UNIT-III: DIGITAL INVESTIGATION

Digital evidence and computer crime are closely related topics within the field of digital forensics and
cybersecurity. Digital evidence refers to any information or data that is stored or transmitted
electronically and can be used as evidence in criminal investigations or legal proceedings. Computer
crime, on the other hand, refers to criminal activities that involve the use of computers and digital
technology.

1. Digital Evidence:
-Types of Digital Evidence: Digital evidence can take various forms, including emails, text messages,
documents, images, videos, log files, metadata, and more. It can be stored on computers, mobile
devices, servers, cloud storage, or transmitted over networks.

Importance: Digital evidence is crucial in modern criminal investigations and legal cases. It can help
establish facts, prove or disprove alibis, identify suspects, and provide a timeline of events.

Collection and Preservation: Proper collection and preservation of digital evidence are essential to
maintain its integrity. Specialized techniques and tools are used to create forensic images of digital
devices to ensure the evidence remains unaltered.

2. Computer Crime:
- Types of Computer Crimes: Computer crimes encompass a wide range of illegal activities, including:

- Hacking: Unauthorized access to computer systems or networks.

- Malware: Creating, distributing, or using malicious software to compromise systems or steal data.

- Identity Theft: Stealing personal information for fraudulent purposes.

- Cyberbullying and Online Harassment: Using digital platforms to harass or harm individuals.

- Online Fraud: Engaging in fraudulent activities on the internet, such as phishing and online scams.

- Intellectual Property Theft: Unauthorized copying or distribution of copyrighted material.

- Motivations: Computer criminals may be motivated by financial gain, political ideologies, revenge,
curiosity, or simply the thrill of hacking.

3. Digital Forensics:
- Definition: Digital forensics is the process of collecting, analyzing, and preserving digital evidence in
a way that ensures its admissibility in court.

- Role: Digital forensic experts play a critical role in criminal investigations by retrieving and analyzing
digital evidence to support law enforcement agencies and legal proceedings.
 - Challenges: Digital forensics faces challenges such as encryption, data hiding techniques, and
rapidly evolving technology that can make evidence collection and analysis more difficult.

4. Legal Aspects:
- Admissibility: Digital evidence must meet certain legal standards to be admissible in court, including
authenticity, relevance, and reliability.

- Chain of Custody: Maintaining a clear chain of custody is essential to demonstrate that evidence
has not been tampered with during the investigation process.

- Privacy Concerns: Balancing the need for digital evidence with individuals' privacy rights is an
ongoing legal and ethical challenge.

History and Terminology of Computer Crime Investigation

The history of computer crime investigation and the associated terminology have evolved over time as
technology and cyber threats have advanced. Here's an overview of the history and some key
terminology:

Early History (Pre-1980s):

In the early days of computing, computer crimes were relatively rare and often involved insider threats,
such as employees or students tampering with computer systems. Terminology was limited, and
computer crime investigation was not a formalized field.

1980s: Rise of Hacking:

The 1980s saw the rise of hacking as individuals began exploring vulnerabilities in computer systems.

Terminology such as "hacker" and "cracker" emerged. "Hacker" originally referred to those who
explored and tinkered with computer systems for intellectual curiosity, while "cracker" referred to
those with malicious intent. Prominent cases like the "414s" and the "1983 Chicago Tylenol Murders"
(where computer records were used to trace the source of poisoned Tylenol bottles) brought attention
to the need for computer crime investigation.

1990s: Proliferation of Cybercrime:

The 1990s saw a proliferation of cybercrime as the internet became more accessible. Terminology
evolved to include terms like "cybercrime," "cybercriminal," and "cybersecurity." Prominent cases
included the Morris Worm (1988), which led to the Computer Fraud and Abuse Act (CFAA), a significant
piece of legislation in the United States.

2000s: Cyberattacks and Cyberterrorism:

The 2000s witnessed an increase in cyberattacks and cyberterrorism. Terminology expanded to include
terms like "botnets," "phishing," "ransomware," and "hacktivism." High-profile cases included the
"Code Red" and "Nimda" worms, as well as the September 11 attacks, which raised concerns about
cybersecurity and national security.
2010s and Beyond: Advanced Threats:

The 2010s brought more advanced cyber threats, including state-sponsored cyberattacks and data
breaches. Terminology continued to evolve, with terms like "Advanced Persistent Threats (APTs),"
"zero-day vulnerabilities," and "machine learning in cybersecurity" becoming common. High-profile
cases included the Stuxnet worm, the Target data breach, and numerous nation-state-sponsored
hacking incidents.

