UNDERSTANDING DIGITAL FORENSICS

Philippine National Police

Anti-Cybercrime Group

By: PSINSP MICHAEL T VIRTUDAZO

Chief, Regional Anti-Cybercrime Office 7
 Name : PSINSP. MICHAEL T VIRTUDAZO

Office: PNP Anti-Cybercrime Group

Designation: Chief, Regional Anti-Cybercrime Office 7
Email: mtvirtudazo.7rdfl.vfu.acgroup@gmail.com

o Certified Cellebrite UFED Mobile Device Examiner

o Certified Cellebrite UFED Physical Examiner

2
SEQUENCE OF PRESENTATION

o PNP ACG Technical Capabilities

o Defining Digital Forensics

o Who Uses Digital Forensics

o Why Digital Forensics

o Best Practices Guide (ACPO Principles)

o Steps of Digital Forensics Process

o Evidence Processing Guidelines

o Digital Forensic Hardware and Software

o Common Evidence Recovered

PNP ACG TECHNICAL CAPABILITIES
TECHNICAL CAPABILITIES

STRATEGIC ESTABLISHMENT OF REGIONAL DIGITAL

FORENSIC LABORATORIES (RDFL)

NORTHERN LUZON
FIELD UNIT

SOUTHERN LUZON
FIELD UNIT

VISAYAS
FIELD UNIT

EASTERN MINDANAO
FIELD UNIT

WESTERN MINDANAO
FIELD UNIT
TECHNICAL CAPABILITIES

INTERNATIONAL STANDARD CERTIFICATION AND

TRAININGS OF PERSONNEL
o 6 personnel are Certified EnCase Forensic
Examiner (EnCE).
o 12 personnel are currently undergoing
EnCase Forensic Training and Certification
Program.

o 12 personnel are Certified CelleBrite Cellphone

Forensic Examiner
TECHNICAL CAPABILITIES
INTERNATIONAL STANDARD CERTIFICATION AND
TRAININGS OF PERSONNEL

o 3 personnel are CompTIA (Computing

Technology Industry Association) Security +
Certified.

o 6 personnel are Microsoft Certified

Professional

o 3 personnel are Microsoft Certified Systems

Administrator

o 2 personnel are Microsoft Certified Systems

Engineer
 TECHNICAL CAPABILITIES

Cellphone/
Computer Computer Video
Incident Cybercrime Mobile
Network Forensic Forensic
Response Investigations Forensic
Log Analysis Examination Examination
Examination
DIGITAL FORENSICS

- Digital Evidence
DEFINITION
o What is Computer ?
o Refers to an electronic, magnetic, optical, electrochemical, or
other data processing or communications device, or grouping
of such devices, capable of performing logical, arithmetic,
routing, or storage functions and which includes any storage
facility or equipment or communications facility or equipment
directly related to or operating in conjunction with such
device. It covers any type of computer device including devices
with data processing capabilities like mobile phones, smart
phones, computer networks and other devices connected to the
internet. (R.A. 10175)

o Computer Data?
o Refers to any representation of facts, information, or concepts
in a form suitable for processing in a computer system
including a program suitable to cause a computer system to
perform a function and includes electronic documents and/or
electronic data messages whether stored in local computer
systems or online.
DEFINITION

o What is Digital Forensics?

o The scientific examination and analysis of data held on or
retrieved from computer storage media and its presentation in a
manner legally acceptable to a Court.

o What Constitutes Digital Evidence?

o Any information being subject to human intervention or not, that
can be extracted from a computer.
o Must be in human-readable format or capable of being interpreted
by a person with expertise in the subject.

o What is Electronic Document?

o Refers to information generated, sent, received or stored by
electronic, optical or similar means.
o The term "electronic document" may be used interchangeably with
"electronic data message”. (Rules on Electronic Evidence A.M. No. 01-7-01-SC)
DIGITAL FORENSICS EXAMPLES

o Recovering thousands of deleted emails and chat

messages
o Recovering evidence from formatted hard drive
o Performing computer related crime investigation
o Performing investigation after multiple users had
taken over the computer system
WHO USES DIGITAL FORENSICS ?

