Okay, so this week we are starting to talk about digital forensic science, and before we can actually start with digital forensic investigations we have to understand what a digital forensic investigation is. How is it different from other types of investigations?

So first off, we define a digital investigation as a process to answer questions about digital states and events. So what does that mean? Think about you using your computer right now. You might want to search for a file on your computer. Well, you want to understand how that file is on your computer: where is it, how can you get the data, right? So you can start a digital investigation on your computer just by looking for a file. You're trying to figure out the state of the data stored on your computer.

Well, that's a little bit different from what investigators do whenever they're doing a digital forensic investigation. More than just accessing the data directly or searching the data directly, we have to use special procedures to make sure that our results are always correct, whereas if you can't find your file, the data may still be there, but it's a little bit harder to access. So a digital forensic investigation is a special case of digital investigation where we use procedures and techniques that allow the evidence to be accepted in court. That means that the standards that courts have for accepting the data as evidence need to be a little bit more reliable than a search function on your computer that finds a file. We have to make sure that that search function is correct all of the time and is resulting in the data that we expect.

So a digital forensic investigation is formally defined as the collection, preservation, analysis and presentation of computer-related evidence for a court of law. Everything we're doing in digital forensic investigations is specifically for court, whereas if you're trying to find a file on your computer, you're not going to be submitting that file to court, probably, right? You're just interested in your own files. But court has a much higher standard. So whenever we're talking about criminal investigations and digital forensic investigations, we're always talking about court. Any time you hear the word forensic, we're basically using procedures and processes that can be accepted in a court of law. So all procedures and techniques must be what we call forensically sound to be considered admissible in court.

So we are submitting digital evidence into court, and you might have heard about evidence, for example a bloody knife if somebody was attacking somebody else, but what is digital evidence and how is it different? Digital evidence is any data that supports or refutes a hypothesis that was formulated during an investigation. We'll talk about what a hypothesis is in an investigation in the next lecture, but for now just think about it as something that supports or denies a claim.

Okay, so digital evidence is a little bit different from traditional evidence in the fact that we can't touch it directly. So for example the knife: we can touch a knife, we can touch any type of traditional evidence that would normally be submitted physically to court, but data we can't touch. So digital evidence must be translated into human-readable form. The fact that we can't touch it means we can't observe it directly; we have to go through this translation process first. So think of it kind of like languages: we have data that's in a certain form, and before we can make sense of it, it has to be converted into another form that humans can actually read and interact with and understand. So each layer of abstraction can introduce information loss. So in computers, when we're investigating computers, we're starting at basically the physical layer, which is more or less electronic signals or magnetic fields, and we're converting that into ones and zeros.
We're converting those ones and zeros into some type of data structure, and then we make sense of that data structure to figure out what the data is actually telling us: what information does this data contain? So whenever we're going through that abstraction process, this conversion or translation process, we might lose some information or we might translate it a little bit incorrectly, and lots of programs translate information incorrectly a lot of the time. But in digital investigations, because the requirements of court are so high, we have to make sure that we are minimizing the amount of mistakes that this translation process introduces.

Think about traditional evidence again, the knife. If anyone looks at a bloody knife, everyone can understand what that is. But with data, because we have to go through this translation process, it's not immediately clear what information that data contains until we translate it, and even then it's a little bit vague sometimes. So the point of this is that we have to test our tools to make sure that we're not translating data incorrectly or improperly. We have to do what's called data or evidence validation. A lot of validation needs to take place during your investigation whenever you're dealing with data. Can you get the same information using multiple tools? Can everyone kind of agree on that particular translation of the information? So we have to do a lot of result validation during our investigations.

Digital evidence, just like traditional evidence, is also subject to changes that might be destructive but are not necessarily malicious. For example, evidence dynamics.
We call this evidence dynamics, and this applies also to traditional evidence. So evidence dynamics is any influence that changes evidence regardless of intent. So think about again our knife: if somebody stabs someone else and drops the knife and it rains, the rain is actually washing away evidence, but the rain didn't intend to wash away the evidence. So this applies to digital evidence too. If we do a crime and some evidence is created on the computer, other processes that are already taking place on that system might overwrite or change or delete or somehow modify the digital evidence that we would rely on. Some of those might be malicious, for example a hacker might be trying to cover their tracks, but many of them are non-malicious. So if someone was hacked or their computer was taken over, digital evidence might be created on the system, but if the user, the person, doesn't know that they were attacked, they might inadvertently overwrite some traces or some evidence on that computer without knowing it. They didn't intend to delete the evidence, but through normal processes, normally using the computer, they lost some information.

So a lot of the causes for evidence dynamics in digital investigations are, first off, system administrators. A lot of servers get hacked, actually quite often. So system administrators: their job is to fix things, right? So they are sometimes interested, they want to do investigations and find out who actually hacked into their system, but they're more interested in fixing the system and getting it running again. System administrators are more interested in making sure that the systems that were attacked are up and running. So sometimes that means that whenever they're attempting to get those systems running again, they overwrite some evidence that might be on those systems. Another is offenders' covering behavior.
So again, hackers getting into the system, or viruses changing things in the system to try to hide themselves. The changes might actually be malicious. Obviously hackers and viruses don't want to get caught, so they might delete some traces that they've created to make sure that nobody can detect them.

Victim actions: the users of the computers themselves, like I said, don't normally know that they've been attacked or that their systems have been compromised, so they continue to surf the internet, install new programs, whatever they normally do, and those actions may also overwrite some data on the computer.

Secondary transfer: all computers, not all, most computers now are interacting with other devices. So, secondary transfer: if your phone was attacked and you plug that into your computer, then some evidence for that attack might be downloaded to your computer, or the communication between your phone and your computer might overwrite some traces. If your computer is connecting to an external server like Dropbox or something like that, some changes in Dropbox might be copied over. So computers now are always talking to other computers online. So the result is that there's a lot of transfer between one computer and another, not only syncing files, but just those computers communicating over the network. So secondary transfer can cause a lot of data to be overwritten inadvertently.

Witnesses themselves: I've worked on some cases where witnesses saw something illegal on someone's computer. They wanted to, and they did, report the case to the police, but they knew that that material was bad and they didn't want anyone else to see it, so they deleted it. They had good intentions. They didn't realize they were removing evidence, but they removed evidence because they wanted to protect other people. So sometimes witnesses intervene in digital systems and can remove digital evidence as well.
So it's best, if you know something is on a system, to just leave it on there and call the police, or in this case do your investigation.

And nature and weather: of course nature and weather affect a lot of systems, and computers especially don't like getting wet. So if you've ever had a computer hard drive, or even a computer, get hit by lightning or be in a flood, anything like that, you're most likely going to lose data. Obviously the weather did not intend to change any digital evidence, but nature and weather can remove or modify digital evidence.

So those are just some examples of the way that data normally changes in systems. It might not always be malicious, and many times it's not done maliciously. It's just the way that computers work.

So for admissibility, or getting that digital evidence accepted in court: every country, and we've already talked a little bit about multiple countries or international cases for cybercrime, every country has a little bit different standards for accepting digital evidence in court. So for many jurisdictions evidence must be at least two things. We say relevant to the case, or to the claim that's being made. So a criminal, or a suspected criminal, has some charge laid against them; is this digital evidence relevant to the case that we're actually looking at? In many cases, whenever we're investigating someone, if we find evidence of one type of crime, we might find evidence of other types of crime as well, but then we have to look at what the charge is, what the claim is that we're actually investigating here. We're not always investigating every single crime that we see; we have to focus on whatever charge is being laid. So is the digital evidence relevant to the charge that we're actually investigating? And is the digital evidence reliable? This is where the distinction between digital investigation and digital forensic investigation comes into play. A digital investigation is less reliable.
We're using other procedures that we don't necessarily need to check, or we don't need to check as thoroughly. In a digital forensic investigation, we are using procedures and techniques that are reliable and reproducible; other people can verify our findings and make sure that they're correct. So for admissibility, evidence must be relevant and reliable in most jurisdictions. But this all depends, of course, on the court. Courts' decisions, judges, ultimately have the power to accept or deny evidence depending on what they think and what they feel about the case and the charge being made. So even if evidence meets all of the criteria laid out in a jurisdiction, the court may still decide to admit it or not, and this is up to the discretion of the judge. All an investigator, which is what we are now, can do is ensure that the evidence has been derived in a forensically sound manner, that we've actually used the tools and techniques that are tested and verified and reproducible, to make sure we're always getting the best digital evidence out of our investigation.

So I've talked a little bit about forensic soundness, or what is forensically sound. So forensically sound, just a definition: the application of a transparent digital forensic process that preserves the original meaning of the data for production in a court of law. Now think about it: we were talking about translation of information, or going from low-level data to actually human-understandable information. So if something is forensically sound, it's a process that preserves the original meaning of the data, right? So we can verify that these ones and zeros actually represent this particular piece of information. Once we do the translation, the translation always results in the information that we expect to find, and other investigators, third-party investigators, can also find the same information from the same data. I mean, the whole point is that if somebody questions our results, we can give them all of our data and they can come to exactly the same conclusions as us from the evidence that's been presented.

So derived evidence should be reliable, complete, accurate, and able to be tested and verified. So, reliable again: can you actually trust the information that's being presented by this data? Or once you can translate this data, can you actually trust what this information says? Is it complete? For example, think about context. If you found an image that looks like it might be a bad image, and you only see it by itself, then you might conclude that something bad has happened, but if you see it with a bunch of other images, maybe the thing that it was related to isn't bad. So context really matters here. We have to look at where the data is located, what data is associated with it, what actions were associated with it. Do we have a complete picture of what actually happened on the system? Is the data accurate? So whenever we were copying or analyzing the data, did we have accurate representations of this information? Did we copy it completely and exactly the way that it was originally intended to be? And with digital evidence, making sure something is accurate is a little bit easier; we'll talk about that later. And finally, able to be tested and verified. So this is the big one: once we've copied data correctly and we've analyzed or converted the data into information, can any other investigator follow the procedures and processes we used to come to the same conclusion?
We should be able to give our case essentially to any other investigator, and they should be able to verify our findings. And this is the core part. This is essentially auditing, to make sure that anyone else can follow what we've done and come to the same conclusions. If they can, then that means our process was more trustable than if they couldn't.

So in the US, and a couple of other countries have kind of followed the standard as well, there was a ruling called Daubert, or essentially the Daubert standard. There are four categories for assessing the reliability of a procedure for deriving evidence, and this is for any type of evidence, not only digital evidence, but this is the way that judges tend to decide whether they accept evidence into court or not. So first off is testing: can, and has, the procedure that we're using to extract the information from the computer been tested? If you're using a procedure that hasn't been tested, how can you trust it? Right, so has the procedure that you're using been tested, who all is testing it, how was it tested? The judges, the courts, will assess whether that testing is appropriate and your method actually seems to work. Error rate: is there a known error rate for your procedure? So we talked a little bit, in translation, that sometimes some things fail a little bit. We need to know how often those things fail, because if we're trying to derive trustable evidence, what is the probability that our results might be wrong? Okay. Next is publication: has the procedure actually been published? This kind of goes back to testing; if it's been published, that means that other people have tested it and come to some conclusion. And then acceptance: is the procedure generally accepted by the community? So in our case, law enforcement, corporate investigators, courts: do they actually accept, or generally accept, what we're trying to do in this case?
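Two points from this lecture can be made concrete in code: the earlier one about translating ones and zeros into a data structure and then into information, with validation across multiple tools, and the Daubert questions just above about whether a procedure has been tested and what its error rate is. The script below is an added example and not part of the lecture; it uses a 16-byte record layout constructed for this example (not any real file system), two independently written decoders, a deliberately mistranslating decoder, and a ground-truth data set whose values are known because we wrote them, which is what testing a tool against a reference data set gives you.

```python
"""Added example: translate raw bytes into information, validate the
translation across independent tools, and measure an error rate.

Constructed record layout (not a real file system format):
    offset 0   uint32, little-endian   modification time, seconds since epoch
    offset 4   uint16, little-endian   file size in bytes
    offset 6   10 bytes                ASCII file name, space padded
"""
import struct
from datetime import datetime, timezone

RECORD_LEN = 16


def decode_struct(raw: bytes) -> dict:
    """Decoder A, the 'tool under test': bytes -> integers -> datetime."""
    mtime, size, name = struct.unpack("<IH10s", raw[:RECORD_LEN])
    return {"name": name.decode("ascii").rstrip(" "), "size": size,
            "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc)}


def decode_manual(raw: bytes) -> dict:
    """Decoder B, written independently with plain byte arithmetic, so that
    agreement with decoder A means something (not two calls to one library)."""
    mtime = raw[0] | (raw[1] << 8) | (raw[2] << 16) | (raw[3] << 24)
    size = raw[4] | (raw[5] << 8)
    name = raw[6:16].decode("ascii").rstrip(" ")
    return {"name": name, "size": size,
            "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc)}


def decode_wrong_endian(raw: bytes) -> dict:
    """A mistranslating tool: reads the integers as big-endian. Its output is
    still well-formed (a name, a size, a date), which is exactly why one
    tool's output cannot be trusted without validation."""
    mtime, size, name = struct.unpack(">IH10s", raw[:RECORD_LEN])
    return {"name": name.decode("ascii").rstrip(" "), "size": size,
            "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc)}


def iter_records(blob: bytes):
    """Split a blob into fixed-size records; a trailing partial record is ignored."""
    for off in range(0, len(blob) - RECORD_LEN + 1, RECORD_LEN):
        yield blob[off:off + RECORD_LEN]


def cross_validate(blob: bytes, decoders) -> list:
    """Indexes of records on which the given decoders do not all agree."""
    disagreements = []
    for i, rec in enumerate(iter_records(blob)):
        outputs = [d(rec) for d in decoders]
        if any(o != outputs[0] for o in outputs[1:]):
            disagreements.append(i)
    return disagreements


def error_rate(decoder, blob: bytes, ground_truth: list) -> float:
    """Fraction of records the decoder translates differently from known truth."""
    wrong = sum(1 for rec, truth in zip(iter_records(blob), ground_truth)
                if decoder(rec) != truth)
    return wrong / len(ground_truth)


# Constructed ground truth: the values are known because we chose them.
GROUND_TRUTH = [
    {"name": "notes.txt", "size": 4096,
     "mtime": datetime(2021, 3, 14, 15, 9, 26, tzinfo=timezone.utc)},
    {"name": "photo.jpg", "size": 1337,
     "mtime": datetime(2017, 7, 14, 2, 40, 0, tzinfo=timezone.utc)},
    {"name": "log.bin", "size": 20480,
     "mtime": datetime(2010, 1, 1, 0, 0, 0, tzinfo=timezone.utc)},
]


def build_blob(records: list) -> bytes:
    """Serialise ground-truth records into the constructed on-disk layout."""
    return b"".join(
        struct.pack("<IH10s", int(r["mtime"].timestamp()), r["size"],
                    r["name"].ljust(10).encode("ascii"))
        for r in records)


SAMPLE_BLOB = build_blob(GROUND_TRUTH)


if __name__ == "__main__":
    print("A vs B disagree on records:",
          cross_validate(SAMPLE_BLOB, [decode_struct, decode_manual]))
    print("A vs wrong-endian disagree on records:",
          cross_validate(SAMPLE_BLOB, [decode_struct, decode_wrong_endian]))
    for d in (decode_struct, decode_manual, decode_wrong_endian):
        print(f"{d.__name__}: error rate "
              f"{error_rate(d, SAMPLE_BLOB, GROUND_TRUTH):.2f}")
```

The two honest decoders agree on every record and have an error rate of zero against the reference set; the wrong-endian decoder disagrees on every record and has an error rate of one, even though each of its answers looks plausible on its own. That is the point of validating across tools: a single translation can be wrong without looking wrong.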
And finally, chain of custody. So chain of custody is very important for proving to courts that we've taken all procedures necessary to make sure that our evidence is reliable and no one has modified it or tampered with it. So chain of custody is an unbroken audit trail of seized exhibits to determine what was done, when, and by whom. Chain of custody is exactly the same as for traditional evidence, except with digital evidence it's easier to manipulate evidence, basically changing the information that the data tells us about the case. So it's a little bit more difficult with traditional evidence to modify something without someone knowing, whereas with digital evidence anyone essentially can come in and modify things, so we have to protect the digital evidence, and we'll talk about how we actually do that protection in a little bit. But chain of custody is basically making sure we always know where the data is, who has access to it, and what they were doing with it whenever they did have access to it.

So that's it for this lecture. Next time we'll talk about the actual investigation process.
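As an added example, not part of the lecture, here is one way to make the "unbroken audit trail" idea from the chain-of-custody section concrete. A cryptographic hash of the exhibit taken at acquisition is the reference value; every later entry in the log records who handled the exhibit, when, what they did, and the exhibit's hash at that moment, and each entry also commits to the hash of the previous entry, so that an entry cannot be removed, reordered or edited afterwards without the check failing. The exhibit ID, handler names and image bytes are constructed for the example.

```python
"""Added example: a tamper-evident chain-of-custody record for a disk image.

Two things are verified: that the exhibit is byte-for-byte what was acquired
(its SHA-256 still equals the acquisition hash) and that the custody log is
an unbroken, unedited sequence (each entry's hash covers the previous one).
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, exhibit_id: str, image: bytes, acquired_by: str):
        self.exhibit_id = exhibit_id
        self.acquisition_hash = sha256_hex(image)  # reference value for the exhibit
        self.entries = []
        self.record("acquire", acquired_by, image)

    def record(self, action: str, handler: str, image: bytes,
               when: datetime = None) -> dict:
        """Append an entry: who did what, when, and the exhibit's hash at that
        moment. The entry hash includes the previous entry's hash."""
        when = when or datetime.now(timezone.utc)
        body = {
            "exhibit": self.exhibit_id,
            "seq": len(self.entries),
            "action": action,
            "handler": handler,
            "when": when.isoformat(),
            "image_sha256": sha256_hex(image),
            "prev_entry": self.entries[-1]["entry_hash"] if self.entries else "",
        }
        entry = dict(body, entry_hash=sha256_hex(
            json.dumps(body, sort_keys=True).encode()))
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> list:
        """Return a list of problems; empty means the chain is unbroken and
        the exhibit is unchanged since acquisition."""
        problems = []
        if sha256_hex(image) != self.acquisition_hash:
            problems.append("image hash does not match acquisition hash")
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']} was altered after it was written")
            if e["prev_entry"] != prev:
                problems.append(f"entry {e['seq']} is not linked to the previous entry")
            if e["image_sha256"] != self.acquisition_hash:
                problems.append(f"entry {e['seq']}: exhibit changed while held by {e['handler']}")
            prev = e["entry_hash"]
        return problems


# Constructed stand-in for an acquired disk image; a real image is hashed the same way.
SAMPLE_IMAGE = bytes(range(256)) * 64


def demo() -> tuple:
    """A clean hand-off, then a modification; returns both verification results."""
    log = CustodyLog("EX-2024-001", SAMPLE_IMAGE, "examiner_a")
    log.record("transfer to lab", "examiner_b", SAMPLE_IMAGE)
    clean = log.verify(SAMPLE_IMAGE)

    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4096] ^= 0x01  # one flipped bit anywhere changes the hash
    log.record("analysis", "examiner_b", bytes(tampered))
    broken = log.verify(bytes(tampered))
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean chain:", clean or "OK")
    print("after modification:", *broken, sep="\n  ")
```

The clean chain verifies with no problems. After the exhibit is modified, verification reports both that the current image no longer matches the acquisition hash and which entry, and therefore which handler, first recorded the changed hash; editing or deleting a log entry is reported separately as a broken link.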