Mumbai | Pune | Hyderabad | New Delhi | Chennai | Bengaluru
DIGITAL FORENSIC
A practitioner's perspective
Forensic Accounting Conference, ICAI Bangalore Branch, Feb 2016
© 2015 SKP Business Consulting LLP. All rights reserved.
WE AND THE DIGITAL WORLD
DATA DEVICES & TYPES
Digital Devices: Devices that we use on a daily basis
Digital Applications: Applications/software we use on a daily basis
Actions/Activities: We assist in collating necessary evidence for litigation
Digital Devices
Popular Types
1. Laptop / Desktop
2. Hard-disk
3. Pen drive
4. Printer
5. Projector
6. Mobile
Where do we use them?
Digital devices are used by businesses, professionals and individuals spread over various fields.
In homes, offices, schools and even train stations or airports, digital devices are being used for education, entertainment or just for sharing of information.
Digital Applications
Popular Types
1. ERP
2. Mobile App
3. Web Browsers
4. Social Media
5. Skype / Chatting
6. E-mail
How do we use them?
Applications are developed to make human life simpler.
Distance and effort are reduced, so work which would have taken days is completed in mere hours.
Actions/Activities
Popular Types
1. Update
2. Converse
3. Account checking
4. News
5. Browsing
6. Banking
Why do we use them?
Information that surrounds us needs to be constantly monitored for either updating, modification or simple knowledge purposes.
Creating, deleting, updating, modifying or formatting are some purposes for which applications are used.
WHAT DATA IS STORED?
- Web Browsers
- E-Mails
- Image Editors
- Message Logs
- Event Logs
- Transaction Logs
Stores raw data
Stores application
Stores logs of use of application/data
- Created
- Modified
- Deleted
HOW DATA IS STORED?
A. Track
B. Geometrical sector
C. Track sector
D. Cluster
Source: https://en.wikipedia.org/wiki/Disk_sector
Updates happen based on FAT 32
The data is stored in sectors
DIGITAL FORENSIC EVIDENCES
Start
Reports and documents
Applications installed, e.g. software used to wipe information
Emails
Internet activity
Chat log
Media info (photo, scanned doc, video etc.)
Usage of USB
WiFi usage
Specific folders
Secured information
Draft agreements
Deleted information
Personal identity info
Network information
Downloaded content
Hard disk / OS information
Access logs / Windows event logs
DIGITAL FORENSIC EVIDENCES
Internet history/ activities
Key chat exchanges
Mails/files downloaded to mobile
Search history/ flagged places
Files uploaded/ downloaded from storage sites
Contact list and frequently contacted indications
Social media cache memory
Call and text history
EVIDENCE COLLECTION GUIDELINE
Determine the necessary equipment to take to the scene.
Review the legal authority to collect the evidence, ensuring any restrictions are noted.
Individuals who may have relevant information should be identified and interviewed.
When evidence cannot be removed, it should be copied or imaged on-site.
Consult with the investigator.
Source: SWGDE guideline
EVIDENCE HANDLING GUIDELINE
Document the condition of
Photograph and/or make a sketch of the computer connections and surrounding area.
Document the external component connections.
Determine if the computer is in stand-by mode and follow procedures as if it was powered on.
Source: SWGDE guideline
EVIDENCE EXAMINATION GUIDELINE
Review documentation
Examination of the media should be completed
Review the legal authority
Examination on the original evidence media should be avoided if possible
Appropriate controls and standards should be used
Evidence
Source: SWGDE guideline
APPROACH FOR EVIDENCE EXAMINATION
Evidence Principles
Evidence is available
Evidence is extractible
Evidence is admissible

Understanding the subject
• Contextual knowledge about the subject and the environment
• Understanding the folder structure/email pattern and a broader understanding of the use of the digital device

Preliminary Profiling
• Broad nature, response time, approach towards communication
• Understanding the extent of private conversations and the nature of the information shared in private communications

Pattern/Exception Analysis
• Inconsistent nature of communication received with reference to role, ‘Bcc’ communication, information shared with private email addresses, unusual pattern of conversations with external domains

Key Word Searches
• Evaluate the number of search hits and the nature of outcomes in those search hits for preliminary key words
• Use GREP, whole word, case sensitive and Boolean searches as required

Revisit Profiling & Analysis
• Revisit the procedures based on the outcomes after the keyword searches
• Consolidate timeline and red flags together
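
The pattern/exception and keyword-search steps above, sketched as an added example that is not part of the original slides. The mailbox records, domains, addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample mailbox extract; domains and addresses are illustrative.
CORPORATE_DOMAIN = "example-corp.test"
PRIVATE_DOMAINS = {"gmail.com", "yahoo.com"}
EMAILS = [
    {"date": "2016-01-04 09:12", "to": ["sales@supplier.test"], "bcc": [],
     "body": "Please find the revised Quote attached."},
    {"date": "2016-01-05 22:47", "to": ["buyer.personal@gmail.com"], "bcc": [],
     "body": "Sending the draft agreement to my personal id."},
    {"date": "2016-01-06 10:03", "to": ["cfo@example-corp.test"],
     "bcc": ["sales@supplier.test"],
     "body": "Commission of 2% as discussed, keep it off the books."},
    {"date": "2016-01-07 11:30", "to": ["team@example-corp.test"], "bcc": [],
     "body": "Commissioning schedule for the new plant."},
]

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def exception_flags(mail):
    """Pattern/exception analysis: Bcc use, private addresses, external domains."""
    recipients = mail["to"] + mail["bcc"]
    flags = ["bcc"] if mail["bcc"] else []
    if any(domain(a) in PRIVATE_DOMAINS for a in recipients):
        flags.append("private-address")
    if any(domain(a) not in PRIVATE_DOMAINS | {CORPORATE_DOMAIN} for a in recipients):
        flags.append("external-domain")
    return flags

def keyword_hit(body, all_of=(), any_of=(), whole_word=True, case_sensitive=False):
    """Boolean search: every all_of term AND at least one any_of term (if given)."""
    def found(term):
        pattern = re.escape(term)
        if whole_word:
            pattern = r"\b" + pattern + r"\b"
        return re.search(pattern, body, 0 if case_sensitive else re.IGNORECASE) is not None
    return (bool(all_of or any_of) and all(found(t) for t in all_of)
            and (not any_of or any(found(t) for t in any_of)))

def red_flag_timeline(emails, **query):
    """Consolidate exception flags and keyword hits into one dated timeline."""
    rows = []
    for mail in emails:
        flags = exception_flags(mail)
        if keyword_hit(mail["body"], **query):
            flags.append("keyword")
        if flags:
            rows.append((datetime.strptime(mail["date"], "%Y-%m-%d %H:%M"), flags))
    return sorted(rows)
```

Calling `red_flag_timeline(EMAILS, any_of=("commission", "agreement"))` leaves out the "Commissioning schedule" message; with `whole_word=False` it becomes a hit, which is the kind of search-hit noise the evaluation step is meant to catch.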
TOOLS IN DIGITAL FORENSIC
Imaging tool (write protector): Tableau
Imaging and processing tool: EnCase
Mobile forensic tool: Oxygen
Key word search tool: Intella, Nuix
Email review platform: Clearwell
PRACTICAL APPLICATIONS
Data theft
• System logs
• Access data
• LNK files

Procurement fraud
• Emails
• Excel workings

Senior management fraud/financial statement fraud
• Transactional data
• Communications
• Excel workings
CHALLENGES - IN DIGITAL FORENSIC
Evidence
Deletion/ formatting of data
Privacy and other issues
Encryption
Damaged hard disk
Overwriting of data
Inadmissible evidence
THE FUTURE
Emerging digital devices
And many more
Smart Watches
Drones
GPS coordinates
Emerging Digital Services
DISCLAIMER
The contents herein are solely meant for communicating information and not as professional advice. It may contain confidential or legally privileged information. The addressee is hereby notified that any disclosure, copy, or distribution of this material or the contents thereof may be unlawful and is strictly prohibited. Also the contents cannot be considered as any opinion/advice and should not be used as a basis for any decision. Before taking any decision/advice please consult a qualified professional adviser. While due care has been taken to ensure the accuracy of the information contained herein, no warranty, express or implied, is being made by us as regards the accuracy and adequacy of the information contained herein. SKP Business Consulting LLP shall not be responsible for any loss whatsoever sustained by any person who relies on this material.
Credits: Icon and Shape: www.flaticon.com, www.duarte.com