o Prosecutors
o Rely on evidence obtained from a computer to
prosecute suspects and use as evidence.

o Civil Litigations
o Personal and business data discovered on a
computer can be used in fraud, divorce,
harassment, or discrimination cases.

o Insurance Companies
o Evidence discovered on computer can be used to
mollify costs (fraud, worker’s compensation, etc)
WHO USES DIGITAL FORENSICS ?

o Private Corporations
o Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and
theft cases.

o Law Enforcement Officers

o Rely on computer forensics to backup search
warrants and post-seizure handling.

o Individual/Private Citizens
o Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination from
employment.
 REASONS FOR EVIDENCE

o Law enforcement authorities collect evidence for

computer related crimes and traditional crimes such as:

o Fraud o Theft of or destruction of

o Possession of pornography intellectual property
o Hacking o Trafficking in Persons
o Virus/Trojan distribution o Illegal Drugs investigation
o Homicide investigations o Sexual harassment
o Access Device investigation o Software Piracy
o Forgery
WHY DIGITAL FORENSICS ?

Any person can gather information from a

computer
“ BUT “
The Forensic element means it has to be gathered
in a manner which makes it reliable to a Court
or other body and the information has to become

“ EVIDENCE ”
 MANY TYPE OF EVIDENTIAL DATA
Graphics Internet

Correspondence

Database & data files

web mail Communications

e-mail Home accounts etc.

Reports
Finance
Life Style ?
Diary Faxes
Address book
Organizer
BUT NO MATTER WHAT TYPE OF DATA, IT IS JUST….

1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
1010101110101010110101010101010101010
WHY CAN’T I JUST TURN IT ON ?

Windows XP alters over

1,000 files on start up !!!
TYPE OF COMPUTER DATA

o Volatile Data

o This data is temporarily stored in the Memory (RAM) of

the Computer system.
o This data will be deleted once power is removed from
the computer.
TYPE OF COMPUTER DATA

o Non-Volatile Data

o This data is stored in a non-volatile storage media

(hard disk drive, USB flash drive, optical storage
media) and it will remain saved regardless if the power
of the computer is On or Off.
ORDER OF VOLATILITY

 Collect the data that is most susceptible to change (volatile)

first

 If the computer is off, no volatile data exists

Less Volatile More Volatile

WHERE THE FILES LOCATED ?

The nature of data storage on computer system

often allows recovery of data from:

23
WHERE THE FILES LOCATED ?

The nature of data storage on computer system

often allows recovery of data from:

24
WHERE THE FILES LOCATED ?

The nature of data storage on computer system

often allows recovery of data from:
WHERE THE FILES LOCATED ?

The nature of data storage on computer system

often allows recovery of data from:
 FILE SLACK

Hard Disk split into

hhjj#bnbnmb Clusters in this example each one
nnncsan is 8K in size
nnnn,nm

l
e
U LETTER.DOC
LETTER.DOC t
N then deleted
5K t 5K U it becomes
S
e
r
E ?ETTER.DOC
.
D BUT...
d Data Remains there
o until overwritten
c 3K
 FILE SLACK

klkkkk
bhh Remains of File can be viewed.
bjhjkjhk

Invoice.doc 3K

INVOICE.DOC 5K
3K
S 2K remains of
l letter.doc
a
c
k 3K
 A BEST PRACTICES GUIDE

Not Law but…..

