Need help on writing the project

Answer the following questions (1 to 6) below. All your answers must be submitted/uploaded in a SINGLE Word/PDF document. Provide detailed answers and examples to demonstrate your understanding. Use at least 3 diagrams, if necessary. Specify any assumptions that you are making.


Each question should be 3 pages long.

Question 1:

Explain two or more prominent Standards or Frameworks in the field of Computer Forensics. As part of your response:

(A) Discuss the methodologies, principles, and characteristics of the standards or frameworks.

(B) Draw a detailed comparison between them, highlighting their strengths and weaknesses.


Question 2:

Prepare a comprehensive Digital Forensic checklist for an incident related to

an application. Your checklist must cover key aspects about the incident as

well as the anticipated investigation response. You can choose one of the following scenarios to prepare your checklist and other investigation details.

(A) A compromised SaaS* application.

(B) A compromised marketing website.

(C) A compromised mobile application/device.

Note: *SaaS means Software as a Service.

Question 3:

Conduct an API Forensic study on a provider (vendor). You may select multiple vendors from API Marketplace in the API Discovery platform. Your study must achieve the following objectives:

(A) Investigate at least one vendor.

(B) List all APIs found related to that vendor(s).

(C) Provide details of at least one API, e.g., legal terms, hosts, endpoints, etc.

(D) Execute an API endpoint to record its response (API output) [BONUS MARK]

Note: Refer to your API Discovery account for conducting this investigation. Provide screen shots of your work, if necessary. API Marketplace link is here:

https://apidiscovery.teejlab.com/edsn/knowledgebase

Question 4:

Imagine a scenario where a company suspects an insider Data Breach and seeks your services as a Digital Forensics expert to investigate. In a concise manner:

(A) Outline the necessary steps you would like to take in this Digital Forensic investigation.

(B) Highlight the critical stages, tools, and key considerations to emphasize the importance of adhering to legal/ethical standards.

Note: Provide detailed answers and examples to demonstrate your understanding. Specify any assumptions that you are making.

Question 5:

Suppose you are analyzing a computer containing fragments of graphics files. Discuss the challenges and techniques involved in identifying and reconstructing fragmented graphics; you should consider:

(A) File fragmentation mechanism in computer file systems

(B) The tools and techniques to identify and reconstruct fragmented graphics

(C) How to analyze file metadata and file headers

Note: Provide detailed answers and examples to demonstrate your understanding. Specify any assumptions that you are making.

Question 6:

Suppose that you are investigating cases of policy violations involving e-mails. Describe a detailed procedure for your investigation. You must consider the following aspects:

(A) Tools and techniques

(B) What kind of data you will be investigating

(C) How to perform source tracing

Note: Provide detailed answers and examples to demonstrate your understanding. Specify any assumptions that you are making.

INCS-712: Computer Forensics
Course Syllabus and Introductions
Baljeet Malhotra, PhD
Course Instructor
Baljeet Malhotra, PhD
Founder & CEO
TeejLab
• VP Research, Black Duck Software
(acquired by Synopsys for $565MM)
• Research Director at SAP; Computer
Scientist (EOS Lab) Software
Engineer (Tech Mahindra)
• PhD (Univ. of Alberta, Canada), PDF
(NUS, Singapore)
• Adjunct Professor at the Universities
of British Columbia, Victoria, UNBC,
and New York Institute of Tech.
• Advisor to PhD and MSc students at
various institutes/universities
• Global Young Scientist (Singapore);
NSERC Scholar (Canada)
Contact
Email: bmalho02@nyit.edu
LinkedIn: baljeetmalhotra
Course TA
Sixing Lu
Email: slu13@nyit.edu
LinkedIn: sixing-lu-77992825b
About You?
Course Outline (Weekly Schedule)
W1 – Basics of Computer Forensics
W2 – Data Analysis / Investigations
W3 – Digital Investigation Process
W4 – Hands-on Project (Instructor)
W5 – Hands-on Project (Instructor)
W6 – Mid-Term
W7 – W12 – Hands-on Project (Students)
Course Resources and Acknowledgements
• Required: Laptop
• Reference Books
1. Sherri Davidoff and Jonathan Ham, “Network Forensics: Tracking Hackers through Cyberspace,” Edition 1, Prentice Hall; June 18, 2012.
2. Brian Carrier, “File System Forensic Analysis,” Addison-Wesley Professional; Edition 1, March 27, 2005. ISBN-10: 0321268172; ISBN-13: 978-03212681.
3. Fernando Carbone, “Computer Forensics with FTK,” Packt Publishing. ISBN-10: 1783559020; ISBN-13: 978-1783559022.
4. Bill Nelson, Amelia Phillips, Christopher Steuart, “Guide to Computer Forensics and Investigations: Processing Digital Evidence.”
• Previous Instructors: Wei Li, PhD and Juseop Lim
Course Grading
Activity Name – Activity Weightage
Class Participation – 10%
Quizzes (5 in total) – 20%
Mid Term Exam (take-home) – 30%
Hands-On Project – 40%, made up of:
  Report (3-5 pages) – 15%
  Presentation (of features/functions) – 10%
  Scenario (Problem/Definition) – 05%
  Creativity (Originality of Scenario) – 05%
  Peer Review (of others’ presentations) – 05%
Course Etiquette
• Be quiet in the classroom
• Attend classes & exams (no exceptions)
• Plagiarism or Cheating is not acceptable
• Emails asking for marks will be ignored
INCS-712: Computer Forensics
Part 1 – Introduction to Computer Forensics
Baljeet Malhotra, PhD
Introduction to Computer Forensics
Part One: What is Computer Forensics
Forensic Sciences
• DNA analysis
• Fingerprint analysis
• Blood stain pattern analysis
• Tool mark analysis
• Serology
• Toxicology
• Hair and fiber analysis
• Entomology
• Firearms examination and ballistics
• Questioned documents
• Anthropology
• Odontology
• Pathology
• Epidemiology
• Footwear and tire analysis
• Drug chemistry
• Paint and glass analysis
• Digital Forensics (text, audio and video data)
What is Computer Forensics
• The collection, preservation, analysis and
presentation of computer-related evidence.
• Determining the past actions that have taken place
on a computer system using forensic techniques.
Computer Forensics Standards/Frameworks
• The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
• In October 2012, an ISO standard for digital forensics was ratified: ISO/IEC 27037:2012, Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence.
• The US Federal Rules of Evidence (FRE) were created to ensure consistency in federal proceedings.
• The Fourth Amendment to the U.S. Constitution protects everyone’s right to be secure from unreasonable search and seizure.
Brief History of Computer Forensics
• In early 1990s, the International Association of Computer Investigative
Specialists (IACIS) introduced training on software for digital forensics.
• IRS (Internal Revenue Service) created search-warrant programs.
• ASR Data created Expert Witness for Macintosh.
• AccessData Forensic Toolkit (FTK) is a popular commercial product.
Purpose of Computer Forensics
• Forensics: scientific tests or techniques used
in connection with the detection of crime.
• Computer forensics uses technologies to
search for digital evidence of a crime.
• Retrieve information even if it has been
altered or erased to be used in the pursuit of
an attacker or a criminal.
Motivations – Cybercrime Losses
[Chart: global cybercrime losses, 2010 to 2025, in trillions of USD; bars labelled $3.00, $3.45, $4.96 and $10.50. Source: World Economic Forum, Global Risk Report 2023.]
Motivations – Cybercrime Losses
[Chart: cybercrime compared with national economies, in trillions of USD; bars labelled USA $19.49, China $12.24, Cybercrime $6.55, Japan $4.87. Source: Investopedia, 2022.]
Basis of Computer Forensics – File Management
• Windows file systems keep a table recording where each file lives on disk:
  File Allocation Table (FAT) on FAT volumes
  Master File Table (MFT) on NTFS volumes
• The FAT/MFT entry tells the computer where the file begins and ends
• Deleting a file removes only the pointer:
  The FAT/MFT entry and the clusters the file occupied are marked as available
• The actual data that was contained in the file is NOT deleted; it remains in unallocated space until those clusters are reused
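Worked example (added here, not part of the course slides): a small signature-based carver that recovers files whose FAT/MFT entries are gone by scanning unallocated space for known header and footer bytes, the idea behind TrID-style signature analysis and the carving Autopsy performs. The blob standing in for unallocated space, the JPEG/PNG payloads and the orphaned header are constructed inline so the script runs offline; the header/footer signatures are the real JPEG and PNG magic bytes.

```python
# Added example: carve JPEG and PNG files out of a byte blob that stands in
# for unallocated disk space. The blob is constructed inline below; nothing
# here is course or vendor code.
import hashlib

# Header and footer signatures (the same magic bytes a signature analyser uses)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # PNG signature ... IEND chunk
}


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, type, data) for every file found by signature.

    Only contiguous files are recovered: a fragmented file whose footer sits
    in a non-adjacent cluster is either truncated or reported as a partial
    hit (data is None). That is exactly the fragmentation problem the
    graphics-file question later in the course asks about."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while True:
            off = blob.find(head, start)
            if off < 0:
                break
            end = blob.find(tail, off + len(head), off + max_size)
            if end < 0:
                # header with no footer inside the window: record a partial hit
                found.append((off, kind, None))
                start = off + len(head)
                continue
            end += len(tail)
            found.append((off, kind, blob[off:end]))
            start = end
    return sorted(found, key=lambda hit: hit[0])


def sha256(data: bytes) -> str:
    """Hash of each carved object, recorded so it can be matched later."""
    return hashlib.sha256(data).hexdigest()


def build_sample_unallocated() -> bytes:
    """Constructed 'unallocated space': zero filler, one deleted JPEG, one
    deleted PNG, and one JPEG header whose footer was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"JFIF-payload" + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 17
           + b"IEND\xaeB`\x82")
    orphan = b"\xff\xd8\xff\xe1" + b"\x02" * 30   # header only, no EOI marker
    filler = b"\x00" * 64
    return filler + jpeg + filler + png + filler + orphan + filler


if __name__ == "__main__":
    for off, kind, data in carve(build_sample_unallocated()):
        if data is None:
            print(f"offset {off}: {kind} header without footer (partial)")
        else:
            print(f"offset {off}: {kind} {len(data)} bytes sha256={sha256(data)[:16]}")
```

The max_size window matters in practice: without it a JPEG header followed by a missing footer would swallow everything up to the next unrelated FF D9 on the disk, so a carver must bound the search and report the partial hit instead.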
Basis of Computer Forensics – Media and Data
• Desktop computers and laptops
• iPads, iPods, etc.
• Smartphones and most other cell phones
• MP3 music players, CD-ROMs & DVDs
• Hard Drives
• Digital Cameras
• USB Memory Devices, memory cards
• Backup Tapes
• ….
Capabilities of Computer Forensics
• Recover deleted files
• Find attached/external devices and who accessed them
• Determine what programs were run
• Recover webpages
• Recover emails and users who read them
• Recover chat logs
• Determine file servers used
• Discover document’s hidden history
• Recover phone records and SMS from mobile devices
• Find malware and data collected
Typical Computer Forensic Investigations
• Theft of Company Secrets
• Employee Sabotage
• Credit Card Fraud
• Financial Crimes
• Economic Crimes
• Harassment
• Child Pornography
• Major Crimes
• Identity Theft
Users of Computer Forensics
• Law Enforcement
• Private Computer Forensic Organizations
• Military
• University Programs
• Computer Security and IT Professionals
Computer Forensic Users – Law Enforcement
• Local, State and Federal levels
• Detectives at local levels
• State or provincial police
• FBI’s Computer Analysis and Response Team (CART)
• Regional Computer Forensics Laboratories (RCFLs)
• EnCase is a popular tool
Computer Forensic Users – Organizations
• Canadian Forensics Inc. (RCMP Fingerprinting /
Background Checks / Paternity DNA Tests )
• The Centre of Forensic Sciences
• Computer Forensics Associates
• Empire Investigation LLC
• Advanced Forensic Recovery of Electronic Data
• Philadelphia Computer Forensics
• Philadelphia Computer Forensics Analysis and
Investigations
• New York Computer Forensic Services
Computer Forensic Users – Military
• Test, identify, and gather evidence in the field
  Specialized training in imaging and identifying multiple sources of electronic evidence
• Analyze the evidence for rapid intelligence gathering and responding to security breach incidents
  Desktop and server forensic techniques
Digital Forensics and Other Related Disciplines
• Investigating digital devices
Collecting data securely
Examining suspicious data to determine details such as origin
Presenting digital information to courts
Applying laws to digital device practices
• Digital forensics is different from data recovery
Recovery involves retrieving information that was deleted by mistake or
lost during a power surge or server crash
Forensics looks for evidence.
Digital Forensics and Other Related Disciplines
• Forensics investigators often work as part of a team to
make computers and networks secure, known as the
investigations triad.
Digital Forensics and Other Related Disciplines
• Vulnerability/threat assessment and risk
management
Tests and verifies the integrity of stand-alone workstations and
network servers
• Network intrusion detection and incident
response
Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
Manages investigations and conducts forensics analysis of
systems suspected of containing evidence
Understanding Case Law
• Existing laws can’t keep up with the rate of
technological change.
• When statutes don’t exist, case law is used.
Allows legal counsel to apply previous similar cases to current one
in an effort to address ambiguity in laws
• Examiners must be familiar with recent court
rulings on search and seizure in the digital world.
Digital Forensics Tools and Resources
Name – Description
ExifTool – Metadata analysis
HashMyFiles – Hash analysis
TrID – Signature analysis
Autopsy Forensic Analyzer – Data carving, analysis
FTK Imager, Arsenal Image Mounter, CAINE – Forensic imaging & mounting image files
KAPE, Redline – Collection for incident response
Eric Zimmerman tools – Event log analysis
Eric Zimmerman tools – Prefetch file analysis
Eric Zimmerman tools – MFT parsing, timeline creation
RegRipper – Registry analysis
Eric Zimmerman tools – Jump list, link file analysis
Timeline Explorer – Event log analysis
Volatility – Memory forensics
Sysinternals – Live forensics
MITRE ATT&CK – IR framework
Wireshark – Packet analysis
Digital Forensics Tools and Resources (cont’d)
Name – Description
EnCase Forensic – Collect/organize metadata from devices
ProDiscover Forensics – Collect/organize metadata from devices
ArcSight Logger – Digital forensic tool by Micro Focus
NetWitness Investigator – Malicious activity detection
Change Auditor – Active Directory tracker by Quest
Forensic Toolkit (FTK) – Digital forensic tool by AccessData
Physical Analyzer – Digital forensic tool by Cellebrite
Lantern – Katana Forensics tool for iPhone/iPod/iPad
WinHex – Data recovery and digital forensics tool by X-Ways Software Technology AG
National Software Reference Library (NSRL) – Database of hashed files managed by NIST
Next Class
INCS-712: Computer Forensics
Part 2 – Digital Crime Scenes
Baljeet Malhotra, PhD
INCS-712: Computer Forensics
Part 2 – Crime Scene Analysis – Investigations
Baljeet Malhotra, PhD
Agenda
• Incident Response
  Definitions
  Incident Goals
  Incident Activities
  Responsible Disclosure
• Systematic Approach
  Initial Assessment
  Preliminary Design
  Resource Assessment
  Data Collection/Analysis
• Case Studies
  Company Policy Violation
  Private/Industrial Investigation
Incident and Response
• What is an Incident?
– Older definition: Any unlawful, unauthorized, or unacceptable action that involves a computing system or computer network
– Recent definition: Any unlawful, unauthorized, or unacceptable action that involves a computer system, cell phone, tablet, and any other electronic device with an operating system or that operates on a computer network
– NIST definition (SP 800-61r2): an event is any observable occurrence in a system or network; an incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
– Resource: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• What is a Response?
– Definition: A coordinated and structured approach to manage an incident from detection to resolution
Responsible Disclosure
• What is Responsible Disclosure?
– Definition: Ethical practice of reporting security vulnerabilities or issues discovered during digital forensic investigations to the relevant parties, such as software developers, hardware manufacturers, law enforcement agencies or other affected entities, in a manner that allows them to address the issue before it is publicly disclosed or exploited.
Responsible Disclosure – Key Principles
• Privacy: Ensuring that sensitive information related to the vulnerability is shared only with the entity responsible for addressing it, protecting the details from potential misuse.
• Timeliness: Reporting the vulnerability promptly after discovery, allowing for a reasonable timeframe for the issue to be fixed before any public disclosure.
• Collaboration: Working together with the affected entity to understand the severity of the issue, validate the vulnerability, and assist in mitigating any potential impacts.
• Transparency: Following up with the affected entity to monitor the progress and, if agreed upon, publicly disclosing the vulnerability details in a way that benefits the wider community, once a fix has been implemented.
• Posturing: Presenting a stance of readiness to address vulnerabilities and engage with the ethical disclosure process. An entity that positions itself to respond to disclosures plays a crucial role in building trust.
Why Digital Forensics?
• Computers can contain information that helps law enforcement determine
  Chain of events leading to a crime
  Evidence that can lead to a conviction
• Law enforcement should follow proper procedure when acquiring evidence
  Digital evidence can be easily altered by an overeager investigator
• Information on the device might be protected or encrypted, so forensics tools may be necessary in your investigation
Goals of an Incident Response
• Investigate: A systematic way to collect and process information about an incident.
– Attack Vector
– Malware and Tools
– Affected Systems
– Damage Assessment
– State of Attack
– Time Frame
• Present: Presenting evidence to a competent authority.
• Remediate: A systematic way to manage an incident and its aftereffects.
– Developing a plan
– Implementing a plan
Activities of an Incident Response
1. Confirm whether an incident occurred
2. Provide rapid detection and containment
3. Determine and document the scope of the incident
4. Prevent a disjointed, noncohesive response
5. Determine and promote facts and actual information
6. Minimize disruption to business and network operations
7. Minimize the damage to the compromised organization
8. Restore normal operations
9. Manage the public perception of the incident
10. Allow for criminal or civil actions against perpetrators
11. Educate senior management
12. Enhance the security posture of a compromised entity against future incidents
Incident Response Team Structure
[Diagram: a Core Team at the centre, surrounded by Compliance, IT Support, Legal, Human Resources, Business Managers and Information Security.]
Taking a Systematic Approach
• Make an initial assessment about the type of case you are investigating
• Determine a preliminary design or approach to the case
• Determine the resources you need
• Obtain and copy an evidence drive
• Create a detailed checklist/report
• Present your analysis/investigation
Systematic Approach – Initial Assessment
• Understand the nature of the incident or crime.
• Identify potential sources of digital evidence.
• Determine the scope of the investigation (e.g., timeframe, involved parties).
• Assess the potential complexity of the case (e.g., types of devices involved,
encryption, data volume).
Systematic Approach – Preliminary Design
• Develop a strategy tailored to the specificities of the case.
• Decide on the tools and methods to be used for data collection, preservation,
and analysis.
• Plan the sequence of actions to minimize data loss and contamination.
• Determine how to handle challenges like encrypted data or large data sets.
Systematic Approach – Resource Determination
• Identify the human resources required (e.g., software security engineer, digital
forensic analysts, legal advisors).
• Determine the technical resources needed, such as forensic software, hardware,
and specialized tools.
• Evaluate the need for additional resources like cloud storage access or expertise
in specific software/hardware.
Systematic Approach – Evidence Drive
• Securely acquire the physical or logical storage media (hard drives, SSDs,
mobile devices, cloud storage, etc.).
• Create forensic images of the media, ensuring that they are exact bit-by-bit
copies.
• Use write blockers to prevent any modification of the original evidence during
the copying process.
• Verify the integrity of the forensic images through hash values.
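Worked example (added, not course material): the acquisition step above as a script. It reads the source in fixed-size chunks, hashes the source as it is read, writes a bit-for-bit image, hashes the image back from disk, and can re-verify the image at any later point; flipping a single byte of the image makes verification fail. The "device" is a temporary file of random bytes built inline. In a real acquisition src_path would be a block device sitting behind a hardware write blocker; the read-only open mode in the script is good hygiene, not a substitute for the blocker.

```python
# Added example: bit-for-bit acquisition with hash verification, the step a
# tool such as dd or FTK Imager performs. Not course or vendor code. The
# "device" is a temporary file built inline so the script runs offline.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time, as imaging tools do


def hash_file(path: str) -> str:
    """SHA-256 of a file read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src_path: str, dst_path: str) -> dict:
    """Copy src to dst byte for byte. Hash the source while it is read and the
    image after it is written; both go into the acquisition record, which is
    the first entry of the chain-of-custody paperwork for the image."""
    h_src = hashlib.sha256()
    size = 0
    # Opening read-only is good hygiene; a hardware write blocker, not this
    # flag, is what actually protects the original during acquisition.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            h_src.update(buf)
            dst.write(buf)
            size += len(buf)
        dst.flush()
        os.fsync(dst.fileno())
    return {
        "source": src_path,
        "image": dst_path,
        "bytes": size,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": h_src.hexdigest(),
        "sha256_image": hash_file(dst_path),
    }


def verify_image(record: dict) -> bool:
    """Re-hash the image now and compare with both hashes taken at
    acquisition. Any later change to the image, or a short copy, fails."""
    current = hash_file(record["image"])
    return (current == record["sha256_image"] == record["sha256_source"]
            and os.path.getsize(record["image"]) == record["bytes"])


def demo() -> tuple:
    """Constructed run: image a fake device, verify, tamper with one byte of
    the image, verify again. Returns (ok_before, ok_after, bytes_imaged)."""
    workdir = tempfile.mkdtemp()
    dev = os.path.join(workdir, "sdb.bin")
    img = os.path.join(workdir, "sdb.dd")
    with open(dev, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a CHUNK multiple
    record = image_device(dev, img)
    ok_before = verify_image(record)
    with open(img, "r+b") as f:  # simulate a careless examiner touching the image
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(record)
    return ok_before, ok_after, record["bytes"]


if __name__ == "__main__":
    before, after, n = demo()
    print(f"imaged {n} bytes; verified={before}; after tampering verified={after}")
```

Hashing the source during the read and the image after the write, rather than one or the other, is what lets the record show both that the copy is complete and that the original was not altered while it was being read; the same record is what the Best Evidence Rule discussion later in the course relies on to treat the bit-stream copy as equivalent to the original.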
Systematic Approach – Detailed Checklist
• List every step of the forensic process from initial assessment to final reporting.
• Include specific actions for evidence handling, documentation, and analysis.
• Create sub-checklists for different phases like collection, examination, and
analysis.
• Ensure that the checklist covers legal compliance, chain of custody, and quality
control measures.
Digital Forensic Checklist – Generic
1. Date and time of the incident
2. Date and time of the incident detection
3. Personnel documenting the incident
4. Personnel reporting the incident
5. Personnel detecting the incident
6. Personnel aware of the incident
7. State of incident – currently ongoing/stopped
8. Affected resources – data or resources that may have been affected
9. Requirement to keep knowledge of the incident on a “need-to-know” basis
10. Personnel accessing affected resources (since the detection) and their activities
11. Unique identifier and location of affected resources – IP address may not be unique
12. Categorization of the incident – malware, phishing, failed logins, unauthorized access
13. Incident detection method – antivirus alert, an IDS alert, user reported suspicious behavior
Digital Forensic Checklist – Individual System
1. Physical location
2. The asset tag number
3. The system’s make and model
4. The operating system installed
5. Primary function of the system
6. The responsible system administrator or user
7. The assigned IP addresses
8. The system’s host name and domain
9. The critical information stored on the system
10. Whether backups exist for the system
11. Whether the system is still connected to the network
12. A list of malware detected, from the time of investigation back to the beginning of logs
13. A list of any remediation steps that have been taken
14. Data being preserved – what process is being used and where it is being stored
Digital Forensic Checklist – Network
1. Network monitoring status
2. Updates to network diagrams and configurations
3. A list of any remediation steps that have been taken
4. A list of all external malicious IP addresses or domain names involved
5. Data preserved – what process is being used and where it is being stored
Digital Forensic Checklist – Malware
1. The date and time of detection
2. Method of malware detection
3. A list of systems where the malware was found
4. Name of the malicious file
5. Preserved copy of the malware – manually or through a quarantine process
6. Detection mechanism findings, such as the name and family of the malicious file, and their directory information
7. Status of malware during the IR process – presence of active network connections
8. Analysis status – any analysis conducted for network and host indicators of compromise
9. Submission status to 3rd parties – via automated processes or direct action by an employee
Case Study – Company Policy Violations
Company Policy Violations
• Employees misusing resources can cost companies millions
of dollars
• Misuse includes:
Surfing the Internet
Sending personal e-mails
Using company computers for personal tasks
Usage of unapproved resources leading to business risks
Unapproved Resources Leading to Risks
Taking a Systematic Approach
• Identify the risks
• Mitigate or minimize the risks
• Test the design
• Analyze and recover the digital evidence
• Investigate the data you recover
• Complete the case report
• Critique the case
Assessing the Case
• Systematically outline the case details
Situation
Nature of the case
Specifics of the case
Type of evidence
Known disk format
Location of evidence
• Based on these details, you can determine the case requirements
Planning Investigation
• A basic investigation plan should include the following activities:
Acquire the evidence
Complete an evidence form and establish a chain of custody
Transport the evidence to a computer forensics lab
Secure evidence in an approved secure container
Planning Investigation
• A basic investigation plan (cont’d):
Prepare your forensics workstation
Retrieve the evidence from the secure container
Make a forensic copy of the evidence
Return the evidence to the secure container
Process the copied evidence with computer forensics tools
Planning Investigation
• An evidence custody form helps you document what has
been done with the original evidence and its forensics copies
Also called a chain-of-evidence form
• Two types
Single-evidence form
 Lists each piece of evidence on a separate page
Multi-evidence form
[Figures: Single Evidence Form; Multi Evidence Form]
Securing Evidence
• Use evidence bags to secure and catalog the evidence
• Use computer-safe products when collecting computer evidence
  Antistatic bags
  Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
  CD drive bays
  Insertion slots for power supply electrical cords and USB cables
• Write your initials on the tape to prove that evidence has not been tampered with
• Consider computer-specific temperature and humidity ranges
  Make sure you have a safe environment for transporting and storing it until a secure evidence container is available
Employee Termination
• The majority of investigative work for termination cases
involves employee abuse of corporate assets
• Incidents that create a hostile work environment are the
predominant types of cases investigated
Viewing pornography in the workplace
Sending inappropriate e-mails
• Organizations must have appropriate policies in place
Case Study – Internet Abuse Investigation
Internet Abuse Investigation
• To conduct an investigation, you need:
Organization’s Internet proxy server logs
Suspect computer’s IP address
Suspect computer’s disk drive
Your preferred computer forensics analysis tool
Internet Abuse Investigation
• Recommended steps
  Use standard forensic analysis techniques/procedures
  Use appropriate tools to extract all Web page URLs
  Contact the network firewall administrator and request a proxy server log
  Compare the data recovered from forensic analysis to the proxy server log
  Continue analyzing the computer’s disk drive data
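Worked example (added here, not from the course): the comparison step above in Python. URLs recovered from the suspect's drive are matched against the proxy log entries for the suspect's IP address and split into corroborated, proxy-only and disk-only sets, and the requests the proxy refused are listed separately. Both the log lines and the recovered URL list are constructed; the log layout is assumed to be Squid's native access.log format (timestamp, elapsed ms, client IP, result/status, size, method, URL, ident, hierarchy, content type).

```python
# Added example: correlate URLs recovered from a suspect's disk (browser
# history, cache, carved strings) with the organisation's proxy log for the
# suspect machine's IP address. Log lines and URLs are constructed; the log
# format is assumed to be Squid's native access.log, not course material.
from datetime import datetime, timezone
from urllib.parse import urlsplit

PROXY_LOG = """\
1700000000.101    312 10.1.2.34 TCP_MISS/200 5123 GET http://news.example.org/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000021.540   1200 10.1.2.34 TCP_MISS/200 88342 GET http://videos.example.net/clip?id=77 - HIER_DIRECT/203.0.113.20 video/mp4
1700000040.007     15 10.1.2.99 TCP_HIT/200 512 GET http://intranet.example.com/ - NONE/- text/html
1700000065.233    420 10.1.2.34 TCP_MISS/403 300 GET http://gambling.example.biz/bet - HIER_DIRECT/203.0.113.30 text/html
1700000090.770    230 10.1.2.34 TCP_MISS/200 4411 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.40 -
"""

# URLs recovered by forensic analysis of the suspect's drive (constructed).
RECOVERED_URLS = [
    "http://news.example.org/index.html",
    "http://gambling.example.biz/bet",
    "http://shop.example.com/cart",   # in the cache but never seen by the proxy
]


def parse_squid_line(line: str) -> dict:
    """One line of Squid native format: ts elapsed client code/status size method url ..."""
    f = line.split()
    ts, client, code_status, method, url = f[0], f[2], f[3], f[5], f[6]
    return {
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
        "client": client,
        "status": int(code_status.split("/")[1]),
        "method": method,
        "url": url,
        # CONNECT lines carry host:port rather than a full URL
        "host": urlsplit(url).hostname if "://" in url else url.split(":")[0],
    }


def proxy_entries_for(log: str, client_ip: str) -> list:
    """All proxy log entries made by one client IP, in log order."""
    return [e for e in (parse_squid_line(l) for l in log.splitlines() if l.strip())
            if e["client"] == client_ip]


def correlate(log: str, client_ip: str, recovered: list) -> dict:
    """corroborated: on disk and in the proxy log (strongest evidence).
    proxy_only: visited through the proxy but absent from disk (cache cleared,
    private browsing). disk_only: on disk but never logged by the proxy
    (proxy bypass, another network, or a log retention gap; needs follow-up).
    blocked: requests the proxy answered with 403, i.e. policy hits."""
    entries = proxy_entries_for(log, client_ip)
    seen = {e["url"] for e in entries}
    rec = set(recovered)
    return {
        "corroborated": sorted(seen & rec),
        "proxy_only": sorted(seen - rec),
        "disk_only": sorted(rec - seen),
        "blocked": sorted(e["url"] for e in entries if e["status"] == 403),
        "first_seen": min(e["time"] for e in entries).isoformat() if entries else None,
    }


if __name__ == "__main__":
    for key, value in correlate(PROXY_LOG, "10.1.2.34", RECOVERED_URLS).items():
        print(f"{key:13} {value}")
```

The disk-only set is the one to chase: a URL that is on the drive but never passed through the proxy is either a gap in the log evidence or a sign the user found a way around the proxy, and the report has to say which.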
Email Abuse Investigation
• To conduct an investigation you need:
An electronic copy of the offending e-mail that
contains message header data
If available, e-mail server log records
For e-mail systems that store users’ messages on a
central server, access to the server
Access to the computer so that you can perform a
forensic analysis on it
Your preferred computer forensics analysis tool
Email Abuse Investigation
• Recommended steps
Use the standard forensic analysis techniques
Obtain an electronic copy of the suspect’s and
victim’s e-mail folder or data
For Web-based e-mail investigations, use tools
such as FTK’s Internet Keyword Search option to
extract all related e-mail address information
Examine header data of all messages of
interest to the investigation
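Worked example (added, not course material): header examination for the e-mail abuse case above. The script walks the Received headers from the bottom up to reconstruct the message path, extracts the originating IP address and HELO name as recorded by the first relay, and flags a From domain that does not match the envelope sender in Return-Path. The message is constructed for the example; the host names and IP addresses are documentation ranges, not real systems.

```python
# Added example: trace a suspect e-mail back through its Received headers and
# flag the inconsistencies an examiner checks first. The message below is
# constructed for the example; it is not course material.
import email
import re
from email.utils import parseaddr

SAMPLE = b"""\
Return-Path: <bounce@mailer.example-spam.net>
Received: from relay.example-spam.net (relay.example-spam.net [198.51.100.7])
        by mx.corp.example (Postfix) with ESMTPS id 4AB12
        for <victim@corp.example>; Tue, 14 Nov 2023 10:05:11 +0000
Received: from pc-2231 (unknown [203.0.113.45])
        by relay.example-spam.net with SMTP; Tue, 14 Nov 2023 10:04:58 +0000
From: "HR Department" <hr@corp.example>
To: victim@corp.example
Subject: Updated leave policy
Message-ID: <20231114100455.1234@pc-2231>
Date: Tue, 14 Nov 2023 10:04:55 +0000

Please read the attached policy.
"""

# "from <helo-name> ( ... ) ... by <receiving-server>"
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw: bytes) -> list:
    """Return hops in transmission order, origin first.

    Each Received header is written by the *receiving* server, so the IP it
    records is only as trustworthy as that server; the HELO name is whatever
    the sender claimed. Only the top-most header (added by our own MX) is
    fully under our control, which is why the path is read bottom-up."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue  # non-standard header: keep going rather than abort
        ips = IP_RE.findall(hdr.split(" by ")[0])  # IPs before "by" belong to the sender side
        hops.append({"helo": m.group(1), "ip": ips[-1] if ips else None, "by": m.group(2)})
    return hops


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def header_findings(raw: bytes) -> dict:
    """Checks run before source tracing: does the visible From domain match
    the envelope sender (Return-Path)? Where did the message enter our mail
    system, and what host generated it (origin IP, HELO, Message-ID host)?"""
    msg = email.message_from_bytes(raw)
    hops = parse_hops(raw)
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": from_dom != rp_dom,
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_helo": hops[0]["helo"] if hops else None,
        "entry_relay": hops[-1]["helo"] if hops else None,
        "message_id_host": msg.get("Message-ID", "").rsplit("@", 1)[-1].rstrip(">"),
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(f"{hop['helo']:28} {hop['ip'] or '-':16} -> {hop['by']}")
    for key, value in header_findings(SAMPLE).items():
        print(f"{key:20} {value}")
```

In the constructed message the visible sender claims to be internal HR, but the envelope sender, the first relay and the Message-ID host all point at an outside machine; those three disagreements, not the From line, are what source tracing is built on, and the origin IP is the value to take to the mail server logs and the ISP.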
INCS-712: Computer Forensics
Part 2 – Private/Industrial Investigation
Baljeet Malhotra, PhD
Attorney-Client Privilege Investigation
• Under attorney-client privilege (ACP) rules for an attorney
You must keep all findings confidential
• Many attorneys like to have printouts of the data you have
recovered
You need to persuade and educate many attorneys on
how digital evidence can be viewed electronically
• You can also encounter problems if you find data in the
form of binary files
Attorney-Client Privilege Investigation
• Steps for conducting an ACP case
Request a memorandum from the attorney
directing you to start the investigation
Request a list of keywords of interest to the
investigation
Initiate the investigation and analysis
For disk drive examinations, make two bit-stream
images using different tools for each image
Compare hash signatures on all files on the original
and re-created disks
Attorney-Client Privilege Investigation
• Steps for conducting an ACP case (cont’d)
Methodically examine every portion of the disk drive and
extract all data
Run keyword searches on allocated and unallocated disk space
For Windows OSs, use specialty tools to analyze and extract
data from the Registry
For binary data files such as CAD drawings, locate the
correct software product
For unallocated data recovery, use a tool that removes or
replaces nonprintable data
Attorney-Client Privilege Investigation
• Steps for conducting an ACP case (cont’d)
Consolidate all recovered data from the evidence bit-stream
image into folders and subfolders
• Other guidelines
Minimize written communications with the attorney
Any documentation written to the attorney must contain a header
stating that it’s “Privileged Legal Communication—Confidential
Work Product”
Assist the attorney and paralegal in analyzing data
Case Study – Industrial Espionage Investigation
Industrial Espionage Investigation
• All suspected industrial espionage cases should be
treated as criminal investigations
• Staff needed
Computing investigator who is responsible
for disk forensic examinations
Technology specialist who is knowledgeable
of the suspected compromised technical data
Network specialist who can perform log analysis
and set up network sniffers
Threat assessment specialist (typically an attorney)
Industrial Espionage Investigation
• Guidelines when initiating an investigation
Determine whether this investigation involves a
possible industrial espionage incident
Consult with corporate attorneys and upper
management
Determine what information is needed to
substantiate the allegation
Generate a list of keywords for disk forensics and
sniffer monitoring
List and collect resources for the investigation
Industrial Espionage Investigation
• Guidelines (cont’d)
Determine goal and scope of the investigation
Initiate investigation after approval from
management
• Planning considerations
Examine all e-mail of suspected employees
Search Internet newsgroups or message boards
Initiate physical surveillance
Examine facility physical access logs for
sensitive areas
Industrial Espionage Investigation
• Planning considerations (cont’d)
Determine suspect location in relation to the
vulnerable asset
Study the suspect’s work habits
Collect all incoming and outgoing phone logs
• Steps to conducting an industrial espionage case
Gather all personnel assigned to the
investigation and brief them on the plan
Gather resources to conduct the investigation
Industrial Espionage Investigation
• Steps (cont’d)
Place surveillance systems at key locations
Discreetly gather any additional evidence
Collect all log data from networks and e-mail servers
Report regularly to management and corporate attorneys
Review the investigation’s scope with management and
corporate attorneys
Case Study – Private Sector Investigation
Procedures for Private Sector Investigations
• As an investigator, you need to develop formal
procedures and informal checklists
To cover all issues important to high-tech
investigations
Ensures that correct techniques are used in an
investigation
Interviews and Interrogations in Investigation
• Becoming a skilled interviewer and interrogator can
take many years of experience
• Interview
Usually conducted to collect information from a
witness or suspect
 About specific facts related to an investigation
• Interrogation
Process of trying to get a suspect to confess
Interviews and Interrogations in Investigation
• Role as a computing investigator
To instruct the investigator conducting the interview
on what questions to ask
 And what the answers should be
• Ingredients for a successful interview or interrogation
Being patient throughout the session
Repeating or rephrasing questions to zero in on
specific facts from a reluctant witness or suspect
Being tenacious
Next Class
INCS-712: Computer Forensics
Part 3 – Crime Scene Analysis
Baljeet Malhotra, PhD
INCS-712: Computer Forensics
Part 3 – Digital Crime Scene Analysis
Baljeet Malhotra, PhD
Agenda
• Crime Scenes
  Physical
  Digital
  Virtual
• Digital Forensic Process
  Activities
  Methodology
  Limitations
• Case Study – IoT
  Need for IoT Forensics
  IoT Forensic Challenges
  IoT Forensics Opportunities
Crime Scene
• Physical Crime Scenes vs. Cyber/Digital Crime Scenes
• Overlapping principles
  • Acquiring evidence
  • Authenticating evidence
  • Analyzing evidence
  • Applying evidence
• The basics of criminalistics are constant for both physical and cyber/digital
• Locard’s Exchange Principle
  When a person commits a crime, something is always left at the scene of the crime that was not present when the person arrived
Digital Crime Scene
• Digital Evidence
• Digital data that establish that a crime has been committed, can provide a
link between a crime and its victim, or can provide a link between a crime
and the perpetrator (Carrier & Spafford, 2003)
• Digital Crime Scene
• An electronic environment where digital evidence can potentially exist
(Rogers, 2005)
• There could be Primary & Secondary Digital Scene(s):
• Primary: an electronic environment where the crime took place
• Secondary: an electronic environment other than the primary electronic
environment, which is in some way related to the crime
Digital Crime Scene
• Physical Crime Scene
o A physical environment where digital evidence exists
o Important to pay attention to surroundings for clues
• Virtual Crime Scene (Augmented Reality)
o Augmented reality layers computer-generated enhancements atop an existing reality
o An AR platform can be exploited for malicious purposes, such as stalking or unauthorized data collection
o Scenario: Consider an augmented reality game that allows users to explore real-world locations while interacting with virtual objects, characters, and other players through their mobile devices. A user discovers that an unknown individual is using the game’s features to track their movements, send threatening messages, and harass them both within the game environment and through linked social media accounts.
Digital/Cyber Evidence
• Digital/electronic evidence is extremely volatile!
• Once the evidence is contaminated it cannot be de-contaminated!
• Court acceptance is based on the Best Evidence Rule (BER)
o BER: a legal principle that holds an original of a document to be superior evidence
o With computer data, printouts or other output readable by sight, and bit-stream copies, adhere to this principle
• Chain of Custody is crucial: record who held the evidence, when, where, and why, at every handoff
Digital Forensic Activities
• Cyber forensics activities commonly include:
o Secure collection of digital data
o Identifying suspect data
o Examining suspect data, e.g., to determine origin and content
o Presenting the case (hypothesis, evidence, and analytics) to courts
o Applying country/company-specific laws/policies
Digital Forensic Methodology
• The basic methodology consists of four As:
o Acquire the evidence without altering or damaging the original
o Authenticate the evidence (e.g., the image collected from the crime scene)
o Analyze the data without modifying it
o Apply the data/analytics to substantiate the findings
Digital Forensic – Six Principles
1. Completeness: All general forensic and procedural principles must be applied when dealing with digital evidence.
2. Unaltered: Any action taken during the investigation should not alter or change the evidence.
3. Training: Any person accessing original digital evidence should be trained for the purpose.
4. Review: Any activity to seize, access, store or transfer digital evidence must be fully documented, preserved, and available for review.
5. Ownership: Any person taking actions with respect to digital evidence while it is in their possession is held responsible for those actions.
6. Compliant: Any entity responsible for seizing, accessing, storing or transferring digital evidence is also responsible for compliance with these principles.
Digital Forensic Process
• Identification
• Collection
• Preservation
• Examination
• Analysis
• Presentation
• Report
Digital Forensic Process – Identification
• The first step is identifying evidence and potential containers of evidence
• More difficult than it sounds
o Small-scale devices
o Non-traditional storage media
o Multiple possible crime scenes
Digital Forensic Process – Identification
• Context of the investigation is very important
• Do not operate in a vacuum!
• Do not overlook non-electronic sources of evidence
o Manuals, papers, printouts, etc.
Digital Forensic Process – Collection
• Care must be taken to minimize contamination
• Collect or seize the system(s)
• Create a forensic image
o Live or static?
o Do you own the system?
o What does your policy say?
Digital Forensic Process – Preservation
• Take detailed photos and notes of the computer/monitor
o If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE
• Make sure to take photos and notes of all connections to the computer and other devices
Digital Forensic Process – Collecting Images
• Rule of thumb: make 2 copies and don’t work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
o Preserves the original evidence
o Prevents inadvertent alteration of original evidence during examination
o Allows recreation of the duplicate image if necessary
Digital Forensic Process – Collecting Images
• Digital evidence can be duplicated with no degradation from copy to copy
o This is not the case with most other forms of evidence
Digital Forensic Process – Collecting Images
• Write blockers
o Software
o Hardware
• Hardware write blockers are becoming the industry standard
o USB, SATA, IDE, SCSI, SIM, memory cards
o Not BIOS dependent
o But still verify prior to usage!
Digital Forensic Process – Collecting Images
• Forensic copies (bit-stream)
o Bit-for-bit copying captures all the data on the copied media, including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files, etc.)
• Often the “smoking gun” is found in the residual data
• Imaging from a disk (drive) to a file is becoming the norm
o Multiple cases can be stored on the same media
o No risk of data leakage from the underlying media
• Remember: avoid working from the original
• Use a write blocker even when examining a copy!
Digital Forensic – Image Authenticity
How do we demonstrate that the image is a true, unaltered copy of the original?
o Hashing (MD5, SHA-256)
o A mathematical algorithm that produces a fixed-size value that is, for practical purposes, unique to its input (128-bit for MD5, 256-bit for SHA-256)
o Can be performed on various types of data (files, partitions, physical drives)
o The value can be used to demonstrate the integrity of the data
o Any change to the data will result in a different value
o The same process can be used to demonstrate the image has not changed from time-1 to time-n
o Caveat: MD5 is no longer collision-resistant, so record SHA-256 (or both) for new acquisitions
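The "Collecting Images" and "Image Authenticity" slides above describe one procedure: a bit-stream copy, hashed during acquisition, re-hashed to verify at time-1 and again at time-n. The following is an added example, not code from the lecture or from any forensic tool; it uses a constructed temporary file as a stand-in for a source drive (on a real acquisition the source would be a block device behind a write blocker), records SHA-256 as the primary digest with MD5 alongside it, and keeps a minimal chain-of-custody log of each hash event.

```python
"""Added example (not part of the lecture): bit-stream imaging with hashing.

A constructed file stands in for the source device (e.g. /dev/sdb on Linux);
on a real acquisition the source would sit behind a write blocker. SHA-256 is
the primary digest; MD5 is recorded only so that legacy hash sets still match.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks, comparable to dd bs=1M


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks; returns {algorithm: hexdigest}."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def image_device(src_path, img_path):
    """Copy src_path to img_path bit for bit, hashing the source in the same
    pass, then hash the written image independently. Returns (src, img)."""
    src_hashes = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in src_hashes.values():
                h.update(block)
            img.write(block)
    src_digests = {k: h.hexdigest() for k, h in src_hashes.items()}
    return src_digests, hash_file(img_path)  # re-read: proves what hit the disk


def verify_image(img_path, expected_sha256):
    """Time-n check: the image is authentic only if its SHA-256 still matches."""
    return hash_file(img_path, ("sha256",))["sha256"] == expected_sha256


def _now():
    return datetime.now(timezone.utc).isoformat()


def demo():
    """Acquire, verify at t1, simulate an alteration, verify again at tn."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "sdb")      # constructed stand-in for a drive
        img = os.path.join(workdir, "sdb.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a multiple of CHUNK
        custody = []  # chain-of-custody entries: (UTC time, action, sha256)
        src_digests, img_digests = image_device(src, img)
        custody.append((_now(), "acquire", src_digests["sha256"]))
        t1_ok = src_digests == img_digests and verify_image(img, src_digests["sha256"])
        custody.append((_now(), "verify t1", img_digests["sha256"]))
        # Flip one bit in the working copy, as could happen if it were examined
        # without a write blocker; a single-bit change must be detected.
        with open(img, "r+b") as f:
            f.seek(CHUNK + 7)
            byte = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([byte[0] ^ 0x01]))
        tn_ok = verify_image(img, src_digests["sha256"])
        custody.append((_now(), "verify tn", hash_file(img, ("sha256",))["sha256"]))
        return {"verified_t1": t1_ok, "verified_tn": tn_ok, "custody": custody}


if __name__ == "__main__":
    result = demo()
    for entry in result["custody"]:
        print(*entry)
    print("t1 verified:", result["verified_t1"], "| tn verified:", result["verified_tn"])
```

The image is hashed by re-reading the file rather than by reusing the source hash, so the check covers what actually reached the destination media; the same `verify_image` call is what you run before every examination session to show the copy is unchanged since acquisition.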
Digital Forensic Examination
• The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.
• Examinations include:
o Code analysis (software composition, static and dynamic code analysis)
o Investigating various types of storage media (Computer Forensics)
o Investigating computer networks/systems (Network Forensics)
o Investigating small-scale digital devices (Mobile Forensics)
o Investigating internal/external APIs (API Forensics)
o Investigating forensic data (Forensic Data Analysis)
Digital Forensic Examination
• Higher-level look at the file system representation of the data on the media
• Verify integrity of the image
o MD5, SHA-1, etc.
• Recover deleted files and folders
• Determine keyword list
o What are you searching for?
• Determine timelines
o What is the time zone setting of the suspect system?
o What time frame is of importance?
o Graphical representation is very useful
Digital Forensic Examination
• Examine directory tree
o What looks out of place
o Steganography tools
o Evidence scrubbers
• Perform keyword searches
o Indexed
o Slack and unallocated space
• Search for relevant evidence types
o Hash sets can be useful
o Graphics
o Spreadsheets
o Hacking tools
o Email/phone messages
• Look for the obvious first
• When is enough enough?
Digital Forensic – Known Issues
• Lack of certification for tools
• Lack of standards
• Lack of certification for professionals
• Lack of understanding by the judiciary
• Lack of curriculum accreditation
• Rapid changes in technology!
• Immature scientific discipline
Case Study – IoT Forensic Analysis
Layers of IoT Forensic Analysis
Hany F. Atlam, Ezz El-Din Hemdan, Ahmed Alenezi, Madini O. Alassafi, Gary B. Wills
Internet of Things Forensics: A Review
IoT Forensic Examination
• Device Forensics
o Physical devices such as cameras and locks
o Identify the targeted IoT devices and their limitations
o Collect the required evidence, such as images, video, audio, etc.
• Network Forensics
o Various communication networks connecting IoT devices to each other over the Internet
o Identify and extract various sources of attacks from network traffic logs
o Different forms of networks in the IoT environment
– Body Area Networks (BAN) / Personal Area Networks (PAN)
– Local Area Networks (LAN) / Wide Area Networks (WAN)
• Cloud Forensics
o The cloud is a main part of the IoT forensics investigation process
o Constrained devices have limited storage and computation capabilities
o Data generated are transmitted to clouds for further processing and storage
o Advantages are accessibility on request, large capacity, scalability, and convenience
IoT Forensic Process
IoT Forensic Challenges
• Device Challenges
o Heterogeneous devices, each with its own OS, communication protocols, and data formats
o Getting well-versed in various device types and their associated forensic techniques
o Extracting data from a smartwatch is different from extracting data from a smart camera
• Data Challenges
o IoT devices generate an enormous amount of data
o Data must be collected, processed, and analyzed
o Volume, velocity, and variety of this data overwhelm traditional forensic techniques
o Need to develop new methodologies and tools to handle the massive scale of IoT data
• Privacy Challenges
o Significant privacy and security concerns
o IoT devices collect and transmit vast amounts of personal and sensitive data
– Speakers recording conversations
– Fitness trackers tracking every move
o Navigate legal and ethical considerations when accessing and analyzing IoT data
IoT Forensic Opportunities
• Cloud Forensics
o Cloud-based forensics involves the collection and analysis of data stored in the cloud
o Understand the intricacies of cloud service providers and their associated APIs
o Use of encryption and multi-tenancy in cloud environments presents unique challenges
• ML and AI Forensics
o Machine learning (ML) and artificial intelligence (AI) can analyze large datasets from IoT devices, identifying patterns and anomalies that may indicate malicious activity
o AI-powered tools can automate forensic tasks, such as data extraction and analysis
o Freed-up time to focus on more complex aspects of an investigation
o Ethical considerations surround the use of AI in forensics
• Blockchain Forensics
o IoT blockchains can be used to create an auditable trail of interactions between devices
o Blockchain technology can provide an immutable, tamper-evident ledger
o Ensuring the integrity and authenticity of IoT data
o Enhance the trust in digital evidence and streamline the forensic investigation process
INCS-712: Computer Forensics
Next – Digital Investigation Process
Baljeet Malhotra, PhD
INCS-712: Computer Forensics
Part 4 – Digital Investigation Process – Tools
Baljeet Malhotra, PhD
Agenda
• Investigation Process
o Home Exercise: Blockchain Analysis
o Digital Forensics: Real Case Studies
• Forensic Tools
o Imaging and Mounting
o Metadata Analysis
o Event Log Analysis
o Registry Analysis
o Memory Analysis
o Hash Analysis
o Packet Analysis
• Case Study – Packet Analysis
o Need for Packet Forensics
o Packet Analysis Challenges
o Packet Analysis Opportunities
Recall – Basic Methodology
• Acquire the evidence (without altering/damaging)
• Authenticate the evidence (of crime scene)
• Analyze the data (without modifying it)
• Apply the analytics to substantiate
Recall – Digital Forensic Process
• Identification
• Collection
• Preservation
• Examination
• Analysis
• Presentation
• Report
Home Exercise – Blockchain Case Study
Real Case Studies
William Macquarie Case Study: http://www.youtube.com/watch?v=vJdME6vczeo
Bin Laden Forensic Case Study: https://www.youtube.com/watch?v=4W_P_Yxhnt0
OpenText Forensic Tools: https://www.guidancesoftware.com/encase-forensic#digital
Forensic Processes and Tools
• ACQUIRE: image creation, authentication, mounting
• DISCOVER: data, metadata, accurate Bill of Materials (BoMs)
• IDENTIFY: security, legal, technical, and compliance items
o Imaging and Mounting
o Memory Analysis
o Registry Analysis
o Packet Analysis
o Hash Analysis
• VALIDATE: scenarios and hypotheses, periodically
• ALERT: stakeholders, for business-critical impact
• RECOMMEND: actions, policies, compensation to affected parties
o Metadata/Secondary Data
o Compliance/Statutory Data
o Laws and Regulations
o Reports and Memos
o Communications
Categorization of Forensic Tools
• Imaging and Mounting
o FTK Imager
o Arsenal Image Mounter
o WinHex
• Memory Forensics
o Volatility
• Metadata Analysis
o ExifTool
• Registry Analysis
o RegRipper
o Data Carving
• Hash Analysis
o HashMyFiles
• Packet Analysis
o Wireshark
o API Discovery
Imaging and Mounting Tools
Provide the means to capture, preserve, analyze, and present digital evidence in a manner that is both efficient and legally acceptable. Their importance can be highlighted in several key aspects:
• Preservation of Evidence: Create exact bit-for-bit copies of digital media (hard drives, flash drives, etc.).
o By capturing all data on the device, including deleted files and unallocated space, forensic investigators can analyze all potential evidence.
• Analysis Efficiency: Enable analysis without the need for the physical media, which can be stored securely to prevent any tampering.
o Mount the image as a drive on the forensic workstation, then search for specific information and recover deleted or hidden files.
• Non-Intrusive Examination: Preserves the state of the original evidence.
o The non-intrusive approach is fundamental in digital forensics, as any modification to the original data could compromise the case.
• Time-Stamping and Logging: Imaging and mounting tools often include features that log all actions taken during the forensic process.
o This creates an audit trail that documents the integrity of the investigation, showing that the evidence was handled in a manner consistent with standards.
o Time-stamping ensures that each step of the process is recorded, providing a chronological trail that can be important in legal proceedings.
• Legal Admissibility: Depends largely on the methods used to collect, analyze, and present evidence.
o Imaging and mounting tools that follow accepted forensic standards help ensure that digital evidence is considered valid and admissible in court.
o They help demonstrate that evidence has NOT been tampered with and that the procedures used are reliable and repeatable.
• Versatility and Compatibility: Compatible with a wide range of digital storage devices and file systems.
o Crucial, as investigators may encounter different devices and technologies.
• Data Recovery and Analysis: Recovery from damaged/formatted drives, decryption of encrypted files, and analysis of complex file systems.
o This capability is essential for thorough forensic investigations, where access to all possible data is necessary for uncovering the truth.
Memory Analysis Tools
Examining the volatile data in a computer’s RAM (Random Access Memory) to uncover evidence that might not be found through traditional hard drive analysis: information about running processes, open files, network connections, and potentially malicious code. Some of the key functions are:
• Access to Volatile Data: Data that are not stored on disk and would otherwise be lost upon power-off or reboot.
o Access data such as running processes, network connections, open files, and system and user memory.
• Identification of Malicious Activities: Many types of malware are designed to leave minimal footprints on persistent storage.
o Detect and analyze malicious processes, including rootkits and memory-resident malware, providing evidence of compromise or attacks.
• Recovery of Cryptographic Keys and Passwords: Captures sensitive information like passwords, encryption keys, and other credentials.
o These details aid in decrypting encrypted files or communications intercepted during investigations.
• Real-time Incident Response: Memory analysis is a critical component of identifying the scope of a breach or attack.
o Allows quick identification of compromised systems and attacker methodologies, and containment of threats, by analyzing the memory of live systems.
• Timeline Analysis: Helps construct timelines of system and application activities.
• Discovery of Ephemeral Data: Reveals ephemeral data such as clipboard contents, data in transit, or the state of running applications.
o Critical in investigations, offering insights into user actions and intentions.
• Legal and Regulatory Compliance: Demonstrates that an organization has taken measures to investigate and respond to security incidents.
• Caveat: acquiring memory itself changes memory. Record the acquisition tool, its version, and the time of capture, and hash the dump immediately.
Registry Analysis Tools
Play a crucial role in investigations involving Windows operating systems. The Windows Registry is a hierarchical database that stores low-level settings for the operating system and for applications that opt to use the Registry. The importance of Registry analysis tools can be summarized as follows:
• Revealing System Information and Configuration: Information about the configuration of the operating system
o Including installed software, system settings, and hardware devices.
o Detect changes made to the system, applications that were installed or removed, and the configuration of devices, which can be critical in an investigation.
• User Activities and Behavior: Data on user profiles, login times, and network access.
o Understand the actions taken by users on a system, potentially revealing intentions, habits, or evidence of malicious activity.
• Tracking User Accounts and Login Activities: Records of user accounts and logon events.
o Identify who accessed the system, when they accessed it, and what actions they may have taken.
• Recovering Passwords and Decryption Keys: Configuration data, including encrypted passwords or keys, within the Registry.
o Recovering passwords or keys provides access to encrypted files or communications.
• Determining Program Execution: Information related to program execution through UserAssist, ShimCache, and RecentFileCache.bcf.
o Determine what programs were run on a system, which is particularly useful in malware investigations and unauthorized software usage cases.
• AutoStart Extensibility Points (ASEPs) Analysis: Malware/applications use Registry keys to ensure their auto-execution.
o Identify potentially malicious software that was intended to persist between reboots, aiding in malware detection and eradication.
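The two Registry artefacts the slide names for program execution and persistence, UserAssist and the ASEP Run keys, can be decoded without a GUI tool. The block below is an added example, not code from the lecture or from RegRipper: the UserAssist record layout is the Windows 7 and later 72-byte format (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-executed FILETIME at offset 60), value names are ROT13-encoded as Windows stores them, and the sample value names, paths, and timestamps are constructed for the example rather than taken from any real hive.

```python
"""Added example (not from the slides): decoding UserAssist program-execution
records and flagging AutoStart Extensibility Points (ASEPs).

Layout assumed: Windows 7+ UserAssist value data (72 bytes). Value names and
registry paths below are constructed; on a real system they come from the
NTUSER.DAT and SOFTWARE hives.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Common ASEP locations; entries under these keys run at logon or boot.
ASEP_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\System\CurrentControlSet\Services",
)


def filetime_to_utc(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist(value_name, data, suspect_tz=timezone.utc):
    """Decode one UserAssist\\{GUID}\\Count value. The name is ROT13-encoded;
    the timestamp is stored in UTC and also shown in the suspect system's zone."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist record")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = filetime_to_utc(struct.unpack_from("<Q", data, 60)[0])
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": last_run,
        "last_run_local": last_run.astimezone(suspect_tz),
    }


def build_userassist(program, run_count, focus_count, focus_ms, last_run):
    """Construct a sample (name, data) pair the way the OS would store it."""
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, utc_to_filetime(last_run))
    return codecs.encode(program, "rot_13"), bytes(data)


def flag_aseps(values):
    """values: iterable of (key_path, value_name, command). Returns only the
    entries that live under a known ASEP key, i.e. persistence candidates."""
    hits = []
    for key, name, command in values:
        if any(key.lower().startswith(asep.lower()) for asep in ASEP_KEYS):
            hits.append({"key": key, "name": name, "command": command})
    return hits


# Constructed sample data (the GUID is the Program Files (x86) known folder).
SAMPLE_NAME, SAMPLE_DATA = build_userassist(
    r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tools\wiper.exe",
    7, 3, 42000, datetime(2024, 3, 5, 14, 2, 0, tzinfo=timezone.utc))

SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\updater.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", "1"),
]

if __name__ == "__main__":
    eastern = timezone(timedelta(hours=-5))  # zone taken from the suspect system's settings
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA, eastern))
    print(flag_aseps(SAMPLE_RUN_VALUES))
```

The local-time conversion is deliberately a parameter: the examination slides ask what the suspect system's time zone setting is, and the answer has to come from the SYSTEM hive, not from the analyst's workstation.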
Hash Analysis Tools
Fundamental for ensuring the integrity, authenticity, and non-repudiation of digital evidence. Generates unique digital fingerprints for files, data segments, or entire storage devices. Importance of hash analysis:
• Integrity Verification: Verifies that digital evidence has not been altered from the time of acquisition to its presentation in court.
o Comparing the initial hash value of digital evidence with its current hash value confirms that the data remains unchanged, ensuring its integrity.
• Identifying Known Files: Rapid identification of known files, legal documents, or known illegal content (e.g., child exploitation material).
o Use hash databases, like the National Software Reference Library (NSRL), to filter out known legitimate files from the investigation.
o Helps focus on unknown or suspicious files, accelerating the investigation process, and aids in identifying illicit materials.
• Detecting Duplicate Files: Finding duplicate files across different devices or locations is crucial.
o Identify duplicates by comparing hash values, which can indicate file copying, distribution of specific content, or the presence of backup/storage devices.
• Evidence Correlation: Correlate files and data across multiple devices and systems involved in an investigation.
o Useful in complex cases involving multiple suspects or locations, where establishing links between different pieces of evidence is essential.
• Data Recovery and Carving: Hash analysis can verify the integrity of recovered files.
o Ensures that the files are complete and have not been corrupted during the recovery process.
• Malware Analysis: Hash values of files can be compared against databases of known malware signatures.
o Allows rapid identification of infected files or malicious software on a system.
o Caveat: an exact-hash match only catches an identical file; a single changed byte defeats it, so treat a miss as “not known”, not as “clean”.
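The known-file filtering, duplicate detection and malware-hash matching described above are one triage pass over the same digests. The block below is an added example, not code from the lecture: the known-good set stands in for an NSRL lookup (NSRL is keyed by SHA-1 and MD5, so both are computed), the known-bad set stands in for a malware-hash feed keyed by SHA-256, and the "files" are constructed byte strings labelled by (device, path).

```python
"""Added example (not from the slides): triage with hash sets.

Known-good and known-bad sets are constructed here; in practice the known-good
set is loaded from the NSRL Reference Data Set (SHA-1/MD5) and the known-bad
set from threat intelligence or case-specific hashes (usually SHA-256).
"""
import hashlib
from collections import defaultdict


def digests(data):
    """MD5, SHA-1 and SHA-256 of one blob."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def triage(files, known_good_sha1, known_bad_sha256):
    """files: {(device, path): bytes}. Returns known-good (filtered out),
    known-bad (flagged), duplicates across devices, and unknown for review."""
    result = {"known_good": [], "known_bad": [], "unknown": [], "duplicates": {}}
    by_sha256 = defaultdict(list)
    for key, data in files.items():
        d = digests(data)
        by_sha256[d["sha256"]].append(key)
        if d["sha256"] in known_bad_sha256:     # check bad first: a bad hash that
            result["known_bad"].append(key)     # leaked into a "good" set must still fire
        elif d["sha1"] in known_good_sha1:
            result["known_good"].append(key)
        else:
            result["unknown"].append(key)
    # Identical content on more than one device points at copying or distribution.
    for sha, keys in by_sha256.items():
        if len({dev for dev, _ in keys}) > 1:
            result["duplicates"][sha] = sorted(keys)
    return result


# Constructed sample evidence: two "devices", a few files each.
OS_DLL = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed system dll"
TOOL = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed hacking tool"
SPREADSHEET = b"PK\x03\x04constructed xlsx payload"
NOTE = b"meet at 10, bring the drive\n"

SAMPLE_FILES = {
    ("laptop", r"C:\Windows\System32\kernel32.dll"): OS_DLL,
    ("laptop", r"C:\Users\bob\Downloads\setup.exe"): TOOL,
    ("laptop", r"C:\Users\bob\Documents\q3.xlsx"): SPREADSHEET,
    ("usb", r"E:\backup\q3.xlsx"): SPREADSHEET,
    ("usb", r"E:\note.txt"): NOTE,
}
KNOWN_GOOD_SHA1 = {digests(OS_DLL)["sha1"]}     # stands in for an NSRL lookup
KNOWN_BAD_SHA256 = {digests(TOOL)["sha256"]}    # stands in for a malware feed


if __name__ == "__main__":
    r = triage(SAMPLE_FILES, KNOWN_GOOD_SHA1, KNOWN_BAD_SHA256)
    for bucket in ("known_bad", "unknown", "known_good"):
        print(bucket, r[bucket])
    print("duplicates", r["duplicates"])
```

Known-bad is tested before known-good on purpose: a file that appears in both sets is far more likely to be a mislabelled reference entry than a safe binary, and the cost of reviewing it is small.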
Case Study – Packet Analysis
Packet Analysis with API Discovery
• Packet Analyzer Settings
o Scan start/end dates
o Scan send frequency
o Scan update frequency
• Repository Creation
o Project name
o Network/server name
o NIC/interface selection
• Managing Results
o Detected services
o Analyzing IPs
o Analyzing hosts
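The three result views the case study lists (detected services, IPs, hosts) can be produced from a raw capture with nothing more than the pcap record format and the Ethernet/IPv4/TCP headers. The block below is an added example, not code from the lecture or from the API Discovery platform: it constructs a small pcap in memory (checksums are left at zero, which a parser does not need), then parses it to count talking IPs, treat each SYN without ACK as a service detection, and pull HTTP `Host` headers from payloads. All addresses, ports and the host name are constructed sample values.

```python
"""Added example (not from the slides): packet analysis without a capture tool.

Builds a little-endian pcap (Ethernet link type) from constructed frames and
parses it back into the three views the case study asks for.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP with the fields a parser reads; checksums zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (unix_seconds, frame_bytes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(blob):
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    if struct.unpack_from("<I", blob, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(blob):
        ts, _, incl, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield ts, blob[off:off + incl]
        off += incl


def decode_tcp(frame):
    """Return a dict for IPv4/TCP frames, None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                              # IP protocol 6 = TCP
        return None
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport, "flags": frame[tcp + 13],
            "payload": frame[tcp + doff:]}


def http_host(payload):
    """Host header of a plaintext HTTP request, if the payload is one."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def summarize(blob):
    """Detected services (SYN to dst:port), IPs seen, HTTP hosts contacted."""
    ips, services, hosts = Counter(), Counter(), set()
    for _, frame in iter_frames(blob):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        ips[pkt["src"]] += 1
        if pkt["flags"] & SYN and not pkt["flags"] & ACK:   # connection attempt
            services[(pkt["dst"], pkt["dport"])] += 1
        host = http_host(pkt["payload"])
        if host:
            hosts.add(host)
    return {"ips": ips, "services": services, "hosts": hosts}


# Constructed capture: two internal clients, one HTTPS service, one plain-HTTP API call.
SAMPLE_PCAP = build_pcap([
    (1700000000, build_tcp_frame("192.168.1.10", "203.0.113.5", 50001, 443, SYN)),
    (1700000001, build_tcp_frame("192.168.1.11", "203.0.113.5", 50002, 443, SYN)),
    (1700000002, build_tcp_frame("192.168.1.10", "203.0.113.7", 50003, 80, SYN)),
    (1700000003, build_tcp_frame("192.168.1.10", "203.0.113.7", 50003, 80, PSH | ACK,
                                  b"GET /v1/keys HTTP/1.1\r\nHost: api.example.test\r\n\r\n")),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

Only plaintext HTTP yields a host name here; for the HTTPS connection the analyst gets the destination IP and port, and would need the TLS ClientHello SNI (not parsed in this example) or DNS records to name the host.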
Other Computer Forensic Tools
• ArcSight Logger
• Netwitness Investigator
• Quest Change Auditor
• Cellebrite
• Physical Analyzer
• Lantern
• Access Data’s Forensic Toolkit (FTK)
• EnCase Cybersecurity
• EnCase eDiscovery
• EnCase Portable
• EnCase Forensic*
EnCase Forensic
• Acquisition
• Reporting
• EnScript:
o Scripting facility
o Various APIs for interacting with evidence
• Collect, analyze and examine data
o Deleted files
o Unallocated space
o File slack
• Duplicates of original data (imaging)
o Accuracy can be verified by hash and Cyclic Redundancy Check (CRC) values
EnCase Forensic
• Many operating systems
o Windows
o Linux
o Apple iOS
o Sun/Oracle Solaris
• Supported smartphones
• Recommended to run on Windows 7 (64-bit)
EnCase Forensic (screenshot)
File Signatures (screenshot: EnCase signature analysis, comparing each file’s header bytes with its extension)
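The File Signatures slide shows EnCase’s signature analysis, which compares the leading bytes of each file with what its extension claims. The block below is an added example of that check, not code from the lecture or from EnCase: the signature table holds well-known headers, the sample files are constructed byte strings, and mismatches are sorted first because they are the “what looks out of place” items from the examination slides.

```python
"""Added example (not from the slides): file-signature (magic number) checks.

The signature table lists well-known headers; the sample files are constructed.
"""

# (family, header bytes, extensions that legitimately carry it)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("gif", b"GIF87a", {"gif"}),
    ("gif", b"GIF89a", {"gif"}),
    ("pdf", b"%PDF-", {"pdf"}),
    ("zip", b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),  # OOXML is zip
    ("pe", b"MZ", {"exe", "dll", "sys", "scr"}),
]


def identify(data):
    """Return the signature family of the header, or None if unknown."""
    for family, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return family
    return None


def check(name, data):
    """'match' when header and extension agree, 'mismatch' when the header says
    otherwise (renamed or extension-less file), 'unknown' when no signature applies."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    family = identify(data)
    if family is None:
        return "unknown", family
    allowed = set().union(*(exts for fam, _, exts in SIGNATURES if fam == family))
    return ("match" if ext in allowed else "mismatch"), family


def signature_report(files):
    """files: {name: bytes}. Rows are (name, status, family), mismatches first."""
    rows = [(name, *check(name, data)) for name, data in files.items()]
    order = {"mismatch": 0, "unknown": 1, "match": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


SAMPLE_FILES = {  # constructed contents
    "report.pdf": b"%PDF-1.7\n%constructed\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00 renamed executable",
    "q3.xlsx": b"PK\x03\x04 constructed workbook",
    "notes.txt": b"plain text, no signature\n",
    "photo": b"\xff\xd8\xff\xe0 constructed jpeg with no extension",
}

if __name__ == "__main__":
    for name, status, family in signature_report(SAMPLE_FILES):
        print(f"{status:8} {family or '-':5} {name}")
```

A header check only says what a file begins with, so an executable appended after a valid JPEG header would still pass; treat a match as one signal and confirm with the hash-set and keyword work described earlier.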
EnCase Gallery (screenshot)
EnCase Document View (screenshot)
INCS-712: Computer Forensics
Next – Digital Investigation Process – Reports
Baljeet Malhotra, PhD
INCS-712: Computer Forensics
Part 5 – Digital Investigation Process – Reports
Baljeet Malhotra, PhD
Agenda
• Report Writing Objectives
o Primary – Legal and Professional
o Secondary – Educational and Training
• Types of Reports
o Incident/Technical Report
o Expert Witness Report
o Malware Analysis Report
o E-Discovery Report
o Investigation Summary Report
o Post-Investigation Report
o Risk Assessment Report
o Policy Compliance Report
o Audit Report
• Case Study – Audit Report
o API Bill of Materials
Report Writing Objectives
• Primary Objectives – Legal and Professional
o Enable legal admissibility
o Form the basis of testimony
o Document evidence
o Bring transparency
o Enforce accountability
o Enable reproducibility
• Secondary Objectives – Management and Training
o Facilitate understanding
o Aid decision making
o Provide recommendations
o Support training and education
Report Objective – Admissibility
A report can be submitted as part of court proceedings. A well-prepared report can help demonstrate that the investigation was conducted in a professional and legally acceptable manner, thus supporting the admissibility of the evidence.
Report Objective – Basis of Testimony
The report serves as the foundation for testimony when a forensic analyst is called to testify in court. It helps in preparing for cross-examination as well.
Report Objective – Documenting Evidence
Documents the evidence found during the investigation. Serves as a permanent record that can be referred back to for clarity or for future proceedings.
Report Objective – Transparency
It details the procedures followed during the investigation, ensuring transparency in the methods used to obtain and analyze digital evidence.
Report Objective – Accountability
The report holds the forensic investigator accountable for the actions taken during the investigation and for the conclusions drawn. It provides a means for peer review and scrutiny.
Report Objective – Reproducibility
The report provides sufficient detail for another forensic investigator to reproduce the steps taken during the investigation. This is essential for verifying the findings and is a cornerstone of scientific methodology.
Report Objective – Developing Understanding
Reports often need to be understood by individuals who may not have technical expertise, such as lawyers, judges, or jury members. The report must present complex technical findings in a manner that is accessible to non-specialists.
Report Objective – Aiding Decision Makers
The findings and conclusions in the report can assist decision-makers in understanding the implications of the digital evidence, which can be crucial for both legal and organizational outcomes.
Report Objective – Providing Recommendations
A forensic report may also include recommendations based on the findings, such as security improvements, policy changes, or actions to be taken against involved parties.
Report Objective – Supporting Training
Reports can serve as educational materials for law enforcement, legal professionals, and students of digital forensics, providing real-world examples of forensic analysis.
Types of Reports
• Primary Reports – Legal and Professional
o Incident Response Report
o Technical Analysis Report
o Expert Witness Report
o Malware Analysis Report
o E-Discovery Report
• Secondary Reports – Management and Training
o Investigation Summary Report
o Post-Investigation Report
o Risk Assessment Report
o Policy Compliance Report
o Audit Report (Case Study)
Other Types of Reports
 Verbal Report
o Less structured
o Attorneys cannot be forced to release verbal reports
 Preliminary Report
o Addresses areas of investigation yet to be completed
– Tests that have not been concluded
– Interrogatories
– Document production
– Depositions
 Final Report
o Mostly used for closing investigation
Summary – Importance of Reports
• Communicate the results of your investigation
o Including expert opinion
• Forensic reports can:
o Provide justification for collecting more evidence
o Be used at a probable cause hearing
o Communicate expert opinion
• Canadian (provincial/federal) courts require expert testimony
• U.S. district courts require expert witnesses to submit written reports
o State courts are starting to require them as well
Expert Witness Report
Used in legal proceedings, providing a detailed explanation of findings for the court.
Sample Examination Plan (figure)
Importance of Disclosures
• Rule 26 of the Federal Rules of Civil Procedure (Duty to Disclose; General Provisions Governing Discovery) requires submission of the expert’s written report
• For the testimony itself to be admitted, Federal Rule of Evidence 702 requires that:
o The testimony is based on sufficient facts or data
o The testimony is the product of reliable principles and methods
o The witness has applied the principles and methods reliably to the facts of the case
• The written report must state the compensation to be paid for the expert’s study and testimony
• It must list all other cases in which the expert has testified as an expert (under Rule 26: at trial or by deposition, in the previous four years)
Importance of Subpoena
 Subpoena Act: https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/96442_01
 Keep a copy of any deposition notice or subpoena so
that you can include the following:
• Jurisdiction
• Style of the case
• Cause number
• Date and location of the deposition
• Name of the deponent
 Deposition banks
• Examples of expert witness’ previous testimonies
Guidelines for Writing Reports
• Written report
o Affidavit or declaration
o Limit what you write and pay attention to details
– Include thorough documentation and support
• Hypothetical questions based on factual evidence
o Guide and support your opinion
o Can be abused and overly complex
• Opinions based on knowledge and experience
• State the facts needed to answer the question
o Don’t include any unnecessary facts
Preliminary Report Cautions
• Anything you write down as part of your examination for a report
o Subject to discovery from the opposing attorney
o Discovery: the process of opposing attorneys seeking
information from each other
• Written preliminary reports are considered high-risk
documents
o It’s better if there’s no written report to provide
• Destroying the report could be considered destroying or
concealing evidence (spoliation)
Structure of Preliminary Report
• Include the same information as in verbal reports
• Additional items to include in your report:
• Summarize your billing to date and estimate costs to
complete the effort
• Identify the tentative conclusion (rather than the
preliminary conclusion)
• Identify areas for further investigation and get confirmation
from the attorney on the scope of your examination
Structure of Final Report
• Structure
o Abstract (summary)
o Table of contents
o Body of report
o Conclusion
o References
o Glossary
o Acknowledgements
o Appendixes
Structure of Final Report
• An abstract condenses the report to concentrate on the
essential information
• The body consists of the introduction and discussion sections
• The conclusion starts by referring to the report’s purpose,
states the main points, draws conclusions, and possibly
renders an opinion
• References and appendixes list the supporting material to
which your work refers
Report Writing – General Guidelines 1
• As an expert witness, you may testify to an opinion or
conclusion, if four basic conditions are met:
o Opinion, inferences, or conclusions depend on special
knowledge, skills, or training
o Witness should qualify as a true expert in the field
o Witness must testify to a reasonable degree of certainty
o Experts must know facts on which their opinions are
based, or they must testify to a hypothetical question
Report Writing – General Guidelines 2
• Consider
o Communicative quality
o Ideas and organization
o Grammar and vocabulary
o Punctuation and spelling
• Lay out ideas in logical order
• Build arguments piece by piece
• Group related ideas and sentences into paragraphs
o Group paragraphs into sections
Report Writing – General Guidelines 3
• Avoid jargon, slang, and colloquial terms
• Define technical terms
• Consider your audience
• Considering writing style
o Use a natural language style
o Avoid repetition, vague language, and generalizations
o Avoid presenting too many details and personal observations
Report Writing – General Guidelines 4
• Considering writing style (cont’d)
• Project objectivity
– Communicate calm, detached observations
• Including signposts
o Draw reader’s attention to a point
o Assist readers in scanning the text quickly by
highlighting the main points and logical development of
information
Report Writing – General Guidelines 5
• Two numbering systems are typically used
• Decimal numbering structure
o Divides material into sections
o Readers can scan heading
o Readers see how parts relate to each other
• Legal-sequential numbering
o Used in pleadings
o Roman numerals represent major aspects
o Arabic numbers are supporting information
Preparing for Presentation
• Providing supporting material
o Use material such as figures, tables, data, and
equations to help tell the story as it unfolds
• Formatting consistently
o How you format text is less important than being
consistent in applying formatting
• Explaining examination and data collection methods
o Explain how you studied the problem, which should
follow logically from the report’s purpose
Preparing for Presentation
• Including calculations
o If you use any hashing algorithms, be sure to give the common name
• Providing for uncertainty and error analysis
o Protect your credibility
• Explaining results and conclusions
o Explain your findings, using subheadings to divide the discussion into logical parts
o Save broader generalizations and summaries for the report’s conclusion
Preparing for Presentation
• Providing references
o Cite references by author’s last name and year of publication
o Follow a standard format
• Including appendixes
o You can include appendixes containing material such as raw data, figures not used in the body of the report, and anticipated exhibits
o Arrange them in the order referred to in the report
Generating Report with Forensic Tools
• Forensics tools generate reports when performing analysis
o It is still your responsibility to explain the significance of the evidence
• Report formats
o Plaintext
o Word processor
o Spreadsheet
o HTML format
Case Study – Software Bill of Materials
Background of Software Bill of Materials (SBoM)
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Report Generation – API SBoM
Homework
• Go to API Discovery platform
• Scan projects from GitHub
• Conduct due diligence
• Produce SBoM
Report Generation – API Security Report
Report Generation – Autopsy
Reporting Summary
• All U.S. district courts and many state courts require expert witnesses to submit written reports
• Rule 26 of the FRCP requires expert witnesses who anticipate testifying to submit written reports
• Attorneys use deposition banks to research expert witnesses’ previous testimony
• Reports should answer the questions you were retained to answer
• A well-defined report structure contributes to readers’ ability to understand the information you’re communicating
• Clarity of writing is critical to a report’s success
• Convey a tone of objectivity and be detached in your observations
INCS-712: Computer Forensics
Next – Case Study – API Forensics
Baljeet Malhotra, PhD
INCS-712: Computer Forensics
Part 6 – Case Study – API Forensics
Baljeet Malhotra, PhD
Agenda
• Why API Forensics
o Growing APIs
o Connected Systems
• Challenges for API Forensics
o Enterprise API Ecosystems
o Discovery of APIs
o API Authentications
• API Forensics Process
o Collecting Analytics
o Practicing examples
• API Forensics Challenges
o Laws and Regulations
o Enterprise Challenges
Why API Forensics
API Forensic Challenges – Complex Enterprises
Acknowledgement: Above demonstration/representation of an API Ecosystem is the copyright of TeejLab Inc.
© TeejLab Inc.
API Forensic Challenges – Variety and Volume
Unknown APIs
• APIs from Open Source
• APIs from M&A
• Security and quality
• Legal compliance
• Changing terms of service
• Continuous security checks
External APIs
• Centralize inventory
• Custodianship
• Access control
• License management
• Pricing management
• Continuous security check
Internal APIs
• Centralize inventory
• Custodianship
• Version control
• Access control
• Govern usage
• Centralize documentation
API Challenges – Authentication Problems
• Unprotected APIs that are “internal”
• Weak API keys that are not rotated
• Credentials and keys included in URLs
• Passwords that are default, weak, plain text, poorly hashed, or shared
• Authentication susceptible to brute force attacks and credential stuffing
• Weak authentication that does not follow industry best practices
• Lack of access token validation (including JWT validation)
• Unsigned or weakly signed non-expiring JWTs
API Challenges – Authorization (Object Level)
• API call parameters use the ID of the resource accessed through the API, e.g., /api/dept1/financial_info.
• Attackers replace the ID of their own resource with a different one they guessed, e.g., /api/dept2/financial_info.
• The API does not check permissions and lets the call through.
• The problem is aggravated if IDs can be enumerated, e.g., /api/123/financial_info.
API Challenges – Authorization (Function Level)
• Administrative functions exposed as APIs.
• Non-privileged users accessing functions without authorization.
• A matter of knowing the URL, or using a different verb or parameter:
o /domain/api/users/v1/user/myinfo
o /domain/api/admins/v1/users/all
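The two authorization gaps above, as an added example that is not part of the lecture slides: a constructed in-memory API with the vulnerable object-level handler beside hardened handlers that check object ownership and administrative role (all users, departments, paths and data are assumptions).

```python
# Added example, not code from the lecture slides: a minimal in-memory API layer
# with the object-level and function-level authorization checks whose absence
# the slides describe. Users, departments and data are constructed.
from dataclasses import dataclass
FINANCIAL_INFO = {"dept1": {"budget": 120000}, "dept2": {"budget": 98000}}
DEPT_MEMBERS = {"dept1": {"alice"}, "dept2": {"bob"}}   # who may read each dept
ADMINS = {"carol"}

class Forbidden(Exception):
    """Caller is not authorized for the requested object or function."""

@dataclass(frozen=True)
class Request:
    user: str   # authenticated identity, established before authorization
    path: str   # e.g. /api/dept1/financial_info

def vulnerable_financial_info(req: Request) -> dict:
    """Vulnerable: trusts the ID from the URL and never checks permissions,
    so swapping dept1 for dept2 in the path returns another department's data."""
    return FINANCIAL_INFO[req.path.split("/")[2]]

def financial_info(req: Request) -> dict:
    """Hardened: object-level check ties the ID to the caller. Unknown and
    unauthorized IDs fail identically, so an enumerated ID is not confirmed."""
    dept = req.path.split("/")[2]
    if dept not in FINANCIAL_INFO or (
        req.user not in DEPT_MEMBERS[dept] and req.user not in ADMINS
    ):
        raise Forbidden(f"{req.user} may not read {dept}")
    return FINANCIAL_INFO[dept]

def list_all_users(req: Request) -> list[str]:
    """Hardened admin function: the role check is server-side, so knowing the
    URL /domain/api/admins/v1/users/all or the verb is not enough."""
    if req.user not in ADMINS:
        raise Forbidden(f"{req.user} is not an administrator")
    return sorted(u for members in DEPT_MEMBERS.values() for u in members)

def handle(req: Request) -> tuple[int, object]:
    """Dispatch like a tiny framework would, mapping Forbidden to HTTP 403."""
    if req.path == "/domain/api/admins/v1/users/all":
        handler = list_all_users
    elif req.path.startswith("/api/") and req.path.endswith("/financial_info"):
        handler = financial_info
    else:
        return 404, {"error": "no such route"}
    try:
        return 200, handler(req)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
```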
Challenges of API Forensics – Summary
• Thousands of APIs
o What data APIs are exchanging
o Where APIs are hosted (servers/locations)
o Which teams/products use which APIs
o One team/product may use multiple APIs
o One API may be used in/by multiple products/teams
• Hundreds of API Providers
o Vendors may provide free or commercial APIs
o Which APIs are more secure and compliant
o Terms of Use may change at any time
• Tens of API Tools and Processes
o Manage hundreds of API-specific test cases
o CIS top-20, OWASP top-10 security tests
o PCI, SOC2, HIPAA, ISO27001 compliance
Digital Forensic – Challenges
Digital Forensic Challenges – Open Source: Proliferation of Digital Applications
Digital Forensic Challenges – Open Source: Global Trends
Growth of Open Source (Usage). Acknowledgement – Black Duck Software
[Chart: open source usage over time, 1998 to 2020, rising from 10% to 90%]
Digital Forensic Challenges – AI: Artificial Intelligence
Digital Forensic Challenges – AI: Artificial Intelligence – Enhancing Human Capabilities
• Vision Intelligence
• Speech Intelligence
• Touch/Gesture Intelligence
• Generative AI – Data Models
Digital Forensic Challenges – Connectedness: Connected Digital Technologies – Role of APIs
Digital Forensic Challenges – AI and APIs: AI and API Relationship – AI Empowered API
API Forensics Challenges
• Volume and Diversity of APIs
o Different standards and practices make it challenging to monitor and analyze APIs comprehensively
• Dynamic and Complex Data Flows
o Real-time data exchange between different systems makes tracing incidents and breaches across various data flows difficult
• Lack of Standardized Logging
o Unstandardized logging mechanisms make it challenging to gather consistent forensic evidence across different systems
• Rate Limiting and Access Restrictions
o Rate limiting and access restrictions designed to protect APIs from abuse can also obstruct investigative efforts
• Obfuscated Code and Data
o Understanding the data and logic behind API calls is more difficult
• API Abuse and Malicious Use
o Malicious actors may exploit APIs in subtle ways that are hard to detect without deep analysis
• Rapid Evolution and Deployment
o Keeping up with API technologies, protocols, and practices is challenging
• Integration with Legacy Systems
o APIs interacting with outdated/legacy systems can pose additional
• Cross-Jurisdictional Legal Challenges
o Investigating incidents poses legal challenges, such as jurisdictional disputes and compliance with various data protection laws (e.g., GDPR, CCPA)
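The logging and abuse-detection challenges above, as an added example that is not from the lecture slides: two constructed API gateway log formats are normalized into one record shape, and a caller that walks through many object IDs (the enumeration pattern noted under object-level authorization) is flagged. The log formats, field names and thresholds are assumptions.

```python
# Added example, not from the lecture slides: normalize two constructed API
# log formats into one record shape, then flag callers that touch many distinct
# object IDs with repeated denials. Formats and thresholds are assumptions.
import re
from collections import defaultdict

# Constructed logs: one gateway writes key=value lines, another writes
# positional lines. Neither is a real product's format.
RAW_LOGS = """\
ts=2024-03-01T10:00:01Z user=bob path=/api/dept1/financial_info status=403
ts=2024-03-01T10:00:02Z user=bob path=/api/dept2/financial_info status=200
ts=2024-03-01T10:00:03Z user=bob path=/api/dept3/financial_info status=403
ts=2024-03-01T10:00:04Z user=bob path=/api/dept4/financial_info status=403
2024-03-01T10:00:05Z bob GET /api/dept5/financial_info 403
2024-03-01T10:00:06Z alice GET /api/dept1/financial_info 200
"""
KV = re.compile(r"ts=(\S+) user=(\S+) path=(\S+) status=(\d+)")
POS = re.compile(r"(\S+) (\S+) \S+ (\S+) (\d+)$")
OBJ_ID = re.compile(r"^/api/([^/]+)/financial_info$")

def normalize(line: str) -> "dict | None":
    """Map either format onto {ts, user, path, status}; skip unparseable lines."""
    m = KV.match(line) or POS.match(line)
    if not m:
        return None
    ts, user, path, status = m.groups()
    return {"ts": ts, "user": user, "path": path, "status": int(status)}

def enumeration_suspects(raw: str, min_ids: int = 3, min_denied: int = 2) -> dict:
    """Return callers with >= min_ids distinct object IDs and >= min_denied 403s.
    Requiring both keeps a single mistyped ID from being flagged."""
    ids, denied = defaultdict(set), defaultdict(int)
    for line in raw.splitlines():
        rec = normalize(line)
        if rec is None:
            continue
        m = OBJ_ID.match(rec["path"])
        if not m:
            continue
        ids[rec["user"]].add(m.group(1))
        if rec["status"] == 403:
            denied[rec["user"]] += 1
    return {u: {"ids": len(ids[u]), "denied": denied[u]}
            for u in ids if len(ids[u]) >= min_ids and denied[u] >= min_denied}
```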
API Forensic – Legal Challenges
API Forensics Legal Challenges – USA: Executive Order 13859 on Artificial Intelligence
API Forensics Legal Challenges – USA: Guidance for Regulation of AI Technologies
• Review authorities relevant to applications of AI
• Development of regulatory and non-regulatory approaches to empower/enable AI
• National Institute of Standards and Technology to develop a plan for technical standards
API Forensics Legal Challenges – USA: AI Standards
API Forensics Legal Challenges – Canada: Artificial Intelligence and Data Act (AIDA)
https://www.parl.ca/DocumentViewer/en/44-1/bill/C-27/first-reading
API Forensics Legal Challenges – Canada: Status of Bill C-27
• Bill C-27 passed second reading in the House of Commons
• Currently being considered by the Standing Committee on Industry and Technology
API Forensics Legal Challenges – Canada: Requirements of AIDA
New requirements for organizations to ensure the safety and fairness of high-impact AI systems in three key areas:
Design/Record: Required to identify and address the risks of their AI system about harm and bias and to keep relevant records.
Development/Understanding: Required to assess the intended uses and limitations of their AI system and make sure users understand them.
Deployment/Monitoring: Required to put in place appropriate risk mitigation strategies and ensure systems are continually monitored.
High-Impact System: An AI system is a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.
Harm: (a) physical or psychological harm to an individual; (b) damage to an individual’s property; or (c) economic loss to an individual.
Bias: Content that is generated, or a decision, recommendation or prediction that is made, by an artificial intelligence system and that adversely differentiates, directly or indirectly and without justification, in relation to an individual on one or more of the prohibited grounds of discrimination set out in section 3 of the Canadian Human Rights Act.
API Forensics Legal Challenges – EU: EU Artificial Intelligence Act
API Forensics Legal Challenges – EU: High Risk Systems
• Biometrics
• Law enforcement
• Critical infrastructure
• Access to essential services
• Education and vocational training
• Migration, asylum and border control management
• Employment, self-employment and HR management
• Administration of justice and democratic/legislative processes
API Forensics Legal Challenges – EU: Requirements for High Risk Systems
• Must not pose a significant threat to health, safety and fundamental rights
• Must practice risk management, data governance, monitoring and SoRs
• Must provide documentation on transparency and human oversight obligations
• Must provide standards for accuracy, robustness and cybersecurity
• Must be registered in an EU-wide public database
API Forensic – Enterprise Legal Challenges
API Forensics Legal Challenges – Enterprises: Frameworks
• Privacy Policy/Statement
o Data collection and use approach in a specific country: what type of information is collected, how it is used, and whether it is shared or sold.
• Global Privacy Policy/Statement
o Data collection and use approach(es) in a global context
• API Terms of Use
o APIs allow software programs to exchange data in an easy and secure way.
o A legal agreement between API producer and consumer for API usage.
• Platform Policy
o A platform refers to a digital ecosystem that uses the internet to connect individuals, processes and tools to facilitate interactions between them.
o Examples: Facebook, Uber, Airbnb
API Forensics Legal Challenges – Enterprises
Mid Term
Publication Date – 15th March at 11:59pm
Submission Date – 20th March at 11:59pm
INCS-712: Computer Forensics
Next – API Forensics (cont.)
Baljeet Malhotra, PhD