following steps:

  • law enforcement gets a search warrant
  • confiscates all documents, records, tapes etc.
  • examines them
  • builds a case based on the findings
    • evidence is presented in court
    • both sides may question its authenticity and validity
    • experts are called to help
      • e.g. handwriting experts

According to NIST, over the last decade the number of crimes that involve digital evidence has grown, spurring an increase in companies and products that aim to assist law enforcement in using computer-based evidence to determine the who, what, where, when, and how for crimes. As a result, Digital Forensics (cyber forensics) has evolved to assure proper presentation of computer crime evidentiary data in court. Compounded by a wide variety of proprietary technologies and protocols, as well as critical system technologies with no capability to store significant amounts of event information, the task of creating a ubiquitous and unified strategy for technical digital forensics is far from trivial. To date, no direction regarding digital forensics has been produced other than what might be privately available from commercial vendors. Current materials have been designed to support event recreation (event-based), and although important, these requirements do not always satisfy the needs associated with incident response or forensics that are driven by cyber incidents.

To make a long story short, the current situation in the digital forensics domain is the following:

  • still a lot of physical evidence
    • even digital info gets printed
  • BUT, a lot is stored in digital format
  • Issues
    • need to examine the data
      • what if it's hidden?
    • need to convince the court that the evidence is real
      • did we fake it outright?
      • did we accidentally modify something (e.g. access dates)?
      • need to maintain the chain of custody

Digital Forensics: the basics


Electronic record: Any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.

Computer Forensics: The scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

Chain of custody: Evidence is accounted for at all times.

  • Passage of evidence from one party to another is fully documented.
  • Passage of evidence from one location to another is fully documented.

The critical note: Requests for forensic data (inputs for the forensics investigation) should be considered something like a shopping list. Thus, the focus will be on the definition of the format (structure) of the supplied information rather than the tools that are used to collect the info.
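As an added example (not part of the course notes), the Python sketch below shows one way to keep a chain-of-custody log tamper-evident: every hand-off records the two parties, the location, the time and the SHA-256 of the evidence item, and each record is hash-chained to the previous one. Editing an earlier record, or any change to the evidence itself (the "accidental modification" problem above), then shows up when the log is verified. The item id, party names and timestamps are constructed; `append_transfer` and `verify_log` are hypothetical helper names.

```python
"""Tamper-evident chain-of-custody log (added example, not course material)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first record


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def new_entry(prev_hash: str, item_id: str, from_party: str, to_party: str,
              location: str, evidence_hash: str, timestamp: str) -> dict:
    """Build one custody record; entry_hash binds it to all earlier records."""
    body = {
        "prev_hash": prev_hash,
        "item_id": item_id,
        "from": from_party,
        "to": to_party,
        "location": location,
        "evidence_sha256": evidence_hash,
        "timestamp": timestamp,
    }
    body["entry_hash"] = sha256_bytes(_canonical(body))
    return body


def append_transfer(log: list, item_id: str, from_party: str, to_party: str,
                    location: str, evidence: bytes, timestamp: str = None) -> dict:
    """Record a hand-off, re-hashing the evidence at the moment of transfer."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat()
    entry = new_entry(prev_hash, item_id, from_party, to_party, location,
                      sha256_bytes(evidence), timestamp)
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> tuple:
    """Check chain links, record integrity, and that the evidence never changed."""
    expected_prev = GENESIS
    current_hash = sha256_bytes(evidence)
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return False, f"entry {i}: broken chain link"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_bytes(_canonical(body)) != entry["entry_hash"]:
            return False, f"entry {i}: record altered after the fact"
        if entry["evidence_sha256"] != current_hash:
            return False, f"entry {i}: evidence hash differs from the item held now"
        expected_prev = entry["entry_hash"]
    return True, "ok"


def demo() -> tuple:
    """Constructed scenario: two hand-offs, then a forged record and a modified item."""
    evidence = b"constructed stand-in for an acquired disk image"
    log = []
    append_transfer(log, "ITEM-001", "scene officer", "evidence locker",
                    "Station A", evidence, "2017-11-02T09:00:00+00:00")
    append_transfer(log, "ITEM-001", "evidence locker", "examiner",
                    "Lab B", evidence, "2017-11-03T10:30:00+00:00")
    ok_clean, _ = verify_log(log, evidence)

    forged = json.loads(json.dumps(log))      # deep copy, then edit record 0
    forged[0]["to"] = "someone else"
    ok_forged, _ = verify_log(forged, evidence)

    ok_modified, _ = verify_log(log, evidence + b"\x00")  # item changed in storage
    return ok_clean, ok_forged, ok_modified


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The evidence hash is recomputed at every hand-off rather than copied forward, so a change to the item between two transfers is caught at the next record, not only at final verification.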

Properties of digital evidence

Digital evidence is:

  • any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. (Casey, Eoghan. Digital Evidence and Computer Crime, p12).

  • extremely fragile, similar to a fingerprint.

  • “latent”, which means it cannot be seen in its natural state, much like DNA. Any actions that can alter, damage or destroy digital evidence will be scrutinized by the courts.

  • often constantly changing and can be very time sensitive.

  • data that can transcend borders with ease and speed.

Types of investigation and incidents

There are three types of digital investigation:

  • Internal: no search warrant or subpoena needed, quickest investigation

    • Corporate investigation that involves an IT administrator reviewing documents that they should not be viewing.

  • Civil: other side may own the data, may need subpoena

    • One party sues another over ownership of intellectual property, must acquire and authenticate digital evidence so it can be submitted in court.

  • Criminal: highest stakes, accuracy and documentation must be of highest quality, slowest moving

    • Child porn investigation that involves possession and distribution of contraband.

The most well-known types of incidents a forensics process can be utilized for are the following:

  • Malicious code
  • Unauthorized Access
  • DoS (denial of service)
  • Misuse of resources
  • Espionage
  • Hoaxes

The Digital Forensics methodology

According to NIST, the digital forensics process consists of four phases:

  • Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.
  • Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
  • Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
  • Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

Figure 1. Digital Forensics Methodology.

Data Acquisition


Data acquisition is distinguished between “Live system analysis” and “Dead analysis”. Dead analysis is the more common way to acquire data and one of the most important processes during a forensic investigation. For both approaches the critical aspect is how the data are collected: it must be done in a way that does not reduce the evidential value of the data. During data acquisition an exact (typically bitwise) copy of the storage media is created.

Dead versus Live acquisition

  • A dead acquisition copies the data without the assistance of the suspect’s (operating) system.
  • A live acquisition copies the data using the suspect’s (operating) system.
    • Risk: during the data acquisition an attacker can modify data, or software can produce tampered data, so the image has no evidentiary value.
  • If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
    • Take care not to mount drives or modify data.
    • Consider: a suspect may have modified the hardware so that it returns tampered data.

Reading the source data

Two methods to access data on a storage medium:

  • Direct access of software to the hard disc controller:
    • The OS or acquisition software accesses the controller.
    • The controller communicates with the disc.
    • The software must be able to address the controller and issue commands to it (e.g. read commands).
  • BIOS access:
    • The OS or acquisition software accesses the hard disc through the Basic Input/Output System (BIOS) hard disc services.
    • Interrupt 0x13 (INT 13h functions): a category of functions to read, write, ... to the hard disc:
      • Original INT 13h addresses via CHS: max. 8 GiB.
      • Extended INT 13h addresses via 64-bit LBA: max. 2 TiB.

Error Handling

An acquisition tool must be able to handle read errors.

  • Sample error sources:
    • Physical problem where the storage drive no longer works
    • A limited number of HDD blocks are damaged
  • General behavior to handle errors:
    • Log the addresses of the damaged sectors
    • Write zeros in place of unreadable data
      • so that all further data stays at the correct location (offset) in the image

Figure 2. General error handling of acquisition tools.
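The error-handling behaviour just described (log the damaged sector addresses, write zeros in their place, keep every later sector at its correct offset) together with the bitwise copy from the Data Acquisition section, as an added Python example that is not part of the course material. `FlakyDevice` is a constructed in-memory stand-in for a drive whose controller reports read errors on chosen sectors; `acquire` and `verify_image` are hypothetical names. The image is hashed while it is written so it can be re-verified later, which is what makes the copy usable as evidence.

```python
"""Sector-wise acquisition with read-error handling (added example, not course code)."""
import hashlib
import io

SECTOR_SIZE = 512


class FlakyDevice:
    """Constructed stand-in for a disc: read_sector() raises OSError for bad sectors."""

    def __init__(self, data: bytes, bad_sectors: set):
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def size(self) -> int:
        return len(self._data)

    def read_sector(self, lba: int) -> bytes:
        if lba in self._bad:
            raise OSError(f"I/O error reading sector {lba}")
        start = lba * SECTOR_SIZE
        return self._data[start:start + SECTOR_SIZE]


def acquire(device, out) -> dict:
    """Copy every sector of `device` into `out`; zero-fill and log unreadable ones."""
    bad_sectors = []
    digest = hashlib.sha256()
    total_sectors = (device.size + SECTOR_SIZE - 1) // SECTOR_SIZE
    for lba in range(total_sectors):
        try:
            chunk = device.read_sector(lba)
        except OSError:
            bad_sectors.append(lba)                      # log the damaged address
            remaining = device.size - lba * SECTOR_SIZE   # last sector may be short
            chunk = b"\x00" * min(SECTOR_SIZE, remaining)  # zeros keep later offsets right
        out.write(chunk)
        digest.update(chunk)                             # hash exactly what was written
    return {"sectors": total_sectors, "bad_sectors": bad_sectors,
            "sha256": digest.hexdigest()}


def verify_image(device, image: bytes, report: dict) -> bool:
    """Re-hash the image, then check readable sectors match the source and
    logged-bad sectors are all zeros at the expected offsets."""
    if hashlib.sha256(image).hexdigest() != report["sha256"]:
        return False
    if len(image) != device.size:
        return False
    bad = set(report["bad_sectors"])
    for lba in range(report["sectors"]):
        start = lba * SECTOR_SIZE
        chunk = image[start:start + SECTOR_SIZE]
        if lba in bad:
            if any(chunk):
                return False
        elif chunk != device.read_sector(lba):
            return False
    return True


def demo() -> tuple:
    """Constructed 5-sector device with sectors 1 and 3 unreadable."""
    data = bytes(range(256)) * 10          # 2560 bytes = exactly 5 sectors
    device = FlakyDevice(data, bad_sectors={1, 3})
    out = io.BytesIO()                     # stands in for the image file
    report = acquire(device, out)
    image = out.getvalue()
    return report, image, verify_image(device, image, report)


if __name__ == "__main__":
    report, image, ok = demo()
    print(report["bad_sectors"], report["sha256"], ok)
```

Hashing the bytes as they are written (rather than the source) records what the image actually contains, zero-filled sectors included; the bad-sector list in the report is what lets a later examiner tell a genuinely empty sector from one the tool could not read.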

Forensics Visualization

The critical role of forensics visualization