
Digital Forensics Overview and Applications

Digital forensics involves the acquisition and analysis of digital evidence from devices in criminal cases, focusing on lawful data collection and preservation techniques. It encompasses computer forensics, which is essential for investigating cyber crimes, including computer-based and facilitated crimes, and involves a structured process of acquiring, analyzing, evaluating, and presenting evidence. The document outlines the objectives, roles, benefits, and steps for effective forensic planning in both legal and corporate contexts.

Uploaded by atplparth

DIGITAL FORENSICS (20CP411T)

Introduction to Digital Forensics

1. What is Digital Forensics?


Digital forensics is the art of acquiring evidence and details from all types of digital devices that are evaluated in any criminal case or proceeding.
2. What is Computer Forensics?
Computer forensics is the practice of collecting, analyzing, and reporting on digital data in a lawful manner. It can be used to detect and prevent crime, as well as in any issue where evidence is stored digitally. It is the application of specific procedures when a case entails challenges including electronic data recovery, authentication, and analysis; computer usage reconstruction; assessment of residual data; data authentication; and technical analysis or explanation of data and of the technical features of computer usage.
Computer forensics necessitates specific knowledge that extends beyond the standard data collection and preservation strategies that end-users and system support employees can access. Computer forensics is a type of forensic science that involves the application of the law.
Computer forensics is concerned with the preservation, identification, and extraction of data, as well as proof, from computers. Like many other forensic studies, computer forensics involves the use of advanced technological instruments and procedures that must be followed to ensure the accuracy of evidence preservation and of the results of electronic evidence processing. It involves the application of specialist recovery techniques, and the authentication and analysis of information collected by computers, typically data that has been erased or obliterated.
3. What is Cyber Crime?
[Link] and Dr. K. Jaishankar define cybercrimes as "offenses committed against individuals or groups of individuals with a criminal motive to intentionally harm the victim's reputation or cause physical or mental harm, or loss, to the victim directly or indirectly, through the use of modern telecommunication networks such as the Internet (chat rooms, emails, notice boards, and groups) and mobile phones (SMS/MMS)". Such acts can jeopardize a country's security and financial health. These types of crimes have gained prominence, particularly those involving hacking, copyright infringement, pornography involving children, and child grooming. There are additional privacy concerns when confidential material is intercepted or shared, whether lawfully or illegally.
Internationally, both state and non-state entities are involved in cybercrime, which includes espionage, financial theft, and other cross-border crimes. Cyberwarfare refers to activity that crosses international borders and involves the interests of at least one nation state.

POOJA SHAH AASHKA RAVAL

Digital forensics is traditionally associated with criminal investigations and, as you would expect, most types of investigation centre on some form of computer crime. This sort of crime can take two forms:
a. Computer based crime: criminal behavior that takes place solely on computers, such as cyberbullying or spam. It encompasses both new crimes defined by the computing era and classic crimes done solely on computers (for example, child pornography).
b. Computer facilitated crime: crime committed in the "real world" but made easier by the use of technology. Fraud is a famous example of this type of crime: computers are frequently used to communicate with other fraudsters, record/plan operations, or manufacture bogus documents.
Not all digital forensics investigations focus on illegal behavior; the techniques can also be utilized in corporate (or private) settings to recover lost data or reconstruct employee behaviors.

4. Series of Events that help us bring digital forensics

5. Stages Of Computer Forensics Process


The overall computer forensics process is sometimes viewed as comprising four stages:
a. Acquire: Identifying and Preserving
b. Analyze: Technical Analysis
c. Evaluate: What the Lawyers Do
d. Present: Present digital evidence in a manner that is legally acceptable in any legal proceedings.


6. Where can we use Computer Forensics


There are few crimes or disputes where computer forensics cannot be used. Law enforcement agencies were among the first and heaviest users of computer forensics, and as a result, they have frequently been at the forefront of innovations in the subject.
A computer can itself be the crime scene, as in hacking or denial of service attacks, or it can hold evidence in the form of emails, internet history, documents, or other data related to crimes such as murder, kidnapping, fraud, and drug trafficking.
Investigators may be interested not just in the content of emails, documents, and other files, but also in the information linked with such files. A computer forensic analysis can disclose when a document was first created on a computer, when it was last changed, saved, or printed, and which person performed these acts.
Recently, business organizations have employed computer forensics to their advantage in a variety of circumstances, including:
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Forgeries
• Bankruptcy investigations
• Inappropriate email and internet use in the workplace
• Regulatory compliance
7. Objective of Computer Forensics
We can all agree that we are increasingly reliant on Information and Communication Technology (ICT) tools and the internet for digital services. We talk online using chat applications, rely on email to communicate with relatives and the office, stay in touch with our friends and update our status using social networking platforms like Facebook, work online by staying connected to our office or client via the internet, and shop online. Our reliance on computers and the internet has grown to the point where we are almost always online. As a result, there is a greater need to secure our information from misuse by adhering to information security principles. However, if our computer's security is compromised, computer forensics can help with the post-incident inquiry.
The objectives of computer forensics are to provide guidelines for:
• Following the first responder procedure and accessing the victim's computer after an incident.
• Designing procedures at a suspected crime scene to ensure that the digital evidence obtained is not corrupted.
• Data acquisition and duplication.
• Recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.
• Analyzing digital media to preserve evidence, analyzing logs and deriving conclusions, and investigating network traffic and logs to correlate events.
• Investigating wireless and web attacks, tracking emails and investigating email crimes.
• Producing a computer forensic report which provides a complete report on the computer forensic investigation process.
• Preserving the evidence by following the chain of custody.
• Employing the rigorous procedures necessary to have forensic results stand up to scrutiny in a court of law.
• Presenting digital forensics results in a court of law as an expert witness.
8. Role of Forensics Investigator
The following are some of the important duties of a forensic investigator:
• Confirm or dispel whether a resource/network is compromised.
• Determine the extent of damage due to intrusion.
• Answer the questions: Who, What, When, Where, How and Why.
• Gather data in a forensically sound manner.
• Handle and analyze evidence.
• Prepare the report.
• Present admissible evidence in court.

9. Benefits of Digital Forensics


Forensic readiness can offer an organization the following benefits:
• Evidence can be gathered to act in an organization's defense if subject to a lawsuit;
• Comprehensive evidence gathering can be used as a deterrent to the insider threat (throwing away potential evidence is simply helping to cover the tracks of a cyber criminal);
• In the event of a major incident, an efficient and rapid investigation can be conducted and actions taken with minimal disruption to the business;
• A systematic approach to evidence storage can significantly reduce the costs and time of an internal investigation;
• A structured approach to evidence storage can reduce the costs of any court-ordered disclosure or regulatory or legal need to disclose data (e.g. in response to a request under data protection legislation);
• Forensic readiness can extend the scope of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, extortion etc.;
• It demonstrates due diligence and good corporate governance of the company's information assets;
• It can demonstrate that regulatory requirements have been met;
• It can improve and facilitate the interface to law enforcement if involved;
• It can improve the prospects for a successful legal action;
• It can provide evidence to resolve a commercial dispute; and
• It can support employee sanctions based on digital evidence (for example to prove violation of an acceptable use policy).

10. Steps for Forensic Planning


The ten steps that follow define the major actions in forensic readiness planning:
1. Identify the business circumstances that necessitate digital evidence;
2. Determine accessible sources and the various categories of prospective evidence;
3. Determine the requirement for evidence collection;
4. Establish a capability for acquiring legally acceptable evidence in a secure manner in order to meet that requirement;
5. Implement a policy for the safe storage and handling of potential evidence;
6. Ensure that monitoring is focused on detecting and deterring serious events;
7. Specify the circumstances under which an escalation to a complete formal investigation (which may include the use of digital evidence) should be initiated;
8. Educate workers on incident awareness so that everyone engaged understands their involvement in the digital evidence process as well as the legal implications of evidence;
9. Document an evidence-based case outlining the incident and its impact; and
10. Ensure legal review to facilitate action in response to the incident.

OVERVIEW OF THE CHAPTER:


1. Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible.
2. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
3. Computer crime, or cybercrime, is any crime that involves a computer and a network.
4. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyberwarfare.
5. The ancient Chinese used fingerprints to identify business documents.
6. Sir Francis Galton established the first system for classifying fingerprints.
7. The International Association of Computer Investigative Specialists (IACIS) is an international non-profit corporation composed of volunteer computer forensic professionals dedicated to training and certifying practitioners in the field of forensic computer science.
8. The first FBI Regional Computer Forensic Laboratory was established in 2000 at San Diego.
9. The survival and integrity of any given network infrastructure of any company or organization strongly depends on the application of computer forensics.
10. Forensic readiness is the ability of an organization to maximize its potential to use digital evidence whilst minimizing the costs of an investigation.
11. Monitoring should be targeted at specific problems.
12. Physical security of data such as back-up files or on central log servers is important from the data protection point of view, and also for secure evidence storage.
13. A policy for secure storage and handling of potential evidence comprises security measures to ensure the authenticity of the data and also procedures to demonstrate that the evidence integrity is preserved whenever it is used, moved or combined with new evidence.
14. In addition to gathering evidence for later use in court, evidence sources can be monitored to detect threatened incidents in a timely manner.
15. Some suspicious events can be system generated, such as by the rule-base of an IDS, or the keywords of a content checker, and some will be triggered by human watchfulness.
16. The decision as to whether to escalate the situation to management will depend on any indications that a major business impact is likely or that a full investigation may be required where digital evidence may be needed.
17. It is necessary to ensure that staff is competent to perform any roles related to the handling and preservation of evidence.
18. The aim of an investigation is not just to find a culprit or repair any damage. An investigation has to provide answers to questions and demonstrate why those answers are credible.
19. At certain points during the collating of the cyber-crime case file it will be necessary to review the case from a legal standpoint and get legal advice on any follow-up actions.
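
The integrity demonstration described in item 13, and the chain-of-custody objective listed earlier, as an added example that is not part of the original notes: each custody entry records the SHA-256 of the evidence and the hash of the previous entry, so a changed image or an edited record becomes detectable. The field names, handler names, timestamps and sample bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash every field except the entry's own digest, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record_event(log: list, evidence: bytes, action: str, handler: str, when: str) -> None:
    """Append a custody entry that is chained to the previous entry."""
    entry = {
        "when": when,
        "action": action,  # e.g. acquired, moved, used
        "handler": handler,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means integrity holds."""
    if not log:
        return ["no custody entries"]
    problems, prev, baseline = [], GENESIS, log[0]["evidence_sha256"]
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: custody record altered or out of order")
        if e["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = e["entry_hash"]
    if sha256_hex(evidence) != baseline:
        problems.append("current evidence does not match acquisition hash")
    return problems

def demo() -> tuple:
    image = b"constructed sample disk image bytes"  # constructed sample input
    log = []
    record_event(log, image, "acquired", "investigator A", "2024-01-01T10:00:00Z")
    record_event(log, image, "moved to evidence store", "custodian B", "2024-01-01T12:00:00Z")
    intact = verify(log, image)
    log[1]["handler"] = "someone else"  # simulate an edited custody record
    return intact, verify(log, image), verify(log, image + b"\x00")
```

`demo()` returns the verification result for the untouched log, for the log after one record is edited, and for the edited log checked against a modified copy of the evidence.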
