MadliKajuSlides

An Introduction to Digital Forensics
Madli Kaju, 104992IABM
MSc in Business Information Technology

Agenda
• Introduction
• Approach and process of Digital Forensics
• Digital Forensics tools
• State of play of Digital Forensics
• Conclusion

Digital Forensics is the process of analysing and evaluating digital data as evidence
• The science of locating, extracting and analysing different types of data from different devices, which specialists then interpret to serve as legal evidence (Marcella, Menendez 2008)
• The practice of scientifically derived and proven technical methods and tools toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of events as forensic evidence (Willassen, Mjolsnes 2005)

After 40 years of history, Digital Forensics is heading towards a crisis

Early years (1970s-1990s)
• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training

"Golden years" (1990s-2000s)
• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)

Era of crisis (2010s-...)
• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the "cloud" for remote processing and storage, splitting a single data structure into elements

Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 years", 2010

Digital Forensics consists of various steps and techniques
The process of digital forensics is typically as follows:
• Preservation of the state of the device
• Survey and analysis of the data for evidence
• Event reconstruction

Main techniques used are forensic duplication and live incident response
Forensic investigation:
• Forensic duplication
• Live incident response

Several commercial and open source tools for digital forensics are available

Commercial
• EnCase
• FTK
• Helix
• ...

Open source
• DFF
• LiveView
• The Sleuth Kit
• ...

Digital Forensics tools have not kept up with technology and cyber crime
Current digital forensics tools were designed
• to help examiners find specific evidence, not to assist in investigations
• for solving crimes committed against people where the evidence is located on a computer, not to assist in solving typical crimes committed with computers or against computers
Today's tools cannot deal with increasing complexity arising due to the cloud era

Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 years", 2010

Conclusion
Digital forensics is important for solving crimes
• with digital devices
• against digital devices
• against people where evidence may reside in a device
Several sound tools and techniques exist to search and analyse digital data
Regardless of existing tools, the evolving digital age and the development of technology require heavier research in digital forensics

Thank you for your attention!