Unit 4
Understanding Computer Forensics
Cyber Forensics
• Cyber Forensics (also known as Computer Forensics or Digital Forensics) is the branch
of forensic science that deals with the identification, preservation, analysis, and
presentation of evidence found in digital devices and cyber environments in order to
investigate cybercrimes.
• It involves the use of scientific and systematic methods to recover, analyze, and interpret
data from computers, networks, and other digital storage media, often for use in legal
proceedings.
Computer Forensics versus Digital Forensics
Digital forensics
• Digital forensics is the science of identifying, collecting, analyzing, and presenting digital
evidence from electronic systems in a legally acceptable manner.
• It covers all digital devices, including computers, mobile phones, networks, cloud
storage, IoT devices, etc.
• It aims to uncover how digital systems were used in an incident (e.g. a cybercrime, a
cyber attack, or a data breach).
Computer forensics
• Computer forensics is a sub-branch of digital forensics that deals specifically with
computers and computer-related data (hard drives, desktops, laptops, removable
storage).
• It focuses on retrieving and analyzing data stored on or transmitted through computer
systems.
• Example: recovering deleted files, examining internet history, or analyzing operating
system logs.
Process of Digital forensics
Digital forensics entails the following steps:
Identification
Preservation
Analysis
Documentation
Presentation
1. Identification: the first step in the forensic process. It mainly involves determining
what evidence is present, where it is stored, and how it is stored (in which format).
Electronic storage media can be personal computers, mobile phones, PDAs, etc.
2. Preservation: in this phase the data is isolated, secured, and preserved. It includes
preventing people from using the digital device so that the digital evidence is not
tampered with.
3. Analysis: in this step investigators reconstruct fragments of data and draw conclusions
based on the evidence found. It may take numerous iterations of examination to support
or refute a specific theory of the crime.
4. Documentation: a record of all the visible data must be created. It helps in recreating
the crime scene and reviewing it, and involves proper documentation of the scene along
with photographing, sketching, and crime-scene mapping.
5. Presentation: the last step, in which the conclusions are summarized and explained.
The report should be written in layperson's terms using abstracted terminology, and
every abstracted term should reference the specific underlying details.
Need for computer forensics
Provides digital evidence of a specific or general activity
Key role in investigation of cybercrime
"Evidence" in the case of "cyber offenses"
Handling of the digital forensics evidence
Computer is either the subject or the object of cybercrimes or is used as a tool to commit
a cybercrime
1. Provides digital evidence of a specific or general activity:
Cyber forensics involves identifying and extracting digital evidence from computers,
mobile phones, networks, and other devices. This evidence helps trace user activities
such as emails sent, files accessed, or websites visited.
Example: Investigators recover deleted emails or chat logs from a suspect’s computer to
prove illegal communication in a fraud case.
2. Key role in investigation of cybercrime
Cyber forensics plays a central role in detecting, analyzing, and proving crimes that occur
in cyberspace, such as hacking, identity theft, and phishing.
Example: When a company’s database is hacked, cyber forensic experts analyze log files
to find out who accessed the system and how the breach occurred.
3. “Evidence” in the case of “cyber offenses”:
Digital evidence serves as legal proof in cases involving cybercrimes or cyber offenses.
This evidence must be collected and preserved properly to be admissible in court.
Example: IP address tracking and timestamped browser history are used as evidence to
link an individual to an illegal download or cyber attack.
4. Handling of the digital forensics evidence:
The process involves careful collection, documentation, and preservation of evidence to
ensure it remains unaltered and credible. Any mishandling can make evidence
inadmissible in court.
Example: Investigators use write blockers while copying data from a hard drive to
ensure the original data is not modified.
5. Computer is either the subject or the object of a cybercrime, or is used as a tool to
commit one
In cybercrime the computer can play three roles: it can be the target of the crime (e.g., a
hacked server), the tool used to commit it (e.g., a machine that spreads malware or sends
phishing mail), or the container of evidence (e.g., a disk holding stolen data).
Example:
• As the target: a hacker attacks a company's server.
• As the tool: a computer is used to send phishing emails.
• As the container of evidence: a laptop stores stolen credit card data.
Types of Cyber Forensics
1. Disk Forensics: extracting data from storage media by examining active, modified,
and deleted files, including carving files out of unallocated space by their signatures.
2. Network Forensics: a sub-branch of digital forensics concerned with monitoring and
analyzing computer network traffic to collect important information and legal evidence.
3. Wireless Forensics: a division of network forensics. Its main aim is to offer the tools
needed to collect and analyze data from wireless network traffic.
4. Database Forensics: a branch of digital forensics relating to the study and examination
of databases and their related metadata.
5. Malware Forensics: this branch deals with identifying malicious code (viruses, worms,
trojans, etc.) and studying its payload and behaviour.
6. Email Forensics: deals with the recovery and analysis of emails, including deleted
emails, calendars, and contacts.
7. Memory Forensics: collecting data from system memory (registers, cache, RAM) in raw
form and then carving the data (processes, connections, keys, strings) from the raw dump.
8. Mobile Phone Forensics: the examination and analysis of mobile devices. It helps to
retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio,
video, etc.
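The carving mentioned under Disk Forensics and Memory Forensics above, shown as an added example that is not part of these notes: a minimal signature-based carver. It scans a raw dump for known file headers, looks for the matching footer within a size limit, and reports the offset, length and SHA-256 of every object it recovers, so each carved file can be hashed the moment it is produced. The dump is constructed inside the script (a JPEG, a PNG and a truncated JPEG inside filler bytes); the signature table and the 10 MiB carve limit are my assumptions, not from the notes.

```python
"""Signature-based file carver over a raw disk or memory dump.

Added example (not from the lecture notes). The dump is constructed in-line
so the script runs offline; real use would read an image file in chunks.
"""
import hashlib

# Magic numbers of a few common formats: name -> (header, footer).
# Assumed table for the example; a real carver has hundreds of entries.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header whose footer is not within 10 MiB


def carve(dump: bytes, max_len: int = MAX_CARVE):
    """Return a list of {type, offset, length, sha256} records, sorted by offset.

    A header with no footer within max_len bytes (overwritten or truncated
    object) is still reported, with length and sha256 set to None, because the
    header alone tells the examiner that such a file once existed there."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = dump.find(header)
        while start != -1:
            end = dump.find(footer, start + len(header), start + max_len)
            if end == -1:
                found.append({"type": ftype, "offset": start,
                              "length": None, "sha256": None})
                next_search = start + len(header)
            else:
                end += len(footer)
                blob = dump[start:end]
                found.append({"type": ftype, "offset": start, "length": len(blob),
                              "sha256": hashlib.sha256(blob).hexdigest()})
                next_search = end
            start = dump.find(header, next_search)
    return sorted(found, key=lambda rec: rec["offset"])


def build_sample_dump() -> bytes:
    """Constructed dump: a JPEG, a PNG and a JPEG whose tail was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"          # 46 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"    # 76 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20                    # no footer
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + truncated


if __name__ == "__main__":
    for rec in carve(build_sample_dump()):
        print(rec)
```

The same loop runs unchanged over a memory dump: process images, DLLs and documents that were mapped into RAM carry the same headers, which is why memory carving recovers files that were never written to disk.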
The Digital Forensic Life Cycle
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence
To be processed and analyzed, evidence must first be identified.
Evidence that is not recognized as relevant may be overlooked and never identified at all.
A sequence of events in a computer might include interactions between:
Different files, Files and file systems, Processes and files, Log files
In case of a network, the interactions can be between devices in the organization
or across the globe (Internet).
If the evidence is never identified as relevant, it may never be collected and
processed.
2. Collecting and Recording Digital Evidence
Digital evidence can be collected from many sources.
The obvious sources can be:
Mobile phone,
Digital cameras,
Hard drives,
CDs,
USB memory devices
Non-obvious sources can be:
Digital thermometer settings
Black boxes inside automobiles
RFID tags
Proper care should be taken while handling digital evidence because it can be changed
easily. Once changed, its integrity can no longer be demonstrated and it may be rejected
in court.
A cryptographic hash (e.g. SHA-256) is calculated for the evidence file at acquisition and
recomputed later; any change to the file, even a single bit, changes the hash.
Sometimes important evidence resides only in volatile memory (RAM). Gathering
volatile data requires special technical skills, since the act of collection itself changes the
state of the running system.
3. Storing and Transporting Digital Evidence
Care should be taken that evidence does not go anywhere without properly being
traced. Things that can go wrong in storage include:
Decay over time (natural or unnatural)
Environmental changes (direct or indirect)
Fires
Floods
Loss of power to batteries and other media preserving mechanisms
Sometimes evidence must be transported from place to place either physically or
through a network.
Care should be taken that the evidence is not changed while in transit.
Analysis is generally done on a verified copy of the real evidence. If there is any dispute
over the copy, the original can be produced in court.
4. Examining/Investigating Digital Evidence
The forensic specialist should ensure that he/she has the proper legal authority to seize,
copy and examine the data.
As a general rule, one should not examine digital information unless one has the
legal authority to do so.
A forensic investigation performed on data at rest (e.g. an image of a powered-off hard
disk) is called dead analysis; examination of a running system, including its volatile
memory, is called live analysis.
5. Analysis, Interpretation and Attribution
In digital forensics only a few sequences of events are consistent with the evidence, but
the number of possible sequences is very large; analysis is the process of narrowing
them down.
The digital evidence must be analyzed to determine the type of information stored on it,
interpreted in the context of the case, and attributed to the person or process responsible
for it.
6. Reporting
After the analysis is done, a report is generated. The report may be in oral form or
in written form or both.
The report contains all the details about the evidence in analysis, interpretation,
and attribution steps.
As a result of the findings in this phase, it should be possible to confirm or discard
the allegations.
7. Testifying
This phase involves the presentation and cross-examination of expert witnesses. Expert
testimony is admissible (these are the criteria of US Federal Rule of Evidence 702) if:
The testimony is based on sufficient facts or data
The testimony is the product of reliable principles and methods
The witness has applied the principles and methods reliably to the facts of the case
Cyber forensics and Digital Evidence
1. Computer forensics
2. Network forensics
Computer forensics
• Computer forensics experts know the techniques to retrieve data from files listed in a
standard directory search, hidden files, deleted files, deleted e-mail, passwords, login
IDs, encrypted files, hidden partitions, etc.
• Typically, the evidence resides on computer systems in user-created files, user-protected
files and computer-created files, and on computer networks.
Network forensics
• Network forensics is the study of network traffic to search for truth in civil, criminal, and
administrative matters to protect users and resources from exploitation, invasion of
privacy and any other crime fostered by the continual expansion of network connectivity.
Digital Evidence
Digital evidence is any data stored or transmitted by digital devices, including emails, browsing
history, social media posts, text messages, and files on a computer.
The Rules of Evidence
According to the Indian Evidence Act, 1872, "evidence" means and includes:
(1) all statements which the court permits or requires to be made before it by witnesses,
in relation to matters of fact under inquiry; such statements are called oral evidence;
(2) all documents, including electronic records, produced for the inspection of the court;
such documents are called documentary evidence.
(The 1872 Act was replaced in 2024 by the Bharatiya Sakshya Adhiniyam, 2023, which
keeps the same two-part definition and treats electronic and digital records as documents.)
Forensics Analysis of E-Mail
It helps establish the authenticity of an e-mail when it is suspected of being forged.
E-mail is the most common means of communication and is therefore a frequent subject
of forensic analysis for digital evidence.
Email forensics is the process of analyzing emails and their contents to determine the
sender, recipient, date, time, and other relevant information. The goal of email forensics
is to provide digital evidence that can be used in civil or criminal court cases.
An E-Mail system is a combination of hardware and software that controls the flow of E-
Mail. Two most important components of an email system are:
E-Mail server
E-Mail gateway
E-Mail servers are computers that forward, collect, store, and deliver email to their
clients.
E-Mail gateways are the connections between email servers. Mail server software is
software which controls the flow of email. Mail client is the software which is used to
send and receive (read) emails. An email contains two parts:
1. Header
2. Body
Header
Email headers are very important from a forensic point of view. The full header of a
message records the entire path of the email's journey from source to destination: every
mail server that handles the message prepends a Received: line, so the topmost Received:
header was added last (closest to the recipient) and the bottom-most was added first
(closest to the sender).
The headers also include IP addresses, timestamps, message IDs and other useful
information. A header is a sequence of fields (key-value pairs).
Body
The body of the email contains the actual message.
Headers can be easily spoofed by spammers: the From: line and any Received: lines
inserted before the message reached a trustworthy server are under the sender's control,
whereas lines added by servers you trust are not. Protocol-level header analysis is
therefore important for establishing where a message really came from.
After obtaining the source IP address we identify the ISP that owns it (e.g. via WHOIS).
By contacting the ISP, normally under a legal request, we can obtain further information
such as: name, address, contact number, type of internet connection, type of IP address
(static or dynamic), and any other relevant subscriber information.
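The header walk described above, as an added example that is not part of these notes. The script parses the Received: chain of a constructed phishing message (hosts, domains and addresses are made up; 203.0.113.0/24 is a documentation range), lists the hops in transmission order, pulls out the originating IP that an ISP request would be based on, and reports two cheap spoofing indicators: a From: domain that differs from the Return-Path, and a first hop that is not a host of the claimed sender domain. The regexes and the indicator rules are my own; treat their output as leads, not proof.

```python
"""Reconstruct an e-mail's path from its Received: headers and flag cheap
spoofing indicators. Added example, not from the lecture notes."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing message. The first hop presents a bare IP but claims
# HELO bank.example.com; the bounce address belongs to a different domain.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.corp.example (mx2.corp.example [203.0.113.20])
\tby mail.corp.example with ESMTP id abc123; Mon, 3 Jun 2024 10:02:11 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [203.0.113.77])
\tby mx2.corp.example with ESMTPS id def456; Mon, 3 Jun 2024 10:02:09 +0000
Received: from [203.0.113.5] (helo=bank.example.com)
\tby relay.mailer.example.net with SMTP id 99; Mon, 3 Jun 2024 10:02:05 +0000
From: "Your Bank" <alerts@bank.example.com>
To: victim@corp.example
Subject: Urgent: verify your account
Message-ID: <1234@mailer.example.net>

Please click the link.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)


def trace_hops(raw: str):
    """Return the hops in transmission order (first hop first).

    Servers prepend Received: headers, so the header list is reversed to get
    the chronological path. Only the text before ' by ' is searched for the
    sending IP, so the receiving server's own address is not picked up."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())                 # unfold continuation lines
        sender_part = flat.split(" by ", 1)[0]
        src, by, helo = FROM_RE.search(flat), BY_RE.search(flat), HELO_RE.search(flat)
        ips = IP_RE.findall(sender_part)
        hops.append({
            "from": src.group(1) if src else None,
            "helo": helo.group(1) if helo else None,
            "ip": ips[0] if ips else None,
            "by": by.group(1) if by else None,
            "date": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
        })
    return hops


def originating_ip(raw: str):
    """The address seen by the first server in the chain: the lead for an ISP request."""
    hops = trace_hops(raw)
    return hops[0]["ip"] if hops else None


def spoof_indicators(raw: str):
    """Heuristics only: a mismatch is an investigative lead, not proof."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    hops = trace_hops(raw)
    findings = []
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From: domain {from_domain} differs from Return-Path domain {rp_domain}")
    if hops:
        first = hops[0]
        name = (first["from"] or "").strip("[]").lower()
        if not name.endswith(from_domain):
            findings.append(f"first hop {first['ip']} ({first['helo'] or first['from']}) "
                            f"is not a {from_domain} host")
    return findings


if __name__ == "__main__":
    for hop in trace_hops(RAW_MESSAGE):
        print(hop)
    print("originating IP:", originating_ip(RAW_MESSAGE))
    print("indicators:", spoof_indicators(RAW_MESSAGE))
```

Only the Received: lines added by servers you control or trust (here mx2.corp.example and mail.corp.example) are reliable; everything below them, including the bottom-most line and the HELO name, could have been written by the sender, so the originating IP is a starting point for the ISP request, not an identification.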
Chain of Custody
It is the central concept in a cyber forensics / digital forensics investigation.
A chain of custody is the process of documenting how evidence has been gathered,
tracked, and protected on its way to the court of law. Forensic professionals know that
without a chain of custody the evidence is worthless.
The chain of custody is a chronological written record of the individuals who have had
custody of the evidence, from its initial acquisition to its final disposition, noting the
date, time, purpose and condition of the evidence at each transfer.
A chain of custody begins when evidence is collected and is maintained until the
evidence is disposed of.
The chain of custody assumes continuous accountability: at every moment someone is
responsible for the evidence.
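The hash check from the collection step and the custody record above, combined in one added example that is not part of these notes. The script copies a source (a file here; in practice a block device such as /dev/sdb behind a hardware write blocker) to an image in fixed-size chunks, hashes the source bytes and the written image independently, and records the acquisition only when the two SHA-256 digests agree. Every later verification appends an entry to an append-only JSON-lines log, so the log is the chronological custody record. The sample evidence is random bytes generated by the script; the log format, field names and case identifiers are my assumptions.

```python
"""Bit-for-bit acquisition with independent hash verification and an
append-only chain-of-custody log. Added example, not from the lecture notes."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # 1 MiB reads keep memory flat for very large sources


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _log(log_path: str, case_id: str, examiner: str, action: str,
         item: str, digest: str, note: str = "") -> None:
    """Append one JSON line: who did what to which item, when (UTC), and the
    digest at that moment. The file is only ever appended to."""
    entry = {"case": case_id, "examiner": examiner, "action": action,
             "item": item, "sha256": digest,
             "time": datetime.now(timezone.utc).isoformat(), "note": note}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")


def acquire_image(source: str, image: str, log_path: str,
                  examiner: str, case_id: str) -> str:
    """Copy `source` to `image` and return the SHA-256 digest once verified.
    Opening read-only is no substitute for a write blocker: the OS may still
    touch the device (mount, journal replay) outside this process."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            img.write(chunk)
    digest = h_src.hexdigest()
    # Hash the image by re-reading it from disk rather than trusting the buffer
    # we wrote, so a storage fault during the copy is caught now, not in court.
    if _sha256_file(image) != digest:
        raise RuntimeError("acquisition failed: image digest differs from source")
    _log(log_path, case_id, examiner, "acquired", image, digest, note=f"source={source}")
    return digest


def verify_image(image: str, log_path: str, examiner: str, case_id: str) -> bool:
    """Re-hash `image` and compare with the digest recorded at acquisition."""
    expected = None
    with open(log_path) as f:
        for line in f:
            entry = json.loads(line)
            if entry["action"] == "acquired" and entry["item"] == image:
                expected = entry["sha256"]
    digest = _sha256_file(image)
    ok = expected is not None and digest == expected
    _log(log_path, case_id, examiner, "verified" if ok else "VERIFY_FAILED", image, digest)
    return ok


def demo():
    """Acquire a constructed evidence file, verify it, flip one byte, verify again.
    Returns (digest, verified_before_tamper, verified_after_tamper, log_entries)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))       # constructed, not a real drive
    digest = acquire_image(source, image, log_path, "examiner A", "CASE-001")
    before = verify_image(image, log_path, "examiner B", "CASE-001")
    with open(image, "r+b") as f:                   # simulate one flipped bit
        f.seek(CHUNK + 7)
        original = f.read(1)[0]
        f.seek(CHUNK + 7)
        f.write(bytes([original ^ 0x01]))
    after = verify_image(image, log_path, "examiner B", "CASE-001")
    with open(log_path) as f:
        entries = [json.loads(line) for line in f]
    return digest, before, after, entries


if __name__ == "__main__":
    d, b, a, entries = demo()
    print(d, b, a)
    for e in entries:
        print(e["time"], e["examiner"], e["action"])
```

In a real lab the log file itself is evidence: keep it on write-once media or sign each entry, because an attacker who can edit both the image and the log can make a tampered copy verify cleanly.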
Network Forensics
This discipline is included within computer forensics.
Its goal is to provide the methodology and tools required to collect and analyze network
traffic, including wireless traffic.
It involves capturing the data moving over a (wired or Wi-Fi) network and analyzing
network events.
The security analyst must follow the same general principles that apply to computer
forensics.
Approaching a Computer Forensics Investigation
The phases in a computer forensics investigation are:
1. Secure the subject system
2. Take a copy of hard drive/disk
3. Identify and recover all files
4. Access/view/copy hidden, protected, and temp files
5. Study special areas on the drive
6. Investigate the settings and any data from programs on the system
7. Consider the system from various perspectives
8. Create detailed report containing an assessment of the data and information collected
Setting up a computer forensics laboratory: understanding the
requirements
Lab Setup:
Setting Up a Digital Forensic Lab
Step 1: Get acquainted with the purpose of a digital forensic lab
Step 2: Determine the primary focus of your department
Step 3: Consider the physical limitations, the space, and the location you have available
Step 4: Assess your existing equipment
Step 5: Determine your software needs
Step 6: Cover your hardware needs
Step 7: Pick your digital forensic lab provider
Step 1:
Get acquainted with the purpose of a digital forensic lab
Prior to determining the right digital forensic lab set up for your needs, it’s essential to cover the
basics.
A digital forensic lab is designed to collect, preserve, analyze, and report digital evidence
in a secure and controlled environment.
Understanding its purpose is essential because it guides the tools, space, and expertise
you need.
The lab must support legal investigations, cybersecurity incidents, fraud cases, and
electronic discovery.
Its primary goal is to extract evidence without altering or damaging it. Knowing the
mission helps you build a lab that meets legal standards and organizational objectives.
Step 2:
Determine the primary focus of your department
Different forensic labs specialize in different areas, such as computer forensics, mobile
forensics, network forensics, or malware analysis.
Determining your department’s main focus ensures that your lab is equipped with the
right tools and skills for its intended tasks. For example, a lab focused on mobile devices
will require extraction tools like Cellebrite, while a cyber incident response team needs
network monitoring equipment.
The focus also influences staff training and workflow design. Clearly defining your
specialization ensures efficiency, cost-effectiveness, and proper resource allocation.
A well-rounded forensic lab should be able to handle various types of operating systems,
file systems, and databases, including:
Mobile OS: Android, iOS
Computer OS: Windows, Linux, macOS
File systems: NTFS, FAT32, exFAT, ext4, APFS
Databases: MySQL, SQL Server, SQLite
Step 3:
Consider the physical limitations, the space, and the location you have available
A digital forensic lab requires a secure and controlled physical environment to protect
evidence integrity.
You should evaluate how much space you have for workstations, storage, analysis areas,
and equipment.
The location should be protected with restricted access to prevent tampering or
unauthorized entry.
Environmental factors such as ventilation, cooling, lighting, and fire suppression systems
must also be considered.
Proper physical planning ensures smooth workflow, safety, and compliance with forensic
standards.
Step 4:
Assess your existing equipment
Before purchasing new tools, it is important to evaluate what equipment your department
already has.
This may include computers, write blockers, storage devices, imaging tools, or forensic
workstations.
Assessing existing equipment helps determine what is still usable and what needs
upgrading or replacement.
It prevents overspending and ensures compatibility between old and new systems.
Understanding your current assets also helps identify capability gaps that must be filled
to meet investigative needs.
Step 5:
Determine your software needs
Digital forensic investigations rely heavily on specialized software to collect and analyze
evidence.
You must identify what types of tools you need, such as disk imaging programs, mobile
extraction software, memory analysis tools, or network forensic applications.
The software should be reliable, court-admissible, and regularly updated. License costs,
training requirements, and compatibility also play an important role.
Choosing the right software ensures accurate and efficient investigation processes.
Step 6:
Cover your hardware needs
After determining the software requirements, you must ensure the hardware can support
it.
This includes powerful workstations, high-capacity storage drives, write blockers,
duplication systems, and mobile forensic hardware.
The hardware must be fast, secure, and capable of handling large amounts of data.
Specialized equipment like server racks, imaging stations, and UPS power backup
systems may also be necessary.
Having the right hardware ensures smooth operations and reliable evidence processing.
Step 7:
Pick your digital forensic lab provider
A digital forensic lab provider can supply ready-made solutions, specialized equipment,
furniture, and support services.
Choosing the right provider ensures that the lab is built using industry standards and best
practices.
You should evaluate the provider’s experience, product quality, support options, and
long-term reliability.
Good providers offer installation, configuration, training, and maintenance services.
Selecting the right partner helps you build a professional, secure, and efficient forensic
lab environment
Computer forensic and Steganography
Steganography is the art of covered or hidden writing.
Its purpose is covert communication: to hide the existence of a message from a third
party.
This differs from cryptography, the art of secret writing, which is intended to make a
message unreadable by a third party but does not hide the existence of the secret
communication.
Steganography hides the covert message but not the fact that two parties are
communicating with each other.
The steganography process generally involves placing a hidden message in some
transport medium, called the carrier (or cover).
The secret message is embedded in the carrier to form the stego-medium. A
steganography key may be employed to encrypt the hidden message and/or to randomize
where in the carrier the message bits are placed.
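The embedding step described above, as an added example that is not part of these notes: least-significant-bit (LSB) steganography, the simplest and most common scheme examiners meet. To stay dependency-free the carrier is a bytearray of 8-bit samples (think of the greyscale pixels of a bitmap) constructed by the script rather than a real image file; a 4-byte length prefix, my own convention, lets the extractor know where the message ends. No key is used, so the bits go in sequentially; a keyed variant would permute the sample positions.

```python
"""Least-significant-bit steganography over a raw sample buffer.
Added example, not from the lecture notes; carrier is constructed, not a real image."""
import random

HEADER = 4  # bytes of big-endian length prefix in front of the message


def embed(carrier: bytes, message: bytes) -> bytearray:
    """Return a copy of carrier with len(message) + message written into the LSBs.
    Each message bit replaces the lowest bit of one sample, so every sample
    changes by at most 1, which is invisible in image data."""
    payload = len(message).to_bytes(HEADER, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError(f"carrier holds {len(carrier) // 8} bytes, payload is {len(payload)}")
    out = bytearray(carrier)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # most significant message bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return out


def extract(stego: bytes) -> bytes:
    """Inverse of embed: read the length prefix, then that many bytes."""
    def read(n_bytes: int, start: int) -> bytes:
        result = bytearray()
        for k in range(n_bytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start + k * 8 + j] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read(HEADER, 0), "big")
    if (HEADER + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier: not a stego object, or corrupted")
    return read(length, HEADER * 8)


def changed_samples(carrier: bytes, stego: bytes) -> int:
    """Samples whose value differs; on average half the payload bits, never more,
    and zero beyond the embedded region."""
    return sum(1 for a, b in zip(carrier, stego) if a != b)


def make_carrier(n: int, seed: int = 7) -> bytes:
    """Constructed 'image': a smooth gradient plus small noise, not a real photo."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, (i // 16) % 256 + rng.randint(-2, 2))) for i in range(n))


def demo():
    carrier = make_carrier(4096)
    secret = b"meet at 0400, bring the drive"
    stego = embed(carrier, secret)
    return extract(stego), changed_samples(carrier, stego), len(secret)


if __name__ == "__main__":
    recovered, changed, n = demo()
    print(recovered, f"{changed} of {(HEADER + n) * 8} used samples changed")
```

From the examiner's side the same arithmetic is the weakness: with the original cover file the changed-sample count localizes the payload exactly, and without it the sequential layout means the message bits sit in the first samples of the file, where statistical LSB tests look first.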
Rootkits
A "rootkit" is a set of tools installed after an attacker has compromised a computer's
operating system that hides logins, processes, files, network connections, passwords,
etc., carefully removing any trace that the normal system commands would otherwise
display.
More generally, the term covers the mechanisms and techniques by which malware,
including viruses, spyware and trojans, hides its presence from spyware blockers,
antivirus software and system management utilities.
Forensics and Social Networking Sites: The Security/Privacy Threats
Sites: Orkut, Facebook, MySpace, Bebo, “Bigadda”, etc.
They enable people to reach out to old or long-lost friends, classmates, relatives, etc.
Social networking sites help connect like-minded people and people in the same
profession, and support the collaboration and discussion of ideas.
Social networking thus makes people part of a worldwide community, and so the sites
are becoming popular. The usage of social network sites has increased rapidly in recent
years.
Children and teenagers are known to make the heaviest use of social networking sites.
LinkedIn is a professional networking site.
Security threats emerging through careless use of social networking sites.
Security issues that are associated with social networking sites:
Corporate espionage.
Cross-site scripting.
Viruses and worms.
Social networking site aggregators.
Spear Phishing and social networking specific Phishing.
Infiltration of networks leading to data leakage.
Identity theft.
Forensics auditing
Forensic auditing is also known as forensic accounting.
Forensic auditing includes the steps needed to detect and deter fraud.
The forensic auditor makes use of the latest technology to examine financial documents
and investigate crimes such as fraud, identity theft, securities fraud, insider trading, etc.
Forensic auditors are responsible for detecting fraud, identifying the individuals
involved, collecting evidence, presenting the evidence, etc.
Government departments or agencies can use the techniques of forensic auditing to
assess compliance with the regulations governing payment of grants and subsidies.
Antiforensics
Antiforensics is any attempt to compromise the availability or usefulness of evidence to
the forensic process: the application of scientific methods to digital media to invalidate
factual information for judicial review. It is a combination of people, processes and
tools.
Four categories of antiforensics
Data destruction: destroying evidence (wiping files, free space or whole drives, clearing
logs) before anyone gets a chance to find it.
Data hiding: concealing data where an examiner is unlikely to look, e.g. in slack space,
alternate data streams, hidden partitions, or a steganographic carrier.
Data encryption: converting data into an unreadable format (ciphertext) using a key.
Without the correct decryption key the data remains inaccessible to investigators.
Data contraception: limiting the quantity and quality of forensic evidence by keeping
forensically important data off the disk altogether (e.g. running tools entirely in
memory).
Some well-known tools with “counter-forensics features”
Windows Washer
Windows and Internet Cleaner
CyberScrub Pro
Evidence Eliminator
Acronis Privacy Expert
SecureClean
The Metasploit Anti-Forensics Project arsenal includes the following tools:
Timestomp: modifies NTFS file timestamps (created, modified, accessed, MFT entry
modified) to defeat timeline analysis
Slacker: hides data in the slack space of NTFS files
Transmogrify: alters file headers to defeat signature-based file identification
Sam Juicer: dumps password hashes from the SAM without writing to disk