Digital Forensics
Marian Svetlik
svetlik@df-pro.cz
svetlik@fi.muni.cz
www.digital-forensic.pro
06.11.2019

Digital Forensics Course Concept

Marian Svetlik
• Expert Witness in Digital Forensics
• Information Security Expert
• Vice-president and CEO of The Academy of Forensic Sciences
• Digital Forensic Review - Journal Editor
• ISMS Lecturer at University of Economics Prague
• Computer Crime Lecturer at University of Finance and Administration Prague
• Cybercrime Lecturer at CEVRO Institute
• Digital Forensic Special Expert C4e at MUNI
• Programme Committee member of the DFRWS EU
• IDFA Management Board Member

Course Content
• DF definition, relation to cybersecurity and to cybercrime
• Digital Traces & Digital Evidence, properties, documentation
• Sources, Handling, Gathering and Protection
• DF Examination Principles
• DF Lab creation and management, Assessment, Certification, Accreditation
• DF in Law, Electronic Evidence

Recap
• Where are the digital traces?
  – Integrated (Permanent (static) and Volatile (dynamic)); External/Removable; Remote (Local network storage (file server, NAS), Cloud storage); Data lines (dynamic) (Electric current/wires, light, electromagnetic field, …)
• Seizing order (based on the level of control over the seized data)
• Bit Copy vs Logical Copy
• General rules for handling

Today's outline
Process of the Digital Forensic Examination

Models
Digital Forensic Examination Model
General Forensic Investigation Model: PREPARING → SEARCH & SEIZURE → EXAMINATION → ANALYSIS → REPORTING → PRESENTATION
https://en.wikipedia.org/wiki/Digital_forensic_process

DF Lab Process Model

DF Lab IS - Basic Structure
DF Lab Process Model: CRM Subsystem, Production Subsystem, Reporting Subsystem, Accounting Subsystem, Event Record System, DF Lab Internal Resources

Inquiry request
• Description of the case – describes the reason / purpose of the inquiry request
• Questions – specific problem specification
• Traces / samples – they determine the standard procedures
The specificity of forensic work can therefore be described by the definition: knowledge of the input objects (traces / samples) and of the activities that need to be done, in a way appropriate to the purpose of the task, in order to solve the given problem.

• DF Laboratory view

6 steps of the digital forensic exam (General Forensic Investigation Model)
PREPARING → SEARCH & SEIZURE → EXAMINATION → ANALYSIS → REPORTING → PRESENTATION

9 steps of the digital forensic exam
• Preparation
• Identification
• Collection / seizing
• Integrity
• Examination
• Analysis
• Reporting
• Presentation
• Archiving / deleting / returning

Preparation
• Assumptions
  – Organizational (efficiency and work organization)
  – Technical (tools, devices, HW and SW, venue …)
  – Qualifying (relevant expertise and experience)
  – Material (few cases vs too many cases)

Identification
At the crime scene…
IDENTIFICATION → SEIZURE → EXAMINATION → EVIDENCE
LEGAL ACT → INVESTIGATOR → TECHNICIAN → EXPERT
CONSISTENT PROCESS
Knowledge? Knowledge? Knowledge?

Identification
The nature of the case is crucial
The essential role of the investigator: it should always be the responsibility of the investigator to consult possible traces / information in ICT with an expert.
Information is crucial to the investigation, and at present digital means are one of the essential sources of information for investigating virtually any crime.
Diversity of information character: “documents” are only a fraction of the information that can help in the investigation (see “Fatal error”, DFJ 2/2005, p. 20).
The result of the identification assessment is a strategy for seizing digital information.

Identification
• The seizing strategy determines:
  – Individual seizure activities
  – Selection of appropriate methods and procedures
  – Qualification of the technician who carries out the data seizing
  – Technical and logistic means used
• … everything so that the data can be examined effectively

Collection/Seizing

Integrity
• Integrity of data traces
• Integrity of physical traces
• Computer seizing procedure

Examination
• Unidentified and subsequently not seized traces cannot be examined
• Poorly seized traces can give poor, misleading or even false results
• Bad traces (both in terms of complexity and quality) multiply the difficulty of the examination (Digital Forensic Triage processes)

Analysis

Reporting

Presentation

Archiving / Deleting / Returning

DFMS
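The recap item "Bit Copy vs Logical Copy" and the "Integrity" step are the two places where a seizure goes wrong silently, so here is an added worked example (it is not part of the lecture slides and not the lecturer's code). It uses a hypothetical toy filesystem (a 64-byte sector, a fixed-size directory table in sector 0) and two constructed sample files, one of which has been "deleted" by clearing its allocation flag. A logical copy sees only the allocated file; a bit copy keeps the unallocated sector and the deleted content can be carved out of it. The image's SHA-256 is recorded at acquisition in a chain-of-custody record and re-checked later, so that a single flipped byte is detected.

```python
"""Added example: bit copy vs logical copy, plus hash-based integrity of a seized image.
The sector size, directory layout and file contents below are all constructed for
illustration; they are not a real filesystem format."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

SECTOR = 64  # hypothetical tiny sector size for the toy image
# Toy directory entry: name[16], start sector, length in bytes, in_use flag.
ENTRY = struct.Struct("<16sIIB")


def build_toy_image() -> bytes:
    """Constructed sample disk: two files written, the second then 'deleted' by
    clearing its in_use flag. As on a real disk, the bytes stay where they were."""
    files = [
        (b"invoice.txt", b"Invoice 2019-11-06: 1 x laptop, 1200 EUR"),
        (b"notes.txt", b"Meet courier at station 20:00, bring the cash"),
    ]
    data_area = bytearray()
    entries = []
    next_sector = 1  # sector 0 is the directory
    for name, content in files:
        padded = content + b"\x00" * (-len(content) % SECTOR)
        entries.append((name.ljust(16, b"\x00"), next_sector, len(content), 1))
        data_area += padded
        next_sector += len(padded) // SECTOR
    name, start, length, _ = entries[1]
    entries[1] = (name, start, length, 0)  # "delete" notes.txt: flag only
    directory = b"".join(ENTRY.pack(*e) for e in entries).ljust(SECTOR, b"\x00")
    return bytes(directory + data_area)


def read_directory(image: bytes) -> list[tuple[str, int, int, bool]]:
    """Parse the directory sector; an entry whose name starts with NUL ends the table."""
    entries = []
    for off in range(0, SECTOR, ENTRY.size):
        chunk = image[off:off + ENTRY.size]
        if len(chunk) < ENTRY.size or chunk[0] == 0:
            break
        name, start, length, in_use = ENTRY.unpack(chunk)
        entries.append((name.rstrip(b"\x00").decode(), start, length, bool(in_use)))
    return entries


def logical_copy(image: bytes) -> dict[str, bytes]:
    """A file-level (logical) acquisition: only files the directory still lists."""
    return {
        name: image[start * SECTOR:start * SECTOR + length]
        for name, start, length, in_use in read_directory(image)
        if in_use
    }


def carve_unallocated(image: bytes) -> list[bytes]:
    """What only a bit copy preserves: content of sectors no live entry points to."""
    allocated = {
        start + i
        for _, start, length, in_use in read_directory(image) if in_use
        for i in range(-(-length // SECTOR))
    }
    runs = []
    for sec in range(1, len(image) // SECTOR):
        if sec in allocated:
            continue
        blob = image[sec * SECTOR:(sec + 1) * SECTOR].rstrip(b"\x00")
        if blob:
            runs.append(blob)
    return runs


@dataclass(frozen=True)
class CustodyRecord:
    """Hypothetical chain-of-custody entry written at acquisition time."""
    item: str
    sha256: str
    acquired_by: str
    acquired_at: str


def acquire(image: bytes, item: str, who: str, when: str) -> CustodyRecord:
    """Hash the full bit copy once, at seizure, and record who took it and when."""
    return CustodyRecord(item, hashlib.sha256(image).hexdigest(), who, when)


def verify(image: bytes, record: CustodyRecord) -> bool:
    """Re-hash before examination; any change since acquisition fails the check."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), record.sha256)


if __name__ == "__main__":
    img = build_toy_image()
    rec = acquire(img, "HDD-01 (constructed sample)", "technician A", "2019-11-06T10:00")
    print("logical copy sees:", list(logical_copy(img)))
    print("carved from unallocated sectors:", carve_unallocated(img))
    print("integrity intact:", verify(img, rec))
    tampered = bytearray(img)
    tampered[SECTOR] ^= 0x01  # one bit in the invoice changed
    print("integrity after tampering:", verify(bytes(tampered), rec))
```

The point a practitioner should take from it: the logical copy is not wrong, it simply cannot contain what the directory no longer references, so the seizing strategy must decide up front which copy the questions require; and the custody hash is only worth anything if it is computed on the original at the moment of seizure and compared again before every examination.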