Modern Forensic Tools and Devices - E-Book

Description

MODERN FORENSIC TOOLS AND DEVICES The book offers a comprehensive overview of the latest technologies and techniques used in forensic investigations and highlights the potential impact of these advancements on the field. Technology has played a pivotal role in advancing forensic science over the years, particularly in modern-day criminal investigations. In recent years, significant advancements in forensic tools and devices have enabled investigators to gather and analyze evidence more efficiently than ever. Modern Forensic Tools and Devices: Trends in Criminal Investigation is a comprehensive guide to the latest technologies and techniques used in forensic science. This book covers a wide range of topics, from computer forensics and personal digital assistants to emerging analytical techniques for forensic samples. A section of the book provides detailed explanations of each technology and its applications in forensic investigations, along with case studies and real-life examples to illustrate their effectiveness. One critical aspect of this book is its focus on emerging trends in forensic science. The book covers new technologies such as cloud and social media forensics, vehicle forensics, facial recognition and reconstruction, automated fingerprint identification systems, and sensor-based devices for trace evidence, to name a few. Its thoroughly detailed chapters expound upon spectroscopic analytical techniques in forensic science, DNA sequencing, rapid DNA tests, bio-mimetic devices for evidence detection, forensic photography, scanners, microscopes, and recent advancements in forensic tools. The book also provides insights into forensic sampling and sample preparation techniques, which are crucial for ensuring the reliability of forensic evidence. Furthermore, the book explains the importance of proper sampling and the role it plays in the accuracy of forensic analysis. 
Audience: The book is an essential resource for forensic scientists, law enforcement officials, and anyone interested in the advancements in forensic science such as engineers, materials scientists, and device makers.


Number of pages: 687

Year of publication: 2023



Table of Contents

Cover

Series Page

Title Page

Copyright Page

Preface

1 Computer Forensics and Personal Digital Assistants

1.1 Introduction

1.2 Digital Forensics Classification

1.3 Digital Evidence

1.4 Information Used in Investigation to Find Digital Evidence

1.5 Short History of Digital/Computer Forensics

1.6 The World of Crimes

1.7 Computer Forensics Investigation Steps

1.8 Report Generation of Forensic Findings Through Software Tools

1.9 Importance of Forensics Report

1.10 Guidelines for Report Writing

1.11 Objectives of Computer Forensics

1.12 Challenges Faced by Computer Forensics

References

2 Network and Data Analysis Tools for Forensic Science

2.1 Introduction

2.2 Necessity for Data Analysis

2.3 Data Analysis Process

2.4 Network Security and Forensics

2.5 Digital Forensic Investigation Process

2.6 Tools for Network and Data Analysis

2.7 Evolution of Network Data Analysis Tools Over the Years

2.8 Conclusion

References

3 Cloud and Social Media Forensics

3.1 Introduction

3.2 Background Study

3.3 Technical Study

3.4 Methodology

3.5 Protection Against Leakage

3.6 Conclusion

3.7 Future Work

References

4 Vehicle Forensics

4.1 Introduction

4.2 Intervehicle Communication and Vehicle Internal Networks

4.3 Classification of Vehicular Forensics

4.4 Vehicle Identification Number

4.5 Serial Number Restoration

4.6 Conclusion

References

5 Facial Recognition and Reconstruction

5.1 Introduction

5.2 Facial Recognition

5.3 Facial Reconstruction

5.4 Techniques for Facial Recognition

5.5 Techniques for Facial Reconstruction

5.6 Challenges in Forensic Face Recognition

5.7 Soft Biometrics

5.8 Application Areas of Facial Recognition

5.9 Application of Facial Reconstruction

5.10 Conclusion

References

6 Automated Fingerprint Identification System

Abbreviations

6.1 Introduction

6.2 Ten-Digit Fingerprint Classification

6.3 Henry Faulds Classification System

6.4 Manual Method for the Identification of Latent Fingerprint

6.5 Need for Automation

6.6 Automated Fingerprint Identification System

6.7 History of Automatic Fingerprint Identification System

6.8 Automated Method of Analysis

6.9 Segmentation

6.10 Enhancement and Quality Assessment

6.11 Feature Extraction

6.12 Latent Fingerprint Matching

6.13 Latent Fingerprint Database

6.14 Conclusion

References

7 Forensic Sampling and Sample Preparation

7.1 Introduction

7.2 Advancement in Technologies Used in Forensic Science

7.3 Evidences

7.4 Collection of Evidences

7.5 Sample Preparation Techniques for Analytical Instruments

7.6 Conclusion

7.7 Future Perspective

References

8 Spectroscopic Analysis Techniques in Forensic Science

8.1 Introduction

8.2 Spectroscopy

8.3 Spectroscopy and Forensics

8.4 Spectroscopic Techniques and their Forensic Applications

8.5 Conclusion

References

9 Emerging Analytical Techniques in Forensic Samples

9.1 Introduction

9.2 Separation Techniques

9.3 Mass Spectrometry

9.4 Tandem Mass (MS/MS)

9.5 Inductively Coupled Plasma-Mass Spectrometry

9.6 Laser Ablation–Inductively Coupled Plasma-Mass Spectrometry

9.7 Conclusion

References

10 DNA Sequencing and Rapid DNA Tests

10.1 Introduction

10.2 DNA – The Hereditary Material

10.3 DNA Sequencing

10.4 Laboratory Processing and DNA Evidence Analysis

10.5 Rapid DNA Test

10.6 Conclusion and Future Aspects

References

11 Sensor-Based Devices for Trace Evidence

11.1 Introduction

11.2 Immunosensors in Forensic Science

11.3 Genosensors and Cell-Based Biosensors in Forensic Science

11.4 Aptasensors in Forensic Science

11.5 Enzymatic Biosensors in Forensic Science

11.6 Conclusion

References

12 Biomimetic Devices for Trace Evidence Detection

12.1 Introduction

12.2 Tools or Machines for Biomimetics

12.3 Methods of Biomimetics

12.4 Applications

12.5 Challenges for Biomimetics in Practice

12.6 Conclusion

References

13 Forensic Photography

13.1 Introduction

13.2 Forensic Photography and Its Purpose

13.3 Modern Principles of Forensic Photography

13.4 Fundamental Rules of Forensic Photography

13.5 Camera Setup and Apparatus for Forensic Photography

13.6 The Dynamics of a Digital Camera

13.7 Common Crime Scenarios and How They Must be Photographed

13.8 Conclusion

References

14 Scanners and Microscopes

14.1 Introduction

14.2 Scanners in Forensic Science

14.3 Microscopes in Forensic Science

14.4 Conclusion

References

15 Recent Advances in Forensic Tools

15.1 Introduction

15.2 Classification of Forensic Tools and Devices

15.3 Conclusion and Future Perspectives

References

16 Future Aspects of Modern Forensic Tools and Devices

16.1 Introduction

16.2 Forensic Tools

16.3 Forensic Devices

16.4 Conclusion

References

Index

End User License Agreement

List of Tables

Chapter 3

Table 3.1 Mobile phones and OS version.

Table 3.2 Applications used for analysis (with versions and device installed o...

Table 3.3 Activities performed on each application.

Table 3.4 Information obtained from the activity of forwarding the link.

Table 3.5 Information obtained from the activity of opening the forwarded link...

Chapter 4

Table 4.1 Various systems embedded in modern vehicles [2].

Chapter 5

Table 5.1 Application area of facial recognition.

Table 5.2 Application area of facial reconstruction.

Chapter 6

Table 6.1 Latent fingerprint databases.

Chapter 7

Table 7.1 Different sampling methods for different evidences [7, 9].

Table 7.2 Types of evidences and instrumental methods [8].

Table 7.3 Sample matrices and different extraction methods used.

Chapter 8

Table 8.1 Spectroscopic technique according to the spectral region.

Chapter 9

Table 9.1 Different types of detectors and detection limits [6].

Chapter 10

Table 10.1 The procedure required before DNA analysis in the ANDE instrument.

Chapter 11

Table 11.1 SPR-based immunosensor for forensic applications.

Table 11.2 Optical biosensors for detection of biological warfare agents (Repr...

Table 11.3 Applications of aptasensors in trace evidence analysis.

Chapter 13

Table 13.1 Road traffic accidents photography guidelines [9].

Chapter 15

Table 15.1 Sensors for illicit drugs.

Table 15.2 Different body fluids biosensors.

Table 15.3 Illustration of the various applications in forensic science of HPL...

Table 15.4 Showing where to retrieve information from a drone.

List of Illustrations

Chapter 1

Figure 1.1 Forensics investigation steps.

Chapter 2

Figure 2.1 Network security and forensics.

Figure 2.2 Computer and network data analysis process.

Figure 2.3 Digital forensic investigation process.

Chapter 3

Figure 3.1 Social networks vs. messaging apps. (Source: BI Intelligence).

Figure 3.2 Entry Recorded in iplogger for Android Phone (One plus 5) (Source: ...

Figure 3.3 Entry recorded in iplogger for iPhone (iPhone X) (Source: iplogger....

Figure 3.4 Percentage of private information leaked for activity of forwarding...

Figure 3.5 Percentage of private information leaked for activity of opening th...

Chapter 4

Figure 4.1 Digital evidences collected from vehicles.

Figure 4.2 Vehicle internal network [2].

Figure 4.3 Vehicle identification number [20].

Chapter 5

Figure 5.1 Steps for facial recognition.

Figure 5.2 Classification of techniques used in facial recognition.

Figure 5.3 Techniques used in facial reconstruction.

Figure 5.4 Challenges in forensic face recognition.

Chapter 6

Figure 6.1 Fingerprint classification.

Figure 6.2 Steps for automated method of analysis.

Chapter 7

Figure 7.1 Classification of evidences.

Figure 7.2 SPE cartridge [20].

Figure 7.3 Soxhlet apparatus [23].

Figure 7.4 SPME syringe [31].

Chapter 8

Figure 8.1 Analytical techniques used in forensics.

Figure 8.2 Electromagnetic spectrum.

Figure 8.3 Classification of spectroscopic techniques based on energy transfer...

Figure 8.4 Application of spectroscopy.

Figure 8.5 Instrumentation of x-ray absorption spectroscopy.

Figure 8.6 Application of x-ray absorption spectroscopy in forensics.

Figure 8.7 Instrumentation of UV/Vis spectroscopy.

Figure 8.8 Application of UV/Vis spectroscopy in forensics.

Figure 8.9 Instrumentation of atomic absorption spectroscopy.

Figure 8.10 Application of atomic absorption spectroscopy in forensics.

Figure 8.11 Instrumentation of infrared spectroscopy.

Figure 8.12 Instrumentation of Raman spectroscopy.

Figure 8.13 Application of Raman spectroscopy in forensics.

Figure 8.14 Instrumentation of electron spin resonance spectroscopy.

Figure 8.15 Application of electron spin resonance spectroscopy in forensics.

Figure 8.16 Instrumentation of nuclear magnetic resonance spectroscopy.

Figure 8.17 Application of nuclear magnetic resonance spectroscopy in forensic...

Figure 8.18 Instrumentation of atomic emission spectroscopy.

Figure 8.19 Application of atomic emission spectroscopy in forensics.

Figure 8.20 Instrumentation of x-ray fluorescence spectroscopy.

Figure 8.21 X-ray fluorescence spectroscopy application in forensics.

Figure 8.22 Fluorescence spectroscopy instrumentation.

Figure 8.23 Fluorescence spectroscopy application in forensics.

Figure 8.24 Instrumentation of phosphorescence spectroscopy.

Figure 8.25 Phosphorescence spectroscopy application in forensics.

Figure 8.26 Instrumentation of atomic fluorescence spectroscopy.

Figure 8.27 Atomic fluorescence spectroscopy application in forensics.

Figure 8.28 Instrumentation of chemiluminescence spectroscopy.

Chapter 9

Figure 9.1 Basic instrumentation of gas chromatography [6].

Figure 9.2 Design of split/splitless injection [8].

Figure 9.3 Packed column [10].

Figure 9.4 Flame ionization detector [12].

Figure 9.5 Electron capture detector [13].

Figure 9.6 Flow diagram of HPLC system [16].

Figure 9.7 Capillary electrophoresis [22].

Figure 9.8 Block diagram of mass spectrometer [25].

Figure 9.9 MALDI [29].

Figure 9.10 Quadrapole [30].

Figure 9.11 Faraday cup [31].

Figure 9.12 Block diagram of ICP-MS [34].

Figure 9.13 Flow diagram of laser ablation [36].

Chapter 10

Figure 10.1 The procedure involved throughout the criminal investigation.

Figure 10.2 The classification of DNA sequencing.

Figure 10.3 The process of Maxam and Gilbert approach.

Figure 10.4 Sanger’s or chain termination sequencing methodology.

Figure 10.5 Whole-genome sequencing process.

Figure 10.6 RFLP methodology.

Figure 10.7 Procedure of PCR.

Figure 10.8 Types of PCR.

Figure 10.9 The Rapid DNA test procedure.

Chapter 11

Figure 11.1 An account of different sensor-based devices for trace evidence an...

Figure 11.2 Direct immunosensors and their application in forensic science.

Figure 11.3 A pictorial representation of aptamer based biosensing platforms.

Chapter 12

Figure 12.1 Flow representation of canine sniffing using the nose of a dog.

Chapter 13

Figure 13.1 Different parts of a digital camera.

Chapter 14

Figure 14.1 Different types of scanners and their applications.

Figure 14.2 Microscopes in forensic science.

Figure 14.3 Ray diagram of a compound microscope.

Figure 14.4 Comparison microscope in analysis of forensic evidences.

Figure 14.5 Applications of AFM. Reproduced with permission from [37].

Chapter 15

Figure 15.1 Illustration showing the classification of forensic tools and devi...

Figure 15.2 Schematic illustration of different analytical tools used in exhib...

Figure 15.3 Application of drones in forensic science.

Figure 15.4 Utilization of UAV’s in forensic investigation

Chapter 16

Figure 16.1 Forensic tools and devices.


Scrivener Publishing, 100 Cummings Center, Suite 541J, Beverly, MA 01915-6106

Publishers at Scrivener: Martin Scrivener and Phillip Carmical

Modern Forensic Tools and Devices

Trends in Criminal Investigation

Edited by

Deepak Rawtani

School of Pharmacy, National Forensic Sciences University, Gandhinagar, India

and

Chaudhery Mustansar Hussain

Department of Chemistry and Environmental Science, New Jersey Institute of Technology, Newark, USA

This edition first published 2023 by John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA and Scrivener Publishing LLC, 100 Cummings Center, Suite 541J, Beverly, MA 01915, USA

© 2023 Scrivener Publishing LLC

For more information about Scrivener publications please visit www.scrivenerpublishing.com.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

Wiley Global Headquarters: 111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials, or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read.

Library of Congress Cataloging-in-Publication Data

ISBN 978-1-119-76041-2

Cover image: Pixabay.Com

Cover design by Russell Richardson

Preface

Technology has played a pivotal role in advancing forensic science over the years, particularly in modern-day criminal investigations. In recent years, significant advancements in forensic tools and devices have enabled investigators to gather and analyse evidence more efficiently than ever. Modern Forensic Tools and Devices: Emerging Trends in Criminal Investigations is a comprehensive guide to the latest technologies and techniques used in forensic science.

This book covers a wide range of topics, from computer forensics and personal digital assistants to emerging analytical techniques for forensic samples. A section of the book provides detailed explanations of each technology and its applications in forensic investigations, along with case studies and real-life examples to illustrate their effectiveness.

The book starts with an introduction to forensic science, providing an overview of its history, significance, and current state. It then delves into the aforementioned topics, exploring each in-depth, including the latest advancements, emerging trends, and future prospects. The editors have carefully researched each topic, combining the latest research and case studies from around the world to provide readers with a complete understanding of the subject matter.

One critical aspect of this book is its focus on emerging trends in forensic science. The book covers new technologies such as cloud and social media forensics, vehicle forensics, facial recognition and reconstruction, automated fingerprint identification systems, and sensor-based devices for trace evidence, to name a few. Its thoroughly detailed chapters expound upon spectroscopic analytical techniques in forensic science, DNA sequencing, rapid DNA tests, bio-mimetic devices for evidence detection, forensic photography, scanners, microscopes, and recent advancements in forensic tools.

The book also provides insights into forensic sampling and sample preparation techniques, which are crucial for ensuring the reliability of forensic evidence. Furthermore, the book explains the importance of proper sampling and the role it plays in the accuracy of forensic analysis.

In addition to discussing the latest technologies, the book also looks toward the future of forensic science. It provides an overview of the potential advancements in forensic tools and devices and the impact they could have on criminal investigations.

Overall, Modern Forensic Tools and Devices: Emerging Trends in Criminal Investigations is an essential resource for forensic scientists, law enforcement officials, and anyone interested in the advancements in forensic science. It offers a comprehensive overview of the latest technologies and techniques used in forensic investigations and highlights the potential impact of these advancements on the field.

The Editors

April 2023

1 Computer Forensics and Personal Digital Assistants

Muhammad Qadeer1, Chaudhery Ghazanfer Hussain1 and Chaudhery Mustansar Hussain2*

1Computer Science and Technology, Department of Education, Punjab, Pakistan

2Department of Chemistry and Environment Science, New Jersey Institute of Technology, Newark, NJ, USA

Abstract

Across the world, organizations and corporations are spending huge budgets on information security as security risks increase. The spreading use of computers and mobile devices such as PDAs and smartphones is generating business opportunities and creating many benefits for organizations. On the other hand, these devices pose new challenges for policing cybercrime. Digital forensics, a new science, has been introduced to handle cyber and digital crimes. It deals with digital crimes as well as crimes involving digital devices such as computers and PDAs. Most processes are being automated owing to the rapid development and advancement of digital computing and communication technologies. With the growth of information and internet technologies, confidential information is stored on computer-based systems, and the majority of people share their information on popular social media networks such as Twitter, Instagram, Facebook, LinkedIn, and YouTube. Crime has grown significantly worldwide with the progression of communication and information technology. Criminals commit offenses such as kidnapping, murder, extortion, drug dealing, gambling, robbery, sexual assault, cyber terrorism, weapon dealing, economic crimes, and criminal hacking (such as theft of computer files and Web defacement) through computers and mobile digital devices. These technologies therefore have to become an important part of the forensic sciences. Forensic science, or criminalistics, is the use of scientific knowledge and procedures to pursue, find, analyze, and preserve evidence of a crime so that it can be presented well in court. Matching DNA, comparing fingerprints, and examining bodies are ways of analyzing and recovering latent evidence in a crime, and these are major concerns of the forensic sciences. Computers and other digital devices such as personal digital assistants have an important position in forensics in supporting justice today. Digital evidence obtained through these devices to establish the truth has become a significant part of the legal process. The analysis of computer forensics and personal digital assistants is therefore of great importance, and its analytical study is a necessary part of this chapter.

Keywords: Cyber forensics, criminal investigations, digital evidences, child abusing, criminal behaviors, geographical boundaries, internet gambling, court of law, pro-active investigation, ICT – Information and Communication Technology

1.1 Introduction

Computer forensics, or cyber forensics, is the branch of digital forensic science that identifies and examines computerized storage media. Its goal is to examine digital media carefully in a forensically sound manner in order to detect, recover, identify, investigate, preserve, and present facts about the data related to an event or crime [1].

In court, computer forensic evidence is subject to the standard requirements for digital evidence: the data must be authentic, admissible, and reliably obtained. Different countries apply a variety of rules to the recovery of digital evidence. In the UK, for instance, examiners often follow the guidelines of the Association of Chief Police Officers, which help them ensure the integrity and credibility of evidence. These guidelines are widely accepted in British courts. Both central and state governments have made a great contribution to Information and Communication Technology (ICT) to improve their working.

1.1.1 Computer and Digital Forensics

Computer forensics is a part of digital forensics, which can be defined as:

“The process of identification, extraction, documentation, and preservation of digital evidence which may be used by the court of law is referred as digital forensics.”

It is a complete science of discovering evidence of crimes from all types of digital devices, such as computers, servers of different kinds, PDAs (personal digital assistants), mobile phones, and networks. It equips forensic teams with the latest digital tools and best techniques for solving complicated cases in today’s digital world, and it helps to identify, inspect, analyze, and preserve the evidence found on various electronic devices. Commercial organizations have been using computer or digital forensics in diverse types of cases, such as industrial espionage, intellectual property theft, fraud investigations, employment disputes, inappropriate internet and email use in the workplace, bankruptcy investigations, forgery-related matters, and regulatory compliance issues.

Although digital or computer forensics is a need of the time, it has both advantages and disadvantages. Among the advantages: it helps investigators or companies collect valuable information from computers and networks relevant to an event or case; it can ensure the integrity of the investigation system as well as of computer and network systems; it can produce evidence that can be presented in court and may lead to punishment of the culprit; it can efficiently track down cybercriminals anywhere in the world; it can help save the valuable time and money of institutions, organizations, and even states; and it permits investigators to accumulate, extract, process, and interpret factual digital evidence to prove criminal action in court.

The drawbacks are as follows: evidence found on digital devices is not accepted outright in court; it must be proved that no tampering of any kind has occurred; the production and storage of electronic records is extremely expensive; legal practitioners must have enough computer knowledge to understand and present digital evidence; authentic and convincing evidence always needs to be produced; if the tools used in digital forensics do not conform to the specified standards, the evidence may be disapproved or rejected by the court; and investigating officers who lack computer or technical knowledge may not deliver the desired results [2].

1.2 Digital Forensics Classification

i) Computer Forensics

Computer forensics is the scientific examination of computer systems to identify, analyze, present, preserve, and recover the facts related to an offense.

Computers store data mainly on different kinds of disks, such as hard disks, compact disks, and floppy disks (an old medium). Disk forensics is therefore given great focus and importance within computer forensics.

“Disk forensics is the extraction of the data from storage media by examining the active, deleted, or modified files.”

Another major part of a computer is memory, which stores data temporarily at different stages of processing. Memory forensics can therefore sometimes be a necessary part of an investigation.

A disk image is a bit-stream copy obtained by physical extraction. It plays an essential role in forensic investigation and may be extracted from computers and smart mobile devices. Disk images are now widely used by forensic investigators to preserve a record of activity and to maintain data integrity and the chain of custody while aiding access to potentially valuable data [3].

Disk images are essentially sector-by-sector copies of the data residing on a disk. They can be called “snapshots” and include allocated files, file names, file creation dates, and other metadata related to the disk volume. When an image is created, the data is stored as a single file or a set of files, depending on the application used. The simple action of turning on the device or booting the system can change data and possibly destroy some files. Such changes include modifications to metadata and to supplementary features of the original data objects, such as character encoding, byte order, file sizes, file system information, MAC (modified, accessed, created/changed) times, and permissions. For this reason, imaging programs use low-level input/output operations without the intervention of the host operating system. Free and commercial solutions such as FTK Imager and Macintosh Disk Utility are currently available for this purpose [4].
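As an added illustration (not code from the book), the sketch below shows sector-by-sector acquisition of an image together with the hash verification commonly used to demonstrate that an image is unchanged. SHA-256, the 512-byte sector size, the per-sector digests, and all function names are assumptions, and the "disk" is a constructed in-memory sample.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumed logical sector size of the source medium


def read_sectors(stream, sector_size=SECTOR_SIZE):
    """Yield the stream one sector at a time; the last one may be short."""
    stream.seek(0)
    while True:
        sector = stream.read(sector_size)
        if not sector:
            return
        yield sector


def acquire_image(source, image, sector_size=SECTOR_SIZE):
    """Copy source to image sector by sector and return an acquisition record.

    The record holds a SHA-256 over the whole bit stream plus one digest per
    sector, so a later mismatch can be narrowed down to sector numbers.
    """
    whole = hashlib.sha256()
    per_sector = []
    size = 0
    for sector in read_sectors(source, sector_size):
        image.write(sector)
        whole.update(sector)
        per_sector.append(hashlib.sha256(sector).hexdigest())
        size += len(sector)
    return {"size": size, "sector_size": sector_size,
            "sha256": whole.hexdigest(), "sector_sha256": per_sector}


def verify_image(image, record):
    """Return True only if the stream still matches the acquisition record."""
    whole = hashlib.sha256()
    size = 0
    for sector in read_sectors(image, record["sector_size"]):
        whole.update(sector)
        size += len(sector)
    return size == record["size"] and whole.hexdigest() == record["sha256"]


def changed_sectors(image, record):
    """List the sector numbers whose content differs from the record."""
    expected = record["sector_sha256"]
    changed = []
    count = 0
    for index, sector in enumerate(read_sectors(image, record["sector_size"])):
        count = index + 1
        digest = hashlib.sha256(sector).hexdigest()
        if index >= len(expected) or digest != expected[index]:
            changed.append(index)
    changed.extend(range(count, len(expected)))  # sectors missing from the stream
    return changed


def demo():
    # Constructed sample "disk": 8 full sectors plus a short trailing one.
    disk = bytearray()
    for n in range(8):
        disk += bytes([n]) * SECTOR_SIZE
    disk += b"tail"
    source = io.BytesIO(bytes(disk))
    image = io.BytesIO()
    record = acquire_image(source, image)
    intact = verify_image(image, record)

    # Simulate the source being booted after acquisition: four bytes of a
    # timestamp-like metadata field in sector 5 are rewritten.
    disk[5 * SECTOR_SIZE + 16: 5 * SECTOR_SIZE + 20] = b"\x65\x00\x00\x01"
    booted = io.BytesIO(bytes(disk))
    return {"record": record, "image_intact": intact,
            "booted_matches": verify_image(booted, record),
            "booted_changed": changed_sectors(booted, record)}


if __name__ == "__main__":
    result = demo()
    print(result["image_intact"], result["booted_matches"], result["booted_changed"])
```

The image made before the simulated boot still verifies against the record, while the booted source no longer does, and the per-sector digests point to the one sector that changed.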

“Memory Forensics deals with collecting and examining data from memories such as system cache, registers, RAM in the raw form then carving that data from raw dump.”

Analysis of volatile memory is considered a noteworthy part of a digital investigation because digital evidence is necessarily formed in memory such as RAM, cache, or registers: nothing can be written to any disk without passing through memory. Witty, SQL Slammer, and Code Red are common examples of worms whose presence is evident in RAM and not on disk. Data acquisition is the first step of incident handling carried out in the containment phase. A renowned incident handling guide highlights the importance of acquiring digital evidence in order of volatility and in a timely manner [5].

One approach has been implemented as an extension to the open source Volatility framework to detect the presence and characteristics of any hypervisor that uses Intel VT-x technology. It supports the analysis of nested virtualization and is able to infer the hierarchy of multiple hypervisors and virtual machines. Finally, a tool using these techniques can reconstruct the address space of a virtual machine so that any Volatility plugin can be run on it, which allows analysts to reuse their existing analysis code [6].

ii) Personal Digital Assistants and Mobile devices Forensics

The inspection and analysis of mobile devices such as PDAs, mobile phones, tablets, and laptops is also part of forensics. It helps in retrieving data from PDAs and phones, including SIM contacts, call logs, outgoing and incoming SMS/MMS, audio, video calls, and messages [7].

Mobile phone technology has been used in criminal activity since its invention. In crimes such as terrorism it was used as an undetected communication tool from the beginning. Terrorists could prevent their communications from being traced simply by using snatched, stolen or prepaid mobile devices (phones or PDAs). The terrorists who bombed trains in Madrid in 2004 used this technique in organizing the attacks. Criminals organized their groups by using various prepaid mobile phones during their daily operations and discarded the phones after use. When mass retention of telecommunication data, including fixed telephone, mobile phone and electronic data communications, was debated in the European Parliament in 2005, its members passionately argued about measures that criminals could easily avoid [8]. Mobile devices such as personal digital assistants (PDAs), mobile phones, and laptops may provide valuable evidence that can support civil and criminal investigations. These devices can guide investigators and prosecutors. Additionally, they can be considered the same as or different from desktop or mini computers. We examine the techniques and processes for collecting and identifying evidence from these devices without tainting or altering it, and we analyze the tools and techniques used on them that can be part of computer forensics investigations.

PDAs and mobile phones have both been used in crimes for the last two or three decades, but currently most PDAs function as mobile phones too. Consequently, their use in unlawful activities has also been growing, so they can be a major part of digital investigations in several ways. They are also becoming targets of malicious software and hackers.

In 2004 Cabir, a well-known worm, hit mobile phone software. It repeatedly displayed a message on the phone screen and required the user to accept some offers or options in order to use the phone. The Skulls Trojan horse attacked the Symbian operating system and prevented mobile applications from running; it also replaced application icons with crossbones or a skull. The Duts virus hit the Windows CE operating system. It required a positive response from the user to a message displayed on screen; the affirmative response then allowed Duts to spread to files on mobile devices running Windows CE. Another virus, “Curse of Silence”, targeted mobile devices by sending a text message to unsuspecting users. After receiving the message, users became unable to receive Short Message Service (SMS) or Multimedia Messaging Service (MMS) messages [9]. Some mobile phone models worked properly again after a factory reset, but that depended on their operating system. Moreover, worms like “Duh” and “ikee” were used against expensive mobile phones such as iPhones. These worms seek to build a botnet and steal the user’s personal and secret data, such as passwords and banking information [10].

Criminals may clone cell phones onto different private networks and communicate through them, which puts the burden of proof on the victims. Cloning may occur when a device’s identity is copied to the suspect’s phone or device. To clone an existing device or mobile phone, two pieces of data are stolen for the suspect’s use: the electronic serial number (ESN) and the mobile identification number (MIN). In one case, operatives of a Colombian drug cartel cloned the phone number of the U.S. Drug Enforcement Agency (DEA) and made phone calls within Colombia. Authorities discovered this after finding an unusually large number of calls to Colombia while reviewing the phone bills.

The mobile phone has also become a tool for cyberbullying. When a student who does not like the victim passes the victim’s number to other bullies, bullying takes place in the school through phone calls or texts, and the victim is humiliated [11]. State-of-the-art SIM and mobile forensics tools for acquiring, examining and reporting data include Cell Seizure, MOBILedit! Forensic, GSM.XRY, TULP 2G, Forensic Card Reader, ForensicSIM, SIMCon, and SIMIS. One observation is that most of the information, such as SMS/EMS messages and the IMSI, could be retrieved by these tools [7].

iii) Network forensics

Network forensics is a sub-branch of contemporary digital forensics. It is concerned with monitoring and examining traffic on a computer network to gather information and develop legal evidence. It is a comparatively new discipline in forensic science, but its popularity is growing because internet use in offices and homes means that computing is now network-centric and data is available outside the disks. Network forensics handles dynamic and volatile information. It is a proactive investigation, because traffic on a network is transmitted and then lost in moments.

Generally, two types of network exist: wired and wireless. This division creates some forensic distinctions between the two. Wired network forensics deals with the tools and techniques needed to collect and analyze information from wired network traffic, while wireless forensics aims to provide the tools and techniques needed to collect and analyze data from traffic on wireless networks. Network forensics usually has two uses. The first relates to security: it involves monitoring a network for anomalous traffic and finding intrusions. An attacker may erase log files on a compromised host, in which case network-based evidence may be the only evidence available for investigation and forensic analysis. The second use relates to law enforcement. Here, analysis of the traffic captured from the network may include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as chat sessions or emails.

Two approaches are mostly used to collect data from a network: a brute-force “catch it as you can” method and a more intelligent “stop look listen” method. Netfox Detective is a novel open-source network forensics analysis tool [12].

iv) Email forensics

Email is one of the major tools of communication today, and it has held a top position since the invention of information and communication technologies. It is considered weak against the increasing number of cybercrimes. Forensics provides insight into e-mails, policies and the architecture of the email system through the investigation techniques used by forensic investigators. Many organizations implement certain standard e-mail policies, but this is not enough to prevent and handle digital crimes. There is a great need to monitor the email system to prevent and control digital crimes. Some prominent techniques and tools are available through which experts can collect and examine data about suspected email accounts for the purposes of investigation, and this data can be produced as evidence in a court of law [13].

Some of these software tools are Xtraxtor, OST Viewer, Advik Email Forensic, Systools MailPro and Advik MBOX. Xtraxtor is specifically developed to extract e-mail addresses, messages and contact numbers from multiple file formats. OST Viewer is another versatile utility that allows an OST file to be previewed and examined in one piece. With the OST Email Viewer software, investigators can easily view OST file data, including email messages, contact list, calendar etc., without installing any e-mail software such as Outlook. It lets the investigator view an OST file without any trouble even when the file is password protected, corrupt or encrypted [14].

1.3 Digital Evidence

“Data or information stored on digital storage devices of computer or mobile devices that is seized by law enforcement agency of a state as a part of criminal investigations is named as digital evidence.”

Digital evidence is usually associated with crimes conducted with the help of digital devices, such as credit card or money transfer fraud, child abuse or pornography. The evidence is stored in binary code and can be transferred from computer storage drives, smart phones or other electronic devices. It is presentable in a court of law by forensic responders. This evidence may include data files, images, audio or video on a suspect’s computers, mobile phones or emails, which can be critical for tracking the suspect’s location and criminal intent [15].

1.4 Information Used in Investigation to Find Digital Evidence

Mobile devices are regarded as smart devices because of their high processing speed and huge storage capacity, which allow them to store a bulk of valuable information as digital evidence for the investigation of crimes or incidents. The following types of information, among others, may be retrieved from mobile phones or PDAs during an investigation:

Personal notes, digital diary, memo pads.

List of events to attend, appointments, calendar marks, datebook and reminders.

Tasks to accomplish, normally called a “to-do list”.

The dialed numbers, the numbers from which calls were received, missed calls, and the dates and times of these calls.

Messages such as SMS, MMS (can include text and image, video, and/or sound), EMS (Enhanced multimedia messages).

Data that can be collected from the service provider.

Contacts list in the phone book, which usually contains names, phone numbers (home, work and/or mobile), home addresses and email addresses.

Email accounts, which contain data such as emails sent, received and drafted that are stored on the PDA or cell phone.

Voice mail account data of the user, which is also valuable.

Web browsing data accessed through the mobile phone or PDA. Photographs, images, sounds or audio files, audio recordings, and video clips can be stored in the device storage or on a memory card. Memory cards are additional storage media that allow the user to store data or files beyond the built-in storage capacity of the device and provide an avenue for sharing data between compatible devices.

Applications, for example programs used to view and create documents, spreadsheets, and presentations.

Subscriber identifiers which may be used for authentication of the user to verify the services secured to an account or a network.

The personal identification number (PIN) and financial information (e.g., debit and credit card numbers) in PDA or mobile phone.

Investigator may use the personal unlock key (PUK). The PUK is unique to each subscriber identity module (SIM) card. The SIM card stores information identifying the subscriber to a particular network.

The international mobile equipment identifier (IMEI) uniquely identifies mobile phones and matches them to subscribers. The IMEI number is requested when a service provider wants to determine whether a mobile phone has been stolen. IMEIs may be manipulated easily by users, and manufacturers may assign the same number more than once. Accordingly, accurate identification of mobile terminals and subscribers based on these numbers might be difficult.

Most service providers do not use IMEI numbers to identify mobile phone users; they use the international mobile subscriber identity (IMSI) number assigned by the provider and stored on the customer’s chip (SIM) card.
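The following is an added example, not taken from the book, of a check an examiner can run on IMEIs recovered from devices or provider records: the 15th digit of an IMEI is a Luhn check digit, and one IMEI appearing with several IMSIs deserves a closer look. The records, IMSI values and function names are constructed for illustration.

```python
from collections import defaultdict


def luhn_check_digit(payload):
    """Luhn check digit for a string of decimal digits (the first 14 of an IMEI)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one after it
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw):
    """Split an IMEI into TAC, serial number and check digit, and validate it."""
    digits = "".join(c for c in raw if c.isdigit())   # tolerate '-' and spaces
    if len(digits) != 15:
        return {"imei": digits, "valid": False,
                "reason": "expected 15 digits, got %d" % len(digits)}
    expected = luhn_check_digit(digits[:14])
    valid = expected == int(digits[14])
    return {
        "imei": digits,
        "tac": digits[:8],        # type allocation code (device model)
        "serial": digits[8:14],   # per-device serial number
        "valid": valid,
        "reason": "" if valid else "check digit mismatch (expected %d)" % expected,
    }


def review(records):
    """Return (imei, finding) pairs for a list of (imei, imsi) observations."""
    findings = []
    imsis_by_imei = defaultdict(set)
    for raw_imei, imsi in records:
        parsed = parse_imei(raw_imei)
        if not parsed["valid"]:
            findings.append((parsed["imei"], "invalid: " + parsed["reason"]))
            continue
        imsis_by_imei[parsed["imei"]].add(imsi)
    for imei, imsis in imsis_by_imei.items():
        if len(imsis) > 1:
            findings.append(
                (imei, "seen with %d IMSIs: %s" % (len(imsis), ", ".join(sorted(imsis)))))
    return findings


# Constructed sample observations (IMEI, IMSI); MCC 001 is a test network code.
SAMPLE_RECORDS = [
    ("490154203237518", "001010000000001"),
    ("49-015420-323751-8", "001010000000002"),   # same IMEI, different SIM
    ("490154203237517", "001010000000003"),      # last digit altered
    ("356938035643809", "001010000000004"),
]

if __name__ == "__main__":
    for imei, finding in review(SAMPLE_RECORDS):
        print(imei, "->", finding)
```

A passing check digit only rules out typing errors and crude edits; a reprogrammed or duplicated IMEI still validates, which is why the cross-check against IMSIs is included.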

Today, data on an individual’s location can be retrieved from mobile devices. Smart phones and PDAs pinpoint the user’s location to within a few feet because GPS (Global Positioning System) functionality is included in most of them. A GPS navigation system can record the user’s home address, work address, and other places to which he or she travels. Additionally, Google provides mapping capabilities that allow the mobile phone or PDA user to pinpoint the locations of his or her contacts.

Some popular phones, such as the Motorola Droid, have a feature that enables other users to find the exact locations of their Droid-using friends as long as the phones are turned on. This capability can prove enormously useful in cases of missing children: as long as the child’s phone remains on, law enforcement authorities can identify the child’s location. The feature can also be useful if a Motorola Droid phone has been stolen. The Droid tracking feature can also be used to track individuals.

Most PDAs and smart phones have digital image and video capabilities, and images or recordings of crime evidence, victims and accomplices may be stored on them. A well-known example of usage involved Robert P. Hanssen, an FBI agent who received a sentence of life in prison for selling secrets to Moscow and who “used his Palm-III (PDA) to keep track of his schedule to pass information to his Russian contacts” [16].

1.5 Short History of Digital/Computer Forensics

The target readers are computer forensic examiners, system administrators and managers, analysts, students, business professionals, law enforcement personnel, and anyone involved in computer security. Computer or digital crimes are understood as criminal acts in which computers or digital devices are the objects of the offence or the tools for its commission.

Computers first appeared in the 1940s, and rapid technological development was followed by various computer offences. In the mid-60s Donn B. Parker, an information security researcher and consultant, noticed that: “When people enter the computer centers they left their ethics at the door”. In 1966 the first criminally prosecuted case was recorded in Texas, USA, and resulted in a five-year sentence. However, a large number of offences remain unreported to this day, are never prosecuted and are consequently unknown to the public. The annual Computer Crime and Security Surveys conducted by the CSI/FBI show that between 1999 and 2006, 30% to 45% of respondents did not report computer intrusions for fear of negative publicity. In the era from 1970 to 1990 personal computers became relatively common and low-priced. Individuals, alongside businesses, began to use them in their daily routines; subsequently law enforcement agencies observed the arrival of a new class of crime: individual-level crimes related to computers. By the 1990s law enforcement agencies in technologically advanced countries had become aware of computer-related crimes and had developed systems to investigate and prosecute such activities. Numerous research centers and scientific groups were formed, and the software industry started to develop and offer various specialized tools to aid in the investigation of computer and digital crimes. For a clear understanding, computer-related crimes can be classified into three major classes: computer-centered crimes, computer-assisted crimes and incidental computer crimes.

The first class comprises activities that target computer systems, computer networks, storage media and other computer devices. These activities involve hacking passwords, damaging or changing data, disturbing the functions of devices, changing the contents of websites etc. The second class covers the use of computers as a tool to assist in criminal activities where the use of computers is not essential (e.g. child abuse and pornography). It can be seen as a new way of committing conventional crimes. The third class consists of criminal activities in which the use of computer systems is incidental, such as computerized accounting used to keep records of drug transfers. Here the computer replaces conventional tools, for example a paper bookkeeping ledger replaced by accounting software. On the other hand, various tests through computers were used by courts to determine the merits of the evidence presented [17]. Some important milestones in the history of digital forensics are:

Hans Gross (1847–1915) was the first to use scientific study to head criminal investigations.

In 1892 Juan Vucetich, an Argentine chief police officer, created the first method of recording the fingerprints of individuals on file.

Sir Francis Galton, a British anthropologist, initiated the observation of fingerprints as a means of identification in the 1880s.

The FBI set up a laboratory in 1932 to offer forensics services to all field agents and to other law authorities across the USA.

The first computer-based crime was acknowledged in 1978 in the Computer Crime Act of Florida.

The term computer forensics was first used in academic literature in 1992.

The International Organization on Computer Evidence (IOCE) was formed in 1995 as an institution for computer-based forensics and investigation.

The first FBI Regional Computer Forensic Laboratory was established in 2000.

In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about digital forensics, called “Best practices for Computer Forensics”.

Simson Garfinkel identified the issues facing digital investigations in 2010.

1.6 The World of Crimes

A crime is an offense that merits public condemnation and punishment, generally by way of a fine or detention. A criminal offense is generally prosecuted by the State, while it is typically up to an individual to take an action to court. An individual may begin criminal proceedings, but this is rare. Some matters (like assault) can be both civil and criminal wrongs at the same time: the police may prosecute, and the victim can take civil action to recover money or other compensation for any injury suffered. The expansion of computer, internet, and mobile technologies is spawning newer criminal behaviors and creating diversified environments in which criminals commit technology-based crimes, which are called cybercrimes.

“The criminal activities through computers, internet, mobile digital devices and other related technologies or use of these devices and technologies in committing of crimes are known as cybercrimes.”

Technology-specific crimes have taken up a huge space in the criminal world, and they are not possible without the use of digital devices such as computers, PDAs (mobile technologies) and internet technologies. Traditional crimes are also being committed with the assistance of these technologies. Digital and internet technologies have therefore widened the range of crimes [18].

1.6.1 Cybercrimes vs. Traditional Crimes

Cybercrimes differ from traditional crimes in several ways. The major difference is that traditional crimes are committed in a specific geographical location, whereas cybercrimes have no geographical boundaries, because the internet gives criminals access to individuals, institutions and businesses across the world. The other difference is the ease and speed with which crimes are committed. Computational and communication technologies have not only made criminal activities easier but have also increased the speed at which they are conducted. Before the era of these technologies, someone who wanted to rob a bank had to do so during routine operation or working hours, and someone who wanted to steal money from a financial institution had to wait for closing hours. In both activities physical involvement was necessary. Now, because of online activity, physical restrictions no longer apply, and billions of dollars can be robbed or stolen remotely from banks, companies or other financial institutions within minutes through the hacking of online accounts or related activities. Correspondence among individuals has increased exponentially because of these faster technologies. This has also increased fake and fraudulent communication among people, such as fake e-mails, messages, advertisements, videos and audio, which are also criminal activities and can be part or the whole of a cybercrime [19].

In the past, theft of information was difficult because the information was kept on paper, and stealing papers was a physical act that involved risks. These days, by hacking computers, PDAs or e-mail accounts through some keywords, any type of information can be stolen without any hard physical participation. Social media such as Instagram, Facebook, Twitter and MySpace have made this type of access easier. Social networking was safe and secure in its early days, but it has now become a risky affair.

The National Academy of Science quoted:

“The modern thief can steal more with computer than a gun. Tomorrow’s terrorist may be able to damage more with keyboard than with a bomb.”

Computer, mobile, and internet technologies help in the commission of crimes and also provide information about crimes. Through these technologies, different sources of evidence about certain crimes, such as child pornography and drug dealing, are also available across the globe. Drug dealers may use encrypted e-mail messages to deal in prohibited and illegal substances. They arrange meetings to distribute the substances and exchange recipes for making new drugs through restricted chat rooms. Dangerous criminals engaged in organized crime or terrorism may store information about their targets, and other evidence, so that they can access it when committing a crime. Criminals also upload and download information about their crimes, weapon construction, and techniques for committing crimes. Nowadays, cookbooks and handbooks that provide logistical information about all these activities are also available on the internet and are helpful in the major crimes being committed all over the world today. Logistical information about mechanical and chemical weapon construction, guidelines for making bombs and bullets, sniper training, and establishing bunkers, secret houses and training camps is drawn from or shared through the internet [20].

Terrorism

“Terrorism is an act of creating fear among common people by using of illegal means. It is done for threatening to humanity. It takes in person or group spreading violence, burglaries, riots, kidnappings, rapes, bombings, fighting, etc. It is an act of cowardice.”

Two types of terrorism are common in this era: political terrorism, which generates panic on an outsized scale, and criminal terrorism, which consists of kidnapping, rapes, bombings, fighting etc. Both types involve the use of technology. Political terrorism is more critical than criminal terrorism because it is carried out by well-trained individuals, and it becomes challenging for law enforcement agencies to control it and arrest the people involved in time. However, the information technology experts in these agencies are playing a vital role in controlling this type of terrorism. Criminal terrorism is the form that law enforcement agencies focus more on controlling, because it results in the physical killing and harming of people and the loss of national assets. Because terrorists of all types now use technologies such as computers, mobiles, and digital and communication technologies, agencies are also updating their technological skills, upgrading their crime-countering systems and trying to make the globe safe.

Organized Crimes

“The criminal activities performed and controlled by powerful people on a large scale through a planned way are organized crimes.”

Organized crimes are a form of corruption that is committed and maintained by political leaders through public officials. The use of intimidation, force, or threats to protect their operations is very common. Different organized criminal groups use computer and internet technologies to communicate with each other and conduct their illegal business activity. This business activity can create an ephemeral form of organization in which the Internet is used to link up reprobates to commit an offline crime, after which they dissipate to form new alliances. All such processes are performed through technology. On the other side, law enforcement agencies and judicial systems are also using computers and other digital technologies to control and counter these types of crime and corruption.

Internet Gambling

Internet gambling or online gambling is a kind of gambling conducted on the internet. Real-money online gambling through different sites has grown across the globe. The first gambling web site was launched in the mid-1990s, and online gambling rose in popularity, mainly in the United States.

Numerous websites on the internet provide services for handling money illegally, such as gambling on different events, political activities and sports. A huge number of websites provide such services for payment. They provide users with paid accounts (user ID and password) for betting on events [21].

1.7 Computer Forensics Investigation Steps

Four different procedural steps are involved in a computer-related forensic investigation: acquisition, identification, evaluation and presentation. Figure 1.1 gives a simple, stepwise view of these forensic steps.

Acquisition

This step involves the retrieval, collection, and documentation of evidence, which sets the direction for what investigators do in the investigation process. Forensic specialists prepare comprehensive documentation that covers all aspects of the investigation, answering questions such as who found the evidence, where the evidence was collected from, and when it was collected. Computer forensic experts may collect evidence in different ways, such as:

Figure 1.1 Forensics investigation steps.

Searching the computers or digital devices onsite.

Capturing storage devices and examining them in detail onsite or offsite.

Seizing computers and other digital and storage devices so that their content can be retrieved and reviewed offsite for evidence collection.

An onsite search is direct: investigators approach the digital devices themselves to obtain evidence. An offsite search, on the other hand, refers to actions taken elsewhere or later on in the investigation. An offsite investigation may involve more ambiguities than an onsite one, for reasons such as mismatch, failure, or negligence of investigators. If the search can easily be done onsite, there is no justification for seizing computers or other digital devices for an offsite search. But in special cases involving large storage, complex software applications or hardware factors, an offsite search is inevitable [22].

Identification

In this step, investigators identify the origin of the evidence and the significance of that origin. They explain the different aspects, point out the facts in each aspect and document them in a manner that helps to establish what actually happened. Evidence is interpreted from different perspectives and contexts and elaborated to make it easier to understand. It is viewed in both the logical context and the physical environment of the evidence location. If evidence data resides on digital storage media such as hard disk drives or flash drives, it is extracted through keyword searches or file carving methods. File carving is the method of searching for files on the basis of different identifiers such as headers, footers and footnotes. Sometimes cybercriminals delete data that could later become evidence, damage media or corrupt files and folders; investigators recover this data, or the files containing it, in different ways [22].
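The header-and-footer carving described above can be illustrated as follows. This is an added example, not code from the book or from any named tool; the in-memory disk image, the two signatures chosen and the function names are constructed for illustration, and a real image file would be opened read-only and scanned in chunks.

```python
import hashlib

SECTOR = 512

# (header, footer) magic bytes for two common formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sha256_hex(data):
    """Hash a carved object so it can be referenced and re-verified in the report."""
    return hashlib.sha256(data).hexdigest()


def carve(image, max_size=8 * 1024 * 1024):
    """Scan raw image bytes for known headers and matching footers.

    Returns one record per header found, sorted by offset. The input is only
    read, never modified. A header with no footer inside max_size is reported
    as incomplete (for example a partly overwritten deleted file).
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": kind, "offset": start, "length": None,
                              "sha256": None, "complete": False})
                pos = start + len(header)
                continue
            stop = end + len(footer)
            found.append({"type": kind, "offset": start, "length": stop - start,
                          "sha256": sha256_hex(image[start:stop]), "complete": True})
            pos = stop
    return sorted(found, key=lambda rec: rec["offset"])


# Constructed sample content: not real pictures, only valid magic bytes.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed png body" + b"IEND\xaeB`\x82"
ORPHAN_HEADER = b"\xff\xd8\xff\xe1" + b"footer overwritten"


def build_sample_image():
    """Ten zero-filled sectors with objects placed in unallocated space."""
    image = bytearray(10 * SECTOR)
    for offset, blob in ((1 * SECTOR, SAMPLE_JPEG),
                         (4 * SECTOR, SAMPLE_PNG),
                         (8 * SECTOR, ORPHAN_HEADER)):
        image[offset:offset + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(rec)
```

Signature matching alone produces false positives on large images, because the two-byte JPEG footer also occurs by chance inside other data, so each carved object still has to be validated by opening it with a parser for its format.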

Evaluation

In evaluation, the evidence data retrieved during the investigation is analyzed to estimate its significance and relevance to the case. Digital evidence indicates the suspects and the victim of the crime. It sets the direction in which the case can be solved in the right way and at the right time. Investigators do their best to determine who committed the crime and where, when, why and how, based on the retrieved digital evidence. Conclusions are drawn from the evidence to support proceedings over violations of a company’s or institution’s policy. Prosecutions in criminal court and civil lawsuits present well-examined, reliable digital evidence [23].

Presentation

In this step, the evaluated data is reported in an easily understood format so that outside parties can readily understand and evaluate the evidence. For a better presentation, investigators should be good presenters or call on the aid of professional presenters. The data should be in a form that can be testified to, so that it can defend the case in court. Standard operating procedures should be followed in handling evidence data so that it holds up better in court or against a dissenting party. The handling of evidence data reflects the abilities and qualifications of the investigators. This data presents the findings of the case to lawyers, judges, administrators, officials, and corporate managers so that they can reach the right decision. The custody claims (chronological records of evidence) may be challenged at any stage [24].

1.8 Report Generation of Forensic Findings Through Software Tools

With the help of numerous software tools, log files of forensic analysis activities can be generated, and reports of these activities can be created to provide appropriate information from the findings about a case. Although these reports focus on “what was found” and “where it was found”, remember that it is the responsibility of the report writer to make clear the significance of the recovered evidence. Any limitation or uncertainty that applies to the findings must be stated in the report. These logs and reports are normally in plain text, spreadsheet, or HTML format. A report writer can use a package such as Microsoft Office, or custom-built software such as an organization’s inventory application, for the writing. For instance, the management at Super Bicycles, Inc. needs to know which unauthorized and authorized applications are on an employee’s computer to ensure that everyone is complying with software licensing. Autopsy for Windows can be used to find evidence and generate a report of the findings [25].

1.9 Importance of Forensics Report

Investigators or forensic experts write a report to communicate the results of the forensic analysis and examination of computers, digital mobile devices, and network systems. This forensic report presents digital evidence to support further investigation and can be admissible in a court of law, at an administrative hearing, or in an affidavit to support issuing a search warrant or an arrest. The report may also offer justification for collecting more evidence and can be used at a probable cause hearing, as evidence in a grand jury hearing, or at a motion hearing in criminal or civil cases.

Furthermore, if an employer has to investigate the misconduct of an employee, a report has to be prepared as the basis for disciplinary action. Besides presenting facts, the report can communicate expert opinion. The report should be regarded as the first testimony in a case, and it must be expected that the report will be examined and cross-examined.

The opposing counsel may look for an opportunity to attack the facts presented, whether the expert determined them personally or took them from other reports or from the expected testimony of other witnesses. Which facts affect the opinion and which do not? The expert witness should be aware that lawyers use services called deposition banks (libraries), which store examples of expert witnesses’ previous testimony. Although the information in reports is not specified, the deposition notice or subpoena should be at hand so that the report can include information such as the cause number, the location and date of the deposition, and the name of the deponent (the person testifying at the deposition). There is no requirement to include details of previous testimony in a report, although the key points of testimony should be summarized for future reference and transcripts of former testimony kept, if obtainable [26].

1.10 Guidelines for Report Writing