DF347 Networks Forensics 2024/2025 PDF

Summary

Presentation slides for a computer networks and forensics course at Al-Balqa Applied University covering topics like computer networks layers, encapsulation and decapsulation, and forensic science.

Full Transcript

DF347 Networks Forensics 2024/2025 – Semester 1, Week 2, 13th – 17th October 2024
Dr. Basil Elmasri

Computer Networks Layers

| OSI 7-layer reference model | Internet TCP/IP protocol suite | 5-layer (hybrid) model |
|---|---|---|
| Application | Application | Application |
| Presentation | | |
| Session | | |
| Transport | Transport | Transport |
| Network | Internet | Network |
| Data Link | Network Access/Interface | Data Link |
| Physical | | Physical |

Encapsulation and Decapsulation

Encapsulation runs down the 5-layer model (↓); decapsulation runs back up (↑).

Data itself: … Data …

| Layer | Unit | Protocols | Contents |
|---|---|---|---|
| Application | Message | HTTP, FTP, RTP… | Header … Data … |
| Transport | Segment | TCP – UDP | Header … Data … |
| Network | Packet | IP | Header … Data … |
| Data Link | Frame | MAC | Header … Data … Trailer |
| Physical | | | … 0's and 1's … |

Encapsulation and Decapsulation Example

Server A sends a webpage to B after B has requested it. The page is broken down into chunks. Each chunk has a header prepended at each layer and is then sent to B via the internet.

The HTTP header is added, then TCP, then IP, then the MAC header and trailer to create a "Frame". The frame is converted to 0's and 1's, then A pushes it through the connecting media to B.

B receives the bits and gathers them into a frame. B removes the MAC header and trailer, then the IP header, then the TCP header, then the HTTP header, to get a chunk of the page. At the end B adds this chunk to the page.

Each chunk is sent in this way to create a full display of the webpage.

[Figure: PC A (Server) encapsulates Data → HTTP → TCP → IP → MAC header and tail → … 01010101 …; PC B (Client) decapsulates in the reverse order.]

Forensic science

Forensic science may be defined as any science that is used in the service of the justice system, in the investigation and resolution of both civil disputes and criminal cases (Jackson & Jackson, 2017).

In practice, forensic science is more likely to be involved in the investigation and resolution of criminal cases.
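Added example, not part of the original slides: the Encapsulation and Decapsulation Example above (server A to client B) carried through in Python, with B checking the frame trailer before it strips each header. The MAC and IP addresses, ports and page chunk are constructed sample values; the TCP and IP checksums are left at 0 and the trailer is modelled as a CRC-32, both as simplifying assumptions.

```python
import socket, struct, zlib

def encapsulate(chunk, src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Server side: wrap one page chunk as HTTP -> TCP -> IP -> MAC header + trailer."""
    http = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(chunk) + chunk
    # TCP header (20 bytes): ports, seq, ack, data offset 5 + PSH|ACK, window; checksum 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + http
    # IPv4 header (20 bytes): version/IHL 0x45, total length, TTL 64, protocol 6 = TCP; checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + ip  # EtherType 0x0800 = IPv4
    return frame + struct.pack("<I", zlib.crc32(frame))         # trailer: CRC-32 of the frame

def decapsulate(frame):
    """Client side: remove MAC, IP, TCP and HTTP headers in turn; return (fields, chunk)."""
    body, trailer = frame[:-4], frame[-4:]
    if struct.unpack("<I", trailer)[0] != zlib.crc32(body):
        raise ValueError("trailer mismatch: frame corrupted or altered")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    if ethertype != 0x0800:
        raise ValueError("payload is not an IPv4 packet")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]    # excludes any link-layer padding
    if packet[9] != 6:
        raise ValueError("payload is not a TCP segment")
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    offset = (segment[12] >> 4) * 4                    # TCP header length in bytes
    http_header, _, chunk = segment[offset:].partition(b"\r\n\r\n")
    fields = {
        "mac": (src_mac.hex(":"), dst_mac.hex(":")),
        "ip": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
        "tcp": (sport, dport),
        "http": http_header.split(b"\r\n")[0].decode(),
    }
    return fields, chunk

# Constructed sample values: server A (port 80) sends one chunk to client B.
A_MAC, B_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAME = encapsulate(b"<h1>chunk 1</h1>", A_MAC, B_MAC, "192.0.2.10", "198.51.100.20", 80, 49152)

if __name__ == "__main__":
    fields, chunk = decapsulate(FRAME)
    for layer, value in fields.items():
        print(layer, value)
    print(chunk)
```

The per-layer fields returned by decapsulate() are the same source and destination identifiers an examiner reads from a captured frame at each layer.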
The science of associating people, places, and things involved in criminal activities; these scientific disciplines assist in investigating and adjudicating criminal and civil cases. The discipline divides neatly into halves, like the words that describe it (Houck & Siegel, 2015).

Forensic Science

The discipline divides neatly into halves, like the words that describe it.

"Science" is the collection of systematic methodologies used to increasingly understand the physical world.

The word "forensic" is derived from the Latin forum for "public".

In other words, "Forensic Science" is an apt term for the profession of scientists whose work answers questions for the courts through reports and testimony.

Forensic Science – UK Home Office

Forensic science is the application of science to a criminal investigation and court proceedings. This includes crime scene investigation and the collection, identification, analysis and interpretation of potential evidence such as DNA, fingerprints, digital evidence, drug analysis and footwear marks.

The Government's vision for forensic science is for a clearer system of governance to ensure quality standards and proper ethical oversight, and a cost-effective service that delivers to law enforcement and the Criminal Justice System (CJS) robust and relevant forensic evidence, and in so doing strengthens public and judicial trust in forensic science.

Source: Forensic Science Strategy, Presented to Parliament, A national approach to forensic science delivery in the criminal justice system. By the Secretary of State for the Home Department, by Command of Her Majesty. March 2016.

Evidence Processing

A crime scene may mean any location, such as a building, garden or field, or person (whether alive or dead) that is to be searched for physical evidence.

Involvement of forensic science in the investigation and resolution of criminal offences begins at the crime scene.

There are three distinct phases, in particular for physical evidence.
Evidence Processing

1. The recovery and continuity of evidence.
2. Examination and laboratory work on the recovered evidence.
3. The interpretation and evaluation of scientific evidence and the presentation of scientific test results in court and justice systems.

[Figure: A typical route of an item recovered from a crime scene to the court, in UK]

Recovery and Continuity of Evidence (I)

Successful crime scene processing means the proper and successful identification and recovery of items of physical evidence.

In the UK, this task is normally carried out by Scenes of Crime Officers (SOCOs), Forensic Scene Investigators (FSIs), or Crime Scene Investigators (CSIs).

Other personnel may also recover evidence. These include police officers, who may, for example, take items of evidence from suspects, forensic medical examiners and forensic scientists.

Once items of physical evidence are recovered, they must be separately and appropriately packaged, labelled, stored and transported, usually to the laboratory, for the next stage.

Recovery and Continuity of Evidence (II)

The integrity of each individual item of physical evidence must be maintained from the point of its recovery at the crime scene through to its possible appearance as a court exhibit.

It must be possible to demonstrate that this continuity of evidence has occurred.

For each item, records must be kept that show:
- The chronology of who has been responsible for its safekeeping and appropriate handling (the chain of custody).
- The measures taken to guard against evidence tampering, accidental contamination, deterioration and mislabelling.

In some serious incidents, the involvement of a dedicated exhibits officer will help to ensure continuity of the evidence.

Recovery and Continuity of Evidence (III)

Evidence Continuity: provision of a complete documented account of the progress of an item of evidence since its recovery from a crime scene.
If this cannot be adequately demonstrated, the evidence in question may be ruled inadmissible in court.

Loss of Integrity of Evidence

Loss of integrity can result from:
- Tampering
- Accidental contamination
- Deterioration
- Accidental mislabelling of evidence

Loss of Integrity – Tampering

- Tamper-evident seals on evidence packaging, with dedicated and secure evidence storage facilities.
  - See Tamper evident bags guidance, by UK Home Office.
- Specialist self-adhesive closures that cannot be opened without obvious damage to the seal.
- Signatures across seals in evidence packaging made using either conventional self-adhesive tape or specialist tamper-evident tape.
- Opening packaging away from previous seals so that the integrity of those seals can still be seen.
- Secure concurrent and simultaneous note taking.
- An uninterrupted, documented chain of custody.
  - Minimising the number of people in the chain of custody.
- Assiduous use of logging systems.

Loss of Integrity – Accidental Contamination

- Standard Operating Procedures (SOPs) that incorporate anti-contamination procedures, such as:
  - The isolation of bulk and trace evidence.
  - The use of appropriate personal protective equipment.
  - Avoiding between-sample cross-contamination:
    ▪ Decontamination of surfaces and/or people to guard against cross-contamination between samples.
    ▪ The use of disposable equipment where appropriate.
  - Isolation of samples from victims and suspects and from different crime scenes associated with the same case.
- Minimising the need to open evidence packaging.
  - Packages with transparent panels so the contents can be seen.
- Re-packaging each item as soon as it has been analysed or examined.
- Assiduous use of logging systems and contemporaneous note taking to show compliance with anti-contamination SOPs.

Loss of Integrity – Deterioration

- Appropriate packaging and storage.
- Assiduous use of logging systems.
- Contemporaneous note taking to show use of appropriate packaging and storage.
Loss of Integrity – Accidental Mislabelling of Evidence

- The use of SOPs specifically designed to minimise the opportunity for mislabelling.
- The assiduous use of contemporaneous notes to demonstrate compliance with these SOPs.

References

Jackson, R. A., & Jackson, J. M. (2017). Forensic Science (4th ed.). Harlow: Pearson Education.

Secretary of State for the Home Department. (2016). Forensic Science Strategy Presented to Parliament, A national approach to forensic science delivery in the criminal justice system. UK Home Office. Retrieved from https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/506683/54493_Cm_9217_Forensic_Science_Strategy_Print_ready.pdf
