
Q1:

Define digital evidence:


Digital evidence: a digital object that contains reliable information that supports or refutes a hypothesis, or information of probative value stored or transmitted in digital form. Digital evidence includes computer evidence, digital audio, digital video, cell phones, SMS data, digital fax machines, etc.

Describe the environments where cyber forensics examinations are carried out and the range of offences and issues examined.

The environments where cyber forensics examinations are carried out:

Public investigations: involve government agencies responsible for criminal investigations and prosecutions.

Private investigations: corporate and individual. Private organisations are not governed by criminal law. They usually involve litigation disputes. Private investigations seek evidence to support allegations of abuse of an organisation's assets. On occasions the information gleaned may be used for intelligence, review or disciplinary purposes.

The range of offences and issues examined.

1- Public investigations: These organisations work within the framework of criminal law. Public investigations seek evidence to support allegations of criminal activity. They are granted search and seizure powers under relevant criminal laws that enable them to locate and capture devices suspected of being used in crimes, or used to facilitate crimes.

2- Private investigations: Most cyber forensic investigations in the corporate sector involve misuse of computing assets, often referred to as employee violation of company rules. They usually centre on email and Internet misuse by employees and may also include:
- using company resources to produce a product for personal profit;
- excessive use of assets for personal use;
- posting malicious, threatening or disruptive emails;
- viewing, downloading and sending adult content, web-surfing, etc.

Q2:

Describe and discuss chain of custody of the evidence:


Definition: The term "chain of custody" refers to documentation that identifies all changes in the control, handling, possession, ownership, or custody of a piece of evidence. You need to be able to trace the route that evidence takes from the moment you collect it until the time it is presented in court or at a corporate briefing. This requires each case to be approached methodically. This allows the evidence to be evaluated fully and creates the chain of custody or chain of evidence: the route the evidence took from the time the investigator locates it to the time it is presented in court or other proceedings.

Explain why chain of custody of the evidence plays a critical part in cyber forensic investigations.

To ensure that the extracted evidence was:
- not contaminated;
- not altered during the process of its extraction;
- not altered between the time of its extraction and its presentation in proceedings.

When identifying and capturing digital evidence there are some common pitfalls:

It is easy for an over-zealous investigator to unintentionally alter evidence when attending the scene. For example, the last accessed date/time may be unintentionally deleted or overwritten.

How would you preserve the digital evidence you have identified at the suspect's home you investigated in Assignment 1, to the highest professional standards?

- Photograph the seized equipment (computer) and the computer's serial number.
- Lift fingerprints.
- Keep any sticky notes in a safe place.
- Collect the volatile data: record the system date and time; check for suspicious processes on the system and record them if they exist.
- Unplug the network cable; best practice is to connect it to an empty hub or switch to prevent log messages about a down link.
- Provide a timeline to record all the steps.
- Record network connection details.
- Create a forensic image of the computer with a write blocker.
- Keep the evidence in a safe location.
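As an added example (not part of the original answer sheet or of any named tool), a chain-of-custody record for the forensic image described in the preservation steps above: the image is hashed at acquisition and re-hashed at every hand-over, so any alteration between seizure and court is detectable. The image bytes, item id and handler names are constructed for the example.

```python
"""Chain-of-custody log for a seized disk image (added example; the image
bytes and handler names are constructed sample data)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for a forensic image taken through a write blocker.
SAMPLE_IMAGE = b"\x00" * 4096 + b"NTFS    " + b"\xAA" * 512


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; this digest is what every later handler verifies against."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Every change of possession is appended; nothing is ever edited in place."""

    def __init__(self, item_id: str, description: str, image: bytes, collector: str):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(image)
        self.entries = []
        self._record(collector, "acquired", self.acquisition_hash)

    def _record(self, handler: str, action: str, digest: str, note: str = "") -> None:
        self.entries.append({
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": digest,
            "note": note,
        })

    def transfer(self, from_handler: str, to_handler: str, image: bytes) -> bool:
        """Re-hash at every hand-over. A mismatch means the evidence was altered
        somewhere between acquisition and now, and the chain is broken."""
        digest = sha256_hex(image)
        intact = digest == self.acquisition_hash
        self._record(to_handler, "received from " + from_handler, digest,
                     "" if intact else "HASH MISMATCH: evidence altered")
        return intact

    def to_json(self) -> str:
        """Serialise the record in the form it would be filed with the exhibit."""
        return json.dumps({"item": self.item_id, "description": self.description,
                           "acquisition_sha256": self.acquisition_hash,
                           "chain": self.entries}, indent=2)
```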

Q3

Describe and explain live analysis and dead analysis of digital evidence. Discuss advantages and disadvantages of using each process to acquire AND preserve digital evidence located in your suspect's home.

Live analysis:

A live analysis is where the suspect operating system is still running and is being used to copy data.

Advantages:

The goal of any live analysis is to extract and preserve the volatile data on a system while it is running, preserving the state of the system to the best extent possible.

Some disk editing programs such as Norton Diskedit are able to capture the entire contents of RAM. Another consideration is disk encryption software: if a live analysis is available, it may yield information that allows potential access to the encryption key/password.

Disadvantages:

With a live analysis there is a distinct risk of obtaining false and incomplete evidence because of software that may be untrustworthy and may hide or falsify data. Also, an attacker may have modified the operating system.

Dead analysis:

Dead analysis requires termination of all processes by turning the system off. Dead acquisition analysis is undertaken by running trusted applications in a trusted operating environment to find evidence. Following that, duplicate copies of data may be made. Write blockers may be used to prevent evidence from being overwritten.

Advantages:

Avoids any modification that could occur during live acquisition, i.e. an attacker may have modified the operating system or other software to provide false data during the acquisition. Write blockers may be used to prevent evidence from being overwritten. Least chance of modifying data on disk.

Disadvantages:

Although there is less chance of modifying data on disk, live data is lost forever. Much data may be lost when this occurs, for example data that was stored on the clipboard, or malware that only exists in memory.

In many cases it may not be desirable or necessary to shut a system down as the first step. Volatile data may need to be collected before a suspect system is shut down, because when the system is shut down the volatile data is lost forever.

Q4: Define the terms inculpatory evidence AND exculpatory evidence as they relate to cyber forensic investigations.

- Inculpatory evidence: a legal term used to describe evidence that shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.
- Exculpatory evidence: evidence favourable to the defendant in a criminal trial, which clears the accused of guilt.

The objectives, importance and benefits of developing alternative hypotheses when reconstructing a cyber crime.

Alternative hypotheses help the investigator to see whether the investigation is heading in the right direction. The suspect may have been framed by someone, or the investigator may be on the wrong track. Having an alternative hypothesis will therefore clear all doubts, and may also reveal new suspects.

Provide examples of exculpatory evidence you found in the investigation you undertook of the crime scenes in completion of Assignment 1.

- The cyber forensic investigation was poorly conducted.
- A Trojan was planted.
- The OS differs from the OS at seizure.
- Pictures were edited using photo editing tools.
- Remote control software was installed on the suspect's PC.
- GPS files were modified.

Q5:

Define the term, validation of digital evidence.


Validation is the confirmation by examination and the provision of objective evidence that a tool, technique or procedure functions correctly and as intended. During the validation stage the evidence is tested to determine its validity, namely whether the assertion drawn from the digital evidence can be verified.

Validation of digital evidence: relevance and importance in cyber forensics.


When presenting a legal case based on what appears to be convincing digital evidence, the case can collapse if the defence can show that the security integrity of the network is defective and demonstrates contamination or alteration of the digital evidence it is supposed to protect. Therefore, if the validity of the evidence can be established, its weight in legal argument is enhanced. Otherwise, if its validity is uncertain or invalidated, the weight of the evidence is diminished or negated.

Describe the processes you used to validate evidence metadata in the crime scene you examined in Assignment 1.

By using ProDiscover software, which provides metadata information such as the creation, modification and accessed dates of a file.
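As an added example (not from the original answer sheet and not ProDiscover's own code), one way to validate the creation, modification and accessed dates a metadata viewer reports: each file's timestamps are checked against the seizure time, so that anything touched after seizure (the last-accessed pitfall noted under Q2) or carrying a modified date earlier than its created date is flagged for corroboration rather than relied on. The seizure time, file paths and timestamps are constructed for the example.

```python
"""Validate file metadata against the seizure timeline (added example; the
seizure time and the file records below are constructed sample data)."""
from datetime import datetime, timezone

# Time the equipment was seized and imaged (constructed for the example).
SEIZURE_UTC = datetime(2024, 3, 12, 14, 30, tzinfo=timezone.utc)


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC, the form a metadata viewer exports."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records in the shape a metadata viewer lists them.
SAMPLE_FILES = [
    {"path": r"C:\Users\x\Pictures\img01.jpg", "created": ts("2024-01-05T09:12:00"),
     "modified": ts("2024-01-05T09:12:00"), "accessed": ts("2024-03-01T18:00:00")},
    {"path": r"C:\Users\x\Documents\notes.txt", "created": ts("2024-02-10T11:00:00"),
     "modified": ts("2024-02-10T11:00:00"), "accessed": ts("2024-03-13T08:05:00")},
    {"path": r"C:\Users\x\Downloads\map.gpx", "created": ts("2024-02-20T10:00:00"),
     "modified": ts("2023-12-01T07:00:00"), "accessed": ts("2024-02-20T10:00:00")},
]


def validate_metadata(record: dict, seizure: datetime = SEIZURE_UTC) -> list:
    """Return the findings for one file; an empty list means its timestamps are
    consistent with the seizure timeline."""
    findings = []
    # Any timestamp later than seizure means the file was touched after the
    # equipment left the suspect's control, e.g. a last-accessed date overwritten
    # by an examiner browsing the live disk: post-seizure contamination.
    for field in ("created", "modified", "accessed"):
        if record[field] > seizure:
            findings.append(f"{field} time is after seizure: post-seizure contamination")
    # Modified earlier than created is normal for a file copied from elsewhere,
    # but is also what an edited timestamp looks like, so the date must be
    # corroborated (file-system journal, logs, application records) before use.
    if record["modified"] < record["created"]:
        findings.append("modified before created: copied file or altered timestamp, corroborate")
    return findings


def validate_all(records: list, seizure: datetime = SEIZURE_UTC) -> dict:
    """Map each file path to its list of findings."""
    return {r["path"]: validate_metadata(r, seizure) for r in records}
```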