Non Compliance
Will often make
evidence
inadmissible

http://www.7safe.com/electronic_evidence/A
CPO_guidelines_computer_evidence.pdf
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 1 The Primary Rule…..

o No action taken by the law enforcement agencies

or their agents should change the data held on a
computer or other media which may subsequently
be relied upon in Court.
o Where possible computer data must be ‘imaged’
and that version be examined.
WHAT IS A FORENSIC IMAGE?

o A forensic image refers to verifiable

and unaltered complete copy of the
contents of original storage device.

o Creating a forensic image ensures:

o The integrity of the evidence

o No unintentional changes or
damage to the original data
WHY OBTAIN A FORENSIC IMAGE?

o Provides access to additional (non volatile) data:

o Log files
o Temporary files
o Compromised applications
o Page and swap files
o Information in registry
o Defeats log-on request and passwords

o Distribute to Forensic Specialists

ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 2

o In exceptional circumstances it may be

necessary to access the original data held on a
target computer.

o However it is imperative that the person doing

so is competent and can account for their
actions.
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 3

o An audit trail or other record of all processes applied to

digital evidence should be created and preserved. An
independent third party should be able to examine these
processes and achieve the same result.
DIGITAL FORENSIC REPORT AND WORKING NOTES

Digital Evidence Examination Report

Working Notes
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 4

o The person in charge of the case has overall responsibility

for ensuring that a computer has been correctly examined
in accordance with the law and these principles.
 STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Digital Forensics involves the following:

o Identification,
o Acquisition/Imaging,
o Analysis,
o Reporting, and
o Court Presentation
 STEPS OF COMPUTER FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Identification
o This step involves identifying what type of storage
media and what data or information could be
recovered relative to the investigation or case.
STEPS OF DIGITAL FORENSICS

o Identification
o This step involves identifying what type of storage
media and what data or information could be
recovered relative to the investigation or case.
 STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Acquisition/ Imaging
o Physically or remotely obtaining possession of the
computer data from the original digital storage
media through digital forensic imaging process.

o Imaging is the second phase and requires

forensically-sound procedures and validated tools.

o This should be processed by trained technicians

using validated hardware and software tools.
STEPS OF DIGITAL FORENSICS

o Hardware-Base Imaging Tools:

o Write blocker (physical bridge)

o Stand-alone imaging device

(multifunction tool with dedicated
forensic capabilities)

Protecting data integrity

is the top priority!
STEPS OF DIGITAL FORENSICS

o Software-Base Imaging Tools:

o Write-blocker: Specialized application

o Forensic Imager: Multi-function tools

that assist with hard drive preparation
and duplication, forensic imaging, and
verification
 STEPS OF DIGITAL FORENSICS

HARD DISK DRIVE

750 Gb

Sector[A] Sector[X]

Sector[0]

C:\ E:\
Sector[Z]

Sector[B] Sector[Y]

Partition Boundary
STEPS OF DIGITAL FORENSICS

PHYSICAL VERSUS LOGICAL

Sector[0]  Sector [Z] Sector[A]  Sector [B]

Physical image: A forensic Logical image: A forensic copy

copy of every addressable of every addressable sector
sector from source media between two partition
boundaries
STEPS OF DIGITAL FORENSICS

VERIFICATION OF FORENSIC IMAGE

o A Hash:

o Is a mathematical algorithm
o Produces a unique digital fingerprint
o Verifies that binary content of an acquired forensic
image is exactly the same as the source media

MD5 = ABC123 MD5 = ABC123

STEPS OF DIGITAL FORENSICS

PREPARATION OF DESTINATION STORAGE MEDIA

o Verify size requirements of original evidence

o Select storage media that meets or exceeds capacity
of source
o Sterilize destination media through wiping process
o Format storage media

Hard Drive Interfaces

46
 STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Analysis
o Evaluating the information or data recovered from the
storage media evidence to determine if and how it
could be used against the suspect.
STEPS OF DIGITAL FORENSICS
 STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Reporting
o Once the analysis is complete, a report is
generated. This report may be a written report,
oral testimony, or some combination of the two.
STEPS OF DIGITAL FORENSICS
STEPS OF DIGITAL FORENSICS
STEPS OF DIGITAL FORENSICS
 STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

o Court Presentation
o This step involves the presentation of evidence
discovered, in a manner which is understood by
lawyers, non technically staff/management, and
suitable as evidence as determined by the rules on
electronic evidence or any related law.
STEPS OF DIGITAL FORENSICS

