This document discusses digital forensics and the transition from traditional document forensics to examining digital evidence from computers and other devices. It provides details on the types of cases examined from 2008-2015, which evolved from issues like stolen designs and threatening emails to cases involving social media, terrorism, and data leaks. The document also outlines best practices for seizing digital evidence, examining computers, mobile devices, and CCTV footage while maintaining a chain of custody. It discusses challenges and requirements for forensic examinations.
2. DOCUMENT FORENSIC TO DIGITAL DOCUMENT FORENSIC
• PRESENCE OF SCANNED AND PRINTED DOCUMENTS DURING EXAMINATION OF FORENSIC DOCUMENTS.
• EXAMINATION OF COMPUTERS CONTAINING THE DIGITAL COPY WAS THOUGHT TO BE A WAY TO FIX RESPONSIBILITY.
*first case of computer forensic was taken up in the year 2004
3. TYPE OF CASES EXAMINED AROUND 2008-10
• THEFT OF DESIGNS AND CUSTOMER LISTS BY PARTNERS/ EMPLOYEES WHILE LEAVING THE COMPANY, THEN OFFERING LOWER PRICES TO EXISTING CUSTOMERS FROM THE OLD COMPANY EMAIL.
• THREATENING EMAIL.
• CUSTOMERS DUPED BY A TRAVEL AGENCY FOR A FOREIGN TOUR.
• FLIGHT/ RAIL TICKETS PURCHASED ONLINE USING OTHERS' CREDIT CARD DETAILS.
• *20-25 cases per year
4. CHANGE IN NATURE OF CASES IN 2011-2013
• Cases related to fake accounts on social sites (orkut, facebook, skype, twitter)
• Terrorist communications over the internet
• Computers used for transactions of fictitious companies, online/ offline.
• Data of national interest leaked via the internet.
• Online circulation of defamatory material.
• Mobile communication by sms/ mms/ voice recording/ still and video recording
* 150 cases per year
5. Elaborate planning, more details and diverse tools required for examination.
*210 cases received
6. 2014-15
• Mobile used as the communication device for all social network and email activities.
• Laptops replaced desktops.
• Laptop size grew smaller.
• Requests for CCTV footage increased.
• New applications/ apps on mobile for social networking (whatsapp, viber, line)
• Apps for financial transactions/ banking/ billing.
• Server examination requirements
7. Seizure of digital evidence
• Why they are called best practices.
• Practices differ (depending on the working environment).
• Need to adopt a guideline.
• Stringent or diverse.
• Need to document.
8. CHAIN OF CUSTODY of computer evidence
• Physical (sl. no., IMEI)
• Digital (hash value)
9. SCENE OF CRIME
• WHEN DESKTOP COMPUTER IS OFF
• WHEN DESKTOP COMPUTER IS ON
• ANY HARD DISK INSIDE?
• WHEN LAPTOP COMPUTER IS ON?
• WHEN LAPTOP COMPUTER IS OFF?
• WHETHER ACCUSED SHOULD BE ALLOWED TO BACKUP DATA?
10. HOW DAMAGING FOR INVESTIGATION
READ LABELS (os, hard disk capacity, repairs in between)
11. SEIZURE OF MOBILE/ SIM / MEMORY CARD
• ONE SIM vs DUAL SIM
• REMOVE BATTERY
• FLIGHT MODE/ BLOCK SIM
• SIM LOST
• MEMORY CARD.
• PATTERN LOCK/ PASSWORD ON SCREEN
• MEMORY CARD LOCKED.
• SEIZE POWER CABLE/ CONNECTORS
12. CCTV SEIZURE
• TIME/ DATE CHECK BEFORE SWITCHING OFF.
• CHECK CAPACITY OF THE HARD DISK INSIDE.
• DVR BOX IS REQUIRED ALONG WITH POWER CORD.
• BACKED UP FOOTAGE ACQUIRED AT THE CRIME SCENE.
13. NETWORKED COMPUTER
• DELEGATE EXPERTS TO ACQUIRE DATA
• ADVICE OF THE NETWORK ADMINISTRATOR/ SERVICE PROVIDER NEEDED.
• POWERING ON AT ORIGINAL SITE IS REQUIRED.
14. ONLY HARD DISK/ WHOLE COMPUTER
• ONLY HARD DISK IF DATA IS QUESTIONED
• DESKTOP/LAPTOP CONCERNED IF FUNCTIONS OF THE COMPUTER ARE QUESTIONED/ SPECIAL.
15. TOOLS REQUIRED FOR PREVIEW/DUPLICATION
• WRITE BLOCKERS
• IDENTIFICATION OF DIFFERENT OS
• NEW HARD DISK/ PROPERLY WIPED HARD DISK
• VALIDATION OF HARDWARE/ SOFTWARE
• HASH VALUE
16. CLONING VS BIT STREAM IMAGE
• CLONING FOR REBOOT
• BIT STREAM IMAGE FOR RESTORE.
• HASH VALUE
17. WHAT MAY ESCAPE DURING PURVIEW
• SLACK SPACE
• WEB MAIL
• INTERNET ACTIVITY
• HIDDEN FILES
• FILES NOT SUPPORTED BY SOFTWARE.
• HOST PROTECTED AREA
• DEVICE CONFIGURATION OVERLAY
• BACKUPS OF DEVICES (COMPRESSED FILES, IMAGE OF CD/DVD, BACKUP OF MOBILE, BACKUP OF CHAT HISTORY)
18. DIFFERENT APPROACH
• REGISTRY FORENSIC
• BROWSER FORENSIC
• SYSTEM RESTORE POINT FORENSIC
• VIRTUAL MACHINE FORENSIC
• CLOUD FORENSIC
• NETWORK FORENSIC
23. EXHIBITS
• CPU
• HARD DISK
• CD/DVD/FLOPPY
• PENDRIVE/ EXTERNAL HARD DISK
• MOBILE PHONE/SIM CARD/MEMORY CARD
• DIGITAL VIDEO RECORDER
• STILL/VIDEO CAMERA/MEMORY CARD
• SPY CAM
24. INTERNET HISTORY
• FILES DOWNLOADED/UPLOADED FROM INTERNET
• COOKIES
• WEBMAIL
• SOCIAL NETWORK ARTIFACTS
• CHAT HISTORY
• FILES FROM PRIVATE NETWORK (BLUETOOTH, WIFI)
26. DIFFERENCE BETWEEN DATA EXTRACTION AND COMPUTER FORENSIC
• IT MUST BE PROVED THAT THE CHAIN OF CUSTODY IS PROPERLY FOLLOWED AND THAT NOTHING HAS BEEN DELETED, ADDED OR CHANGED DURING EXAMINATION.
• THE PROCESS OF SUCH ASSURANCE STARTS FROM THE CRIME SCENE.
• BEST PRACTICES FOR SEIZURE OF DIGITAL EVIDENCE
• HASH VALUE
27. UNCOMMON CASES
• PICTURES IN EXCEL SHEET
• IMAGE OF HANDWRITTEN NOTES AS EMAIL MESSAGES
• FORMATTED HARD DISK
• VOICE RECORDING AS SUICIDE NOTE
33. CCTV CASES
• PROPRIETARY OPERATING SYSTEM REQUIRES OWN HARDWARE FOR EXAMINATION.
• INHERENT CLOCK SETTINGS CANNOT BE CROSS-CHECKED.
• DELETED FILES CANNOT BE RECOVERED.
34. REQUIREMENTS WHILE SUBMITTING CASE
1. PROPER FORMAT
2. PROPER SEALING AND LABELLING OF EXHIBITS
3. SIGNATURE AND SEAL OF AUTHORITY
4. ATTESTED COPY OF FIR
5. REQUIREMENT OF HARD DISK
39. WHEN QUERY IS IMAGE/ VIDEO RELATED
• COPY OF ALLEGED IMAGE/ VIDEO
40. WHEN QUERIES DO NOT SERVE THE PURPOSE
1. MISSING NAME OF THE COMPANY.
2. ASKING RANDOM SYSTEM RELATED QUERIES.
3. ALL EMAILS/ CREDIT CARDS/ IP ADDRESSES
4. ALL USERS
5. MISSING INTERNET HISTORY AND KEYWORDS
41. JUDICIOUS DISTRIBUTION/ SEIZURE OF EXHIBIT
• CAMERA WITH DVR
• MONITOR WITH CPU
• MODEM WITH LAPTOP
• DETACHED HARD DISKS OF SERVER
• BUNDLING 10 BRANCHES OF A COMPANY IN ONE BIG CASE
42. REQUIREMENT OF HARD DISK
• COPY
• CLONE/ MIRROR IMAGE
• WHAT ARE THE CHANCES OF MISSING EVIDENCE WHEN THE INVESTIGATING AGENCY DECIDES TO SEE THE EVIDENCE THEMSELVES?
43. Multiple queries
• What is the ip address used in this computer?
• What is the mac address used in this computer?
• What programs are installed in this computer?
• Who are the users of this computer?
• Whether this computer was used for email.
• Which modem was used for connecting to the internet?
44. Translate to single query
WHETHER THE MAILS AT ANNEXURE-A WERE SENT/ RECEIVED FROM THIS COMPUTER.
45. Multiple queries
• What accounting packages are installed?
• How many xls files are there?
• How many word files are there?
• What is the operating system of the computer?
• Are there any password-protected or encrypted files?
• What different types of data are available in the system?
• Are there any deleted files?
46. Translate to single query
Please provide all the data related to the company and any similar documents related to the documents at annexure a, b, c.
47. What areas change when a FILE is written?
(Diagram residue: the slides draw a FAT volume laid out as MBR, Reserved Area, BR (boot record), FAT1, FAT2, Root Directory and the data area holding FILE. Writing a file changes three areas, in this order:)
• A directory entry is created: Filename FILE, Start Cluster 2, Size 1024 (the remaining entries stay Unused Directory Entry).
• The FATs are updated: the entry for cluster 2 is set to E (end of chain) in both FAT1 and FAT2; clusters 3-13 remain 0 (free).
• FILE contents are written to the data area.
52. Deleting a file
(Diagram residue, same layout as above.)
• The first character of the directory entry is changed to the deleted-entry marker (0xE5), so the entry reads "ILE 2 1024": start cluster and size are left intact.
• The FAT entries are zeroed: cluster 2 goes from E back to 0.
• The data area is not changed!
56. Reformatting
(Diagram residue, same layout as above.) Three areas change when a partition is reformatted:
• Root directory entries are zeroed (every entry becomes Unused Directory Entry).
• FAT entries are zeroed (clusters 2-13 all 0).
• The boot record is written.
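The write and delete steps above, as an added worked example that is not from the slides: a constructed Python model of a FAT-style volume (the cluster size, the directory-entry tuple and the 0xE5 deletion marker are my modelling assumptions). It shows that deletion only touches the directory entry and the FATs, which is exactly why the data area can still be read back by an examiner.

```python
# Constructed model of a tiny FAT-style volume (illustration only, not a real
# FAT parser), mirroring the layout drawn on the slides.
EOC = 0xFFF            # end-of-chain marker, drawn as "E" on the slide
DELETED = "\xe5"       # byte that replaces the first character of a deleted entry
CLUSTER_SIZE = 1024
FIRST_CLUSTER = 2      # data area starts at cluster 2, as on the slide


class FatVolume:
    def __init__(self, clusters=12):
        self.fat1 = [0] * (FIRST_CLUSTER + clusters)   # 0 = free cluster
        self.fat2 = list(self.fat1)                    # second copy of the FAT
        self.root = []                                 # (name, start_cluster, size)
        self.data = {}                                 # cluster number -> bytes

    def write_file(self, name, content):
        """The three changes made when a file is written, in slide order."""
        n = max(1, -(-len(content) // CLUSTER_SIZE))   # clusters needed (ceil)
        free = [c for c in range(FIRST_CLUSTER, len(self.fat1)) if self.fat1[c] == 0]
        chain = free[:n]
        if len(chain) < n:
            raise OSError("disk full")
        self.root.append((name, chain[0], len(content)))     # 1. directory entry created
        for cur, nxt in zip(chain, chain[1:] + [EOC]):       # 2. both FATs updated
            self.fat1[cur] = self.fat2[cur] = nxt
        for i, c in enumerate(chain):                        # 3. contents to data area
            self.data[c] = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        return chain

    def delete_file(self, name):
        """Deletion touches only the directory entry and the FATs; data area is untouched."""
        idx = next(i for i, e in enumerate(self.root) if e[0] == name)
        nm, start, size = self.root[idx]
        c = start
        while c != EOC:                                      # FAT entries are zeroed
            nxt = self.fat1[c]
            self.fat1[c] = self.fat2[c] = 0
            c = nxt
        self.root[idx] = (DELETED + nm[1:], start, size)     # "FILE" is now "?ILE"

    def recover_deleted(self):
        """Examiner's view: the entry keeps start cluster and size, so the data is
        re-read on the assumption that the file's clusters were contiguous."""
        found = {}
        for nm, start, size in self.root:
            if nm.startswith(DELETED):
                n = max(1, -(-size // CLUSTER_SIZE))
                raw = b"".join(self.data.get(c, b"") for c in range(start, start + n))
                found["?" + nm[1:]] = raw[:size]
        return found
```

The contiguity assumption in recover_deleted is the weak point in practice: once the FAT chain is zeroed, a fragmented file cannot be reassembled from the directory entry alone.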
60. Slack Space: what are the two types of slack?
(Diagram residue: Cluster 2 is drawn as a row of sectors, partly filled by File, with RAM Slack and Residual Slack marked after it.)
• RAM Slack is the area from the end of the file to the end of that sector. It comes from RAM.
• Residual data slack is the area from the end of RAM slack to the end of the cluster: whatever was on the media before.
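The two slack types above, as an added example that is not the deck's own material: a constructed Python model with 512-byte sectors and 2048-byte clusters (assumed geometry) that writes a 700-byte file over a cluster still holding older data, then carves RAM slack and residual slack from it the way an examiner would.

```python
SECTOR_SIZE = 512
CLUSTER_SIZE = 2048      # four sectors per cluster (constructed volume geometry)


def slack_regions(file_size):
    """Byte ranges [start, end) inside the file's last cluster, following the
    slide's definitions: (ram_slack, residual_slack)."""
    used = file_size % CLUSTER_SIZE
    if file_size and used == 0:
        used = CLUSTER_SIZE                  # file ends exactly on a cluster boundary
    sector_end = -(-used // SECTOR_SIZE) * SECTOR_SIZE   # end of the last sector written
    return (used, sector_end), (sector_end, CLUSTER_SIZE)


def write_into_cluster(old_cluster, content, ram_fill):
    """Simulate the OS writing `content` (at most one cluster) over a cluster that
    previously held `old_cluster`: whole sectors are written, so the tail of the
    last sector is padded with `ram_fill` (RAM slack) and the remaining sectors
    keep whatever was on the media before (residual slack)."""
    (ram_start, ram_end), _ = slack_regions(len(content))
    pad = (ram_fill * SECTOR_SIZE)[: ram_end - ram_start]
    return content + pad + old_cluster[ram_end:]


def carve_slack(cluster, file_size):
    """What an examiner carves from the cluster: (ram_slack_bytes, residual_bytes)."""
    (a, b), (c, d) = slack_regions(file_size)
    return cluster[a:b], cluster[c:d]
```

A file whose size is a multiple of the sector size has no RAM slack at all, and one that fills the cluster exactly leaves no slack of either kind; the residual region is what makes "formatted" or "deleted" media still worth imaging.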