Digital Evidence India
Types of digital evidence India
- Digital Evidence India
- The Court and Rule of Evidence – Digital Evidence Rules of Procedure (Data compaction, Data Duplication/Authentication by Expert
- Data Compilation
- Information Discoverable
- Verification/validation, Standard followed
- The Court and Rule of Evidence – Digital Evidence Rules of Procedure (Data compaction, Data Duplication/Authentication by Expert
- Digital Forensic Science tool, technique, Approach, analysis and Process the digital evidence
- These evidence help reconstruct the Incident
- Proof in court of Law
- Types of file systems forensics
- Disk file systems
- Flash file systems
- Database file systems
- Transactional file systems
- Network file systems
- Shared disk file systems
- Special purpose file systems
- File systems available in India for forensics
- FAT, ExFAT, NTFS, EFS
- ISO 9660, Universal Disk Format (UDF)
- ext2, ext3, ext4, ReiserFS, Reiser4
- Hierarchical File System (HFS), HFS+
- Unix Filing System (UFS)
- Logical Volume Management (LVM)
- Next3 file system
- Data File – Active Data, Archival data, Backup Data, Residual Data (Free Space, File Slack, RAM Slack, Swap Files, Temp File, Unallocated Space, E-Mail, Background Data (Audit Trail, Access control, Metadata)
Active Data
- word, spreadsheet, database
- Photographs, calendar
- Archival Data
- Not an active data but is stored in fee Space on HDD, media
- Backup data
- Data copied in safe area/media
- Win95/98 – c:-5.cab
- WinNT/XP/2K – c:setting.dat
- Win7 “Backup & Restore”
- Residual Data
- May be deleted file on file structure
- RAM, File Slack (unallocated cluster space), swap file (hidden), temp file, unallocated space
- Rules of Digital Evidence
- (1) Digital Information can be recovered including deleted files
- (2) Expert must be allowed to retrieve the recoverable files
- (3) Duplicate of digital evidence is admissible as long as someone knowledgeable can authenticate it
- Different types of Data Files
- (a) Active Data || Readily available eg word,spreadsheets, web pages
- (b) Archival Data Files that have been sent for storage as that data is not used frequently
- (c) Back Up Data||copied to safe area to ensure recovery in case of system failure
- (d) Residual Data ||Not visible to end user but recoverable from digital media
- (1) Free Space
- (2) File Slack
- (3) RAM Slack
- (4) Swap Files
- (5) Temp Files
- (6) Unallocated Space
- Data Files
- MetaData||data points such as date, time, author and relevant details of document author
- Electronic Mail
- Background Data|| such as audit trails, system logs, ACL records
Digital Forensic Protocols :- The protocol spells out necessary guidelines and methodologies to ensure reliability, consistency, integrity/accuracy/precision of data in an investigation. This approach ascertains that evidential information acquired or analyzed as a course of examination are admissible in the court of law with reasonable assurance about its authenticity/origin.
- Forensic Science – The Application of Science to law
- It utilized for Identifying, recovering, reconstructing or analyzing evidence during a criminal and civil investigation.
- It diverges from traditional area because of rate of advancement of technologies
- Analyze available evidence Create hypothesis,Perform test This process will lead to Strong possibility about what have occurred
- Cardinal Rules of Digital forensic
- Never mishandled Evidence
- Never work on original evidence
- Never trust the system Document
- Document all action.
- Alpha 5
- Assessment
- Acquisition
- Authentication – may use MD5, SHA1
- Analysis & Reporting
- Archives
- Keyword search is the most important aspect of digital forensic
- Examine executable files & run suspicious application in a standalone environment
- Digital Forensics
- The four guiding principles of any examination are:
- Safe handling of evidences to ensure they are intact.
- The originating evidence/suspect should not be tampered or worked upon.
- The suspect host OS should not be trusted, as it may have rootkits, malicious software installed likeanti-forensic.
- All the audit trails of examination should be retained and recorded in substantiating documents
- The four guiding principles of any examination are:
Types of digital evidence in India
- Physical Evidence
- Large Scale Digital Evidence
- Computers
- Desktops
- Laptops
- Servers
- Tablets
- Netbooks
- Grids
- Clusters
- Computers
- Small Scale Digital Evidence
- Mobile phones
- PDAs
- Digital Music Players
- Smart Phones
- Embedded Devices
- GPS Devices
- Storage Devices
- USB Thumb Drives
- External Hard drives
- Digital Cameras
- Network Devices
- Routers
- Switches
- Hubs
- Firewalls
- IDS
- Wireless AP
- Peripherals
- Printers
- Scanners
- Copiers
- Storage Media Evidence
- Magnetic
- Floppy
- Tapes
- Optical
- CD
- DVD
- Blu-ray
- Transistor
- Memory Cards
- Smart Cards
- RFID Tags
- Obscure Evidance
- Gaming Devices
- Xbox
- PlayStation
- Wii
- PSP
- Recording Devices
- Camcorders
- Audio recorders
- Surveillance cameras
- Network enabled appliances
- Gaming Devices
- Logical Evidance
- Operating Systems
- Registry
- System Logs
- System Files
- Printer Spool
- Swap files
- Applications
- Application Logs
- Security Logs
- Browser History
- Application Files
- Cookies
- Configuration Files
- Executables
- File Systems
- Files
- Images
- Data
- Documents
- Audio
- Video
- File metadata
- MAC-times
- Permissions
- Memory
- RAM
- Cache
- Virtual Memory
- External
- Telecom network
- Phone Records
- Internet logs
- Internet
- Clouds
- Online Storage
- Cloud Apps
- Domain Name records
- Social networks
- Webpages
- Clouds
- Access Control Systems
- Passport control logs
- Building security logs
- Electronic Commerce Services
- Credit Card comany logs
- Bank logs
- E-payment logs
- Webshop logs
- Telecom network
- Files
- Application Logs
- Operating Systems
- Magnetic
- Large Scale Digital Evidence
