
Digital Forensics & Electronic Evidence

What You’ll Learn:

 Legal permissions needed to collect electronic evidence.

 Proper procedures to preserve the integrity of digital evidence.

 Techniques to collect evidence from computers and mobile devices.

 Methods of analyzing electronic evidence.

 Identifying potential digital evidence types on devices.

 Elements required in a court-usable forensic report.

 Recognizing weaknesses in evidence and its collection process.

Purpose of the Course:

 Provide non-technical individuals a strong foundation in digital forensics.

 Enable learners to identify important areas in digital evidence handling.

 Clarify the difference between digital forensics and cybersecurity.

Who Should Take It:

 Legal professionals.

 Individuals involved in legal cases.

 Curious learners or those exploring digital forensics as a career.

Types of Crimes and Potential Digital Evidence

FRAUD & COUNTERFEITING

 Documents & IDs: Money order images, counterfeit currency, false identification, images of signatures

 Personal Data: Customer information, address books, contact details, credit card numbers

 Digital Evidence: Emails, letters, internet activity history, databases

HARASSMENT & STALKING

 Communication Records: Emails, letters, contact details, telephone records

 Tracking & Research: Internet history logs, maps, GPS records, victim background research

 Supporting Evidence: Diaries, legal documents, financial records, images

SOFTWARE PIRACY

 Piracy Tools: Torrents, cracking utilities, software serial numbers

 Shared Content: Video and audio files, file sharing websites

 Digital Trails: Internet history logs, emails, letters, chat logs

NARCOTICS

 User & Supplier Data: Contact details, databases, financial records

 Illegal Content: Drug recipes, false IDs, prescription form images

 Digital Communications: Emails, letters, internet history logs

DOMESTIC VIOLENCE

 Personal Records: Diaries, medical records, financial records

 Communication Evidence: Emails, letters, contact details, telephone records

TELECOMMUNICATIONS FRAUD

 Technical Evidence: Cloning software, electronic serial numbers

 User Data: Customer databases, mobile numbers

 Communications: Emails, letters, internet history logs, financial records

IDENTITY THEFT

 Fake Documents: Counterfeit IDs, certificates, insurance, loan, and sales documents, driver’s licenses, birth certificates

 Digital Tools: Credit card cloning software, electronic signatures

 Evidence of Use: Online orders, online trading info, emails, deleted documents, internet history logs, images of victims, checks

File Deletion and Recovery

File Allocation Table (FAT):

Computers use an indexing system (the File Allocation Table, or FAT, is the classic example) to record where each file's data lives on a storage device.

1. What Happens During Deletion:

Deleting a file does not erase it. The file system only marks the index entry and the space the file occupied as available; the data itself stays on the disk until that space is reused and overwritten.

2. Undeleting Files:

o If data hasn’t been overwritten, it can be recovered.

o Even formatted drives can still hold recoverable data.

3. File Signatures:

o Most file types begin with a fixed byte pattern (a header signature), and many also end with one (a footer); a JPEG, for example, opens with FF D8 FF and closes with FF D9.

o Recovery tools ("carvers") scan the raw disk for these signatures and copy out whatever lies between header and footer, without needing the index at all.

4. Limits of Recovery:

o Encrypted drives: without the key, the ciphertext shows no recognisable signatures, so carving finds nothing. With the key (or a volume acquired while unlocked) recovery proceeds as on any other drive.

o Complete prevention: overwriting the freed space with a pattern (e.g., zeros) destroys the data on magnetic disks. On SSDs and flash media, wear levelling can leave old copies in cells the overwrite never reaches, so the drive's built-in secure-erase command, or encryption followed by key destruction, is the reliable method.

Digital Forensics and Electronic Evidence – Study Notes

1. File Deletion and Indexing

 Computers use an indexing system (like a File Allocation Table, FAT) to manage files on storage devices.

 Deleting a file doesn't erase the data; it only marks the index entry and the space as available for reuse.

 The file is hidden from the OS, but its contents still reside on the disk until that space is overwritten.

2. Undeleting Files

 File recovery is possible if the space hasn't been physically overwritten.

 Recovery tools read the directory entries the OS hides rather than deletes (in FAT, a deleted entry keeps its name, size and starting cluster; only the first byte of the name is replaced with a deletion marker), so the tool can follow the entry to the data if it has not been reused.

3. Recovery After Formatting

 Files can often be recovered even after the drive is formatted.

 A file not listed in the FAT may still be recoverable if its data exists
on the disk.

4. File Signatures

 Most file types have a characteristic signature at the start, and many also have one at the end (a JPEG opens with FF D8 FF and ends with FF D9; a PNG opens with 89 50 4E 47 0D 0A 1A 0A and ends with its IEND chunk).

 Recovery tools scan the storage for these byte patterns (signatures) to identify files.

5. Data Recovery Process

 On finding a header signature, recovery software copies data from the header up to the matching footer (or up to a size limit when the format has no footer).

 This enables recovering files not listed in the FAT.

 Even partial files can be recovered if the header remains intact; a fragment whose tail was overwritten may still be partly viewable, depending on how the format tolerates truncation.

6. Encryption and Recovery

 On encrypted devices, recovery tools see only ciphertext, in which file signatures are not recognisable.

 Thus, deleted file recovery is not possible on an encrypted drive unless the examiner has the key or password (or the volume is acquired while unlocked).

7. Preventing File Recovery

 Overwriting disk space with patterns (e.g., zeros) makes the data irretrievable on magnetic disks; on SSDs an overwrite is not guaranteed to reach every physical cell, so the drive's secure-erase command is used instead.

 Used legitimately before selling or disposing of devices, and by suspects to destroy evidence; the presence of a wiping tool, its logs and the timing of the wipe can themselves be evidence.
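The header-and-footer search described in sections 3 to 7 above, as an added worked example (this is not code from the course). It scans a raw image for known header signatures, copies from the header to the matching footer, hashes what it recovered, and then zero-wipes the unallocated region and scans again to show why overwriting defeats recovery. The image, the sector layout and the file payloads are all constructed here; no real evidence or real pictures are involved.

```python
"""Signature-based file carving over a raw disk image.

Added example, not code from the course notes. It performs the header/footer
search the notes describe: scan every byte of the image for known header
signatures, copy from the header to the matching footer, and hash what was
recovered. The image is constructed here (no real evidence): a PNG that is
still allocated and a JPEG that has been "deleted", i.e. it sits in space the
file system no longer indexes. The last step wipes the unallocated region
with zeros and carves again, which shows why overwriting defeats recovery.
"""
import hashlib

SECTOR = 512

# Header and footer patterns. A PNG ends with its IEND chunk (4-byte length 0,
# type "IEND", CRC AE 42 60 82); a JPEG ends with the EOI marker FF D9.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, max_size=8 * 1024 * 1024):
    """Return (type, offset, sha256, data) for every header that has a matching
    footer within max_size bytes, sorted by offset. Headers with no footer in
    range are skipped: that is the partially overwritten file of the notes.
    Caveat: a JPEG that embeds a thumbnail contains an inner FF D9, so naive
    carving may stop early; production carvers parse the format instead."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            data = image[pos:end]
            found.append((kind, pos, hashlib.sha256(data).hexdigest(), data))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def wipe(image, start, end):
    """Overwrite image[start:end] with zeros, as a secure-delete tool does to
    free space on a magnetic disk (on an SSD the same write may not reach the
    physical cells). Returns the new image."""
    out = bytearray(image)
    out[start:end] = bytes(end - start)
    return bytes(out)


def build_sample_image():
    """Constructed 64 KiB image: a PNG at sector 8 ('allocated') and a JPEG at
    sector 64 in space treated as unallocated. Payloads are filler, not valid
    pictures; only the signatures matter to the carver."""
    png_header, png_footer = SIGNATURES["png"]
    jpg_header, jpg_footer = SIGNATURES["jpg"]
    png = png_header + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17 + png_footer
    jpg = jpg_header + b"\xe0" + b"JFIF filler bytes " * 40 + jpg_footer
    image = bytearray(128 * SECTOR)
    image[8 * SECTOR:8 * SECTOR + len(png)] = png
    image[64 * SECTOR:64 * SECTOR + len(jpg)] = jpg
    return bytes(image), png, jpg


if __name__ == "__main__":
    image, png, jpg = build_sample_image()
    for kind, offset, digest, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes, sha256 {digest[:16]}...")
    # Wipe everything from sector 32 on (the "unallocated" half) and retry.
    wiped = wipe(image, 32 * SECTOR, len(image))
    print("after zero-wipe:", [(k, o) for k, o, _, _ in carve(wiped)])
```

Run as a script it lists both files, the "deleted" JPEG included, then lists only the PNG after the wipe. Against an encrypted volume the same scan returns nothing useful, because ciphertext contains no recognisable headers; the fix is to decrypt (with the key) before carving, not a better carver.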

Authorization for Acquiring Electronic Evidence

1. Legal Authorization is Essential before acquiring electronic evidence.

2. Three Types of Authorization:


o Consent:

 Simplest form.

 Must be in writing.

 Should include:

 Full description of evidence.

 Consent to search all devices involved.

o Search Warrant:

 Commonly used by law enforcement.

 Issued by a court.

 Must authorize both:

 Seizure and

 Search of computers, hardware, software, or storage media.

 Plain view rule:

 Allows seizure of visible evidence.

 Does not authorize search of devices.

o Anton Piller Order (Civil Matters):

 Granted without notice to the defendant.

 Like a civil search warrant.

 Hard to obtain; requires proving:

1. Strong prima facie case.

2. Serious damage from misconduct.

3. Defendant possesses incriminating evidence.

4. Risk of evidence destruction before formal discovery.

3. Once authorized, evidence collection should be done by a trained digital forensic specialist.

Chain of Custody

The chain of custody is the witnessed, written record of every individual who had control of an item of evidence, with no gaps between handoffs. It establishes that the items collected at the scene are the same items being presented in court.

To prove chain of custody, the documentation should contain at least the following:

 A description of the evidence that is comprehensive enough to identify the item properly (for digital media: make, model and serial number and, once imaged, the image's hash values).

 How the item was obtained.

 When the item was collected.

 Who has handled it.

 Why each person handled it (the purpose).

 How and where it was transported.

 And where it was ultimately stored.

Digital evidence differs from physical evidence in that a properly made image of a hard drive, verified by matching hash values, is as good as the original hard drive in the eyes of the court.

The first image made of a hard drive is known as the best evidence, and the chain of custody documentation should be attached to and stored with the best evidence in a safe environment.

After the best evidence is gathered, a second copy should be made either from the original or from the best evidence. This is the working copy that investigators will use for their investigation; the best evidence itself is never opened for analysis.

Every time the best evidence changes hands, the chain of custody documentation needs to be updated so that there are no gaps in the records of where it came from or where it went; re-hashing the image at each handoff shows that it is still unchanged.

Following proper procedures for the handling of evidence reduces, or even rules out, the possibility that the authenticity of the evidence will be questioned.

7. Hash Coding

Concept:

 A hash value is a fixed-size value (normally shown as a hexadecimal string) computed from data by a cryptographic hash function.

 Common algorithms: MD5, SHA-1, SHA-256. MD5 and SHA-1 are still reported by many forensic tools for compatibility, but both have known collision attacks, so a SHA-2 hash (SHA-256) should be recorded alongside them.

 Even a single bit change in the input produces a completely different hash, which is what lets a hash act as an integrity check.

Usage in Forensics:

 Hashes are used to:

o Verify that evidence has not been tampered with.

o Identify duplicates in massive data sets.

o Create digital fingerprints of evidence.

 Forensic tools compute the hash of the source while reading it and the hash of the finished image afterwards; matching values prove the image is an exact copy.

Key Principle:

If the hash value of the evidence matches the recorded value, the data has not been altered; any mismatch, however small, means it has.

8. Forensic Imaging

Concept:

 Forensic imaging is the process of creating an exact, bit-by-bit copy of digital storage media.

 It captures all data: visible files, deleted files, unallocated space, and even hidden partitions.

Purpose:

 To preserve original evidence while allowing analysis on a separate copy (working image).

Imaging Types:

 Logical image: Captures only the active files and folders the file system presents.

 Physical image: Captures every sector of the device, including unallocated and slack space, deleted data and hidden partitions.

Tools:

 FTK Imager, EnCase, dd or dc3dd (Linux). Autopsy is an analysis platform that then works on the resulting image rather than an imager itself.

Best Practice:

Always acquire through a hardware write blocker (or with the source attached read-only), verify the image by hash, and analyze copies, never the original evidence.

9. Computer Hard Drive Imaging Demonstration


Demonstration Focus:

 Step-by-step practical view of imaging a hard drive.

 Showcases:

o Selection of source drive.

o Destination for image file.

o Setting hash options (MD5, SHA-1).

o Creating and verifying the image.

Takeaway:

 Ensures students know the exact procedure and tool usage to capture admissible evidence.

10. Mobile Devices

Challenges:

 Mobile devices store vast and varied types of data (SMS, call logs,
app data, GPS, photos).

 Constant updates and diverse OS versions complicate extraction.

Forensic Considerations:

 Keep the handset isolated from all networks (airplane mode, SIM removal, or a Faraday bag) so a remote wipe, lock or incoming message cannot alter the evidence; a hardware write blocker applies only to removable media such as SD cards, not to the phone itself.

 Must obtain legal authorization (warrant or consent).

Extraction Types:

 Logical extraction: the data the operating system exposes through its backup and sync interfaces (contacts, messages, call logs).

 File system extraction: the file system itself, including application databases and deleted records still inside them.

 Physical extraction: a raw, bit-for-bit image of the flash memory; on modern encrypted handsets this is ciphertext unless the device is unlocked or the key is recovered.

Tools:

 Cellebrite, XRY, Oxygen Forensic Detective.

11. Mobile Phone Imaging Demonstration

Demonstration Focus:

 Shows how forensic professionals extract data from a mobile phone.

 May include:
o Setting up tools (e.g., Cellebrite).

o Connecting phone.

o Selecting extraction method.

o Viewing parsed data.

Key Insight:

 Chain of custody and proper documentation must be maintained at all stages.

12. Social Media & Web Pages

What’s Collected:

 Public and private posts, messages, metadata, timestamps, shared files.

Collection Methods:

 Screenshots (least reliable: no metadata, and easily altered).

 API-based tools.

 Browser-based acquisition using forensic browsers that log and hash each page as it is captured.

Tools:

 Hunchly (for web investigations), X1 Social Discovery.

Challenges:

 Dynamic content.

 User deletions.

 Jurisdiction issues (data hosted abroad).

13. Messenger Applications

Applications Involved:

 WhatsApp, Signal, Telegram, Messenger, etc.

Evidence Types:

 Text messages, voice notes, images, attachments, contact lists.

Forensic Tools:

 Oxygen Forensic Detective.


 Elcomsoft Explorer.

 Magnet AXIOM.

Important Notes:

 End-to-end encryption protects messages in transit, so interception yields nothing; acquisition targets the endpoints, where the app's local message database is usually readable once the device is unlocked.

 Tools often need root or jailbreak access for full extraction of application data.

14. Email

Types of Data:

 Content of email, headers, attachments, timestamps, metadata.

Forensic Value:

 Reveals communication trails, timelines, and intent.

 Email headers can identify:

o Source IP (from the earliest Received header, the one nearest the bottom).

o Each sending and receiving server along the path.

o A timestamp for every hop, plus the authentication results (SPF, DKIM, DMARC) added by the receiving server.

Common Evidence Scenarios:

 Phishing attacks.

 Insider threats.

 Corporate espionage.

Tools:

 MailXaminer, Paraben Email Examiner, FTK.

Best Practice:

Capture and preserve the original message with its full headers (export it as .eml or .msg, or obtain the server's copy). Never forward an email as evidence: forwarding creates a new message whose Received chain describes the forwarder's path and discards the original headers.
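What an examiner reads off full headers, as an added worked example (not code from the course). The message is constructed for illustration: the addresses are RFC 5737 documentation ranges, the domains end in .test, and the ids and timestamps are invented. The script walks the Received chain from earliest hop to last, pulls out the originating IP, the first relay and the per-hop times, and compares them with what the From header claims. All of this sits in the original message's headers and is exactly what a forwarded copy no longer carries.

```python
"""Reading the routing trail out of full email headers.

Added example, not from the course notes. The message below is constructed
for illustration (RFC 5737 documentation addresses, .test domains, invented
ids). It walks the Received headers from the earliest hop to the last, which
is how an examiner finds the originating IP, the first relay and the per-hop
timestamps, and it compares those with what the From header claims. All of
this lives in the headers of the original message and is discarded when the
message is forwarded instead of exported.
"""
import email
import email.utils
import re

RAW_MESSAGE = """\
Received: from mx2.example-corp.test (mx2.example-corp.test [198.51.100.25])
\tby mail.example-corp.test with ESMTPS id 4QbT1k; Tue, 11 Mar 2025 09:14:07 +0000
Received: from relay.freemail.test (relay.freemail.test [192.0.2.44])
\tby mx2.example-corp.test with ESMTP id 1tr9Xy; Tue, 11 Mar 2025 09:14:05 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby relay.freemail.test with ESMTPA id 9kLm2; Tue, 11 Mar 2025 09:13:58 +0000
Authentication-Results: mx2.example-corp.test; spf=fail smtp.mailfrom=example-corp.test;
\tdkim=none
Message-ID: <20250311091355.1a2b@freemail.test>
From: "Finance Director" <cfo@example-corp.test>
To: payments@example-corp.test
Date: Tue, 11 Mar 2025 09:13:55 +0000
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the fields an examiner reads off it."""
    value = " ".join(value.split())        # unfold continuation lines
    from_host = re.search(r"\bfrom\s+(\S+)", value)
    by_host = re.search(r"\bby\s+(\S+)", value)
    ip = IPV4.search(value)
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "from": from_host.group(1) if from_host else None,
        "ip": ip.group(1) if ip else None,
        "by": by_host.group(1) if by_host else None,
        "time": email.utils.parsedate_to_datetime(stamp) if stamp else None,
    }


def header_findings(raw):
    """Reconstruct the path and flag mismatches between the path and the
    claimed sender. Each relay prepends its own Received header, so the
    bottom one is the first hop and the only one naming the sending client."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    msgid_domain = (msg.get("Message-ID") or "").strip("<> ").rsplit("@", 1)[-1]
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    times = [h["time"] for h in hops if h["time"]]
    first_relay = hops[0]["by"] if hops else None
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "first_relay": first_relay,
        "hops": hops,
        "claimed_from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "relay_matches_sender": bool(first_relay and first_relay.endswith(from_domain)),
        "spf_pass": "spf=pass" in auth,
        "transit_seconds": int((times[-1] - times[0]).total_seconds()) if times else None,
        "timestamps_in_order": times == sorted(times),
    }


if __name__ == "__main__":
    f = header_findings(RAW_MESSAGE)
    for i, hop in enumerate(f["hops"], 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']:%H:%M:%S}")
    print("claimed sender domain:", f["claimed_from_domain"],
          "| first relay:", f["first_relay"], "| SPF pass:", f["spf_pass"])
```

On this sample the claimed sender is inside example-corp.test, yet the first hop is a client at 203.0.113.7 handing off to a freemail relay, the Message-ID was generated by that freemail system, and SPF failed: the pattern of a spoofed internal email. Only the bottom Received header names the sending client; every header above it was written by a server the examiner can identify and, if needed, subpoena for logs.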

IMAGING TOOLS

 FTK Imager

 OSFClone

 Belkasoft Acquisition Tool (Including mobile)


 Magnet Acquire (Including mobile)

DATA RECOVERY

 PhotoRec

 Recuva

MOUNTING FORENSIC IMAGES AS A DRIVE OF A COMPUTER

 OSFMount

 FTK Imager

INDEXING and SEARCHING COMPLETE DRIVES INCLUDING CONTENTS OF FILES

 Docfetcher

 Bulk-Extractor

SCREEN CAPTURE TOOLS

 Duckcapture

CAPTURING WEBSITES

 FAW

 HTTrack

FORENSIC SUITES WITH TRIAL VERSIONS

 OSForensics

 Belkasoft