DIGITAL EVIDENCE
Process involved in Digital Evidence Collection:

The main processes involved in digital evidence collection are given below:

Data collection: In this process data is identified and collected for investigation.

Examination: In the second step the collected data is examined carefully.

Analysis: In this process, different tools and techniques are used and the collected evidence is analyzed
to reach some conclusion.

Reporting: In this final step all the documentation, reports are compiled so that they can be submitted
in court.

The investigator must pick the suitable tools to use during the analysis. Investigators can encounter
several problems while investigating the case such as files may have been deleted from the computer,
they could be damaged or may even be encrypted, So the investigator should be familiar with a variety
of tools, methods, and also the software to prevent the data from damaging during the data recovery
process.

There are two types of data, that can be collected in a computer forensics investigation:

Persistent data: It is the data that is stored on a non-volatile memory type storage device such as a
local hard drive, external storage devices like SSDs, HDDs, pen drives, CDs, etc. the data on these
devices is preserved even when the computer is turned off.

Volatile data: It is the data that is stored on a volatile memory type storage such as memory, registers,
cache, RAM, or it exists in transit, that will be lost once the computer is turned off or it loses power.
Since volatile data is evanescent, it is crucial that an investigator knows how to reliably capture it.

Types of Digital Evidence:

Documents: Digital documents, including emails, text messages, spreadsheets, and word processing
files, are commonly used as evidence.

Multimedia: Images, videos, audio recordings, and animations can provide visual or auditory evidence.

Metadata: Information about digital files, such as creation dates, authorship, and edit history, can be
important for establishing the authenticity and origin of evidence.

Databases: Digital databases can contain records related to financial transactions, customer
information, or other critical data.

Social Media: Posts, comments, and messages from social media platforms can be used to establish
timelines, character, or intent.

Digital Devices: Computers, smartphones, tablets, and other digital devices can be seized and
examined for evidence related to a case.

Challenges Faced During Digital Evidence Collection:

• Evidence should be handled with utmost care as data is stored in electronic media and it can
get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.

Recovering information from devices as the digital shreds of evidence in the investigation are becoming
the fundamental ground for law enforcement and courts all around the world. The methods used to
extract information and shreds of evidence should be robust to ensure that all the related information
and data are recovered and is reliable. The methods must also be legally defensible to ensure that
original pieces of evidence and data have not been altered in any way and that no data was deleted or
added from the original evidence.

Digital Evidence in the Courtroom

Digital evidence plays a critical role in modern courtrooms, as it can provide crucial information in
various types of legal cases, including criminal, civil, and administrative proceedings. Here are some
key aspects of digital evidence in the courtroom:

Authentication:

Establishing the authenticity of digital evidence is crucial. It must be demonstrated that the evidence
has not been tampered with or altered. Hash values, digital signatures, and chain of custody records
are used to prove the integrity and authenticity of digital evidence.

Admissibility:

Digital evidence must meet certain legal criteria to be admissible in court. It must be relevant, material,
and not subject to privileges or exclusionary rules. The court must ensure that the evidence is reliable,
which often involves establishing the trustworthiness of the methods used to collect, store, and
analyze the evidence.

Expert Witnesses:
Digital forensics experts are often called upon to testify in court about the handling and analysis of
digital evidence. They provide explanations regarding the tools and techniques used to retrieve and
examine digital data and help interpret the findings for the court.

Challenges:

The fast-paced evolution of technology presents challenges for the handling of digital evidence. New
types of devices, software, and encryption methods can complicate investigations. Privacy concerns
and the protection of sensitive information are also important considerations when dealing with digital
evidence.

Presentation:

Digital evidence is typically presented in court using technology, such as projectors and computer
screens, to display documents, videos, or other digital materials to judges and juries. Presentation
software and tools may be used to highlight key points or details.

Jury Education:

Judges often need to provide instructions to the jury on how to consider digital evidence, especially if
it's complex or technical in nature. Clear explanations and expert testimony can help jurors understand
the significance of digital evidence in the case.

Legal Framework:

Laws and regulations governing the use of digital evidence can vary by jurisdiction. Courts must apply
the relevant legal framework when admitting and evaluating digital evidence.

