CBS - Unit 4

The document provides an overview of computer forensics, detailing its definition, types, characteristics, applications, advantages, and disadvantages. It outlines the digital forensics life cycle, the importance of digital evidence, and the processes involved in email and network forensics. Additionally, it discusses the challenges faced in the field and the necessary steps for conducting a successful forensic investigation.

Rohini Sharma

Cybersecurity

Unit-4
UNDERSTANDING COMPUTER FORENSICS

Computer Forensics: It is a scientific method of investigation and analysis used to gather
evidence from digital devices, computer networks and their components in a form that is suitable for
presentation in a court of law or other legal body. It involves performing a structured investigation
while maintaining a documented chain of custody, in order to find out exactly what happened on a
computer and who was responsible for it.

Types of Computer Forensics:

1. Disk Forensics: Extracting raw data from the primary or secondary storage of a device and
searching it for active, modified, or deleted files.
2. Network Forensics: A sub-branch of computer forensics that involves capturing, monitoring and
analysing network traffic.
3. Database Forensics: The study and examination of databases and their related metadata,
such as transaction logs and audit records.
4. Malware Forensics: The identification of suspicious code and the study of viruses,
worms and similar malicious software.
5. Email Forensics: The recovery and analysis of email and related data, including deleted
messages, calendars, and contacts.
6. Memory Forensics: Collecting data from volatile system memory (registers, cache, RAM) in raw
form and analysing it; running processes, open network connections and keys that never touch
the disk can only be found here.
7. Mobile Phone Forensics: The examination and analysis of phones and smartphones to retrieve
contacts, call logs, incoming and outgoing SMS, and the other data present on the device.

Characteristics:
1. Identification: Identifying what evidence is present, where it is stored, and how it is stored
(in which format). Electronic devices can be personal computers, Mobile phones, PDAs, etc.
2. Preservation: Data is isolated, secured, and preserved. It includes prohibiting unauthorised
personnel from using the digital device so that digital evidence, mistakenly or purposely, is not
tampered with and making a copy of the original evidence.
3. Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based
on evidence.
4. Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are documented.
5. Presentation: The documented findings are presented in a court of law or to the body that
commissioned the investigation.

Application:
● Intellectual Property theft
● Industrial espionage
● Employment disputes
● Fraud investigations
● Misuse of the Internet and email in the workplace
● Forgery-related matters
● Bankruptcy investigations
● Regulatory compliance issues

Advantages of Computer Forensics :

● It produces evidence that can be presented in court and lead to the conviction of the offender.
● It helps companies establish whether, and how, their computer systems or networks have been
compromised.
● It can trace cyber criminals across organisational and national borders.
● It helps to protect the organisation's money and valuable time.
● It allows factual evidence to be extracted, processed, and interpreted so that the cybercriminal's
actions can be proved in court.

Disadvantages of Computer Forensics :

● Before digital evidence is accepted in court, it must be shown that it has not been tampered with.
● Producing and keeping electronic records safe is expensive.
● Legal practitioners must have extensive computer knowledge.
● The evidence produced must be authentic and convincing.
● If the tool used for digital forensics does not meet accepted standards, the evidence it produces
can be rejected by the court.
● A lack of technical knowledge on the part of the investigating officer may not give the desired
result.

Digital Forensic Science:

● Digital Forensics is a branch of forensic science which includes the identification, collection,
analysis and reporting of valuable digital information held on digital devices related to
computer crimes, as a part of the investigation.
● In simple words, Digital Forensics is the process of identifying, preserving, analysing and
presenting digital evidence.
● The first computer crimes were recognised in the Florida Computer Crimes Act of 1978, and after
this the field of digital forensics grew quickly through the late 1980s and 1990s.
● It covers areas of analysis such as storage media, hardware, operating system, network, and
applications.
It consists of 5 steps at a high level:
1. Identification of evidence: It includes identifying evidence related to the digital crime in
storage media, hardware, operating system, network, and/or applications. It is the most
important and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it
does not degrade or vanish with time. Preserving the digital evidence is very important and
crucial.

3. Analysis: It includes analysing the collected digital evidence of the committed computer
crime to trace the criminal and the possible path used to break into the system.
4. Documentation: It includes proper documentation of the whole digital investigation, the
digital evidence, the loopholes of the attacked system etc., so that the case can be studied and
analysed in future and can be presented in court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in
court in order to prove the digital crime committed and identify the criminal.

Branches of Digital Forensics:


● Media forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of audio, video and image evidence during the
investigation process.
● Cyber forensics: It is the branch of digital forensics which includes identification, collection,
analysis, and presentation of digital evidence during the investigation of a cybercrime.
● Mobile forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a crime
committed through a mobile device like mobile phones, GPS device, tablet,
laptop.
● Software forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a crime
related to software only.

The Need for Computer Forensics:


1. Rising Cyber Crime Rates: With the increasing prevalence of cybercrimes, including
hacking, data breaches, and online fraud, there is a growing need for computer forensics to
investigate and respond to digital incidents.
2. Digital Evidence in Legal Proceedings: As digital evidence becomes integral to legal
proceedings, computer forensics plays a crucial role in collecting, analysing, and presenting
this evidence in a forensically sound and legally admissible manner.
3. Protection of Sensitive Information: Organizations and individuals need computer
forensics to safeguard sensitive information from unauthorised access, ensuring the
confidentiality and integrity of digital data.
4. Corporate Security: In the corporate world, computer forensics is essential for responding
to incidents such as data breaches, insider threats, and intellectual property theft, helping
organisations maintain a secure digital environment.
5. Incident Response and Mitigation: Computer forensics aids in incident response by
providing methodologies and tools to quickly identify and mitigate cybersecurity incidents,
minimising potential damage.
6. Legal Compliance: Compliance with legal standards and regulations requires organisations
to conduct thorough investigations using computer forensics when dealing with digital
incidents or potential data breaches.
7. Recovery of Lost or Deleted Data: Computer forensics helps in the recovery of lost or
deleted data, which can be critical in both criminal investigations and corporate settings.
8. Prevention and Deterrence: The knowledge that computer forensics can uncover and trace
digital activities serves as a deterrent, discouraging potential cybercriminals and contributing
to overall cybersecurity awareness.
9. Employee Misconduct Investigations: In cases of employee misconduct or policy
violations, computer forensics assists organisations in investigating and documenting digital
evidence related to such incidents.

10. Identification of Security Weaknesses: Computer forensics helps identify security
weaknesses and vulnerabilities in digital systems, enabling organisations to implement
effective security measures and protocols.
11. International Collaboration: With the global nature of cybercrimes, computer forensics
facilitates international collaboration among law enforcement agencies and cybersecurity
professionals to combat digital threats.
12. Criminal Investigations: In criminal investigations, computer forensics is indispensable
for examining electronic evidence, reconstructing digital timelines, and identifying individuals
involved in cybercrimes.
13. Support for Law Enforcement: Law enforcement agencies rely on computer forensics to
gather evidence in cybercrime cases, track digital footprints, and prosecute individuals engaged
in illegal online activities.
14. Adapting to Technological Advancements: The ever-evolving landscape of technology
and cyber threats necessitates ongoing advancements in computer forensics tools and
techniques to stay ahead of sophisticated cybercriminal tactics.

What is Digital Evidence?


● The term “ Digital Evidence” means the information that is transmitted and stored in binary
form that can be found in hard disks, mobile phones etc.
● It can be used for prosecution of various crimes but it is generally associated with E-Crimes.
● Digital evidence is described as information and data kept on, received from, or transferred
by an electronic device that is useful to an investigation.
● When electronic devices are taken into custody and secured for inspection, this evidence can
be obtained.
Properties of digital evidence:
1. Like fingerprints or DNA evidence, it is latent (hidden) and needs tools to be made visible.
2. It crosses jurisdictional borders quickly and easily.
3. It can be easily changed, damaged, or destroyed.
4. It is potentially time-sensitive: volatile data is lost when a device is powered off, and logs
are rotated or overwritten.
Process involved in Digital Evidence Collection: The main processes involved in digital
evidence collection are given below:
● Data collection: In this process data is identified and collected for investigation.
● Examination: In the second step the collected data is examined carefully.
● Analysis: In this process, different tools and techniques are used and the collected evidence
is analysed to reach some conclusion.
● Reporting: In this final step all the documentation, reports are compiled so that they can be
submitted in court.

Forensic Analysis of E-Mail:


● Email forensics involves the systematic examination and analysis of email data to gather
evidence for investigative or legal purposes.
● It plays a crucial role in cybercrime investigations, corporate incidents, and legal
proceedings.
1. Collection of Email Evidence:
● Metadata Extraction: Collect metadata, including sender and recipient details, timestamps,
and email server information.
● Email Headers: Examine email headers for routing information and details about the email's
journey.
● Attachments and Content: Extract and analyse email attachments and content for potential
evidence.
2. Preservation of Email Evidence:
● Original Email Preservation: Preserve original email content, headers, and metadata to
maintain authenticity.
● Chain of Custody: Document and maintain a secure chain of custody to track the handling
of email evidence.
3. Email Analysis Techniques:
● Keyword Search: Conduct keyword searches to identify relevant information within email
content.
● Link Analysis: Analyse relationships between email senders, recipients, and other entities
to uncover patterns or connections.
● Timeline Reconstruction: Reconstruct timelines of email exchanges to understand the
sequence of events.
● Content Analysis: Analyse the content of emails for contextual clues, threats, or indications
of malicious activity.
4. Authentication and Verification:
● Email Source Verification: Verify the authenticity of emails by examining the source, the SPF
and DKIM results recorded by the receiving server, and the sender information.
● Sender Authentication: Validate the identity of the sender through forensic analysis to detect
email spoofing.
5. Investigation of Email Attachments:
● Malware Analysis: Conduct analysis on email attachments to identify and characterise
potential malware.
● File Metadata Examination: Examine metadata of attached files for additional insights into
their origin and history.
6. Email Header Examination:
● IP Address Analysis: Analyse the IP addresses in the Received headers to trace the approximate
geographic location of the sending host or to identify known malicious infrastructure. Only the
headers added by servers you trust are reliable: a sender can forge any header below them.
● Email Routing Analysis: Examine email routing paths to understand the journey of the
email through different servers.
7. Recovering Deleted Emails: Employ forensic techniques to recover deleted emails,
including examining email server logs and backup systems.
8. Legal Admissibility: Ensure that the methods used in email forensics adhere to legal
standards, making the evidence admissible in court.
9. Reporting: Generate comprehensive reports documenting the findings of the email forensics
analysis, including key evidence, methodologies used, and conclusions drawn.
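Worked example, added here and not part of the original notes: the header-analysis steps above applied with Python's standard email module to a constructed message. The hosts, IP addresses (RFC 5737 documentation ranges) and the Authentication-Results verdicts are invented. The code walks the Received headers from the bottom up to reconstruct the route, picks out the originating IP, reads the SPF/DKIM verdicts recorded by the receiving server, and flags timestamps that run backwards.

```python
import re
import email
from email import policy
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample message: hosts, addresses and IPs (RFC 5737 ranges)
# are invented and describe no real mail system.
RAW_MESSAGE = b"""Received: from mx.example.test (mx.example.test [192.0.2.10])
\tby mail.victim.test with ESMTPS id abc123
\tfor <cfo@victim.test>; Mon, 04 Mar 2024 10:15:30 +0000
Received: from relay.example.test (relay.example.test [198.51.100.7])
\tby mx.example.test with ESMTP; Mon, 04 Mar 2024 10:15:28 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.example.test with ESMTPA; Mon, 04 Mar 2024 10:15:25 +0000
Authentication-Results: mail.victim.test;
\tspf=fail smtp.mailfrom=bank.test;
\tdkim=none
From: "Your Bank" <alerts@bank.test>
To: cfo@victim.test
Subject: Urgent wire transfer
Date: Mon, 04 Mar 2024 10:15:20 +0000

Please approve the attached transfer today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load_message(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def _unfold(value):
    # Collapse folded continuation lines and runs of whitespace.
    return " ".join(str(value).split())


def _parse_time(stamp):
    try:
        return parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None


def parse_received_chain(msg):
    """Hops in chronological order, origin first.

    Every MTA prepends its own Received header, so the bottom header is the
    earliest hop we can see and the top one was added by our own server.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = _unfold(raw)
        clause, stamp = line.rsplit(";", 1) if ";" in line else (line, "")
        frm = re.search(r"\bfrom\s+(\S+)", clause)
        by = re.search(r"\bby\s+(\S+)", clause)
        ip = IPV4.search(clause)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None,
                     "time": _parse_time(stamp)})
    return hops


def origin_ip(hops):
    """Earliest relaying IP in the chain: the best lead on where the
    message entered the mail system."""
    for hop in hops:
        if hop["ip"]:
            return hop["ip"]
    return None


def auth_results(msg):
    """Read the verdicts the receiving MTA recorded in Authentication-Results."""
    line = _unfold(msg.get("Authentication-Results", ""))
    return {m: v for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", line)}


def timeline_anomalies(hops):
    """Flag hops whose timestamp precedes the previous hop's. Small skew is
    normal; a large backwards jump points to a forged Received line."""
    issues, prev = [], None
    for i, hop in enumerate(hops):
        t = hop["time"]
        if prev is not None and t is not None and t < prev:
            issues.append("hop %d via %s is timestamped before the previous hop" % (i, hop["by"]))
        if t is not None:
            prev = t
    return issues


def assess(msg):
    """Summarise spoofing indicators as a list of findings."""
    hops = parse_received_chain(msg)
    auth = auth_results(msg)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    findings = []
    if not auth:
        findings.append("no Authentication-Results header from the receiving MTA")
    elif auth.get("spf") != "pass":
        findings.append("SPF %s for claimed sender domain %s" % (auth.get("spf", "missing"), sender_domain))
    if auth.get("dkim") in (None, "none"):
        findings.append("no DKIM signature verified for %s" % sender_domain)
    if hops and hops[0]["from"] and hops[0]["from"].startswith("["):
        findings.append("origin hop %s has no reverse DNS name" % hops[0]["from"])
    findings.extend(timeline_anomalies(hops))
    return findings
```

Read the Authentication-Results line only if it was added by your own MTA; a sender can insert one of their own, which is why the authserv-id (here mail.victim.test) should be checked against the receiving host. The same applies to the route: the hops below the first server you control are claims made by whoever sent the message, so the "origin IP" is the earliest hop you can vouch for, not a proven source.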
Digital Forensics Life Cycle:

● The digital forensics life cycle consists of a series of systematic steps and processes aimed
at identifying, collecting, analysing, and preserving digital evidence in a forensically sound
manner.
● This life cycle is followed in the investigation of cybercrimes, incidents, or any digital-related
legal matters.

Here are the key stages of the digital forensics life cycle:
1. Identification of evidence: It includes identifying evidence related to the digital crime in
storage media, hardware, operating system, network and/or applications. It is the most
important and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it
does not degrade or vanish with time.
Preserving the digital evidence is very important and crucial.
3. Analysis: It includes analysing the collected digital evidence of the committed computer
crime in order to trace the criminal and possible path used to breach into the system.
4. Documentation: It includes the proper documentation of the whole digital investigation,
digital evidence, loopholes of the attacked system etc. so that the case can be studied and
analysed in future also and can be presented in the court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in
the court in order to prove the digital crime committed and identify the criminal.

Chain of Custody Concept in Digital Forensics:


The chain of custody in digital forensics is the chronological documentation of the evidence; it
is also known as the paper trail or forensic link.
● The chain of custody records the collection, sequence of control, transfer and analysis of the
evidence.
● It also documents details of each person who handled the evidence, the date and time it was
collected or transferred, and the purpose of the transfer.
● It demonstrates to the courts and to the client that the evidence has not been tampered with.
Chain of Custody Process:
In order to preserve digital evidence, the chain of custody should span from the first step of
data collection to examination, analysis, reporting and the time of presentation to the Courts.
This is very important to avoid the possibility of any suggestion that the evidence has been
compromised in any way.

Network Forensics:
● Network forensics is a subcategory of digital forensics that deals with the examination of a
network and the traffic crossing it when that network is suspected of being involved in malicious
activity, for example a network that is spreading malware to steal credentials, or the traffic
produced by a cyber-attack that is being analysed.
● As the internet grew, cybercrime grew along with it, and so did the significance of network
forensics, with the development and acceptance of network-based services such as the
World Wide Web, e-mail, and others.
● With the help of network forensics, the data of a session can be retrieved, including messages,
file transfers, e-mails, and web browsing history, and reconstructed to expose the original
transaction.
● The application-layer payload of a packet may end up on disk (a downloaded file, a saved
message), but the envelopes used to deliver it, the IP and transport headers that say who sent it
to whom and when, exist only in the captured network traffic.
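Added example, not from the original notes: reconstructing a transaction from captured segments, as described above. The traffic is constructed inline with struct (IPv4 and TCP headers, no Ethernet framing, zeroed checksums) so the block runs offline; a real investigation would feed it the same bytes read from a pcap. The segments arrive out of order and one is retransmitted, which is the normal case a reassembler has to cope with, and a dropped segment is reported as a gap rather than silently bridged.

```python
import struct
from collections import defaultdict


def build_segment(src, dst, sport, dport, seq, payload, flags=0x18):
    """Constructed IPv4+TCP packet used only to generate sample traffic.

    No Ethernet header and zeroed checksums: enough for the parser below,
    not something a real stack would accept.
    """
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),
                     0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4,
                      flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Decode the IPv4 and TCP headers; return None for non-TCP traffic."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, seq, _ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "payload": tcp[(off >> 4) * 4:]}


def reassemble(packets):
    """Group segments per direction of each connection and stitch payloads
    in sequence order. Retransmissions are dropped (first copy wins),
    overlaps are trimmed, and a missing segment is counted as a gap."""
    flows = defaultdict(dict)
    for raw in packets:
        p = parse_packet(raw)
        if p is None or not p["payload"]:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flows[key].setdefault(p["seq"], p["payload"])
    streams = {}
    for key, segs in flows.items():
        data, gaps, expected = b"", 0, None
        for seq in sorted(segs):
            chunk = segs[seq]
            if expected is not None and seq > expected:
                gaps += 1
            elif expected is not None and seq < expected:
                chunk = chunk[expected - seq:]
            data += chunk
            end = seq + len(segs[seq])
            expected = end if expected is None else max(expected, end)
        streams[key] = {"data": data, "gaps": gaps}
    return streams


def http_request_lines(streams):
    """Pull the request line out of every stream that looks like HTTP."""
    out = []
    for key, s in streams.items():
        if s["data"].startswith((b"GET ", b"POST ", b"HEAD ")):
            out.append((key, s["data"].split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return out


REQUEST = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)


def sample_capture(drop_middle=False):
    """Constructed capture: the request split into three segments delivered
    out of order with one retransmission, followed by the server's reply."""
    parts = [(1000, REQUEST[:10]), (1010, REQUEST[10:25]), (1025, REQUEST[25:])]
    segs = [build_segment(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], s, p)
            for s, p in parts]
    capture = [segs[0], segs[2]] if drop_middle else [segs[1], segs[0], segs[2], segs[1]]
    capture.append(build_segment(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], 5000,
                                 b"HTTP/1.1 200 OK\r\n\r\n"))
    return capture
```

Sequence numbers here start small and never wrap; a production reassembler also has to handle 32-bit wrap-around, the SYN/FIN bookkeeping and both directions of the same connection, which tools like Wireshark's Follow TCP Stream do for you. The point of the gap counter is evidential: a stream with gaps was not fully captured, and a report must say so rather than present the stitched bytes as the complete transaction.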
Processes Involved in Network Forensics:
● Identification: Investigators identify and evaluate the incident based on the network
indicators.
● Safeguarding: Investigators preserve and secure the data so that tampering is prevented.
● Accumulation: A detailed report of the crime scene is documented and all the collected digital
evidence is duplicated.
● Observation: All the visible data is tracked along with its metadata.
● Investigation: A conclusion is drawn from the collected evidence.
● Documentation: All the evidence, reports and conclusions are documented and presented in
court.

Challenges in Network Forensics:


● The biggest challenge is to manage the volume of data generated during the process.
● The intrinsic anonymity of IP addresses: an address identifies a network interface, not a person.
● Address spoofing.

Advantages:
● Network forensics helps in identifying security threats and vulnerabilities.
● It analyses and monitors network performance demands.
● Network forensics helps in reducing downtime.
● Network resources can be used in a better way by reporting and better planning.

● It helps in a detailed network search for any trace of evidence left on the network.

Disadvantage:
● The main disadvantage of network forensics is that it is difficult to implement: traffic has to be
captured continuously and stored, and the volume is large.
Approaching a computer forensics investigation: The phases in a computer forensics
investigation are:
● Secure the subject system
● Take a copy of the hard drive/disk
● Identify and recover all files
● Access/view/copy hidden, protected, and temporary files
● Study special areas on the drive
● Investigate the settings and any data from programs on the system
● Consider the system from various perspectives
● Create a detailed report containing an assessment of the data and information collected
Things to be avoided during a forensics investigation:
● Changing the date/timestamps of files (mounting the original disk read-write is enough to do this)
● Overwriting unallocated space
Things that must be in place before a forensics investigation:
● Engagement contract
● Non-Disclosure Agreement (NDA)
Elements addressed before drawing up a forensics investigation engagement contract:
● Authorization
● Confidentiality
● Payment
● Consent and acknowledgement
● Limitation of liability
General steps in solving a computer forensics case are:
● Prepare for the forensic examination
● Talk to key people about the case and what you are looking for
● Start assembling tools to collect the data and identify the target media
● Collect the data from the target media
● Use a write-blocking tool while imaging the disk
● Check email records too while collecting evidence
● Examine the collected evidence on the image that was created, never on the original
● Analyse the evidence
● Report your findings to your client
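Added example, not from the original notes, tying together the chain of custody section and the imaging step above. A constructed file stands in for a drive sitting behind a hardware write blocker; the block images it, hashes source and image independently, and keeps a hash-linked custody log recording who handled the item, when, and why. Flipping one byte of the image afterwards shows how the recorded hash exposes tampering. The case and item identifiers and the examiner names are invented.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def hash_file(path):
    """SHA-256 of a file, streamed so a multi-terabyte image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`.

    The source is hashed as it is read and the finished image is re-read and
    hashed independently; the two digests must agree before the image is
    accepted. In practice `source` is the raw block device behind a hardware
    write blocker; here it is an ordinary file.
    """
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    src_digest, img_digest = h_src.hexdigest(), hash_file(image_path)
    if src_digest != img_digest:
        raise RuntimeError("image does not match source: %s != %s" % (src_digest, img_digest))
    return img_digest


class CustodyLog:
    """Append-only record of who handled an item, when, why and with what hash.

    Each entry commits to the hash of the previous entry, so an edited or
    removed entry breaks the chain and is caught by verify().
    """

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id, self.entries = case_id, item_id, []

    @staticmethod
    def _hash_entry(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, handler, action, digest, purpose, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {"case": self.case_id, "item": self.item_id, "handler": handler,
                 "action": action, "purpose": purpose, "sha256": digest,
                 "time": when.isoformat(),
                 "prev": self.entries[-1]["entry_hash"] if self.entries else "0" * 64}
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry links to its predecessor and still hashes to its recorded value."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._hash_entry(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def image_intact(self, path):
        """Re-hash the image and compare with the digest recorded at acquisition."""
        return bool(self.entries) and hash_file(path) == self.entries[0]["sha256"]


def demo():
    """Image a constructed 'device', log custody, then simulate tampering.
    Returns the observations so they can be checked rather than printed."""
    work = tempfile.mkdtemp()
    try:
        device, image = os.path.join(work, "sdb.raw"), os.path.join(work, "sdb.img")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 800)          # stand-in for the seized drive
        log = CustodyLog("CASE-2024-001", "ITEM-01")  # invented identifiers
        digest = acquire_image(device, image)
        log.record("examiner A", "acquired image", digest, "forensic acquisition")
        log.record("examiner B", "received image", hash_file(image), "analysis")
        intact_before = log.image_intact(image) and log.verify()
        with open(image, "r+b") as f:                 # simulated tampering: one byte changed
            f.seek(1234)
            f.write(b"\x00")
        return {"digest": digest, "intact_before": intact_before,
                "intact_after": log.image_intact(image), "log_ok": log.verify()}
    finally:
        shutil.rmtree(work)
```

The hash-linked log only proves that the log itself was not rewritten after the fact; it is not a substitute for the signed paper form, the sealed evidence bag and the examiner's notes, it complements them. Analysis is always done on a second copy of the verified image, so the acquisition hash can be re-checked at any point, including in court.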

The Security/Privacy Threats:


● Security and privacy threats in the digital landscape are diverse and evolving.
● Understanding these threats is crucial for individuals, organisations, and policymakers to
implement effective measures for protection.
Here are some key security and privacy threats:
1. Malware: Malicious software designed to harm or exploit computer systems.
● Threat Impact: Data theft, system damage, unauthorised access, and financial losses.
● Examples: Viruses, Trojans, ransomware, spyware.
2. Phishing: Deceptive attempts to obtain sensitive information, often through fraudulent
emails or websites.
● Threat Impact: Identity theft, unauthorised access to accounts, financial fraud.

● Examples: Email phishing, spear phishing, vishing (voice phishing).


3. Data Breaches: Unauthorised access to and exposure of sensitive data.
● Threat Impact: Compromised personal information, financial losses, reputational damage.
● Examples: Hacking incidents, insider threats, accidental data leaks.
4. Social Engineering: Manipulating individuals to divulge confidential information or
perform actions.
● Threat Impact: Unauthorised access, data breaches, identity theft.
● Examples: Impersonation, pretexting, baiting.
5. IoT Vulnerabilities: Security weaknesses in Internet of Things (IoT) devices.
● Threat Impact: Unauthorised access, device manipulation, data exposure.
● Examples: Insecure smart devices, lack of encryption in IoT communication.
6. Insider Threats: Threats originating from individuals within an organisation with access to
sensitive information.
● Threat Impact: Data breaches, intellectual property theft, sabotage.
● Examples: Malicious employees, negligent behaviour, unintentional mistakes.
7. Ransomware: Malware that encrypts data, demanding payment for its release.
● Threat Impact: Data loss, financial losses, operational disruptions.
● Examples: WannaCry.
8. Identity Theft: Unauthorised use of someone's personal information for fraudulent
purposes.
● Threat Impact: Financial fraud, damage to personal reputation.
● Examples: Stolen credentials, synthetic identity theft.
9. Artificial Intelligence (AI) Threats: Misuse of AI for malicious purposes or exploitation
of AI vulnerabilities.
● Threat Impact: Deepfake creation, AI-powered cyberattacks.
● Examples: AI-driven phishing, adversarial attacks on machine learning models.
10. Eavesdropping: Unauthorised interception of communications.
● Threat Impact: Privacy invasion, data leakage, industrial espionage.
● Examples: Wiretapping, packet sniffing.
11. Cloud Security Concerns: Risks associated with storing and accessing data in cloud
environments.
● Threat Impact: Data breaches, unauthorised access.
● Examples: Insecure APIs, misconfigured cloud settings.
12. Lack of Encryption: Failure to secure data with encryption, making it vulnerable to
unauthorised access.
● Threat Impact: Data exposure, privacy violations.
● Examples: Unencrypted communication channels, unsecured storage.
13. Data Mining and Profiling: Unauthorised collection and analysis of personal data for
profiling purposes.
● Threat Impact: Invasion of privacy, targeted advertising.
● Examples: Unethical data harvesting, profiling without consent.
14. Legislative and Regulatory Compliance: Failure to comply with data protection and
privacy regulations.
● Threat Impact: Legal consequences, fines, reputational damage.
● Examples: GDPR violations, non-compliance with local privacy laws.

Challenges in Digital Forensics


1. Data Encryption: Encryption can make it difficult to access the data on a device or network,
making it harder for forensic investigators to collect evidence. Well-implemented encryption
cannot usually be broken directly; investigators instead look for the key or passphrase elsewhere
(in memory, in a password manager or backup, or by compelling the key holder) and capture
volatile data before a device is powered off.
2. Data Destruction: Criminals may attempt to destroy digital evidence by wiping or
destroying devices. This can require specialised data recovery techniques.
3. Data Storage: The sheer amount of data that can be stored on modern digital devices can
make it difficult for forensic investigators to locate relevant information. This can require
specialised data carving techniques to extract relevant information.
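Added example, not from the original notes: a minimal file carver of the kind the data-storage challenge above refers to, which also illustrates how disk forensics recovers "deleted" files. It scans a raw image for JPEG and PNG signatures without consulting any file system, and validates PNG candidates by checking every chunk CRC so that false positives and partially overwritten files are rejected. The sample image, the stub JPEG and the 1x1 PNG are all generated in the block; no real disk is read.

```python
import hashlib
import struct
import zlib

# Header and footer signatures; the PNG footer is the fixed IEND chunk
# (tag followed by the CRC of "IEND").
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Cut header..footer runs out of a raw image without consulting any
    file system. This is what recovers a file whose directory entry was
    deleted or whose volume was quick-formatted, as long as its clusters
    have not been reused."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:                      # orphan header, no footer in range
                pos = image.find(head, pos + 1)
                continue
            blob = image[pos:end + len(tail)]
            found.append({"type": kind, "offset": pos, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
            pos = image.find(head, end + len(tail))
    return sorted(found, key=lambda f: f["offset"])


def png_is_consistent(blob):
    """Walk the chunk list and check every CRC; a candidate that fails is a
    false positive or a file partially overwritten after deletion."""
    if not blob.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(blob):
        length = struct.unpack("!I", blob[pos:pos + 4])[0]
        if pos + 12 + length > len(blob):
            return False
        tag, data = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        crc = struct.unpack("!I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + data) & 0xFFFFFFFF != crc:
            return False
        if tag == b"IEND":
            return True
        pos += 12 + length
    return False


def make_png(width=1, height=1, rgb=(255, 0, 0)):
    """Constructed, valid 8-bit RGB PNG used as sample content."""
    def chunk(tag, data):
        return (struct.pack("!I", len(data)) + tag + data
                + struct.pack("!I", zlib.crc32(tag + data) & 0xFFFFFFFF))
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def sample_image():
    """Constructed raw image: two files whose directory entries are gone, plus
    an orphan JPEG header with no footer, separated by unallocated zeros."""
    gap = b"\x00" * 512
    # Stub with a JFIF marker and the EOI footer; not a decodable picture.
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 60 + b"\xff\xd9"
    return gap + jpg + gap + make_png() + gap + b"\xff\xd8\xff" + b"\x22" * 40 + gap
```

Header-to-footer carving is the simplest technique and has known blind spots: a JPEG with an embedded thumbnail contains a second EOI marker, so the first footer found truncates the file, and fragmented files are not recovered at all. Production carvers (for example the approach taken by tools such as scalpel or PhotoRec) add format-aware parsing like the PNG chunk walk above, and the SHA-256 recorded for every carved object is what goes into the report so the object can be matched and re-verified later.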
