Chapter 2 Intro To Digital Forensics


• Digital forensics is the science of identifying, recovering and analysing evidence from digital media such as a computer, mobile phone, server, or network.

• It provides the forensic team with established techniques and tools for solving complicated digital cases.
After 40 years of history, digital forensics is heading towards a crisis

Early years (1970s-1990s):
• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training

"Golden years" (1990s-2000s):
• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)

Era of crisis (2010s-...):
• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the "cloud" for remote processing and storage, splitting a single data structure into elements
History of Digital forensics

Here, are important landmarks from the history of Digital Forensics:

•Hans Gross (1847 -1915): First use of scientific study to head criminal investigations

•FBI (1932): Set up a lab to offer forensics services to all field agents and other law authorities across the USA.

•In 1978 the first computer crime was recognized in the Florida Computer Crime Act.

•Francis Galton (1822 – 1911): Conducted the first recorded study of fingerprints

•In 1992, the term Computer Forensics was used in academic literature.

•1995 International Organization on Computer Evidence (IOCE) was formed.

•In 2000, the First FBI Regional Computer Forensic Laboratory established.

•In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book on digital forensics,
“Best Practices for Computer Forensics”.

•In 2010, Simson Garfinkel identified issues facing digital investigations.


Objectives of computer forensics

Essential objectives of using Computer forensics:

•To recover, analyze, and preserve computers and related material in a manner that allows the investigating
agency to present them as evidence in a court of law.

•To help establish the motive behind the crime and the identity of the main culprit.

•To design procedures at a suspected crime scene that ensure the digital evidence obtained is not corrupted.

•Data acquisition and duplication: recovering deleted files and deleted partitions from digital media to extract the
evidence and validate it.

•To identify the evidence quickly, and to estimate the potential impact of the malicious activity on the victim.

•To produce a computer forensic report that documents the complete investigation process.

•To preserve the evidence by following the chain of custody.


Process of Digital forensics

• Identification
• Preservation
• Analysis
• Documentation
• Presentation
Identification
It is the first step in the forensic process. The identification process mainly includes things like what evidence is
present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.

Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device
so that digital evidence is not tampered with.
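Preservation is more than locking the device in a cabinet: the examiner must be able to show, later, that the image analysed is bit-for-bit the image acquired. The following Python is an added example, not code from the original slides: it hashes an acquired image in chunks (so a multi-terabyte image never has to fit in memory), verifies a copy against the recorded digests, and keeps a chain-of-custody log in which every entry embeds the hash of the previous one, so an edited or deleted entry is detectable. The image bytes, evidence identifier and custodian names are constructed for illustration.

```python
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces; the whole image never sits in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file-like object, read once in chunks.
    Both digests are computed in one pass: MD5 for comparison with older
    tooling and reports, SHA-256 as the authoritative value."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(data, expected):
    """True only if every recorded digest matches the image as it is now."""
    actual = hash_bytes(data, tuple(expected))
    # compare_digest is constant-time; a habit worth keeping for any authenticator.
    return all(hmac.compare_digest(actual[name], expected[name]) for name in expected)


def _entry_digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def custody_entry(evidence_id, action, custodian, hashes, previous_entry=None, when=None):
    """One chain-of-custody record linked to the previous one by its SHA-256."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "custodian": custodian,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "hashes": dict(hashes),
        "previous": _entry_digest(previous_entry) if previous_entry else None,
    }


def chain_is_intact(entries):
    """Re-derive each 'previous' link and confirm the log has not been edited."""
    return all(later["previous"] == _entry_digest(earlier)
               for earlier, later in zip(entries, entries[1:]))


def demo():
    # Constructed stand-in for a disk image; a real one comes from dd, ewfacquire, etc.
    image = bytes(range(256)) * 64
    acquired = hash_bytes(image)
    log = [custody_entry("EV-001", "acquired", "examiner A", acquired)]
    log.append(custody_entry("EV-001", "transferred to lab", "examiner B", acquired, log[-1]))

    # Flip a single bit: every digest changes and verification fails.
    tampered = bytearray(image)
    tampered[4096] ^= 0x01

    # Edit the first log entry after the fact: the second entry's link no longer matches.
    forged_log = [dict(log[0], custodian="someone else"), log[1]]

    return {
        "intact_image_verifies": verify_image(image, acquired),
        "tampered_image_verifies": verify_image(bytes(tampered), acquired),
        "chain_intact": chain_is_intact(log),
        "edited_chain_intact": chain_is_intact(forged_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digests recorded at acquisition are what the examiner writes on the evidence form; every later verification (after transport, before analysis, before presentation) recomputes them and compares. A write blocker prevents the change in the first place; the hash is what proves it did not happen.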

Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on evidence found.
However, it might take numerous iterations of examination to support a specific crime theory.

Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing
it. It Involves proper documentation of the crime scene along with photographing, sketching, and crime-scene
mapping.

Presentation
In this last step, the process of summarization and explanation of conclusions is done.
Several commercial and open source tools for digital forensics are available

Commercial: EnCase, FTK, Helix, ...
Open source: DFF, LiveView, The Sleuth Kit, ...
Types of Digital Forensics
Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted files.
Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer network traffic to collect
important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed to collect and
analyze data from wireless network traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their related metadata.
Malware Forensics:
This branch deals with the identification of malicious code (viruses, worms, etc.) and the study of its payload.
Email Forensics:
Deals with the recovery and analysis of emails, including deleted emails, calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving the data
from the raw dump.
Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call
logs, incoming and outgoing SMS/MMS, audio, video, etc.
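Both disk forensics (recovering deleted files that the file system no longer indexes) and memory forensics (carving objects out of a raw dump) rely on the same basic technique: scanning unstructured bytes for known file signatures and cutting out everything between a header and its trailer. The Python below is an added example, not code from the slides, and demonstrates a simple header/footer carver for JPEG and PNG. The "dump" is constructed in memory; it contains one PNG, one complete JPEG and one JPEG whose trailer was overwritten, so the carver has to report a truncated hit rather than silently skip it.

```python
# Signature carving over a raw byte dump: (header, trailer) per file type.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 8 * 1024 * 1024  # upper bound when no trailer is found (assumed limit)


def carve(dump, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return carved objects sorted by offset. A header with no trailer within
    max_len is still reported, flagged complete=False, because a truncated or
    partially overwritten file is itself evidence."""
    found = []
    for ftype, (header, trailer) in signatures.items():
        pos = 0
        while True:
            off = dump.find(header, pos)
            if off == -1:
                break
            end = dump.find(trailer, off + len(header), off + max_len)
            if end == -1:
                data = dump[off:off + max_len]
                found.append({"type": ftype, "offset": off, "size": len(data),
                              "complete": False, "data": data})
                pos = off + len(header)   # keep scanning after this header
            else:
                end += len(trailer)
                found.append({"type": ftype, "offset": off, "size": end - off,
                              "complete": True, "data": dump[off:end]})
                pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_dump():
    """Constructed dump (not a real image): filler bytes with embedded files."""
    filler = bytes(range(256)) * 4                       # 1024 bytes, no signatures inside
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")          # 45 bytes
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"   # 77 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"\x22" * 32       # header only; trailer overwritten
    return filler + png + filler + jpeg + filler + truncated


def summarize(results):
    return [(r["type"], r["offset"], r["size"], r["complete"]) for r in results]


if __name__ == "__main__":
    for row in summarize(carve(build_sample_dump())):
        print("type=%s offset=%d size=%d complete=%s" % row)
```

Real carvers (scalpel, foremost, PhotoRec) add per-format validation, for example walking PNG chunks and checking their CRCs, because a bare trailer search will happily join a header to the wrong trailer when files are fragmented. The offsets the carver reports are what goes in the examiner's notes: they let the finding be reproduced from the verified image.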
Challenges faced by Digital Forensics

Here are the major challenges faced by digital forensics:

•The growth in the number of PCs and in internet access

•Easy availability of hacking tools

•Lack of physical evidence, which makes prosecution difficult

•The large amount of storage, now measured in terabytes, which makes the investigation slow and difficult

•Any technological change requires an upgrade or change to the forensic solutions


Example Uses of Digital Forensics

In recent times, commercial organizations have used digital forensics in the following types of cases:

•Intellectual property theft

•Industrial espionage

•Employment disputes

•Fraud investigations

•Inappropriate use of the Internet and email in the workplace

•Forgery-related matters

•Bankruptcy investigations

•Regulatory compliance issues


Advantages of Digital forensics

•Ensures the integrity of the computer system.
•Produces evidence for the court, which can lead to the punishment of the culprit.
•Helps companies capture important information if their computer systems or networks are compromised.
•Efficiently tracks down cybercriminals from anywhere in the world.
•Helps to protect the organization’s money and valuable time.
•Allows the factual evidence to be extracted, processed, and interpreted so that the cybercriminal’s actions can be proven in court.

Disadvantages of Digital Forensics

•Digital evidence is accepted in court, but it must be proved that it has not been tampered with.
•Producing and storing electronic records is an extremely costly affair.
•Legal practitioners must have extensive computer knowledge.
•Authentic and convincing evidence must be produced.
•If the tool used for digital forensics does not meet the specified standards, the evidence can be rejected by the
court.
•Lack of technical knowledge on the part of the investigating officer might not deliver the desired result.
Summary:

•Digital Forensics is the preservation, identification, extraction, and documentation of computer evidence which can
be used in the court of law

•Process of Digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4) Documentation and, 5)
Presentation

•Different types of Digital Forensics are Disk Forensics, Network Forensics, Wireless Forensics, Database Forensics,
Malware Forensics, Email Forensics, Memory Forensics, etc.

•Digital forensic Science can be used for cases like 1) Intellectual Property theft, 2) Industrial espionage 3)
Employment disputes, 4) Fraud investigations.
What is Incident Response?
• Incident
• “an event or occurrence”
• Data breach
• Cyber attack
• Response
• “a reaction to something”
• The process one uses to handle a cyber attack or data breach

WHAT IS INCIDENT RESPONSE?

Incident response is a coordinated and structured approach to go from incident detection to resolution.
Incident response may include activities that:

• Confirm whether or not an incident occurred
• Provide rapid detection and containment
• Determine and document the scope of the incident
• Prevent a disjointed, noncohesive response
• Determine and promote facts and actual information
• Minimize disruption to business and network operations
• Minimize the damage to the compromised organization
• Restore normal operations
• Manage the public perception of the incident
• Allow for criminal or civil actions against perpetrators
• Educate senior management
• Enhance the security posture of a compromised entity against future incidents
WHAT IS A COMPUTER SECURITY INCIDENT?

We define a computer security incident as any unlawful, unauthorized, or unacceptable action that involves a
computer system or a computer network.
Such an action can include any of the following events:

■ Theft of trade secrets
■ Email spam or harassment
■ Unauthorized or unlawful intrusions into computing systems
■ Embezzlement: theft or misappropriation of funds placed in one's trust
■ Possession or dissemination of child pornography
■ Denial-of-service (DoS) attacks
■ Interference with business relations
■ Extortion

Any unlawful action when the evidence of such action may be stored on computer
media such as fraud, threats, and traditional crimes.
Phases of an Incident Response
• Includes preparation time, from even before the breach occurs
• Identifying the incident
• Cleaning up the incident and remediation
• A period to look back at the lessons learned during the incident

GOALS OF INCIDENT RESPONSE?
• Confirm whether an incident occurred
• Promotes accumulation of accurate information
• Establishes controls for proper retrieval and handling of evidence
• Protects privacy rights established by law and policy
• Minimizes disruption to business and network operations
• Allows for criminal or civil action against perpetrators
• Provides accurate reports and useful recommendations
• Provides rapid detection and containment
• Minimizes exposure and compromise of proprietary data
• Protects your organization’s reputation and assets
• Educates senior management
• Promotes rapid detection and/or prevention of such incidents in the future (via
lessons learned, policy changes, and so on)
WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?

• Incident response is a multifaceted discipline that usually requires resources from several different
operational units of an organization.
Human resources personnel, legal counsel, technical experts, security
professionals, corporate security officers, business managers, end users, help desk
workers, and other employees may find themselves involved in responding to a
computer security incident.
• Most organizations establish a team of individuals, often referred to as a Computer
Security Incident Response Team (CSIRT), to respond to any computer security
incident.
The CSIRT is a multidisciplined team with the appropriate legal, technical, and other
expertise necessary to resolve an incident
INCIDENT RESPONSE METHODOLOGY
• In our methodology, there are seven major components of incident response:
■ Pre-incident preparation: Take actions to prepare the organization and the CSIRT before an
incident occurs.
■ Detection of incidents: Identify a potential computer security incident.
■ Initial response: Perform an initial investigation, recording the basic details surrounding the
incident, assembling the incident response team, and notifying the individuals who need to know about the
incident.
■ Formulate response strategy: Based on the results of all the known facts, determine the best
response and obtain management approval. Determine what civil, criminal, administrative, or other
actions are appropriate to take, based on the conclusions drawn from the investigation.
■ Investigate the incident: Perform a thorough collection of data. Review the data collected to
determine what happened, when it happened, who did it, and how it can be prevented in the future.
■ Reporting: Accurately report information about the investigation in a manner useful to decision
makers.
■ Resolution: Employ security measures and procedural changes, record lessons learned, and develop
long-term fixes for any problems identified.
Pre-Incident Preparation
• During this phase, your organization needs to prepare both the organization itself as a whole and the
CSIRT members, prior to responding to a computer security incident.

Preparing the Organization

■ Implementing host-based security measures
■ Implementing network-based security measures
■ Training end users
■ Employing an intrusion detection system (IDS)
■ Creating strong access control
■ Performing timely vulnerability assessments
■ Ensuring backups are performed on a regular basis
Preparing the CSIRT

The organization will assemble a team of experts to handle any incidents that occur.
Preparing the CSIRT includes considering at least the following:

■ The hardware needed to investigate computer security incidents
■ The software needed to investigate computer security incidents
■ The documentation (forms and reports) needed to investigate computer
security incidents
■ The appropriate policies and operating procedures to implement your
response strategies
■ The training your staff or employees require to perform incident response
in a manner that promotes successful forensics, investigations, and
remediation
Detection of Incidents

Initially, the incident may be reported by an end user, detected by a system administrator,
identified by IDS alerts, or discovered by many other means.
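Whichever channel reports it, an incident usually first appears as a pattern in logs that someone or something has to recognise. As an added example (not from the original slides), the Python below runs one such detection over a handful of constructed sshd log lines: a burst of failed logins from one source inside a short window is a brute-force indicator, and a successful login from the same source after the burst raises the severity, because that is the point at which "potential incident" becomes "confirmed". The hostnames, addresses, threshold and window are all assumed for illustration; a real detector would read syslog or the IDS event stream.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; not taken from any real host.
SAMPLE_LOG = """\
Mar 10 09:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50217 ssh2
Mar 10 09:14:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 50219 ssh2
Mar 10 09:14:08 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 50222 ssh2
Mar 10 09:14:11 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 50225 ssh2
Mar 10 09:20:40 web1 sshd[2301]: Failed password for alice from 198.51.100.22 port 40100 ssh2
Mar 10 09:21:02 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.22 port 40101 ssh2
Mar 10 11:02:15 web1 sshd[2500]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 11:45:15 web1 sshd[2502]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines, year=2024):
    """Turn sshd auth lines into events; syslog lacks a year, so one is assumed."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a production pipeline would count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source with >= threshold failures inside `window`.
    Severity is 'high' when a successful login follows the burst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            success = next((e for e in evs if e["result"] == "Accepted"
                            and e["ts"] > burst[-1]["ts"]), None)
            alerts.append({
                "src": src,
                "failures": len(burst),
                "first": first["ts"].isoformat(),
                "compromised_user": success["user"] if success else None,
                "severity": "high" if success else "medium",
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The two slow failures from 192.0.2.9 fall outside the window and produce nothing; alice's single typo produces nothing; only 203.0.113.7 is flagged, and the following "Accepted password for root" is what turns the alert into an incident worth the initial response described in the methodology above.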

Some of the functional business areas involved in detection and some common indicators of a computer security
incident are
