Introduction to Digital Forensics: Part 1

This will be my first post in English. As I promised on Twitter and by e-mail, I will talk about digital forensic security analysis. First, I will introduce the basic concepts and theory of digital forensics itself. The three main parts of digital forensics are: digital investigation, digital forensic investigation, and digital evidence. I will discuss these three parts one by one.

Digital Investigation

A digital investigation is a process in which we develop and test hypotheses that answer questions about digital events, using the scientific method: we form a hypothesis from the evidence we find and then test it.

The digital device was either used to commit a physical crime, or it executed a digital event that violated a policy or law. Examples are an attacker gaining unauthorized access to a computer, a user downloading contraband material, or a user sending a threatening e-mail. When the violation is detected, an investigation is started to answer questions such as why the violation occurred and who or what caused it.

Digital Forensic Investigation

A digital forensic investigation is a process that uses science and technology to analyze digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. In other words, a digital forensic investigation is a more restricted form of digital investigation.

Digital Evidence

Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis.

The most important part of digital forensics is the digital forensic investigation. There is a step-by-step procedure for carrying out a digital forensic investigation. The steps are:

➢ Preparation

➢ Preliminary Investigation

➢ Site Investigation

➢ Evidence Acquisition

➢ Preservation of Original Media

➢ Analysis of Data

➢ Reporting

Here is the explanation of each step of the digital forensic investigation procedure:

1. Preparation

a. Forensic Environment

➢ Establish sterile conditions to ensure that all media are freshly prepared

  • The forensic workstation is scanned for any malware

  • The target media for the forensic copy is wiped

➢ Validate all software licenses used for the investigation (check whether each tool is obsolete or up to date, etc.)

b. Documentation

➢ Establish file directories and security for investigation data and report

➢ Ready essential forms

  • Letter of Authorization or Warrant

  • Chain of Custody

  • Scope of Work

  • Non-Disclosure Agreement

2. Preliminary Investigation

➢ Who?

Profile the target user – are they computer savvy?

➢ What?

What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?

➢ When?

How long has it been since the digital activity?

➢ Where?

How do you plan on procuring the digital evidence?

3. Site Investigation

Physical Investigation

➢ Take pictures of the scene :

  • Asset tag
  • Removable media in the area
  • Connections – internal and external

➢ Inventory and describe all hardware

➢ Ensure Chain of Custody form is properly completed

4. Evidence Acquisition

➢ If possible, make a forensic copy at the scene using

  • a bit-stream imaging program (court-certified)

➢ Make sure you use a write-blocking device!

➢ Use static-prevention wrist strap when handling evidence

➢ Record the initial configuration – only change settings if necessary to provide a write block or to allow connectivity (e.g. jumpers, write-block notches)

➢ Record ALL activity!!!

5. Preservation of Original Media

➢ Create a cryptographic hash of the entire disk

➢ Create bit-image copies

➢ Create a cryptographic hash of the copy and compare it with the result obtained from the original. They MUST match!

➢ Be sure to lock the original disk in a limited-access room or container
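The preservation step above (hash the original, image it, hash the copy, compare), as an added Python example that is not from the training slides: it images a constructed sample "disk" file, returns independently computed digests for both sides, and shows the check failing once the copy has been altered. The file names and sample content are invented; on a real acquisition the source would be the block device behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so a full-size disk never has to fit in memory


def hash_file(path, algo="sha256"):
    """Hash a file (or a raw device node) from start to end."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(source_path, image_path, algo="sha256"):
    """Bit-for-bit copy of source_path to image_path.

    Returns (digest of the source computed while reading, digest recomputed
    from the written image), so acquisition and verification hashes are independent."""
    src_hash = hashlib.new(algo)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest(), hash_file(image_path, algo)


def verify_image(source_path, image_path, algo="sha256"):
    """Re-hash both sides from scratch; True only when the digests match."""
    return hash_file(source_path, algo) == hash_file(image_path, algo)


def demo():
    """Run the procedure on a constructed 3 MiB 'disk' file in a temp directory."""
    with tempfile.TemporaryDirectory(prefix="forensic-") as workdir:
        disk = os.path.join(workdir, "evidence.raw")   # stand-in for the original media
        image = os.path.join(workdir, "evidence.dd")   # the forensic copy
        with open(disk, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))     # constructed sample content
        src_digest, img_digest = image_and_hash(disk, image)
        match_after_imaging = src_digest == img_digest and verify_image(disk, image)
        with open(image, "ab") as f:
            f.write(b"\x00")                             # simulate a copy altered later
        match_after_change = verify_image(disk, image)
        return match_after_imaging, match_after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Record both digests, the algorithm and the tool used on the Chain of Custody form so the comparison can be repeated later by someone else.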

6. Analysis of Data

➢ Only work on the forensic copy!

➢ Record the initial file structure and associated external metadata

➢ Stay within your scope of work!!!

Data analysis, step by step:

➢ Timeline analysis

➢ Media analysis

➢ String or Byte search

➢ Data Recovery

7. Reporting

Four Forensic Principles = Success

➢ Minimize data loss

➢ Take notes about everything

➢ Analyze all data collected

➢ Report your findings

Okay, this is the end of part one. I will continue with Part 2 another day. Thanks :)

PS: The material is taken from the slides provided by Mr. Ahmad Zaid Zam Zani, instructor of the Digital Forensic Training held by ID-SIRTII/CC.