Domains associated with Qadars malware

  • GET /media/system/js/statc40.php – Injected Redirect Script

  • – – Redirected Site
  • – – Phishing page
  • : Malicious Content Download
  • Port 443 – – Qadars Post Infect Traffic
  • Port 443 – – Qadars Post Infect Traffic
For analysis, you can download the sample from here : . But I am not responsible for any infection of your own system.

                                                      MEMORY FORENSICS

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is
investigation of advanced computer attacks which are stealthy enough to avoid leaving data on
the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

                                                     Why Memory Forensics

• Processes and threads
• Malware (including rootkit technologies)
• Network sockets, URLs, IP addresses, events and IOCs (indicators of compromise)
• Open files, network shares
• User generated content
• Passwords, caches, clipboards
• Encryption keys, applications
• Hardware and software configuration
• Windows registry keys and event logs

                                                 Memory Analysis Advantages
  •  Best place to identify malicious software activity
  •  Study running system configuration
  •  Identify inconsistencies (contradictions) in system
  •  Bypass packers, binary obfuscators, rootkits (including kernel mode) and other hiding tools.  
  •  Analyze and track recent activity on the system
  •  Identify all recent activity 
  •  Profile user or attacker activities
  •  Collect evidence that cannot be found anywhere else
  •  Memory-only malware
  •  Chat threads
  •  Internet activities

                                               Virtual Machine Memory Acquisition

VMware (Fusion/Workstation/Server/Player) : .vmem file = raw memory image
Microsoft Hyper-V                         : .bin file  = raw memory image
Parallels                                 : .mem file  = raw memory image
VirtualBox                                : .sav file  = partial memory image

                                                  TOOLS TO CAPTURE RAM

• LIVE System (RAM acquisition)
  win32dd.exe / win64dd.exe
  Belkasoft RAM Capturer
• DEAD System
  Hibernation file : contains a compressed RAM image


                                                       Zeus / Zbot Overview

• Persistent malware designed to steal credentials
• Many variants. A popular one does the following:
• Copies itself to %system32%\sdra64.exe
• Injects code into winlogon.exe or explorer.exe
• Further injects code into every process except csrss and smss
• Auto-start path: HKLM\Software\Microsoft\WindowsNT\winlogon\userinit
• Creates local.ds and user.ds in %system32%\lowsec\
• Retrieves files from the command and control server
• Mutant: _AVIRA_
• Hooks over 50 system APIs

                                                                       IMAGE INFO

imageinfo : Identifies the operating system, service pack and hardware architecture (32 or 64 bit) of the memory sample; its output also contains other useful information such as the DTB address and the time the sample was collected.


connscan : Finds artifacts from previous connections that have since been terminated, in addition to the active ones.


pslist : Lists the processes of the system, showing the offset, process name, process ID, parent process ID, number of threads, number of handles, and the date/time when each process started and exited.

Here svchost.exe is the process that is making the connections with instead of an Internet browser.


malfind : Finds hidden or injected code/DLLs in user-mode memory, based on characteristics such as the VAD tag and page permissions.

                                                            HASHING THE DUMP 

md5sum process.0x80ff88d8.0xb70000.dmp process.0x80ff88d8.0xcb0000.dmp 
59f1993ae96c0108f0fa224609f51a2f  process.0x80ff88d8.0xb70000.dmp
da295c2ce7c8741c2f16ff8d0f76efd3  process.0x80ff88d8.0xcb0000.dmp


To display the subkeys, values, data, and data types contained within a specified registry key, use the printkey command. By default, printkey will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.

You can see that "sdra64.exe" will run when the computer starts.


This provides a lot of information about the user activity.


To scan physical memory for KMUTANT objects with pool tag scanning, use the mutantscan command. By default, it displays all objects, but you can pass -s or --silent to only show named mutexes. The CID column contains the process ID and thread ID of the mutex owner if one exists.

Here we noticed _AVIRA_2018 and _AVIRA_2019.
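
As an added example (not part of the original notes), the Python script below reads the text output of the Volatility 2 plugins used above (pslist, connscan, printkey, mutantscan) and flags the Zeus indicators the notes walk through: sdra64.exe appended to the Winlogon Userinit value, the _AVIRA_ mutants, and a non-browser process such as svchost.exe owning network connections; it also reproduces the md5sum step for a dumped region. The column layouts are assumed to follow the plugins' default text output, the BROWSERS allow-list is an assumption, and all sample output is constructed.

```python
"""Added example, not from the original notes: triage the text output of the
Volatility 2 plugins used above (pslist, connscan, printkey, mutantscan) for
the Zeus/Zbot indicators the notes describe. Every sample below is constructed."""
import hashlib
import re

# Assumed allow-list: processes that are expected to own outbound connections.
BROWSERS = frozenset({"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"})

# Constructed sample output (abridged columns, private/documentation addresses).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x80ff88d8 svchost.exe            1052    672     21      326      0      0 2018-01-01 10:00:00 UTC+0000
0x80e9b5a0 iexplore.exe           2012   1500     12      410      0      0 2018-01-01 10:01:00 UTC+0000
"""
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02002a00 192.168.1.5:1043          203.0.113.10:443          1052
0x02003b10 192.168.1.5:1044          203.0.113.20:80           2012
"""
MUTANTSCAN_SAMPLE = """\
Offset(P)  #Ptr #Hnd Signal Thread     CID Name
---------- ---- ---- ------ ---------- --- ----------------
0x02ab1230    2    1      1 0x00000000     _AVIRA_2018
0x02ab4560    2    1      1 0x00000000     _AVIRA_2019
0x02ab7890    3    2      0 0x81f2c020 1052:1060 ShimCacheMutex
"""
PRINTKEY_SAMPLE = r"""
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Values:
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        Shell           : (S) Explorer.exe
"""


def _rows(text):
    """Yield whitespace-split data rows, skipping header and separator lines."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith(("Offset", "---")):
            yield fields


def pslist_names(pslist_text):
    """Map PID -> process name from pslist output."""
    return {int(f[2]): f[1] for f in _rows(pslist_text)}


def nonbrowser_connections(pslist_text, connscan_text, browsers=BROWSERS):
    """Return (name, pid, remote) for every connection owned by a process that
    is not a browser: the svchost.exe talking on port 443 that the notes flag."""
    names = pslist_names(pslist_text)
    hits = []
    for fields in _rows(connscan_text):
        remote, pid = fields[2], int(fields[3])
        name = names.get(pid, "<unknown>")
        if name.lower() not in browsers:
            hits.append((name, pid, remote))
    return hits


def suspicious_userinit(printkey_text):
    """Return Winlogon Userinit entries other than userinit.exe. Zeus appends
    its own copy (sdra64.exe) here so that it is launched at every logon."""
    match = re.search(r"^REG_SZ\s+Userinit\s*:\s*\(S\)\s*(.*)$", printkey_text, re.M)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def zeus_mutants(mutantscan_text):
    """Return mutant names of the form _AVIRA_<digits>, as seen in the notes."""
    found = []
    for line in mutantscan_text.splitlines():
        match = re.search(r"(_AVIRA_\d+)\s*$", line)
        if match:
            found.append(match.group(1))
    return found


def md5_hex(data):
    """MD5 of a dumped region's bytes, mirroring the md5sum step above."""
    return hashlib.md5(data).hexdigest()


def triage(pslist_text, connscan_text, printkey_text, mutantscan_text):
    """Run every check and return one report dictionary."""
    return {
        "nonbrowser_connections": nonbrowser_connections(pslist_text, connscan_text),
        "userinit_extras": suspicious_userinit(printkey_text),
        "zeus_mutants": zeus_mutants(mutantscan_text),
    }


if __name__ == "__main__":
    report = triage(PSLIST_SAMPLE, CONNSCAN_SAMPLE, PRINTKEY_SAMPLE, MUTANTSCAN_SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real case, replace the constructed samples with the saved plugin output files and pass the bytes of each malfind dump to md5_hex.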


Portable electronic device forensics is a relatively new and emerging field of interest within digital forensics. In the modern era, Personal Digital Assistants (PDAs) are becoming immensely popular. They are prone to become involved in electronic crimes in future, mainly because of their compact size and integrated features. The Federal Bureau of Investigation has highlighted the issue of growing crimes involving handheld devices in its computer crime survey. The PDA family mainly includes Palm devices, Windows mobile devices (Pocket PCs) and Linux based devices. Among these, Windows mobile devices are gaining more popularity of late, as they are based on the popular Microsoft Windows operating system and offer a familiar look and feel. In addition to making and receiving phone calls, they allow the user to browse the Internet, chat, send and receive text/multimedia messages, and view and edit Word, Excel and PowerPoint files. Discrepancies between computer forensics and portable electronic device forensics exist due to various factors including:
  • Wide range of hardware models and accessories.
  • Variety of different embedded operating systems.
  • Short product cycle with new models emerging very frequently.
  • Extreme orientation towards mobility.
  • File system residing in volatile memory on certain devices while in non-volatile memory on some others.
  • Hybrid devices with advanced networking and communication features.
  • Suspending processes when off or idle, while the device being active in the

                          Windows Mobile Device Architecture

The Windows mobile device platform, built on the Windows CE architecture, consists of four major layers.
  • Hardware Layer : This consists of the microprocessor, RAM, ROM, digital signal processors, various input/output devices etc.
  • Original Equipment Manufacturer (OEM) Layer : This includes the boot-loader, configuration files, drivers and the OEM Adaptation Layer (OAL). The OAL allows an OEM to adapt to a specific platform and consists of functions related to system start-up, interrupt management, profiling, power management, timer and clock.
  • Operating System Layer : This includes the kernel, core DLL, object store, multimedia technologies, device manager, communication services, networking and the Graphic Windowing and Events Subsystem (GWES). The GWES provides an interface between the application, the user and the operating system. The object store includes three types of persistent storage, which are the file system, registry and property databases. The registry stores information about system configuration, applications, settings, user preferences etc. A property database is a storehouse of data that can be searched and retrieved by associated applications.
  • Application Layer : This consists of applications like Office Mobile, Outlook Mobile, Windows Media Player, Pocket Internet Explorer, Pocket MSN Messenger, Picture and Video Viewer etc., the user interface, and various custom applications.
FIGURE 1 : Windows Mobile Simplified Architecture

The different types of memory supported by the operating system are:
  • RAM : This consists of two areas, the object store in which data is stored and program memory where programs execute. The object store is similar to a virtual RAM disk and the data present will be retained even when the system is suspended. The partition line between object store and program memory can be changed.
  • Expansion RAM : This is supported to provide additional storage for the user. It is mapped into virtual memory and appears identical to the system RAM in the virtual memory map of the operating system.
  • ROM : It consists of the operating system, applications, data files, support for uncompressed executables and DLL files. Uncompressed programs are executed in place, whereas if the module is compressed it is decompressed and loaded into RAM. When a program is executed directly from ROM, the time required to start the application is less, as it does not have to be loaded into RAM.
  • Persistent Storage : The persistent storage options are mainly in the form of removable memory cards like Compact Flash (CF), Secure Digital (SD), MultiMedia Cards (MMC) etc. Data stored in such removable storage cards are mapped into the system RAM when required.

                                   Hardware Characteristics
Having been designed for mobility, Windows mobile devices are very compact in size, battery powered and light weight. There are many hardware manufacturers making devices using the Windows mobile platform. All of them have a basic set of comparable features and capabilities. Physical characteristics like size, shape, weight etc. and technical specifications like processor speed, memory capacity, expansion capabilities etc. may vary for each model. The Windows mobile platform gives the hardware manufacturer, system integrator or developer the flexibility to incorporate their choice of services in their device version. A Windows mobile device in general consists of RAM, ROM, a microprocessor, a touch screen liquid crystal display, communication modules like GSM/GPRS, WLAN, Bluetooth and IrDA, slots for external memory cards and peripherals, optional modules like FM radio, GPS etc., a digital signal processor, camera, speaker, microphone and a few hardware keys and interfaces.
Figure 2 : Windows Mobile Device Generic Hardware Diagram

                                               Generic States 
Unlike most digital devices, which can be either in an on state or an off state, Windows mobile devices, or rather PDAs in general, can be in any one of a variety of states at a given point in time.
  • Nascent State : The device contains no user data and observes factory configuration settings. Usually the device must be charged for a minimum amount of time before entering this state. Any user action will result in a transition from this state. This state can be achieved at any time by doing a hard reset of the device or by allowing the battery to discharge totally.
  • Active State : The device attains this state whenever it is powered on, the user is performing some tasks and the file system contains data. This state can be achieved by doing a soft reset, which clears the working memory.
  • Quiescent State : This appears to be an inactive mode, though background functions are being performed and all user data is being maintained while conserving battery life. This state is attained when the power button is pressed while in the active or semi-active state. Also, when the inactivity timer expires while in the semi-active state, a transition to this state occurs. Generally the device is said to be ‘off’ if it is in the quiescent state and ‘on’ if it is in any other state.
  • Semi-Active State : The device in this state is in between the active and quiescent states, attained when a timer is triggered after a period of inactivity. This conserves battery life by reducing the backlight and other similar functions. Performing a soft reset, pressing any button or tapping the screen causes a transition to this state.

Figure 3 : Generic States of a Windows Mobile Device

Windows mobile devices turn out to be quite challenging for forensic investigations, primarily because of their compact size, integrated features and the availability of a wide range of models and accessories.
  • Volatile data : Unlike computers, Windows mobile devices do not have hard disks. They generally store data in volatile memory, which will be lost if there is no adequate power. Recovering volatile evidence and analyzing it could turn out to be a tedious task.
  • Generic state of the device : Even if a device appears to be in the off state, it may not be entirely inactive, as background processes may be running. A sudden transition from one state to another may result in loss of data. Care should be taken to identify the current state of the device and the state in which it should be kept.
  • Dynamic nature of evidence : Digital evidence may be easily altered either knowingly or accidentally. The data residing in a Windows mobile memory may change dynamically even when the device is left idle. Hence extreme care should be taken in the preservation of evidence and hashing and various cryptographic techniques should be applied whenever needed.
  • Hardware and OS version differences : The forensic investigator may come across different types of hardware during an investigation. The models may be different in their size, technical specifications and features. The version of the operating system may also differ. Tools applicable to a particular version and model may not work well with another. 
  • Accidental reset : Resetting the device accidentally while examining may result in the loss of data. A hard reset will wipe out everything from RAM. A soft reset reinitializes the dynamic memory and records marked for deletion are removed. Loss of battery life causes a hard reset and hence the battery level needs to be continuously monitored.
  • External memory devices : Most Windows mobile devices support additional memory devices like MMC, SD and CF cards. It is essential to search and seize such associated memory devices also.
  • Synchronization with other devices : Potential evidence on Windows mobile devices may include the address book, documents, text messages, voice messages, passwords, emails and appointment calendars. This information can be synchronized easily with a personal computer or laptop. Hence these should also be seized and examined.
  • Device alteration : Possibilities of device alteration may range from removing logos and manufacturer labels to modifying the operating system. The expertise of the suspect should be taken into account. It is possible to remap a hardware key to perform a function other than the default one. Common utilities can be replaced with malicious programs to alter the data in the device.
  • Password recovery : If the device is password protected, the forensic investigator needs to gain access to the device without damaging the device or the data. The possible techniques include exploiting system vulnerabilities, authentication weaknesses and gaining access through a back door.
  • Encryption mechanisms : Encryption and other techniques might be used to alter the data, if the suspect has a certain level of computer expertise. The investigator should have the tools and expertise to overcome such circumstances.
  • Communication shielding : Communication mechanisms like wireless could be on and any further possibility of communication should be eliminated.
  • Lack of availability of tools : There are only few specialized forensic tools for Windows mobile devices. A single tool may not perform all the necessary functions. So in many cases, a combination of tools needs to be used.
  • Malicious programs : The device may contain malicious software like a virus or a Trojan. Such malicious programs may attempt to spread over other devices either over a wired or wireless interface.
  • Understanding circumstances : In some investigations, an incident might have occurred but the identity of the offender might be unknown, whereas in other cases the offender and the incident are both known. The forensic examiner should have adequate knowledge of the circumstances and then search for evidence accordingly.
  • Legal issues : Since these devices are extremely compact, there is every possibility of them being involved in crimes, which can easily cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic investigator should be well aware of the nature of the crime and the regional laws.
                          Windows Mobile Forensic Process Model
There are many digital forensic models proposed in different parts of the world. However, no conclusion has been reached as to which is the most appropriate one. Each framework may work well with a particular type of investigation. None of these models focus on the specific information flow associated with the forensic investigation of Windows mobile devices. The Windows mobile device forensic process model has been developed to help forensic practitioners and law enforcement officials in the investigation of crimes involving such devices. The standard practices and techniques of the physical and digital investigation world are incorporated wherever appropriate. This model attempts to overcome the major shortcomings of the existing digital forensic models discussed in the earlier chapter and emphasises a systematic and methodical approach to digital forensic investigation. The proposed model consists of twelve stages, which are explained in the subsequent sections.

                   Figure 4 : Phases of the Windows Mobile Device Forensic Model

Phase One - Preparation : 
The preparation phase occurs prior to the actual investigation. This involves getting an initial understanding of the nature of the crime and activities like preparing the tools required for standard portable electronic device investigations, building an appropriate team, assigning roles to each person (case supervisor, crime scene sketch preparer, evidence recorder and so on), accumulating materials for packing evidence sources etc. It is very important to obtain the best possible assessment of the circumstances relating to the crime prior to proceeding to the crime scene. Knowledge of various mobile devices, accessories, features, specific issues etc. will be beneficial. A critical issue in investigations involving Windows mobile devices is that the power may run out before evidence collection is over. So it is essential to prepare a tool-kit consisting of standard power supplies, cables and cradles. The investigation should follow the various legal constraints and jurisdictional as well as organizational restrictions. This stage also involves obtaining search warrants, support from the management, required authorizations etc. before proceeding to the crime scene. The privacy rights of suspects should be taken into account. Legal notice must be provided to all concerned parties notifying them about the forensic investigation. An appropriate strategy for investigation should be developed, having taken into account the nature of the incident and various technical, legal and business factors. Training, education and experience of the investigators will contribute in this phase. Having a thorough preparation phase increases the quality of evidence and minimizes the risks and threats associated with an investigation.

Phase Two - Securing the Scene : 
This stage primarily deals with securing the crime scene from unauthorized access and preserving the evidence from being contaminated. There should be a formal protocol for handing over a crime scene in order to ensure that the chain of custody is properly followed. It will be difficult to judge how much at the crime scene is actually evidence. The investigators should identify the scope of the crime and establish a perimeter. Ensuring the safety of all people at the scene and protecting the integrity of all evidence should also be the targets at this stage. The investigators should have absolute control of the scene and interference from unwanted people should be avoided. As the number of people at the crime scene increases, the possibilities for the contamination and destruction of evidence also increase. However, an attempt should not be made to determine what is present in the device and external storage media at this stage. The devices must be left in their existing state until a proper assessment is made. If the device is on, it is better to leave it on. Similarly, if the device is off, never turn it on. Nobody should be allowed to touch any electronic device at the scene. Top priority should be given at this stage to minimising the corruption of evidence. Any item that could be evidence should not be tampered with. This phase plays a major role in the overall investigative process as it determines the quality of evidence.

Phase Three – Survey and Recognition : 
This stage involves an initial survey conducted by the investigators for evaluating the scene, identifying potential sources of evidence and formulating an appropriate search plan. In a complex environment, this may not be straightforward. In the case of Windows mobile devices, the major sources of evidence other than the device itself are the power adaptor, cradle, external memory cards, cables and other accessories. Since the information present in these devices can be easily synchronized with computers, any personal computer or laptop at the crime scene may also contain evidence. Evaluate the electronic equipment at the scene to determine whether any expert assistance is required in processing the scene. Identifying people at the scene and conducting preliminary interviews are extremely important. The owners or users of the electronic devices or system administrators can provide valuable information like the purpose of the system, security schemes, various applications present in the devices, user names, passwords, encryption details etc. Without violating the jurisdictional laws and corporate policies, the investigators must try to obtain the maximum information from the various people present at the scene. If it becomes necessary to search for items that are not included in the search warrant, appropriate amendments must be made to the existing warrant or a new warrant must be obtained which includes the additional items. An initial plan for collecting and analysing evidence must be developed at the end of the survey and recognition phase.

Phase Four - Documenting the Scene :
This stage involves proper documentation of the crime scene along with photographing, sketching and crime-scene mapping. All the electronic devices at the scene must be photographed along with the power adaptors, cables, cradles and other accessories. If the mobile device is in the on state, what is appearing on the screen should also be documented. A record of all visible data must be created, which helps in recreating the scene and reviewing it at any time. This is particularly important when the forensic specialist has to give testimony in a court, which could be several months after the investigation. Circumstances surrounding the incident, including who reported the incident initially and at what date and time, should be included. It is necessary to keep a log of those who were present at the scene, those who arrived, those who left etc., along with a summary of their activities while they were at the scene. It is necessary to classify the people into separate groups like victims, suspects, bystanders, witnesses, other assisting personnel etc. and record their location at the time of entry. Documentation is a continuous activity, required in all the stages, and is quite critical for maintaining a proper chain of custody.

Phase Five – Communication Shielding : 
This step occurs prior to evidence collection. At this stage, all further possible communication options of the device should be blocked. Even if the device appears to be in the off state, some communication features like wireless or Bluetooth may be enabled. This may result in overwriting the existing information and hence such possibilities should be avoided. In other situations where the device is in the cradle connected to a computer, synchronization mechanisms using ActiveSync might be enabled. This may also lead to the corruption of evidence. The best option after seizing a device is to isolate it by disabling all its communication capabilities. If the device is in the cradle, remove any USB or serial cable which connects it to a computer.

Phase Six – Volatile Evidence Collection : The majority of the evidence involving mobile devices will be of a volatile nature, being present in ROM. Collecting volatile evidence presents a problem as the device state and memory contents may be changed. The decision whether to collect evidence at the crime scene or later at a secured forensic workshop depends on the nature of the particular situation, including the current power state. If the device is running out of battery power, the entire information will be lost soon. In that case, adequate power needs to be maintained if possible by using the power adaptor or replacing batteries. If maintaining the battery power seems doubtful, the contents of the memory should be imaged using appropriate tools as quickly as possible. Paraben PDA Seizure is a major commercial forensic tool which can be used for memory acquisition, in addition to several open source tools. A combination of tools must be used to obtain better results. If possible, an adequate power supply must be maintained by recharging the device or replacing the battery, whichever is appropriate. If it is not possible to provide sufficient power, the device must be switched off to preserve battery life and the contents of the memory. The presence of any malicious software installed by the user should also be checked at this stage.
Phase Seven – Non-volatile Evidence Collection : This phase involves collecting evidence from external storage media supported by these devices, like MMC cards, compact flash (CF) cards, memory sticks, secure digital (SD) cards, USB memory sticks etc. Evidence from computers which are synchronized with these devices must be collected. If the device has integrated phone features, the acquisition of SIM card information takes place at this stage. Appropriate forensic tools must be used for collecting evidence to ensure its admissibility in a court of law. The integrity and authenticity of the evidence collected should be ensured through mechanisms like hashing, write protection etc. All power cables, adaptors, cradles and other accessories should also be collected. Care should also be taken to look for evidence of a non-electronic nature, like written passwords, hardware and software manuals and related documents, computer printouts etc.
Phase Eight – Preservation : This phase includes packaging, transportation and storage. Appropriate procedures should be followed and documented to ensure that the electronic evidence collected is not altered or destroyed. All potential sources of evidence should be identified and labelled properly before packing. Use of ordinary plastic bags may cause static electricity. Hence anti-static packaging of evidence is essential. The device and accessories should be put in an envelope and sealed before placing it in the evidence bag. The evidence bag must be kept in a radio frequency isolation container to avoid further communications with any other device. All the containers holding these evidence bags must also be properly labelled. Adequate precautions are necessary as the sources of evidence could easily be damaged during transportation because of shock, excessive pressure, humidity or temperature. Afterwards the device can be moved to a secure location where a proper chain of custody can be maintained and examination and processing of evidence can be started. The evidence should be stored in a secure area and should be protected from electromagnetic radiation, dust, heat and moisture. Unauthorized people should not have access to the storage area. The National Institute of Standards and Technology guideline highlights the need for proper transportation and storage procedures for maintaining a proper chain of custody.
Phase Nine – Examination : This phase involves examining the contents of the collected evidence by forensic specialists and extracting information which is critical for proving the case. An appropriate number of evidence back-ups must be created before proceeding to examination. This phase aims at making the evidence visible, while explaining its originality and significance. Huge volumes of data collected during the volatile and non-volatile collection phases need to be converted into a manageable size and form for future analysis. Data filtering, validation, pattern matching and searching for particular keywords with regard to the nature of the crime or suspicious incident, recovering relevant ASCII as well as non-ASCII data etc. are some of the major steps performed during this phase. Personal organizer information like the address book, appointments, calendar, scheduler etc., text messages, voice messages, documents and emails are some of the common sources of evidence which are to be examined in detail. Finding evidence of system tampering, data hiding or deleting utilities, unauthorized system modifications etc. should also be performed. Detecting and recovering hidden or obscured information is a major tedious task involved. Data should be searched thoroughly for recovering passwords, finding unusual hidden files or directories, file extension and signature mismatches etc. The capabilities of the forensic tools used by the examiner play an important part in the examination phase. When the evidence is checked out for examination and checked in, the date, time, name of investigator and other details must be documented. It is required to prove that the evidence has not been altered after being possessed by the forensic specialist and hence hashing techniques like MD5 must be used for mathematical authentication of data.
Phase Ten – Analysis : This step is more of a technical review conducted by the investigative team on the basis of the results of the examination of the evidence. Identifying relationships between fragments of data, analyzing hidden data, determining the significance of the information obtained from the examination phase, reconstructing the event data based on the extracted data and arriving at proper conclusions etc. are some of the activities to be performed at this stage. The National Institute of Justice (2004) guidelines recommend timeframe analysis, hidden data analysis, application analysis and file analysis of the extracted data. Results of the analysis phase may indicate the need for additional steps in the extraction and analysis processes. It must be determined whether the chain of evidence and timeline of the events are consistent. Using a combination of tools for analysis will yield better results. The results of analysis should be completely and accurately documented.
Phase Eleven - Presentation : After extracting and analyzing the evidence collected, the results may need to be presented before a wide variety of audiences including law enforcement officials, technical experts, legal experts, corporate management etc. Depending on the nature of the incident or crime, the findings must be presented in a court of law if it is a police investigation, or before appropriate corporate management if it is an internal company investigation. As a result of this phase, it should be possible to confirm or discard the allegations regarding the particular crime or suspicious incident. The individual results of each of the previous phases may not be sufficient to arrive at a proper conclusion about the crime. The results of examination and analysis must be reviewed in their entirety to get a complete picture. A report consisting of a detailed summary of the various steps in the process of investigation and the conclusions reached must be provided. In many cases, the forensic specialist may have to give expert testimony in court. The complex terms involved in the various stages of the investigation process need to be explained in layman’s terminology. The expertise and knowledge of the forensic examiner, the methodology adopted, tools and techniques used etc. are all likely to be challenged before a jury. Along with the report, supporting materials like copies of digital evidence, the chain of custody document, printouts of various items of evidence etc. should also be submitted.
Phase Twelve - Review : The final stage in the model is the review phase. This involves reviewing all the steps in the investigation and identifying areas for improvement. As part of the review phase, the results and their subsequent interpretation can be used to further refine the gathering, examination and analysis of evidence in future investigations. In many cases, many iterations of the examination and analysis phases are required to get the total picture of an incident or crime. This information will also help to put better policies and procedures in place in future.
Conclusion : A new forensic process model has been proposed, focusing exclusively on the issues surrounding Windows mobile device forensic investigation and standardizing the approach. This model is an initial step towards bridging the gap between law enforcement models and digital investigation models. The proposed set of activities in the model is not complete and there is considerable scope for future work. Though the model works as a standard for the Windows mobile family, additional procedures are needed to standardize it for the entire PDA family, which also includes Palm and Linux devices. For such a generic model, however, the procedures of memory acquisition in the volatile evidence collection phase will differ depending on the operating system. Additional work must be done to make sure that the model can be applied to other families of digital electronic devices, including portable music players, digital cameras, mobile phones, removable data storage devices and so on. However, the addition of new procedures may make this model clumsy.


A government official is caught embezzling hundreds of thousands of dollars from his agency. A Federal Search Warrant is executed at his residence for evidence of his crime and to locate the money. The money is not found, but on his computer is a letter discussing the disposition of the illegally obtained funds. A paedophile is caught attempting to molest children. His residence is searched for evidence which will prove that this incident is part of a long-standing pattern of behaviour and which will identify additional victims.  On his computer numerous images are stored which depict the subject, his residence and several neighbourhood children committing sex acts. A terrorist bombing suspect’s home is searched for evidence of the conspiracy and the motive for the crime. Fragments of documents and drawings are found on the computer of the suspect which link him to the bombing and provide insight as to the motive for the crime. A con man is tried in Federal Court for running a scam in which the prizes will never be given away. A computer forensic specialist testifies that the computer program which is used to determine the winning numbers is programmed in such a way that the prizes are outside the range of the program’s variables. In each of these cases the critical evidence was developed from the perpetrator’s own computer and subsequently used in legal proceedings.

Law enforcement and the legal establishment are facing a new challenge. Criminal acts are being committed and the evidence of these activities is recorded in electronic form. Additionally, crimes are being committed in cyberspace. Evidence in these crimes is almost always recorded in digital fashion. It is important that computer security professionals be aware of some of the requirements of the legal system and understand the developing field of computer forensics. Hundreds of years of tradition and countless court decisions have developed the complex set of rules that apply to evidence which can be used in legal proceedings. The reality of the Information Age is having a significant impact on the legal establishment.

One major area in which this is being felt is that of the acquisition, authentication, evaluation and legal admissibility of information stored on magnetic and other media. This information can be referred to as digital evidence. Computer forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law. At one extreme is the pure science of ones and zeros. At this level, the laws of physics and mathematics rule. At the other extreme is the courtroom. To get something admitted into court requires two things. First, the information must be factual. Secondly, it must be introduced by a witness who can explain the facts and answer questions. While the first may be pure science, the latter requires training, experience, and an ability to communicate the science.

The Document Paradigm

In the paper-based world, the law assumes a process which is mutually understood and observed by all the parties. Almost without thinking, a four-part process takes place. When we try to apply this process to digital evidence, we see that we have a new set of problems.

First, a document is acquired. How it is acquired (via consent, search warrant, a public record, business record) is subject to a set of rules that have a long and well documented history. Even so, there are often cases where there will be room for disagreement, which will then result in litigation. Rarely is determining that the document physically exists, or where it came from, a problem. With digital evidence, this is often a problem. What does this binary string represent? Where did it come from? While these questions may seem obvious at first glance to the computer literate, they are neither obvious nor understandable to the layman. These problems then require a substantial foundation to be laid prior to their admission into evidence at trial.

Next, a document will undergo an identification process. If the document is in English, then anyone who can read English can probably determine what the document says. Its format and content define its purpose. A binary file requires conversion, in the form of a program, which will transform the data into a form which is humanly readable. Only then can a human determine what the document is.

Then, evaluation of the document follows. This is the time when the reader determines if the information contained in the document is relevant and determines who could testify concerning this document. When our digital data is in human readable form, we can also make these determinations. However, the electronic context of a file is arguably still significant. This will impact how the evidence is introduced and by whom.

Ultimately, the document may be offered in evidence. This must be done by a warm, breathing human being who has legal standing to explain its origin, its meaning, or both. In the case of paper evidence, the judge and jury may physically inspect the paper and will hear someone who is personally aware of the document describe it and its significance. It is not necessary to explain the three prior steps to the court, as these are generally accepted by all participants. At this stage of legal history, such is not the case for digital evidence. As a result, it is often necessary to have the testimony of someone who can explain the process of acquisition, identification, and evaluation.

This process can be summarized as follows:

[Figure: the four-part document process: Acquisition → Identification → Evaluation → Admission as Evidence]

The Digital Paradigm

This process is very clear and is intuitively obvious. Digital evidence, by its very nature, is invisible to the eye. Therefore the evidence must be developed using tools other than the human eye. It is only logical that the process used in the case of digital evidence mimic the process that is used for paper evidence. Because each step requires the use of tools or knowledge, the process must be documented, reliable and repeatable. The process itself must be understandable to the members of the court.

Acquisition of evidence is both a legal and a technical problem. In fact, these two aspects are irrevocably related. The law specifies what can be seized, under what conditions, from whom, and from where it may be seized. The determination of what a particular piece of digital evidence is requires its examination. Is a particular file a word processing document or an executable program? It may require examination to determine where a particular piece of evidence is physically located. Is the file on a local hard drive or is it on a server located in another legal jurisdiction? In short, it may be necessary to show a technical basis for obtaining the legal authority to search. Likewise, it may require technical skills in order to actually accomplish the search. The product of this phase is usually raw media, devoid of meaning or usefulness.

Actually identifying a piece of digital evidence represents a three-step process. It must be definable in its physical form; that is, it resides on a specific piece of media. Next, it must be identifiable as to its logical position: where does it reside relative to the file system? Lastly, we must place the evidence in the correct context in order to read its meaning. This may require looking at the evidence in its raw encoding, for example as ASCII or EBCDIC, or by means of an application (program).

Each of these steps requires technical skills and may subsequently require testimony at trial. At this point, we have translated the media into data. Evaluation of the data involves both technical and legal judgements. Data that is placed in its proper context is called information. From a technical standpoint, it may be possible to draw conclusions as to how the data was produced, when and by whom. The legal issues are the relevance of the information, its reliability, and who can testify to it.

The path that digital evidence takes can be depicted as follows:

        Physical     Logical        Legal
        Context      Context        Context
           ⇓            ⇓             ⇓
Media  ⇒  Data  ⇒  Information  ⇒  Evidence
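The three identification steps above (physical form, logical position, context) and the media ⇒ data ⇒ information path, worked through in code. This is an added example and not the article's own; the raw image, its directory layout, file names and contents are all constructed and hypothetical.

```python
# Added example (not from the article): a constructed raw image is walked through
# physical form -> logical position -> context. Layout and contents are hypothetical.
DIRECTORY = {  # toy "file system": name -> (byte offset on the media, length)
    "notes.txt": (0x40, 24),   # ASCII text
    "tool.exe": (0x60, 16),    # DOS/PE executable header
    "ledger.txt": (0x80, 24),  # EBCDIC (code page 037) text
}


def build_media() -> bytes:
    """Construct a 256-byte raw image carrying the three files above."""
    media = bytearray(0x100)
    media[0x40:0x40 + 24] = b"Funds moved to account 1"
    media[0x60:0x60 + 16] = b"MZ\x90\x00" + b"\x00" * 12
    media[0x80:0x80 + 24] = "Hidden in EBCDIC records".encode("cp037")
    return bytes(media)


def physical_slice(media: bytes, offset: int, length: int) -> bytes:
    """Step 1, physical form: the bytes at a definite place on the media."""
    return media[offset:offset + length]


def logical_lookup(name: str) -> tuple:
    """Step 2, logical position: where the file sits in the file system."""
    return DIRECTORY[name]


def classify(data: bytes) -> str:
    """Step 3, context: how must these bytes be read to carry meaning?"""
    if data.startswith(b"MZ"):
        return "executable"
    if all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data):
        return "ascii-text"
    try:
        text = data.decode("cp037")
    except UnicodeDecodeError:
        return "unknown"
    return "ebcdic-text" if text.isprintable() else "unknown"


def to_information(media: bytes, name: str) -> tuple:
    """Media -> data -> information: locate, read and place the data in context."""
    offset, length = logical_lookup(name)
    raw = physical_slice(media, offset, length)
    kind = classify(raw)
    if kind == "ascii-text":
        return kind, raw.decode("ascii")
    if kind == "ebcdic-text":
        return kind, raw.decode("cp037")
    return kind, raw.hex()  # executables and unknowns stay as opaque data
```

Only once the bytes have been located and decoded in the right context do they become information; the executable and the undecodable bytes stay as data.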


In law, if information is not admitted into evidence, then, for legal purposes, it does not exist. Testimony by both the forensic specialist who developed the evidence and someone who can explain its significance to the case is often required. Only then does the information become evidence.

It should be clear from the above that technical skills and legal expertise must be combined in order to discover, develop and utilize digital evidence. The process used must conform to both the law and science. Failure in either arena renders the product legally worthless.

The preceding has been based on the use of computer forensics to exploit stored digital information. Certainly, this need will grow dramatically in the future, as more and more of society's information is stored electronically. However, a potentially even larger use may be to document activities and processes that take place electronically. In other words, to examine data that is not only at rest, but also that which is in motion. And while the law will slowly evolve and accept more and more technical issues, computer forensic specialists will continue the process of education for all parties in the legal process.