Acquisition/ Court
Identification Analysis Reporting
Imaging Presentation

MD5 = ABC123 MD5 = ABC123

EVIDENCE PROCESSING GUIDELINES

o Recommended 16 steps in processing computer

base evidence:
o Step 1: Shut down the computer
o Considerations must be given to volatile information
o Prevents remote access to machine and destruction of
evidence (manual or anti-forensic software)

o Step 2: Document the Hardware Configuration of The

System
o Note everything about the computer configuration
prior to re-locating
COMPUTER BASE EVIDENCE PROCESSING
GUIDELINES

o Step 3: Transport the Computer System to A Secure

Location
o Do not leave the computer unattended unless it is locked in
a secure location

o Step 4: Make Bit Stream Backups of Hard Disks and any

Storage Media.

o Step 5: Mathematically Authenticate Data on All

Storage Devices
o Must be able to prove that you did not alter any of the
evidence after the computer came into your possession

o Step 6: Document the System Date and Time

o Step 7: Make a List of Key Search Words
o Step 8: Evaluate the Windows Swap File
EVIDENCE PROCESSING GUIDELINES

o Step 9: Evaluate File Slack

o File slack is a data storage area of which most computer users are
unaware; a source of significant information.

o Step 10: Evaluate Unallocated Space (Erased Files)

o Step 11: Search Files, File Slack and Unallocated Space for Key
Words
o Step 12: Document File Names, Dates and Times
o Step 13: Identify File, Program and Storage Anomalies
o Step 14: Evaluate Program Functionality
o Step 15: Document Your Findings
o Step 16: Retain Copies of Software Used
DIGITAL FORENSICS HARDWARE AND
SOFTWARE
DIGITAL FORENSICS APPLICATION

o EnCase v.6 and v.7 (Guidance Software Inc)

o Forensic Tool Kit (FTK) v.3 and v.4 ( Access Data)

ENCASE V.7
FORENSIC TOOL KIT (FTK) V.4
DIGITAL FORENSIC HARDWARE

o Tableau Write Blocking Devices and Forensic Computer

Forensic Tower.
CELLULAR PHONE AND MOBILE DEVICES FORENSIC TOOLS

o CelleBrite UFED

o MicroSystemation ( XRY/XACT)
COMMON EVIDENCE RECOVERED
COMMON EVIDENCE RECOVERED
DOCUMENTS (CONTRACTS, IDS, ETC)
DOCUMENTS (CONTRACTS, IDS, ETC)
DOCUMENTS (CONTRACTS, IDS, ETC)
PICTURES AND VIDEOS
WEB-MAIL CACHE
INSTANT MESSAGING CHAT CONVERSATION
INSTANT MESSAGING CHAT CONVERSATION
TEMPORARY INTERNET FILES
QUESTIONS

?
END

Thank you
and
Good day …
ISSUES AND CHALLENGES
o 1. Equipment and Training of Personnel.
o 2. Rapid evolution of Computer Technology.
o 3. Update of Forensic Hardware and Software and CPE of
Forensic Examiners
o 4. Limited number of Trained Digital Forensic Examiners
o 5. Limited number of field Police Officers who were trained in
seizure of digital evidence.
o 6. Only few Prosecutors and Judges who are inclined in Digital
Forensic.
o 7. Storage Media Encryption Technology
o 8. The 30 days extension period for Digital Forensic Examination
base on R.A 10175, SEC. 15
o 9. SEC. 18. Exclusionary Rule. — Any evidence procured without a
valid warrant or beyond the authority of the same shall be
inadmissible for any proceeding before any court or tribunal.
o a. (How about electronic evidence recovered through warrantless arrest
like entrapment operation)
o b. Evidence recovered from the Crime Scene such as Cellular Phone and
other form of portable storage media (SD, Micro SD)