Step 2: Collection & Preservation of Evidence
The collection process in digital forensics is a critical phase of the investigation. It is the systematic, careful acquisition of digital data from electronic devices or storage media in a manner that preserves the integrity and authenticity of the evidence. The following are the steps involved in the collection process:
Collection: This step is the actual acquisition of the data from the device or storage medium. It can use a variety of techniques, including
- Imaging: The first step in the collection process is to create a forensic image of the device or medium being investigated: a bit-for-bit copy that includes all data, file systems and metadata, and also the unallocated and slack space that a logical file copy would miss. The original is connected through a write blocker (a hardware blocker, or a read-only mount where none is available) so that the imaging itself cannot alter it, and all examination is then done on the image, never on the original.
- Live analysis: In some cases it is necessary to conduct a live analysis of a running system in order to collect volatile data (RAM contents, network connections, running processes, open files, logged-in users) that would be lost when the machine is powered down for imaging. Volatile data is collected first, in order of volatility, and because every command run on a live system changes its state, each tool that was run and the time it was run are recorded.
- Remote acquisition: Remote acquisition is a collection method used when the device or medium being investigated is at a remote location. A remote connection to the device is established and a forensic image is created over the network. Remote acquisition can be challenging due to network latency, bandwidth limitations and security considerations (the transport should be authenticated and encrypted), and the image still has to be hashed at the source and at the destination and the two values compared.
- Validation: This step verifies the integrity and authenticity of the acquired data by hashing the original and the image with the same algorithm (MD5 and/or SHA-256) and confirming that the values match, which shows that no changes or modifications were made during the acquisition. A mismatch means the acquisition must be repeated and the discrepancy documented.
- Verification of tools and procedures: Forensic tools and procedures should be tested and verified to ensure that they are functioning correctly and producing accurate results.
- Reproducibility: The results of a forensic examination should be able to be reproduced by another examiner using the same tools and procedures.
- Chain of custody: The chain of custody for digital evidence should be maintained throughout the forensic process to ensure that the evidence has not been tampered with or altered.
- Peer review: The results of a forensic examination should be subject to peer review by other experts in the field to ensure that the analysis is sound and valid.
- Standards and guidelines: Digital forensic examiners should adhere to recognized standards and guidelines for forensic analysis, such as those published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).
- Documentation: This step involves documenting the entire collection process, including the identification of the devices or storage media (make, model, serial number), the preservation techniques used (write blocker, power state), the collection techniques used (tool, version, command line), the hash values obtained, and the validation process.
References:
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
- NIST, Manuals and Guidelines
- ISO/IEC 27037:2012, Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27042:2015, Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043:2015, Incident investigation principles and processes
Preservation of Evidence
1. Preservation of Evidence: one of the main goals of the digital forensics process is to preserve the evidence in its original form so that it is not altered or damaged during the investigation. This may involve making a verified copy of the digital evidence and working only on the copy, or taking steps (write blockers, read-only mounts, sealed storage) to prevent any changes to the original data.
Digital forensics involves the preservation, collection, and analysis of digital data as evidence in a wide range of criminal and civil investigations. The goal of preserving evidence is to maintain its integrity and authenticity, so that it can be used in a court of law.
The following are some best practices for preserving digital evidence:
1. Identify the scope of the investigation: Before starting the investigation, it's important to clearly define the scope of the investigation and the types of evidence that will be collected. This will help ensure that all relevant evidence is preserved and collected.
2. Document the evidence: All evidence collected during the investigation should be properly documented, including where and when it was collected, who collected it, and any other relevant information.
3. Use forensically sound methods: It's important to use forensically sound methods when collecting and analyzing digital evidence. This includes ensuring that the original data is not modified, and that all copies are made using verified and authenticated tools.
4. Preserve the chain of custody: The chain of custody refers to the documentation of all persons who have had custody of the evidence from the time it was collected until it is presented in court. This helps ensure that the evidence is not tampered with or altered in any way.
5. Store the evidence securely: All digital evidence should be stored securely to prevent unauthorized access or modification. This includes storing the evidence in a secure location, using encryption to protect sensitive data, and ensuring that only authorized personnel have access to the evidence.
6. Follow legal and ethical guidelines: Finally, it's important to follow all legal and ethical guidelines when collecting and analyzing digital evidence. This includes obtaining necessary warrants or permissions, and ensuring that the investigation is conducted in an ethical and unbiased manner.
By following these best practices, digital forensics professionals can ensure that evidence is properly preserved and collected, and that it remains admissible in court.
There are a number of tools and techniques used in digital forensics to preserve evidence, including:
1. Imaging tools: These tools create an exact duplicate of a storage device, such as a hard drive, so that the original data can be analyzed without changing it. (For example: dd)
2. Hashing tools: Hashing tools generate a "fingerprint" of a file, which can be used to verify that the file has not been altered. (For example: md5sum, sha256sum. MD5 is no longer collision resistant, so record a SHA-256 value alongside any MD5 value.)
3. Data recovery tools: These tools can help recover deleted or lost data, which can be important in an investigation. (For example: Foremost)
4. Analysis tools: Digital forensics analysts use a variety of tools to analyze data, including forensic suites, decryption tools and other specialized software. (For example: Autopsy)
5. Chain of custody documentation: Keeping a clear and comprehensive record of the handling of evidence is critical in digital forensics to ensure that the evidence is admissible in court.
It's important to note that the specific tools used in digital forensics will vary depending on the nature of the investigation and the type of evidence being collected.
1. Imaging tools
Imaging tools are software applications used in digital forensics to create exact copies or images of digital media, such as hard drives, memory cards, and other storage devices. These tools create a bit-by-bit copy of the original media, which is then used for analysis and investigation.
1.1 Here are some commonly used imaging tools in digital forensics:
1. dd: dd is a command-line tool used in Linux and other Unix-based operating systems to create images of digital media. It is a simple and powerful tool that can create exact copies of disks, partitions, and files.
Eg. Scenario: we need to image a USB drive
· Attach the USB drive, through a hardware write blocker if one is available (a USB 3 port makes imaging a large drive much faster)
· Open a terminal and identify the device node: $ sudo fdisk -l
· Create the image with dd, imaging the whole device rather than a single partition so that the partition table, unallocated space and any other partitions are captured: $ sudo dd if=/dev/sdb of=/home/sansforensics/Desktop/cases/usb_image.img bs=4M conv=noerror,sync
· conv=noerror,sync keeps dd running past unreadable sectors and zero-fills them so that later data stays at its original offsets. Note that with a block size larger than a sector, conv=sync also zero-pads the final block when the device size is not a multiple of bs, so if the image hash must equal the source hash use bs=512 or a forensic dd variant (dc3dd, dcfldd) that hashes as it copies
· Hash the image (and the source device) immediately afterwards and record both values in the case notes
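The dd step above as an added example (this is my own script, not from the original page, SANS or any forensic tool): the acquisition wrapped so that the source and the image are hashed and the whole run, including dd's own record counts, is appended to a log, which is what the validation and documentation steps earlier in this section ask for. It assumes a Linux host with coreutils (dd, sha256sum, date); the paths, the EXAMINER variable, the BLOCK_SIZE default and the log layout are this example's own choices, and the demo uses a constructed file in place of a device so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original page or from any forensic tool:
# dd acquisition with before/after hashing and an acquisition log.
# Assumptions: Linux + coreutils; SOURCE is normally a whole device such as
# /dev/sdb behind a write blocker. EXAMINER and BLOCK_SIZE are optional
# environment variables invented for this example.

# acquire_image SOURCE IMAGE LOG
#   hashes SOURCE, copies it with dd, hashes IMAGE and SOURCE again,
#   appends everything (plus dd's statistics) to LOG, prints the image
#   hash and returns 0 only when all three hashes agree.
acquire_image() {
    src=$1; img=$2; log=$3
    # 512 bytes = one sector. conv=sync pads the last block with zeros when
    # the source size is not a multiple of the block size, which would make
    # the image hash differ from the source hash; a larger block size is
    # faster but only safe when the source size is a multiple of it.
    bs=${BLOCK_SIZE:-512}
    pre=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    {
        printf '%s START source=%s image=%s examiner=%s bs=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "${EXAMINER:-unknown}" "$bs"
        printf 'source sha256 before: %s\n' "$pre"
    } >> "$log"
    # noerror: keep going after a read error; sync: zero-fill the bad block
    # so later data keeps its offsets. dd reports records in/out on stderr,
    # which is captured into the log.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>> "$log" || return 2
    post=$(sha256sum "$src" | cut -d' ' -f1)
    imgh=$(sha256sum "$img" | cut -d' ' -f1)
    {
        printf 'source sha256 after:  %s\n' "$post"
        printf 'image  sha256:        %s\n' "$imgh"
        printf '%s END\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"
    [ "$pre" = "$post" ] && [ "$pre" = "$imgh" ] || return 3
    printf '%s\n' "$imgh"
}

# verify_image IMAGE EXPECTED_SHA256 : re-hash a stored image against the
# value recorded at acquisition; any later alteration makes this fail.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Demo on a constructed 8 KiB "drive" (run with DEMO=1 sh acquire.sh):
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    yes 'constructed evidence data' | head -c 8192 > "$d/drive.bin"
    h=$(EXAMINER="J. Doe" acquire_image "$d/drive.bin" "$d/drive.dd" "$d/acq.log") \
        && echo "acquired, sha256=$h"
    verify_image "$d/drive.dd" "$h" && echo "image verifies"
    printf '\0' >> "$d/drive.dd"            # simulate tampering with the image
    verify_image "$d/drive.dd" "$h" || echo "tampering detected"
    cat "$d/acq.log"; rm -rf "$d"
fi
```

On a real device run it as EXAMINER="name" acquire_image /dev/sdb /cases/001/usb.dd /cases/001/acq.log. Hashing the source device twice doubles the read time on a large drive; dc3dd or dcfldd avoid that by hashing while copying, and GNU dd's status=progress option shows progress on long runs.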
FTK Imager: FTK Imager is a popular imaging tool used in digital forensics. It supports a wide range of file formats and allows investigators to create images of disks, partitions, and individual files. It also has advanced features such as the ability to view and extract data from memory dumps.
· Scenario: we need to dump the memory of a running suspect machine and find a stored password in RAM
Eg. https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/
· First download FTK Imager from the AccessData website to a Windows machine
· Copy the entire "FTK Imager" installation folder (default installation folder is C:\Program Files\AccessData\FTK Imager) to a removable drive, so nothing has to be installed on the suspect machine
· Run FTK Imager from the removable drive on the victim machine
· Capture memory (File > Capture Memory) and save the dump to the removable drive, not to the suspect's own disk, so that nothing on the evidence disk is overwritten
· Open the analysis machine
· In FTK Imager, open the memory dump location
· Right-click in the ASCII view
· Find, for example, "www" to search for open sites, "password" ……
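The ASCII search at the end of the FTK Imager steps, as an added example that is not from the page or from FTK Imager: the same keyword search done on a Linux analysis box over the saved dump, so that it is repeatable and its hit list can be filed with the case notes. Only POSIX tr, grep and sort are assumed; the sample "dump" is constructed, and the patterns and the minimum string length are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page or from FTK Imager: keyword
# search over a raw memory dump. Assumes POSIX tr/grep/sort only; works on
# any raw dump (the .mem file FTK Imager writes needs no conversion).

# dump_strings FILE MINLEN : printable runs of at least MINLEN characters,
# one per line (what strings(1) does, without needing binutils installed)
dump_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$2,}$"
}

# find_artifacts FILE : URLs, www hosts and password-style key=value pairs
# found in the dump, sorted and de-duplicated (patterns are assumptions)
find_artifacts() {
    dump_strings "$1" 8 |
        LC_ALL=C grep -E -o -i \
          'https?://[^[:space:]"<>]+|www\.[^[:space:]"<>]+|(pass(word|wd)?|pwd)=[^[:space:]&"]+' |
        LC_ALL=C sort -u
}

# make_sample_dump OUT : a constructed stand-in for a memory capture, with
# browser-looking fragments separated by non-printable bytes (NOT real data)
make_sample_dump() {
    {
        printf '\000\001\002GET /login HTTP/1.1\000\000'
        printf 'Host: www.example.com\000\377\376'
        printf 'user=alice&password=Hunter2!&remember=1\000'
        printf 'https://mail.example.com/inbox?id=42\000\005\006'
        printf 'ab\000cd\000'            # too short to count as a string
    } > "$1"
}

# Demo (run with DEMO=1 sh memsearch.sh):
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_sample_dump "$d/mem.raw"
    find_artifacts "$d/mem.raw"
    rm -rf "$d"
fi
```

On the constructed dump find_artifacts returns three hits: the mail URL, password=Hunter2! and www.example.com. Against a real multi-gigabyte dump, lower the minimum length with care (short runs produce a lot of noise) and keep the output file with the case, since the dump itself is the evidence and the hit list is your analysis record.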
2. Hash image file
In digital forensics, a hashing tool is a software application used to calculate and verify hash values of files, data, and other digital artifacts. Hashing is a process of generating a unique fixed-size digital fingerprint of a file or data set, which can be used to identify and verify the integrity of the original data. Hashing tools are used extensively in digital forensics investigations to verify the authenticity of digital evidence, ensuring that the data has not been tampered with or altered. These tools can also be used to compare the hash values of different versions of the same file, helping investigators to determine if any modifications have been made.
Some commonly used hashing tools in digital forensics include:
· FTK Imager: A popular digital forensics tool that includes a hashing module, allowing investigators to quickly generate hash values for files and data sets.
· md5sum
· sha256sum
In summary, a hashing tool is an essential component of any digital forensics investigation, allowing investigators to verify the integrity and authenticity of digital evidence.
Eg. Scenario: generate a hash value for a piece of evidence so that any later alteration can be detected
1. md5sum
$ md5sum filename.extension
8be0a2700ed6e587ee9c6d5bd89b8ce2 reg.reg
Note: for a big file this takes time, because the whole file has to be read
Eg. Scenario: confirm that file content has not changed: create a text file and generate its hash, then modify the file, hash it again and compare the two values:
$ md5sum cv.txt
fd2b2ef1f3f3f7f5da52623f8b84fa3d cv.txt
Change some content
$ md5sum cv.txt
d6b29ea623deb3fdb1a6314be853b032 cv.txt
$ sha256sum cv.txt
27a72ef1f0236d7e3a1d406723f9c58c3427c6979934d4c37fee09f0bb7005e5 cv.txt
$ sha256sum cv2.txt
f137f03fc4543c8158b1607012e44e3286bedd280c6795a9c5fb4727b429589d cv2.txt
Note that the likelihood of two different files having the same hash value is extremely low, which makes hash values a useful tool for verifying the integrity of files.
Compare the 2 results
To compare two MD5 checksum results:
You can compare the checksums manually by visually inspecting them, or you can use a tool to compare them automatically. Most file comparison tools can compare checksums and will report whether they are identical or different.
MD5 alone is not sufficient for proving that a file has not been substituted: MD5 is no longer collision resistant, and producing two different files with the same MD5 checksum (a "collision") is practical today. It still detects accidental corruption, but for evidence use SHA-256, or record both an MD5 and a SHA-256 value, as most forensic imaging tools do.
$ diff -u cv.txt cv2.txt
If there is no output, the two files are identical (diff also exits with status 0); any difference is printed line by line.
To verify a file later with md5sum, save the checksum to a file first and then check the file against it:
$ md5sum cv.txt > cv.md5
$ md5sum -c cv.md5
cv.txt: OK
when we change some content:
$ md5sum -c cv.md5
cv.txt: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
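The md5sum -c check above extended to a whole evidence directory, as an added example (my own script, not the page's and not part of coreutils): a SHA-256 manifest of every file, and a verification that reports which file changed or went missing and, unlike sha256sum -c on its own, also notices files that were added after the manifest was made. It assumes GNU coreutils (sha256sum, find, sort, comm, cut, mktemp); the directory layout and the manifest name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: SHA-256 manifest for an
# evidence directory. Assumes GNU coreutils. Keep the manifest outside the
# evidence directory so that it does not list itself.

# make_manifest DIR MANIFEST : one "sha256  ./relative/path" line per file,
# in a fixed (C-locale) order so two manifests of the same tree are identical
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_manifest DIR MANIFEST : returns 0 only if every listed file still
# hashes to its recorded value AND no file has been added to DIR.
# sha256sum -c reports modified or missing files ("FAILED"); it cannot see
# new files, so the current file list is compared with the manifest too.
verify_manifest() {
    dir=$1
    man=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")    # absolute path
    rc=0
    ( cd "$dir" && sha256sum -c --quiet "$man" ) || rc=1
    present=$(mktemp); listed=$(mktemp)
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) > "$present"
    # a sha256sum line is 64 hex chars, two spaces, then the path (column 67)
    cut -c67- "$man" | LC_ALL=C sort > "$listed"
    extra=$(LC_ALL=C comm -23 "$present" "$listed")
    rm -f "$present" "$listed"
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/NOT IN MANIFEST: /'
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed evidence tree (run with DEMO=1 sh manifest.sh):
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); mkdir -p "$d/ev/sub"
    printf 'alpha\n' > "$d/ev/a.txt"; printf 'beta\n' > "$d/ev/sub/b.txt"
    make_manifest "$d/ev" "$d/ev.sha256"
    verify_manifest "$d/ev" "$d/ev.sha256" && echo "clean"
    printf 'x' >> "$d/ev/a.txt"; printf 'new\n' > "$d/ev/c.txt"
    verify_manifest "$d/ev" "$d/ev.sha256" || echo "evidence set changed"
    rm -rf "$d"
fi
```

Sign or at least hash the manifest itself and record that value in the chain-of-custody log; a manifest that lives next to the evidence and is never checked against anything external can be regenerated by whoever altered the files.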
3. Data recovery tools
In the context of digital forensics, data recovery tools can be useful in recovering evidence that has been deleted or damaged on a digital device. Some commonly used data recovery tools in digital forensics include:
FTK Imager: FTK Imager is a free imaging tool that creates forensic images of a device, allowing investigators to analyze the data without risking the integrity of the original. When browsing a file system it also lists deleted files whose directory entries still exist (marked with a red X), and these can be exported.
EnCase: This is a popular forensic tool that can be used to recover data from a variety of devices, including computers, smartphones, and tablets. EnCase is known for its advanced file carving capabilities, which allow it to recover data even if the file system has been damaged or deleted.
Recuva: Recuva is a free data recovery tool that is useful for recovering deleted files from a variety of devices, including hard drives, memory cards, and USB drives. It is easy to use and can recover a wide range of file types.
TestDisk: TestDisk is an open-source data recovery tool that can be used to recover lost partitions and repair damaged file systems. It can also be used to recover deleted files from a variety of devices, including hard drives, USB drives, and memory cards.
PhotoRec: PhotoRec is another open-source data recovery tool that is useful for recovering deleted files, particularly photos and videos. It can be used to recover data from a variety of devices, including hard drives, memory cards, and USB drives.
Eg. Scenario: check a USB drive for deleted files, including a document containing Arabic text and an ISO image
· FTK Imager
· Add Evidence Item
· Select Physical Drive
· Select the USB drive
· Browse to the root of the file system
· Select the files marked with a red X (deleted entries)
· Export Files
· Select the destination location (on the analysis machine, never on the evidence drive)
Recuva: a Windows GUI tool. Like the other recovery tools, run it against a copy or image, not against the original evidence drive.
TestDisk
$ sudo fdisk -l
$ sudo testdisk /dev/sdb1
· in the menu choose [ Advanced ] > [ Undelete ], then select the deleted files and copy them out
Run TestDisk (and PhotoRec) against the forensic image or a cloned copy rather than the original drive: TestDisk can write to the disk (partition table and boot sector repairs), which would alter the evidence. Both tools accept an image file in place of a device.
*** PhotoRec recovers many types of files by carving on file signatures, so it works even when the file system is damaged or gone, although carved files come back without their original names and paths.
$ sudo fdisk -l
$ sudo photorec /dev/sdb1