Unit 4 Understanding Computer Forensics

Computer forensics is a scientific method for investigating and analyzing digital devices to gather evidence for legal proceedings, encompassing various types such as disk, network, and email forensics. It involves a structured process of identification, preservation, analysis, documentation, and presentation of digital evidence, crucial for addressing cyber crimes and ensuring legal compliance. The field faces challenges such as data management and the need for technical expertise, but it plays a vital role in protecting sensitive information and supporting law enforcement.

Uploaded by Jai Bhati

Unit-4

Understanding Computer Forensics

Computer Forensics:
It is a scientific method of investigation and analysis in order to gather evidence from digital
devices or computer networks and components which is suitable for presentation in a court of
law or legal body. It involves performing a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a computer and who was
responsible for it.

Types of Computer Forensics:

1. Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the
device by searching active, modified, or deleted files.
2. Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and
analysing the computer network traffic.
3. Database Forensics: It deals with the study and examination of databases and their related
metadata.
4. Malware Forensics: It deals with the identification of suspicious code and studying viruses,
worms, etc.
5. Email Forensics: It deals with emails and their recovery and analysis, including deleted
emails, calendars, and contacts.
6. Memory Forensics: Deals with collecting data from system memory (system registers, cache,
RAM) in raw form and then analysing it for further investigation.
7. Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and
smartphones and helps to retrieve contacts, call logs, incoming, and outgoing SMS, etc., and
other data present in it.
Phases of the process (often listed as its characteristics):
1. Identification: Identifying what evidence is present, where it is stored, and how it is
stored (in which format). The devices involved can be personal computers, mobile phones,
PDAs, etc.
2. Preservation: Data is isolated, secured, and preserved. Unauthorised personnel are kept away
from the digital device so that the evidence is not tampered with, mistakenly or purposely, and a
bit-for-bit copy of the original evidence is made. The original and the copy are hashed so that
any later change can be detected, and all examination is performed on the copy.
3. Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on
the evidence.
4. Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigation are documented.
5. Presentation: The documented findings are presented in a court of law or to the legal body
that requested the investigation.
Application:
● Intellectual Property theft
● Industrial espionage
● Employment disputes
● Fraud investigations
● Misuse of the Internet and email in the workplace
● Forgeries related matters
● Bankruptcy investigations
● Issues concerned the regulatory compliance
Advantages of Computer Forensics:
● It produces evidence that can be presented in court and lead to the punishment of the culprit.
● It helps companies establish whether their computer systems or networks have been
compromised, and how.
● It can trace attackers across networks and jurisdictions by following the digital trail they leave.
● It helps to protect the organisation's money and valuable time.
● It allows factual evidence to be extracted, processed, and interpreted so that the
cybercriminal's actions can be proved in court.
Disadvantages of Computer Forensics:
● Before digital evidence is accepted by a court it must be shown that it has not been tampered with.
● Producing electronic records and keeping them safe is expensive.
● Legal practitioners must have extensive computer knowledge.
● The evidence produced must be authentic and convincing.
● If the tool used for digital forensics does not meet the specified standards, the evidence it
produced can be rejected by the court.
● A lack of technical knowledge on the part of the investigating officer may not give the desired result.
Digital Forensic Science:
● Digital Forensics is a branch of forensic science which includes the identification, collection,
analysis and reporting of any valuable digital information in the digital devices related to
computer crimes, as a part of the investigation.
● In simple words, Digital Forensics is the process of identifying, preserving, analysing and
presenting digital evidence.
● The first computer crimes were recognised in law by the Florida Computer Crimes Act of 1978;
after this, the field of digital forensics grew rapidly through the late 1980s and 1990s.
● It includes the area of analysis like storage media, hardware, operating system, network and
applications.
It consists of 5 steps at a high level:

1. Identification of evidence: It includes identifying evidence related to the digital crime
in storage media, hardware, operating system, network and/or applications. It is the most
important and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it
does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: It includes analysing the collected digital evidence of the committed computer
crime in order to trace the criminal and the possible path used to breach the system.
4. Documentation: It includes proper documentation of the whole digital investigation, the
digital evidence, the loopholes of the attacked system, etc., so that the case can be studied and
analysed in future and presented in court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in
court in order to prove that the digital crime was committed and to identify the criminal.
Branches of Digital Forensics:

● Media forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of audio, video and image evidence during the investigation process.
● Cyber forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidence during the investigation of a cyber crime.
● Mobile forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidence during the investigation of a crime committed
through a mobile device like mobile phones, GPS device, tablet, laptop.
● Software forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a crime
related to software only.

The Need for Computer Forensics:

1. Rising Cyber Crime Rates: With the increasing prevalence of cybercrimes, including
hacking, data breaches, and online fraud, there is a growing need for computer forensics to
investigate and respond to digital incidents.
2. Digital Evidence in Legal Proceedings: As digital evidence becomes integral to legal
proceedings, computer forensics plays a crucial role in collecting, analysing, and presenting this
evidence in a forensically sound and legally admissible manner.
3. Protection of Sensitive Information: Organizations and individuals need computer forensics
to safeguard sensitive information from unauthorised access, ensuring the confidentiality and
integrity of digital data.
4. Corporate Security: In the corporate world, computer forensics is essential for responding to
incidents such as data breaches, insider threats, and intellectual property theft, helping
organisations maintain a secure digital environment.
5. Incident Response and Mitigation: Computer forensics aids in incident response by
providing methodologies and tools to quickly identify and mitigate cybersecurity incidents,
minimising potential damage.
6. Legal Compliance: Compliance with legal standards and regulations requires organisations to
conduct thorough investigations using computer forensics when dealing with digital incidents or
potential data breaches.
7. Recovery of Lost or Deleted Data: Computer forensics helps in the recovery of lost or
deleted data, which can be critical in both criminal investigations and corporate settings.
8. Prevention and Deterrence: The knowledge that computer forensics can uncover and trace
digital activities serves as a deterrent, discouraging potential cybercriminals and contributing
to overall cyber security awareness.

9. Employee Misconduct Investigations: In cases of employee misconduct or policy violations,
computer forensics assists organisations in investigating and documenting digital evidence
related to such incidents.
10. Identification of Security Weaknesses: Computer forensics helps identify security
weaknesses and vulnerabilities in digital systems, enabling organisations to implement effective
security measures and protocols.
11. International Collaboration: With the global nature of cyber crimes, computer forensics
facilitates international collaboration among law enforcement agencies and cybersecurity
professionals to combat digital threats.
12. Criminal Investigations: In criminal investigations, computer forensics is indispensable for
examining electronic evidence, reconstructing digital timelines, and identifying individuals
involved in cybercrimes.
13. Support for Law Enforcement: Law enforcement agencies rely on computer forensics to
gather evidence in cybercrime cases, track digital footprints, and prosecute individuals engaged
in illegal online activities.
14. Keeping Pace with Technological Advancements: The ever-evolving landscape of technology
and cyber threats necessitates ongoing advancements in computer forensics tools and techniques
to stay ahead of sophisticated cybercriminal tactics.
Cyber Forensics:

Cyber forensics is the process of extracting data from electronic devices as evidence of a crime,
while following proper investigation rules, so that the culprit can be identified and the evidence
presented to the court. Cyber forensics is also known as computer forensics. Its main aim is to
maintain the thread of evidence and documentation needed to find out who committed the crime
digitally. Cyber forensics can do the following:
● It can recover deleted files, chat logs, emails, etc.
● It can also recover deleted SMS and call records.
● It can retrieve recorded audio of phone conversations, where such recordings exist on the device.
● It can determine which user used which system and for how long.
● It can identify which user ran which program.
What is Digital Evidence?
● The term "Digital Evidence" means information that is transmitted or stored in binary
form and can be found in hard disks, mobile phones, etc.
● It can be used in the prosecution of various crimes but is generally associated with e-crimes.
● Digital evidence is described as information and data kept on, received from, or transferred by
an electronic device that is useful to an investigation.
● This evidence can be obtained when electronic devices are taken into custody and secured for
inspection.
Properties of digital evidence:
1. Like fingerprints or DNA evidence, it is latent (hidden): it has to be extracted and interpreted with tools.
2. It crosses jurisdictional borders quickly and easily.
3. It can be easily changed, damaged, or destroyed.
4. It is potentially time-sensitive (logs rotate, and volatile memory is lost when power is removed).

Process involved in Digital Evidence Collection: The main processes involved in digital
evidence collection are given below:
● Data collection: In this process data is identified and collected for investigation.
● Examination: In the second step the collected data is examined carefully.
● Analysis: In this process, different tools and techniques are used and the collected evidence is
analysed to reach some conclusion.
● Reporting: In this final step all the documentation and reports are compiled so that they can be
submitted in court.

Forensic Analysis of E-Mail:

● Email forensics involves the systematic examination and analysis of email data to gather
evidence for investigative or legal purposes.
● It plays a crucial role in cybercrime investigations, corporate incidents, and legal proceedings.

1. Collection of Email Evidence:


● Metadata Extraction: Collect metadata, including sender and recipient details, timestamps,
and email server information.
● Email Headers: Examine email headers for routing information and details about the email's
journey.
● Attachments and Content: Extract and analyse email attachments and content for potential
evidence.
2. Preservation of Email Evidence:
● Original Email Preservation: Preserve original email content, headers, and metadata to
maintain authenticity.
● Chain of Custody: Document and maintain a secure chain of custody to track the handling of
email evidence.
3. Email Analysis Techniques:
● Keyword Search: Conduct keyword searches to identify relevant information within email
content.
● Link Analysis: Analyse relationships between email senders, recipients, and other entities to
uncover patterns or connections.
● Timeline Reconstruction: Reconstruct timelines of email exchanges to understand the
sequence of events.
● Content Analysis: Analyse the content of emails for contextual clues, threats, or indications of
malicious activity.
4. Authentication and Verification:
● Email Source Verification: Verify the authenticity of emails by examining the source, the SPF
result (was the sending IP authorised for the envelope-sender domain?) and the DKIM signature
(does the signed content still verify against the signing domain's published key?). The receiving
server normally records these verdicts in an Authentication-Results header.
● Sender Authentication: Validate the identity of the sender through forensic analysis so that
spoofed emails are detected; in particular, check that the header From, the envelope sender
(Return-Path) and the DKIM signing domain agree with one another.
5. Investigation of Email Attachments:
● Malware Analysis: Conduct analysis on email attachments to identify and characterise
potential malware.
● File Metadata Examination: Examine metadata of attached files for additional insights into
their origin and history.
6. Email Header Examination:
● IP Address Analysis: Analyse IP addresses in email headers to trace the geographic location
or identify potential malicious activities. Only the Received headers added by servers under the
investigator's control can be trusted; anything below them in the chain was supplied by the
sending side and may be forged, so start from the IP that connected to the first trusted relay.
● Email Routing Analysis: Examine email routing paths to understand the journey of the email
through different servers. Each relay prepends its own Received header, so the chain is read
from the bottom up.
7. Recovering Deleted Emails: Employ forensic techniques to recover deleted emails, including
examining email server logs and backup systems.
8. Legal Admissibility: Ensure that the methods used in email forensics adhere to legal
standards, making the evidence admissible in court.
9. Reporting: Generate comprehensive reports documenting the findings of the email forensics
analysis, including key evidence, methodologies used, and conclusions drawn.
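The header checks described above can be automated. The following script is an added example written for these notes, not code from the original page or from any mail tool; the message it parses is constructed for the illustration and every hostname, address, IP and message ID in it is made up, and the domain passed as `trusted_domain` is an assumption about which relays the investigator controls. It walks the Received chain from the bottom up, extracts the SPF/DKIM verdicts from Authentication-Results, reports the IP that handed the message to the first relay in the trusted domain, and flags the header-From/Return-Path mismatch that is typical of a spoofed invoice.

```python
import email
import re
from email.utils import parseaddr

# Constructed message for this example: every hostname, address, IP and ID
# is made up. It models a spoofed "overdue invoice" that failed SPF and
# carries no DKIM signature.
SAMPLE = b"""Return-Path: <billing@pay-invoice-example.test>
Received: from mx1.victim.example (mx1.victim.example [198.51.100.10])
\tby mail.victim.example with ESMTP id abc123; Mon, 6 May 2024 09:15:03 +0000
Received: from bulk.sender.example (bulk.sender.example [203.0.113.5])
\tby mx1.victim.example with ESMTPS id def456; Mon, 6 May 2024 09:15:02 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
\tby bulk.sender.example with ESMTPA id ghi789; Mon, 6 May 2024 09:14:59 +0000
Authentication-Results: mx1.victim.example;
\tspf=fail smtp.mailfrom=pay-invoice-example.test;
\tdkim=none header.d=none
From: "Accounts Payable" <ap@victim.example>
To: cfo@victim.example
Subject: Overdue invoice
Message-ID: <x1@pay-invoice-example.test>

Please pay the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (\S+) \(([^)]*)\) by (\S+)")   # "from A (B) by C ..." clauses
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """Received hops oldest-first as (from_host, from_ip, by_host).

    Every relay prepends its own Received header, so the bottom-most header is
    the earliest hop; reversing the list gives the chronological path.
    Headers that don't follow the "from ... (...) by ..." shape are skipped.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(raw.split())              # unfold and collapse whitespace
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops


def authentication_results(msg):
    """spf=/dkim=/dmarc= verdicts recorded by the receiving server."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(" ".join(raw.split())):
            results[method] = verdict
    return results


def connecting_ip(hops, trusted_domain):
    """IP that handed the message to the first relay we control.

    Only Received headers written by our own servers can be trusted; everything
    below them in the chain was supplied by the sending side and may be forged.
    """
    for _from_host, from_ip, by_host in hops:
        if _in_domain(by_host, trusted_domain):
            return from_ip
    return None


def analyse_message(raw_bytes, trusted_domain):
    msg = email.message_from_bytes(raw_bytes)
    hops = received_hops(msg)
    auth = authentication_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []
    if from_domain != rp_domain:
        findings.append("header From domain differs from the envelope (Return-Path) domain")
    if auth.get("spf") not in (None, "pass"):
        findings.append("SPF verdict is " + auth["spf"])
    if auth.get("dkim") != "pass":
        findings.append("no passing DKIM signature")
    return {"hops": hops, "auth": auth, "connecting_ip": connecting_ip(hops, trusted_domain),
            "from_domain": from_domain, "return_path_domain": rp_domain, "findings": findings}


if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE, "victim.example").items():
        print(f"{key}: {value}")
```

For the constructed message the connecting IP is 203.0.113.5 (the host that spoke to mx1.victim.example), not the 192.168.1.50 that appears in the oldest header, because that bottom header was written by a server outside the trusted domain and could say anything.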
Digital Forensics Life Cycle:

● The digital forensics life cycle consists of a series of systematic steps and processes aimed at
identifying, collecting, analysing, and preserving digital evidence in a forensically sound
manner.
● This life cycle is followed in the investigation of cybercrimes, incidents, or any digital-related
legal matters. The key stages of the digital forensics life cycle are:

1. Identification of evidence: It includes identifying evidence related to the digital crime in
storage media, hardware, operating system, network and/or applications. It is the most important
and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it
does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: It includes analysing the collected digital evidence of the committed computer
crime in order to trace the criminal and the possible path used to breach the system.
4. Documentation: It includes proper documentation of the whole digital investigation, the
digital evidence, the loopholes of the attacked system, etc., so that the case can be studied and
analysed in future and presented in court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in
court in order to prove that the digital crime was committed and to identify the criminal.

Chain of Custody Concept in Digital Forensics:

The chain of custody in digital forensics, also known as the paper trail or forensic link, is the
chronological documentation of the evidence.
● The chain of custody records the collection, sequence of control, transfer and analysis of the
evidence.
● It also documents the details of each person who handled the evidence, the date and time it was
collected or transferred, and the purpose of the transfer.
● It demonstrates to the courts and to the client that the evidence has not been tampered with.
Chain of Custody Process:
In order to preserve digital evidence, the chain of custody should span from the first step of data
collection to examination, analysis, reporting, and the time of presentation to the Courts. This is
very important to avoid the possibility of any suggestion that the evidence has been
compromised in any way.

● Data Collection: This is where the chain of custody process is initiated. It involves
identification, labelling, recording, and the acquisition of data from all the possible relevant
sources that preserve the integrity of the data and evidence collected.
● Examination: During this process, the chain of custody information is documented outlining
the forensic process undertaken. It is important to capture screenshots throughout the process to
show the tasks that are completed and the evidence uncovered.

● Analysis: This stage is the result of the examination stage. In the Analysis stage, legally
justifiable methods and techniques are used to derive useful information to address questions
posed in the particular case.
● Reporting: This is the documentation phase of the Examination and Analysis stage. Reporting
includes the following:
a. Statement regarding Chain of Custody.
b. Explanation of the various tools used.
c. A description of the analysis of various data sources.
d. Issues identified.
e. Vulnerabilities identified.
f. Recommendation for additional forensics measures that can be taken.
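The preservation step earlier in these notes (make a copy of the original and keep it from being altered) and the chain-of-custody process above come together in a small amount of code. The script below is an added example for these notes, not code from the page or from any forensic suite: the "image" is a constructed byte string standing in for a real .dd file, the case number and handler names are invented, and chaining each custody entry to the hash of the previous one is one reasonable design rather than a legal requirement. It hashes the acquired image in chunks, records every handling step, and makes both the log and the evidence tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image; a real one would be a
# multi-gigabyte .dd/.E01 file read from disk in chunks.
CONSTRUCTED_IMAGE = bytes(range(256)) * 16


def sha256_of(data, chunk_size=1 << 20):
    """Hash evidence in fixed-size chunks so large images need not fit in RAM."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def _entry_hash(entry):
    """Canonical hash of one custody entry (keys sorted so the bytes are stable)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one exhibit.

    Each entry stores the SHA-256 of the evidence at that moment and the hash
    of the previous entry, so editing or removing an earlier entry breaks
    every entry that follows it.
    """

    GENESIS = "0" * 64

    def __init__(self, case_id, evidence_id):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, handler, evidence_bytes, purpose, when=None):
        entry = {
            "case_id": self.case_id,
            "evidence_id": self.evidence_id,
            "seq": len(self.entries) + 1,
            "action": action,            # acquired / transferred / examined / returned
            "handler": handler,
            "timestamp": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "purpose": purpose,
            "evidence_sha256": sha256_of(evidence_bytes),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence_now):
        """Return (ok, problems) for the log plus the evidence as presented today."""
        problems = []
        prev = self.GENESIS
        acquisition_hash = None
        for e in self.entries:
            if e["entry_hash"] != _entry_hash(e):
                problems.append(f"entry {e['seq']} was altered after it was written")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']} does not link to the previous entry")
            prev = e["entry_hash"]
            acquisition_hash = acquisition_hash or e["evidence_sha256"]
            if e["evidence_sha256"] != acquisition_hash:
                problems.append(f"evidence hash changed at entry {e['seq']}")
        if acquisition_hash and sha256_of(evidence_now) != acquisition_hash:
            problems.append("evidence presented does not match the acquisition hash")
        return not problems, problems


if __name__ == "__main__":
    log = CustodyLog("CASE-2024-017", "HDD-01")   # invented identifiers
    log.record("acquired through write blocker", "A. Examiner", CONSTRUCTED_IMAGE,
               "create forensic image")
    log.record("transferred to lab safe", "B. Custodian", CONSTRUCTED_IMAGE,
               "storage pending analysis")
    print(log.verify(CONSTRUCTED_IMAGE))
    print(log.verify(CONSTRUCTED_IMAGE[:-1] + b"\x00"))
```

In practice the acquisition hash is computed on the original media through the write blocker and again on the copy; the two must agree before the original is sealed, and the same value is what the court is shown when the image is presented.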
Network Forensics:

● Network forensics is a subcategory of digital forensics that deals with the examination of a
network and the traffic crossing it when that network is suspected of being involved in
malicious activity, for example a network that is spreading credential-stealing malware, or
traffic that is examined in order to understand a cyber-attack.
● As the internet grew, cybercrime grew along with it, and so did the significance of network
forensics, driven by the development and acceptance of network-based services such as the
World Wide Web, e-mail, and others.
● With the help of network forensics, captured data including messages, file transfers, e-mails,
and web browsing history can be retrieved and reconstructed to expose the original
transaction.
● The payload carried in the uppermost layer may well end up on a disk, but the "envelopes" used
to deliver it (packet headers, addresses, ports and timing) are captured only in the network
traffic.
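Reconstructing a transaction from captured packets means reassembling the TCP byte stream before the application data can be read. The following is an added example for these notes, not code from the original page or from any capture tool: the HTTP request, its split into segments and the credential in it are all constructed for the illustration. The segments are delivered out of order with one retransmitted, and the reassembler reports gaps and conflicting overlaps instead of silently guessing, because overlapping segments carrying different bytes are a classic way of evading network monitors (different operating systems keep the old or the new copy).

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF          # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def split_into_segments(data, isn, sizes):
    """Cut a byte string into segments as the sending stack would (constructed input)."""
    segments, offset = [], 0
    for size in sizes:
        segments.append(Segment((isn + offset) & SEQ_MASK, data[offset:offset + size]))
        offset += size
    return segments


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from captured segments.

    Returns (stream, gaps, conflicts): gaps are (start, end) offsets never seen,
    left as zero bytes; conflicts list offsets where two overlapping segments
    carried different data. The first copy of a byte is kept, and disagreements
    are reported rather than resolved, since a monitor that resolves them
    differently from the receiving host can be made to see a different stream.
    """
    seen, conflicts = {}, []
    for seg in sorted(segments, key=lambda s: (s.seq - isn) & SEQ_MASK):
        base = (seg.seq - isn) & SEQ_MASK          # relative offset, wrap-safe
        for i, byte in enumerate(seg.payload):
            offset = base + i
            if offset not in seen:
                seen[offset] = byte
            elif seen[offset] != byte:
                conflicts.append((offset, seen[offset], byte))
    if not seen:
        return b"", [], conflicts
    length = max(seen) + 1
    stream, gaps, i = bytearray(length), [], 0
    while i < length:
        if i in seen:
            stream[i] = seen[i]
            i += 1
        else:
            start = i
            while i < length and i not in seen:
                i += 1
            gaps.append((start, i))
    return bytes(stream), gaps, conflicts


def http_request_summary(stream):
    """Pull request line, headers and body out of a reassembled client stream."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return lines[0].decode("ascii", "replace"), headers, body


# Constructed capture: a credential-bearing POST split into three segments,
# delivered out of order with the first one retransmitted.
ISN = 0xFFFFFFF0                       # near the top of the space so the sequence wraps
REQUEST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 27\r\n\r\nuser=alice&pass=Winter2024!")
SEGMENTS = split_into_segments(REQUEST, ISN, [50, 50, len(REQUEST) - 100])
CAPTURE = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1], SEGMENTS[0]]

if __name__ == "__main__":
    stream, gaps, conflicts = reassemble(CAPTURE, ISN)
    print(http_request_summary(stream), gaps, conflicts)
```

A full capture also has to pair this stream with the server's reply and handle the TCP handshake, but the core of "reconstructing the original transaction" is exactly this ordering, de-duplication and gap accounting, done per direction of each connection.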

Processes Involved in Network Forensics:

● Identification: In this process, investigators identify and evaluate the incident based on
network indicators.
● Safeguarding: In this process, the investigators preserve and secure the data so that
tampering is prevented.
● Accumulation: In this step, a detailed report of the crime scene is documented and all the
collected pieces of digital evidence are duplicated.
● Observation: In this process, all the visible data is tracked along with its metadata.
● Investigation: In this process, a final conclusion is drawn from the collected pieces of
evidence.
● Documentation: In this process, all the evidence, reports and conclusions are documented
and presented in court.
Challenges in Network Forensics:

● The biggest challenge is managing the volume of data generated: full packet capture on a busy
link fills storage quickly.
● The intrinsic anonymity of IP addresses: an address identifies a network interface at a point in
time, not a person.
● Address spoofing: source addresses in packets can be forged, so they cannot be trusted on their
own.

Advantages:
● Network forensics helps in identifying security threats and vulnerabilities.
● It analyses and monitors the demands placed on network performance.
● Network forensics helps in reducing downtime.
● Network resources can be used in a better way through reporting and better planning.
● It supports a detailed search of the network for any trace of evidence left on it.
Disadvantage:
● The main disadvantage of network forensics is that it is difficult to implement: full packet
capture needs large storage, captures must be running at the right points in the network before
the evidence is gone, and encrypted traffic limits what can be seen beyond addresses, ports and
timing.
Approaching a computer forensics investigation:

The phases in a computer forensics investigation are:

● Secure the subject system
● Take a copy of hard drive/disk
● Identify and recover all files
● Access/view/copy hidden, protected, and temp files
● Study special areas on the drive
● Investigate the settings and any data from programs on the system
● Consider the system from various perspectives
● Create detailed report containing an assessment of the data and information collected

Things to be avoided during a forensics investigation:

● Changing date/timestamps of the files (work on a write-blocked image, never on the original).
● Overwriting unallocated space (it may still hold deleted files).

Things that must be in place before a forensics investigation:

● Engagement contract
● Non-Disclosure Agreement (NDA)
Elements addressed before drawing up a forensics investigation engagement contract:

● Authorization
● Confidentiality
● Payment
● Consent and acknowledgement
● Limitation of liability

General steps in solving a computer forensics case are:

● Prepare for the forensic examination
● Talk to key people about the case and what you are looking for
● Start assembling tools to collect the data and identify the target media
● Collect the data from the target media
● Use a write blocking tool while performing imaging of the disk
● Check emails records too while collecting evidence
● Examine the collected evidence on the image that is created
● Analyse the evidence
● Report your finding to your client

The Security/Privacy Threats:

● Security and privacy threats in the digital landscape are diverse and evolving.
● Understanding these threats is crucial for individuals, organisations, and policymakers to
implement effective measures for protection.

Here are some key security and privacy threats:

1. Malware: Malicious software designed to harm or exploit computer systems.
● Threat Impact: Data theft, system damage, unauthorised access,
and financial losses.
● Examples: Viruses, Trojans, ransomware, spyware.
2. Phishing: Deceptive attempts to obtain sensitive information, often through fraudulent emails
or websites.
● Threat Impact: Identity theft, unauthorised access to accounts, financial fraud.
● Examples: Email phishing, spear phishing, vishing (voice phishing).
3. Data Breaches: Unauthorised access to and exposure of sensitive data.
● Threat Impact: Compromised personal information, financial losses, reputational damage.
● Examples: Hacking incidents, insider threats, accidental data leaks.
4. Social Engineering: Manipulating individuals to divulge confidential information or perform
actions.
● Threat Impact: Unauthorised access, data breaches, identity theft.
● Examples: Impersonation, pretexting, baiting.
5. IoT Vulnerabilities: Security weaknesses in Internet of Things (IoT) devices.
● Threat Impact: Unauthorised access, device manipulation, data exposure.
● Examples: Insecure smart devices, lack of encryption in IoT communication.
6. Insider Threats: Threats originating from individuals within an organisation with access to
sensitive information.
● Threat Impact: Data breaches, intellectual property theft, sabotage.
● Examples: Malicious employees, negligent behaviour, unintentional mistakes.
7. Ransomware: Malware that encrypts data, demanding payment for its release.
● Threat Impact: Data loss, financial losses, operational disruptions.
● Examples: WannaCry, NotPetya, Ryuk.
8. Identity Theft: Unauthorised use of someone's personal information for fraudulent purposes.
● Threat Impact: Financial fraud, damage to personal reputation.
● Examples: Stolen credentials, synthetic identity theft.
9. Artificial Intelligence (AI) Threats: Misuse of AI for malicious purposes or exploitation of
AI vulnerabilities.
● Threat Impact: Deepfake creation, AI-powered cyberattacks.
● Examples: AI-driven phishing, adversarial attacks on machine learning models.
10. Eavesdropping: Unauthorised interception of communications.
● Threat Impact: Privacy invasion, data leakage, industrial espionage.
● Examples: Wiretapping, packet sniffing.
11. Cloud Security Concerns: Risks associated with storing and accessing data in cloud
environments.
● Threat Impact: Data breaches, unauthorised access.
● Examples: Insecure APIs, misconfigured cloud settings.
12. Lack of Encryption: Failure to secure data with encryption, making it vulnerable to
unauthorised access.
● Threat Impact: Data exposure, privacy violations.
● Examples: Unencrypted communication channels, unsecured storage.
13. Data Mining and Profiling: Unauthorised collection and analysis of personal data for
profiling purposes.
● Threat Impact: Invasion of privacy, targeted advertising.
● Examples: Unethical data harvesting, profiling without consent.
14. Legislative and Regulatory Compliance: Failure to comply with data protection and
privacy regulations.
● Threat Impact: Legal consequences, fines, reputational damage.
● Examples: GDPR violations, non-compliance with local privacy laws.

Challenges in Digital Forensics


1. Data Encryption: Encryption can make it difficult to access the data on a device or network,
making it harder for forensic investigators to collect evidence. In practice the cipher itself is
rarely broken; investigators instead try to recover keys from live memory, obtain passwords or
recovery keys from the owner or through legal process, or acquire the data while the device is
still unlocked.
2. Data Destruction: Criminals may attempt to destroy digital evidence by wiping or destroying
devices. This can require specialised data recovery techniques.
3. Data Storage: The sheer amount of data that can be stored on modern digital devices can
make it difficult for forensic investigators to locate relevant information. This can require
specialised data carving techniques, which recover files from unallocated space by their content
signatures rather than through the file system.
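Signature-based file carving, the technique the last point refers to, as an added example for these notes (not the page's own code and not taken from any carving tool): the "disk image" is a constructed byte string containing a real 1x1 PNG built in the script, a JPEG-like blob with valid start and end markers but no decodable picture, a PNG whose final bytes were overwritten, and a JPEG whose tail is gone entirely. No file system is consulted; files are located purely by their headers and footers, and each complete PNG hit is then validated by its chunk CRCs because a signature match alone can splice unrelated sectors together.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# file type -> (header, footer, bytes after the footer that still belong to the file)
SIGNATURES = {
    "png": (PNG_MAGIC, b"IEND", 4),              # IEND chunk type is followed by its CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),    # SOI marker ... EOI marker
}


def make_png_1x1():
    """Build a genuine 1x1 red PNG so the carver has a real, verifiable file to find."""
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte 0 + one red pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def carve(image, max_size=8 * 1024 * 1024):
    """Header/footer carving over raw bytes, ignoring any file system.

    Hits are returned sorted by offset. A header with no footer within
    max_size is reported as incomplete rather than dropped: the fragment may
    still be evidence even though the file's tail has been overwritten.
    """
    hits = []
    for kind, (header, footer, trail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                hits.append({"type": kind, "offset": start, "complete": False, "data": None})
                pos = start + len(header)
                continue
            end += len(footer) + trail
            hits.append({"type": kind, "offset": start, "complete": True, "data": image[start:end]})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def png_is_valid(data):
    """Walk the chunk list and check every CRC.

    A signature match alone can splice unrelated sectors together, so each
    carved hit is validated before anyone relies on it.
    """
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False                               # truncated chunk
        body = data[pos + 4:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return False                               # corrupted or mis-spliced
        if body[:4] == b"IEND":
            return True
        pos += 12 + length
    return False


# Constructed "disk image": sector padding around a valid PNG, a JPEG-like blob
# (correct markers, not a decodable picture), a PNG whose last bytes were
# overwritten, and a JPEG whose tail is gone entirely.
PNG = make_png_1x1()
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(0x20, 0x60)) + b"\xff\xd9"
CORRUPT_PNG = PNG[:-3]
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x11" * 24
DISK_IMAGE = (b"\x00" * 512 + PNG + b"\x00" * 300 + JPEG + b"\x5a" * 200
              + CORRUPT_PNG + b"\x00" * 128 + TRUNCATED_JPEG + b"\x00" * 256)

if __name__ == "__main__":
    for hit in carve(DISK_IMAGE):
        ok = png_is_valid(hit["data"]) if hit["type"] == "png" and hit["complete"] else None
        print(hit["type"], hit["offset"], "complete" if hit["complete"] else "incomplete",
              "valid" if ok else "")
```

The corrupted PNG is still "found" by the carver (its IEND text is intact, so the footer matches) but fails CRC validation, which is the point: carving recovers candidates, and a second, format-aware pass decides which of them are usable evidence.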
