Cyber Forensics From Data To Digital Evidence Book by - A. Marcella, F. Guillossou

Upload: verity-gilbert

Post on 18-Jan-2016


Page 1: Cyber Forensics From Data To Digital Evidence Book by - A. Marcella, F. Guillossou

Cyber Forensics

From Data To

Digital Evidence

Book by - A. Marcella, F. Guillossou

The Role and Responsibility of a Cyber Forensic Investigator

1. Accurately report upon actions taken (warrants etc…)
2. Expertly identify, extract, and analyze data
3. Keep a detailed log of procedures

As an Expert

A Cyber Forensic Investigator who relies upon the automated, generated results of a forensic software tool, without an in-depth knowledge of how those results were achieved, puts at risk not only their professional reputation but also the successful outcome of the investigation.

Chapter Goals

• Take you from the very beginning, with data as an electrical impulse, through its becoming stored data, to its becoming potential evidence.

• As a Cyber Forensic Investigator, it is extremely important you understand this process.

Evolution of Bits and Bytes

• The evolution of bits and bytes into data, and finally into human-understandable text, might be somewhat technical but is not that hard.

The How, Where and Why

• We will be discussing the following:
– How data become digital forensic evidence
– Where to look for this evidence, buried beneath hundreds of millions of bytes of data.
– Why specific data may lead the investigator to the smoking gun.

In Court to Testify

• So when the lawyer questions you and asks, “How did you identify the specific data you examined to reach your conclusion?”, knowing the How’s, Where’s and Why’s, and the theory and logic behind your answer, will help you get favorable results.

Data Flow Intro.

• We will start small, in fact very small: “bits & bytes” small.
• We will explain the following:
– Bits & Bytes
– Origin of Data
– Data Storage
– Boot Records
– Partitions
– Volumes
– File Systems

Data Flow Intro.

• We will discuss how the topics are interrelated and essential in a cyber forensic investigation, the role each plays in an investigation, and what type of evidential data may be identified within each of the areas.

• We will look at Cases involving forensics.

The Fundamentals of Data

• To be a professional in cyber forensics one must have a foundation rooted in:
1. Basics of information technology
2. Data Storage
3. Handling
4. Processing
5. How data is moved
6. How data is manipulated

Data is Evidence

• Understanding how evidence emerges from data is pivotal. One must articulate how evidence data was:
1. Identified
2. Collected
3. Processed

Cyber Forensic Investigator

• As a cyber forensic investigator, simply pressing buttons and checking options in a forensic software suite can create a potential liability. Understanding the “Life Cycle” of data is very important: from its beginning as electronic bits, evolving into bytes, characters, then words, and finally emerging as a language, as information and eventually as evidence.