INVESTIGATION RECONSTURCTION
"Investigative reconstruction" is not a standard term or concept in the field of investigations or
forensics. However, it seems to refer to a process where investigators or forensic experts reconstruct
events or scenarios to gather information, evidence, or insights related to a specific incident. This can
be applied in various contexts, such as criminal investigations, accident investigations, or historical
reconstructions.

Here are a few examples of how investigative reconstruction might be used:

1. **Crime Scene Reconstruction: ** In criminal investigations, investigators may use investigative

reconstruction techniques to piece together the sequence of events leading up to and following a
crime. This can involve recreating the scene, analyzing physical evidence, and interviewing witnesses
to construct a detailed timeline of what happened.

2. **Accident Reconstruction: ** In cases of traffic accidents or industrial accidents, experts may

perform accident reconstruction to determine the causes and contributing factors. This often involves
analyzing skid marks, vehicle damage, and other physical evidence to recreate the circumstances
leading to the accident.

3. **Historical Reconstructions: ** Historians and archaeologists may use investigative reconstruction

to understand past events or civilizations. This can involve recreating ancient structures or reenacting
historical battles to gain insights into how people lived or how certain events unfolded.

4. **Digital Forensics Reconstruction: ** In the realm of digital forensics, experts may engage in
investigative reconstruction to recover and reconstruct digital data from compromised or damaged
devices. This can help uncover cybercrimes or security breaches.
The goal of investigative reconstruction is to piece together the available evidence and information to
form a coherent and accurate understanding of the events or circumstances in question. It often
requires a multidisciplinary approach, involving experts from various fields such as forensic science,
engineering, archaeology, or digital forensics, depending on the nature of the investigation. The
process may involve the use of technology, simulations, and data analysis to aid in the reconstruction
efforts.

Investigative reconstruction is a complex and multidisciplinary process that involves recreating events
or scenarios to gather information and evidence related to a specific incident. The steps in investigative
reconstruction can vary depending on the nature of the investigation (e.g., crime scene reconstruction,
accident reconstruction, historical reconstruction). Here is a general outline of the steps typically
involved:

1. Initial Assessment and Planning: Define the scope and objectives of the reconstruction.
Assemble a team of experts with relevant knowledge and skills. Identify available resources
and tools.
2. Data Collection: Gather all available information, evidence, and documents related to the
incident. This may include photographs, videos, witness statements, physical evidence, and
historical records. Ensure the preservation and integrity of evidence.
3. Scene Documentation: If applicable, visit and document the scene of the incident. This may
involve taking measurements, creating sketches, and photographing or recording the area.
Note environmental conditions, lighting, weather, and other relevant factors.
4. Evidence Analysis: Examine physical evidence and data collected from the scene. This could
include analyzing forensic evidence, such as DNA, fingerprints, or ballistics, or digital evidence,
such as computer logs or surveillance footage. Evaluate the quality and relevance of each piece
of evidence.
5. Witness Interviews and Statements: Interview witnesses and individuals involved in the
incident to gather their accounts of what happened. Cross-reference witness statements with
physical evidence and other data.
6. Hypothesis Development: Develop one or more hypotheses about how the incident occurred
based on the available evidence and witness statements. Consider different scenarios and
possibilities.
7. Simulation and Reconstruction: Use appropriate tools and techniques to simulate and
reconstruct the incident. This may involve computer simulations, accident reconstruction
software, or physical reconstructions. Test and refine the hypotheses to see if they align with
the reconstructed scenarios.
8. Data Analysis: Analyze the results of the reconstruction and simulations to identify
inconsistencies or discrepancies. Adjust the reconstruction as needed to align with the
evidence and witness accounts.
9. Report Preparation: Document the entire reconstruction process, including the methods
used, data analyzed, simulations performed, and results obtained. Create a comprehensive
report that outlines the findings and conclusions.
10. Peer Review and Validation: Have the reconstruction and report reviewed by other experts or
peers in the field to ensure its accuracy and validity. Address any feedback or concerns raised
during the review process.
 11. Presentation and Testimony: If the investigation is part of legal proceedings, prepare to
present the findings and conclusions in court. Provide expert testimony based on the
reconstruction and report.
12. Continued Monitoring: In some cases, ongoing monitoring or further investigation may be
necessary as new evidence or information becomes available.

Investigative reconstruction is a meticulous and detail-oriented process that requires collaboration

among experts from various fields and the use of advanced technology and tools. The ultimate goal is
to provide a clear and accurate understanding of the incident in question, whether it's a crime,
accident, historical event, or another type of scenario.