Create your own awesome maps

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account?
Log In

Digital Forensics by Mind Map: Digital Forensics
0.0 stars - 0 reviews range from 0 to 5

Digital Forensics

This is just a demo map that you can delete right away, if you feel like it...

The Alpha 5 principles are: Assessment of the suspect area/workplace to have preliminary walkthrough and to crystalize the scope of examination. Acquisition of applicable evidences in a non-intrusive way to prevent tampering Authenticate the acquired evidences through Hash or digital sign or any other crypto checksum to verify the data integrity. Analysis of evidential data to connect them in a logical and intelligible manner in order to arrive at conclusion. Archiving of all evidential data and reports to ensure high and secure availability

the 4 guiding principles of any examination are: Safe handling of evidences to ensure they are intact. The originating evidence/suspect should not be tampered or worked upon. The suspect host OS should not be trusted, as it may have rootkits, malicious software installed likeanti-forensic. All the audit trails of examination should be retained and recorded in substantiating documents

Digital Incident Response - Deepak

Initial Assesment -Parties Involved, Location & Available resources

Type Of Incident

Parties Involved

Equipment Location

Available Response resources

Securing Digital Evidence

Chain of Custody

Potential Digital Evidence

Computer Forensic Incidents - Afzal

What is computer forensic- Gathering of digital evidence in a manner which should be untainted, authentic and can be admissible in the court of law

What is the legal system. Different laws and criminal cases in the digital forensics as case study and different section and act for the same., Criminal incidents like Identity Theft, online auction, Child pornography, Network Intrusions etc., Computer Frauds. Frauds can be Internal and External. Internal frauds can be done in a company by the internal users by using company resources.External frauds are done by outsiders mostly by hackers for financial gains.For eg;Denial of service, Intrusions etc., Investigating challenges are like growing hard disk space and more GBs mean for overall acquisition and analysis time

OS / Disk Storage Concepts - Hari

CHS Cylinders, Heads and Sectors; LBA-Logical Block addressing. A cluster is a minimum unit the OS uses to store info. (4096 byte cluster for only 1 byte).

Master Boot Record - initial disk sector consists of 1. Master bootstrap loader code (466 bytes); next 4 partition records and the hexadecimal signature 55AA completes a valid MBR; The FAT / MFT are Master File Indexes storing info about disk's directory stru and what clusters are used.

When a file is deleted, the OS rewrites the info in the file index about the file's clusters freed. Data remains on the disk till rewritten. Slack space is where many deleted files may reside and be recovered as evidence;

File Mgt Concept is important for forensic; 0s and 1s (1 is on and 0 is off); - basic unit of binary info is bit; basic unit of memory is byte; location of the byte is memory address

1 byte=8 bits; 1 KB= 1024 bytes; 1 MB=1000 KB; 1 MB=1000 KB; 1GB=1000 MB; 1 TB=1000 GB; 1 PB-Petabytes= 1000 TB; 1 Exabyte- EB=1000TB; 1 Zettabyte = 1000EBs

Format is set of rules referred by appln for saving; Quickviewplus, outside-in and ACDSee etc allow direct access to varios file formats

DOS was the first operating system used on early IBM PCs - use of disks is an inherent part; FILE ALLOCATION TABLE File system is used. Last standalone version is MS DOS 6.22; MS DOS 7.0 runs underneath the first windows 95 ver while 7.1 or later underlie windows vers from Windows 95 OEM Service Rel or later. MS DOS 7.1 supports VFAT and FAT32 New Tech File system was brought in to avoid crippling windows NT and is not based on FAT. NTFS shares stage with UNIX and LINUX .Files contain any info - Code or Data and Prog files.Directories are special kind of files that contain list of file names. and can be nested.

Each track is broken into smaller units called sectors; each sector holds 512 bytes of user data. A hard disk is made up of multiple platters; each platter uses 2 heads to record and read data - 1 for top and 1 for bottom (Instead of track no. referred as cylinder no.) Cylinder is the set of all tracks that all the heads are currently positioned.

New node

Digital Acquisition and analysis tools - Maddy

Goal - Protect & Preserve the evidence to ensure authenticity & integrity


Acquisition : Process of extracting digital evidence by following properly laid out procedures.

Copy : An exact replica of the digital evidence. Only the contents are replicated not the attributes.

Duplicate : An accurate digital reproduction of all the data in the electronic storage including the content and attributes, Document Everything, Take Macro photographs, Ensure the target media is sterile and atleast of the same size as the evidence media, Authenticate, In Lab, More Controlled, More Time, Using specialized hardware, Software based duplicators, FTK Imager, With Segmentation no Compression in Raw binary mode, DD, Command line utility, WinHex, No Segmentation & compression in raw binary mode, Encase, Supports segmentation & compression in raw binary mode, On Scene, Less Controlled, Less Time, Using Hand Held disc duplicator, Network Based Imaging using specialized software, Ensure the original evidence media is write blocked

Authentication Methods : Digital Fingerprints

Hashing : CRC32, SHA1, MD5, SHA2

RAVI- Forensic Examination Protocols>>>>>>>>>>>>>The protocol spells out necessary guidelines and methodolgies to ensure reliability, consistency, integrity/accuracy/precision of data in an investigation. This approach ascertains that evidential information acquired or analyzed as a course of examination are admissible in the court of law with reasonable assurance about its authenticity/origin.

Digital Evidence Protocol - Abhishek

Rules of Evidence

(1) Digital Information can be recovered including deleted files

(2) Expert must be allowed to retrieve the recoverable files

(3) Duplicate of digital evidence is admissible as long as someone knowledgeable can authenticate it

Different types of Data Files

(a) Active Data || Readily available eg word,spreadsheets, web pages

(b) Archival Data Files that have been sent for storage as that data is not used frequently

(c) Back Up Data||copied to safe area to ensure recovery in case of system failure

(d) Residual Data ||Not visible to end user but recoverable from digital media, (1) Free Space, (2) File Slack, (3) RAM Slack, (4) Swap Files, (5) Temp Files, (6) Unallocated Space

(e) MetaData||data points such as date, time, author and relevant details of document author

(f) Electronic Mail

(g) Background Data|| such as audit trails, system logs, ACL records

Digital Evidence Presentation - Ateet

Ways of presenting Digital evidence to Higher Authorites.

Always consult with corporate Attoreny like ravi

Gather as much evidence that can be admissible digital evidence.

Copy of evidence should be kept intact for proceeding with the investigation.

Gathering of information should be dealt with extra precaution and chain of custody be maintained as opponent can always challenge the authenticity of evidence submitted to court.