Collecting digital evidence is not an easy job. Some evidence is volatile and fragile, so it is of utmost importance to handle it carefully. For example, electronic memory in a laptop, or RAM, has contents that are lost when power is removed from the device, so it is volatile. On a running machine, we might need to collect that evidence over the network from another host, or locally using specialized tools. We also do not want the data to be destroyed or contaminated, so when working with original hard disk evidence we may use physical write blockers to make sure that system date and time stamps aren't modified. It is a must to work from a forensic image of the original evidence. It is important to preserve the original copy of the data and to have multiple copies of that original evidence.
Since digital evidence can be volatile or fragile, it can be destroyed or contaminated unintentionally. It is essential that system times and time stamps aren't changed; using physical write blockers keeps the original digital evidence safe.
When working with digital media, it is essential to create and work from a forensic image of the original data.
Deleted data can be recovered with data recovery tools and a series of techniques. Even when a file is deleted, its data blocks are still available on the hard disk. The system can be scanned with forensic tools to identify the deleted information. On Windows Server, such a tool may query the master file table of an NTFS partition; on Unix and Linux, it might query the inode table in an attempt to identify deleted items. Make sure the data is hashed: hashing produces a unique value based on the data fed into the algorithm, so hash collisions are a rare possibility, and hashing can be used to prove integrity. Evidence that a file was modified on a given date and time doesn't mean the change really happened then, so we need to be careful when it comes to date and time verification. Date and time can be manipulated at the operating system level, network level, hardware level, and so on. So if we're going to rely on a date or a time, make sure to correlate it with other time sources so that there is some consistency.
Various data recovery techniques can be used to recover items that have been deleted from a hard disk. Hashing of data is a technique for maintaining and proving the integrity of original data.
To determine time zone information, time verification needs to be executed.
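The integrity check described above can be made concrete as follows. This is an added example, not part of the original article: it hashes a stand-in "original image" in chunks and confirms which working copies still match it. The file names and sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images need little memory


def image_digest(path, algorithm="sha256"):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copies(original, copies):
    """Return (reference digest, {copy path: True if it matches the original})."""
    reference = image_digest(original)
    return reference, {str(c): image_digest(c) == reference for c in copies}


def demo_verify():
    """Constructed sample: one image, one faithful copy, one altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "evidence.dd"  # hypothetical image file name
        original.write_bytes(b"\x00" * 4096 + b"constructed sample sector data")
        good = tmp / "working_copy_1.dd"
        good.write_bytes(original.read_bytes())
        altered = bytearray(original.read_bytes())
        altered[100] ^= 0x01  # a single flipped bit changes the digest
        bad = tmp / "working_copy_2.dd"
        bad.write_bytes(bytes(altered))
        reference, results = verify_copies(original, [good, bad])
        return reference, results[str(good)], results[str(bad)]


if __name__ == "__main__":
    ref, good_ok, bad_ok = demo_verify()
    print("reference sha256:", ref)
    print("copy 1 matches:", good_ok)
    print("copy 2 matches:", bad_ok)
```

Recording the reference digest at acquisition time and repeating the comparison before each analysis session shows that the working copy has not changed in between.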
A malicious user can make changes even to access times. For example, on a Windows computer, from an elevated command prompt, we could use the fsutil command to change the behavior of that Windows system so that it doesn't track when files are accessed. Forensic tools can enable a physical write block against media, so that data can be acquired from that media in a forensically sound manner. What we expect is that the original data remains intact while we do the forensic analysis on the copy. This data can come from hard drives, including external drives and solid state drives. It can also be gathered from optical media like CDs or DVDs. In the case of a mobile device or a camera, we might have to refer to the data stored on its SD card. The storage in mobile devices and tablets, and USB thumb drives, are other options.
When data is collected in an investigation, access dates need to be verified. From an elevated command prompt on a Windows computer, the fsutil command with disablelastaccess 1 can be used to disable tracking of when files are accessed.
Other sources of data include hard drives (such as external drives and solid state drives), CDs/DVDs, SD cards, thumb drives, mobiles, and tablets.
NIST, the National Institute of Standards and Technology, publishes a database that contains unique hashes of many versions of commercial operating system and application files. A forensic investigator can compare the hashes of a suspect's file system against this database to identify any seemingly standard files that have been created or modified by the suspect. Data can be stored on a virtual server, or on a storage area network, where the storage is not physically attached to the device where the user works with the data. A storage area network might be built with iSCSI or Fibre Channel. And of course, at the consumer level and also at the enterprise level, we might be talking about cloud storage, such as Dropbox or Microsoft OneDrive, where data is stored in the cloud rather than on the device. In some cases, we might synchronize data so that it is also stored on the device and is available in offline mode.
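The known-file comparison described above (checking a suspect's file system against a database of published hashes) can be sketched as below. This is an added example, not part of the original article: the reference set, its name-to-digests layout, and the sample files are all constructed here and do not reflect the actual NIST database format.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_files(root, reference):
    """Sort every file under root into known / altered / unlisted.

    reference maps a lower-cased file name to the set of SHA-256 digests
    published for it (hypothetical layout, not the NIST database format).
    """
    known_hashes = set().union(*reference.values())
    report = {"known": [], "altered": [], "unlisted": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_hex(path.read_bytes())
        rel = path.relative_to(root).as_posix()
        if digest in known_hashes:
            report["known"].append(rel)      # byte-identical to a listed file
        elif path.name.lower() in reference:
            report["altered"].append(rel)    # standard name, unlisted content
        else:
            report["unlisted"].append(rel)   # not in the reference set at all
    return report


def demo_known_files():
    """Constructed sample tree and reference set; no real vendor hashes."""
    stock_notepad = b"constructed stock notepad bytes"
    stock_calc = b"constructed stock calc bytes"
    reference = {
        "notepad.exe": {sha256_hex(stock_notepad)},
        "calc.exe": {sha256_hex(stock_calc)},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Users").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(stock_notepad)
        (root / "Windows" / "calc.exe").write_bytes(stock_calc + b"patched")
        (root / "Users" / "notes.txt").write_bytes(b"meeting at 9")
        return classify_files(root, reference)


if __name__ == "__main__":
    for category, files in demo_known_files().items():
        print(category, files)
```

Files in the "known" group can be set aside, which leaves the "altered" and "unlisted" groups as the ones that need an examiner's attention.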
Network Based Digital Media
It's quite possible that data stored somewhere else over the network was encrypted in transit but is not actually encrypted where it's stored. For example, suppose we've seized a suspect's computer and we're able to locate that person's username and password for a public cloud storage web site. This comes about sometimes when we're analyzing large volumes of data. In this case, we have found somebody's username and password for a cloud storage web site; can we use them? Before logging in to look for incriminating evidence, we need to be sure that we can legally use those credentials to log in to their cloud account and access their files. With software analysis, we should consider examining the software code itself and also analyzing its behavior while it's running. This can be difficult, as we do not want to disturb any potential evidence. Let's assume law enforcement finds a computer running a script that's in the midst of executing a distributed denial of service attack. As crazy as it sounds, if there's anything visible on the suspect's screen at the time, taking a photograph of it and applying the proper chain of custody to that photograph could prove important in the process.
Software analysis includes looking at program code, analyzing it, and examining it.
So it is essential to view the software both ways: its code (how it's been programmed) and what happens while it's running. As for embedded devices, the term 'digital forensics' covers any type of digital device: a smartphone, a tablet, a GPS device, and so on. We should never alter the data on the devices themselves and should instead work with a copy. It is good to have multiple copies, each with hashes, so as to preserve the original item. To ensure things are completely under our control, it is good to document everything related to a digital forensic investigation. Engage experts in a specific forensics field if required.
Software code needs to be investigated for its programming style, language, and comments. It also needs to be analyzed for its content and context.
Digital forensics includes smartphones, PDAs, tablets, GPS and any other digital device.
When dealing with embedded devices, keep data on the devices unaltered, preserve the original, be able to exhibit continuity, document all actions, and include computer forensic experts.