L12. Digital Forensics BS.pptx
- 2. Page 1
Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
Today, computers are used the world over. The pervasiveness of computers
has led to an ever-increasing number of computer-related court cases,
such as electronic commerce disputes and cybercrimes. In the process of
judging or handling disputes and criminal cases, a new form of litigation
evidence has emerged, namely, digital evidence. The characteristics that
distinguish digital evidence and digital forensics from traditional physical
evidence and forensic methods pose new research topics in the field of law
and computer science.
This document describes the digital forensic process.
- 3. Page 2
Contents
1. Overview
Cybercrime
Overview of Digital Forensics
2. Digital Forensic Process
- 4. Page 3
Cybercrime
Definition:
In violation of legal regulations, a bad actor deliberately:
• Invades a computer information system or compromises the functionality of the system and its related data and applications
• Produces or disseminates computer viruses
• Affects the normal operation of a system or causes detrimental effects
Cybercrimes usually take two forms:
• Use of computers to store information related to criminal activities
• Direct use of computers as a crime tool to launch criminal activities
- 5. Page 4
Characteristics of Cybercrimes
Over the past decade or so, the number of cybercrimes has risen year on year. Cybercrimes generally have the following characteristics:
• Professional means
• Complex and diverse motives
• Covert forms
• Transnational
• Huge potential damage
• Many members and lowering ages
- 6. Page 5
Cybercrime Motives
The motives of cybercrime are complicated and diverse:
• Trick: idle and bored people with some skills who want to access any website that interests them
• Prestige: people who want to prove their competence and win respect and recognition from their peers
• Revenge: people who have been suspended, dismissed, demoted, or unjustly treated and take revenge to cause maximum impact
• Ignorance: people who are learning about computers and networks and perform misoperations or accidentally discover a vulnerability that may affect data
• Profit: people who are employed to intrude into a target system to steal or tamper with information for huge financial gains
• Political action: destruction, theft of intelligence, and information warfare
- 7. Page 6
Forms of Cybercrime
Cybercrimes take various forms. Common forms are listed as follows:
• Trojan horse
• Hacker
• Backdoor
• DDoS
• Virus
• Worm
• Internal and external information leakage
- 8. Page 7
Contents
1. Overview
Cybercrime
Overview of Digital Forensics
2. Digital Forensic Process
- 9. Page 8
Overview of Digital Forensics
Digital evidence
Digital evidence is information stored or transmitted in binary form during the operation of a computer or computer system and is used in a court case.
Digital evidence is also known as electronic evidence and computer evidence.
Forms of digital evidence:
• Text
• Graphs
• Images
• Animations
• Audio
• Video
- 10. Page 9
Sources of Digital Evidence
Common digital evidence in judicial practices falls into three categories:
• Digital evidence related to modern communications technologies
• Digital evidence related to other modern information technologies, such as broadcasting, television, and film
• Digital evidence related to computer technologies or network technologies
Examples by category:
Communications
• Mobile phone audio records
• Chat history
• Digital data
• Fax data
Broadcasting, television, and film
• TV series
• Video
• Movie
Computer and network
• Database operation records
• Browser cache
• Network monitoring traffic
• Operating system logs
- 11. Page 10
Characteristics of Digital Evidence
• Digital evidence depends heavily on computer and storage technologies. Without high-tech equipment, digital evidence cannot be saved or transmitted.
• Digital evidence is not a single piece of data, images, or sound, but a combination of data, images, sounds, graphs, animations, and text.
• Vulnerable and fragile: digital evidence may be easily compromised during generation and transmission due to its dependence on electronic digital devices such as computers. This may damage or even prevent the use of the digital evidence.
• Fabricated: attackers use hacker methods to invade computer systems and steal passwords in order to arbitrarily tamper with electronic data, making it difficult to validate evidence.
• Unlike traditional evidence, which can be directly seen, heard, or touched, digital evidence is stored in optical, electronic, or magnetic form on various types of electronic devices.
• Digital evidence can reflect a dynamic and continuous process that vividly reproduces the scene.
- 12. Page 11
Concept of Computer Forensics
Computer forensics is also known as digital forensics or electronic forensics.
Definition:
Computer forensics refers to the process of confirming, protecting, extracting, archiving, and presenting in court digital evidence that exists in computers and related peripherals. This evidence must be reliable, persuasive, and acceptable to the court.
- 13. Page 12
Regulations and Standards for Digital Forensics
US
Since the release of the Federal Rules of Evidence in 1976, a number of laws have emerged in the US to address the problems brought by digital evidence:
• Economic Espionage Act of 1976: deals with business secret thefts.
• Electronic Communications Privacy Act of 1986: deals with the eavesdropping of electronic communications.
• Computer Security Act of 1987 (Public Law 100-235): deals with security problems in government computer systems.
IETF
Early in February 2002, the IETF released RFC 3227, Guidelines for Evidence Collection and Archiving. The ITU released the draft Digital Evidence Act and Understanding Cybercrime: A Guide for Developing Countries in April 2009, and Understanding Cybercrime: Phenomena, Challenges and Legal Response in September 2012.
International Organization for Standardization (ISO)
The Information Security Technical Committee of the International Organization for Standardization (ISO) released the Guidelines for identification, collection, acquisition and preservation of digital evidence in October 2012 (ISO/IEC 27037:2012).
China
• The Electronic Data Identification Rules for Public Security Authorities issued in 2005 explicitly require that the electronic data appraisers of the public security organs fulfill and comply with the industry standards and obligations stipulated in inspection and appraisal procedures.
• The Measures on Registration and Administration of Public Security Agency Authentication Institutes (Order No. 83 of the Ministry of Public Security) issued in 2006 explicitly incorporate the technical standards compliance of authentication institutes into the annual appraisal of public security registration and administration departments.
• The General Rules on the Procedures for Judicial Authentication (Order No. 107 of the Ministry of Justice) issued in 2007 pose detailed requirements on the adoption of technical standards by appraisers.
- 14. Page 13
Status and Trend of Digital Forensics
Status
1. China/Pakistan was a late adopter of computers and therefore relevant laws and regulations are insufficient.
2. Academic research on cybercrimes mainly focuses on their characteristics, preventive measures, and impact on people. Forensics technologies are no longer sufficient to combat cybercrimes or to protect network and information security.
3. China/Pakistan must independently develop computer forensic tools and software that can meet its specific requirements and comprehensively check computers and network systems.
Trend
1. Integration of other theories and technologies (such as AI, machine learning, neural networks, data mining, and information security technologies) into forensic technologies
2. Specialization and automation of forensic tools
3. Sufficient information reserved during network protocol design for potential forensic activities
- 15. Page 14
Contents
1. Overview of Digital Forensics
2. Digital Forensic Process
- 16. Page 15
Principles of Digital Forensics
• Collect evidence as soon as possible and ensure it is not damaged.
• Explain changes in evidence from when it is initially collected to when it is officially presented.
• The entire examination and forensic process must be supervised.
• Search all files in the target system, comprehensively analyze them, and provide necessary expert testimony.
• Integrity: during forensic examination, protect target computer systems to avoid any change, data damage, or virus infection.
- 17. Page 16
Digital Forensic Process
According to the characteristics of digital evidence, it is essential to collect evidence as soon as possible during digital forensics to ensure that it has not been damaged. Digital forensics usually involves the following steps:
1. Protect the scene
2. Obtain evidence
3. Preserve evidence
4. Verify evidence
5. Analyze evidence
6. Trace
7. Present evidence
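The "Obtain", "Preserve" and "Verify" steps above, together with the principle of explaining every change in evidence between collection and presentation, are usually implemented as an acquisition hash plus a chain-of-custody log. The following is an added example (not code from the original slides or from Huawei): it records a SHA-256 baseline at acquisition, re-hashes the copy at every handoff, and flags any handoff whose copy no longer matches. The case identifier, examiner names and the evidence bytes are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: stands in for a small acquired disk image.
EVIDENCE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def acquisition_hash(data: bytes) -> str:
    """Hash taken at the moment of acquisition (the 'Obtain' step)."""
    return hashlib.sha256(data).hexdigest()


def new_custody_log(case_id: str, collector: str, data: bytes) -> list:
    """Start a chain-of-custody log; the first entry is the baseline hash."""
    return [{"case": case_id, "event": "acquired", "by": collector,
             "time": datetime.now(timezone.utc).isoformat(),
             "sha256": acquisition_hash(data), "verified": True}]


def record_handoff(log: list, who: str, data: bytes) -> bool:
    """Re-hash the copy received at a handoff and compare with the baseline
    (the 'Verify' step). Returns True if the copy is still intact."""
    baseline = log[0]["sha256"]
    current = hashlib.sha256(data).hexdigest()
    ok = current == baseline
    log.append({"case": log[0]["case"], "event": "handoff", "by": who,
                "time": datetime.now(timezone.utc).isoformat(),
                "sha256": current, "verified": ok})
    return ok


def unverified_events(log: list) -> list:
    """Handoffs at which the evidence no longer matched the baseline.
    Each of these must be explained before the evidence is presented."""
    return [e for e in log if not e["verified"]]


if __name__ == "__main__":
    log = new_custody_log("CASE-0001", "examiner A", EVIDENCE_IMAGE)
    record_handoff(log, "examiner B", EVIDENCE_IMAGE)        # intact copy
    tampered = EVIDENCE_IMAGE[:-1] + b"\x01"                 # one byte changed
    record_handoff(log, "examiner C", tampered)              # mismatch is logged
    for entry in log:
        print(entry["event"], entry["by"], "verified" if entry["verified"] else "MISMATCH")
```

A single changed byte in the copy held by the third examiner produces a different digest, so the log shows exactly at which handoff the evidence stopped matching what was acquired.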
- 18. Page 17
Summary
Overview of Digital Forensics
Cybercrime
Overview of Digital Forensics
Digital Forensic Process
- 19. Page 18
Thank You
www.huawei.com