digital forensic

Mumbai | Pune | Hyderabad | New Delhi | Chennai | Bengaluru DIGITAL FORENSIC A practitioners perspective Forensic Accounting Conference ICAI Bangalore Branch Feb 2016

Upload: ravi-nayak

Post on 20-Jan-2017


TRANSCRIPT

Page 1: Digital Forensic

Mumbai | Pune | Hyderabad | New Delhi | Chennai | Bengaluru

DIGITAL FORENSIC

A practitioners perspective

Forensic Accounting Conference

ICAI Bangalore Branch

Feb 2016

Page 2: Digital Forensic

© 2015 SKP Business Consulting LLP. All rights reserved.

WE AND THE DIGITAL WORLD

Page 3: Digital Forensic

DATA DEVICES & TYPES

Digital Devices: Devices that we use on a daily basis

Digital Applications: Applications/software we use on a daily basis

Actions/Activities: We assist in collating necessary evidence for litigations

Page 4: Digital Forensic

Digital Devices

Popular Types

1. Laptop / Desktop
2. Hard-disk
3. Pen drive
4. Printer
5. Projector
6. Mobile

Where do we use them?

Digital devices are used by businesses, professionals and individuals spread over various fields.

In homes, offices, schools and even train stations or airports, digital devices are being used for education, entertainment or just for sharing of information.

DATA DEVICES & TYPES

Page 5: Digital Forensic

Digital Applications

Popular Types

1. ERP
2. Mobile App
3. Web Browsers
4. Social Media
5. Skype / Chatting
6. E-mail

How do we use them?

Applications are developed to make human life simpler.

Distance and efforts are reduced. Thereby work which would have taken days is completed in mere hours.

DATA DEVICES & TYPES

Page 6: Digital Forensic

Actions/Activities

Popular Types

1. Update
2. Converse
3. Account checking
4. News
5. Browsing
6. Banking

Why do we use them?

Information that surrounds us needs to be constantly monitored for either updating, modification or simple knowledge purposes.

Creating, Deleting, Updating, Modifying or Formatting are some purposes for which applications are used.

DATA DEVICES & TYPES

Page 7: Digital Forensic

WHAT DATA IS STORED?

- Web Browsers
- E-Mails
- Image Editors

- Message Logs
- Event Logs
- Transaction Logs

Stores raw data

Stores application

Stores logs of use of application/data

- Created
- Modified
- Deleted

Page 8: Digital Forensic

HOW DATA IS STORED?

A. Track

B. Geometrical sector

C. Track sector

D. Cluster

Source: https://en.wikipedia.org/wiki/Disk_sector

Updates happen based on FAT 32

The data is stored in sectors

Page 9: Digital Forensic

DIGITAL FORENSIC EVIDENCES

Start

Reports and documents

Applications installed, e.g. software used to wipe information

Emails

Internet activity

Chat Log

Media info (Photo, scan doc, video etc)

Usage of USB

WiFi usage

Specific Folders

Secured information

Draft agreements

Deleted Information

Personal Identity info

Network information

Downloaded content

Hard disk / OS information

Access logs/Windows event logs

Page 10: Digital Forensic

DIGITAL FORENSIC EVIDENCES

Internet history/ activities

Key chat exchanges

Mails/files downloaded to mobile

Search history/ flagged places

Files uploaded/ downloaded from storage sites

Contact list and frequently contacted indications

Social media cache memory

Call and text history

Page 11: Digital Forensic

EVIDENCE COLLECTION GUIDELINE

Determine the necessary equipment to take to the scene.

Review the legal authority to collect the evidence, ensuring any restrictions are noted.

Individuals who may have relevant information should be identified and interviewed.

When evidence cannot be removed, it should be copied or imaged on-site.

Consult with the investigator.

Source: SWGDE guideline

Page 12: Digital Forensic

Document the condition of

Photograph and/or make a sketch of the computer connections and surrounding area.

EVIDENCE HANDLING GUIDELINE

Document the external component connections.

Determine if the computer is in stand-by mode and follow procedures as if it was powered on.

Source: SWGDE guideline

Page 13: Digital Forensic

EVIDENCE EXAMINATION GUIDELINE

Review documentation

Examination of the media should be completed

Review the legal authority

Examination on the original evidence media should be avoided if possible

Appropriate controls and standards should be used

Evidence

Source: SWGDE guideline

Page 14: Digital Forensic

APPROACH FOR EVIDENCE EXAMINATION

Evidence Principles

• Evidence is available
• Evidence is extractible
• Evidence is admissible

Understanding the subject

• Contextual knowledge about the subject and the environment
• Understanding the folder structure/email pattern and broader understanding of the use of the digital device

Preliminary Profiling

• Broad nature, response time, approach towards communication
• Understanding the extent of private conversations and the nature of the information shared in private communications

Pattern/Exception Analysis

• Inconsistent nature of communication received with reference to role, 'Bcc' communication, information shared with private email addresses, unusual pattern of conversations with external domains

Key Word Searches

• Evaluate the number of search hits and the nature of outcomes in those search hits for preliminary key words
• Use GREP, Whole word, Case Sensitive and Boolean searches as required

Revisit Profiling & Analysis

• Revisit the procedures based on the outcomes after the keyword searches
• Consolidate timeline and red flags together
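
The keyword-search step above, shown as an added example (not part of the original slides): whole-word, case-sensitive and Boolean matching over a few constructed messages, with hit counts per keyword. The message contents, keywords and function names are assumptions made for the illustration.

```python
import re

# Constructed sample messages (not from any real case).
MESSAGES = [
    {"id": 1, "body": "Please revise the quote before the tender opens."},
    {"id": 2, "body": "Quarterly TENDER summary attached; no cash involved."},
    {"id": 3, "body": "Send the commission in cash, keep it off the books."},
    {"id": 4, "body": "The contender list and cashier report are attached."},
]

def term_pattern(term, whole_word=True, case_sensitive=False):
    """Compile one keyword as a literal, optionally bounded by word edges."""
    body = re.escape(term)
    if whole_word:
        body = r"\b" + body + r"\b"
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)

def hits(term, **opts):
    """Return the ids of messages whose body matches the keyword."""
    pat = term_pattern(term, **opts)
    return {m["id"] for m in MESSAGES if pat.search(m["body"])}

def boolean_and(*terms, **opts):
    """Messages that contain every keyword."""
    return set.intersection(*(hits(t, **opts) for t in terms))

def boolean_and_not(include, exclude, **opts):
    """Messages that contain one keyword but not the other."""
    return hits(include, **opts) - hits(exclude, **opts)

def hit_counts(terms, **opts):
    """Hits per keyword, to judge whether a term is too broad or too narrow."""
    return {t: len(hits(t, **opts)) for t in terms}

if __name__ == "__main__":
    print("whole word:", sorted(hits("tender")))
    print("substring :", sorted(hits("tender", whole_word=False)))
    print("case-sens.:", sorted(hits("tender", case_sensitive=True)))
    print("AND       :", sorted(boolean_and("commission", "cash")))
    print("AND NOT   :", sorted(boolean_and_not("cash", "tender")))
    print("counts    :", hit_counts(["tender", "cash", "commission"]))
```

Substring matching pulls in "contender" and "cashier", which is why the hit count for a preliminary keyword has to be evaluated before its results are reviewed.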

Page 15: Digital Forensic

TOOLS IN DIGITAL FORENSIC

Imaging tool (write protector): Tableau

Imaging and processing tool: EnCase

Mobile forensic tool: Oxygen

Key word search tool: Intella, Nuix

Email review platform: Clearwell

Page 16: Digital Forensic

PRACTICAL APPLICATIONS

Data theft

• System logs
• Access data
• LNK files

Procurement fraud

• Emails
• Excel workings

Senior management fraud/financial statement fraud

• Transactional data
• Communications
• Excel workings

Page 17: Digital Forensic

CHALLENGES - IN DIGITAL FORENSIC

Evidence

Deletion/ formatting of data

Privacy and other issues

Encryption

Damaged hard disk

Overwriting of data

Inadmissible evidence

Page 18: Digital Forensic

THE FUTURE

Emerging digital devices

And many more

Smart Watches

Drones

GPS coordinates

Emerging Digital Services

Page 20: Digital Forensic

DISCLAIMER

The contents herein are solely meant for communicating information and not as professional advice. It may contain confidential or legally privileged information. The addressee is hereby notified that any disclosure, copy, or distribution of this material or the contents thereof may be unlawful and is strictly prohibited. Also the contents cannot be considered as any opinion/advice and should not be used as a basis for any decision. Before taking any decision/advice please consult a qualified professional adviser. While due care has been taken to ensure the accuracy of the information contained herein, no warranty, express or implied, is being made by us as regards the accuracy and adequacy of the information contained herein. SKP Business Consulting LLP shall not be responsible for any loss whatsoever sustained by any person who relies on this material.

Credits: Icon and Shape: www.flaticon.com, www.duarte.com