Cyber Forensics: Process and Techniques

The document provides an overview of computer forensics, detailing its definition, processes, objectives, and various sub-disciplines such as mobile device forensics and network forensics. It outlines the steps involved in digital forensics, including identification, preservation, analysis, documentation, and presentation of evidence, as well as techniques used by investigators. Additionally, it discusses the importance of email forensics and the methods employed to analyze emails for legal investigations.

Uploaded by Shagun Sharma

lOMoARcPSD|34371525

UNIT-4
UNDERSTANDING COMPUTER FORENSICS
Introduction
The word “forensics” refers to the use of science and technology to investigate and establish facts in
criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge to analyze
evidence and present it in court.

Cyber Forensics:

 Cyber forensics is a branch of forensic science that deals with the investigation and analysis of
evidence found on computers and other digital devices.
 Cyber forensics is also referred to as computer forensics, because the computer system involved in
the cybercrime is its main object of study.
 Cyber forensics supports an investigation by collecting and preserving evidence for legal purposes.

Process followed in cyber forensics:

1. Identification
2. Preservation
3. Analysis
4. Documentation
5. Presentation

Digital Forensics Science


 Digital forensics is the process of identifying, preserving, retrieving and analyzing electronic data
that may be useful in an investigation so that it can be used as evidence. The data may come from
hard drives in computers, mobile phones, smart appliances, vehicle navigation systems, electronic
door locks, and other digital devices.

 It is a branch of forensic science that focuses on retrieving and analyzing data from digital
devices including computers, and other digital storage media.

 Digital Forensics’ goal is to determine the details of a digital incident, such as a cybercrime or
data security breach, in a manner that is impartial, thorough, and compatible with legal rules and
regulations.

 Experts in the field of Digital Forensics must possess a thorough understanding of computer
science, programming, and data structures as well as knowledge of the laws surrounding
electronic evidence.

Downloaded by Mir (waseemkhan2924@[Link])


Steps of Digital Forensics Process

Now that you understand what digital forensics is, let’s look at its steps:

Identification:

This is the initial stage, in which the individuals or devices to be analyzed are identified as likely
sources of significant evidence.

During this stage the investigator also decides which data is relevant to the case: e-mails, documents,
images and other digital files. That data is later extracted from the forensic copy of the collected
evidence, never from the original media.

Preservation:

Preserving the evidence is the next step. The digital data is duplicated, normally as a bit-for-bit image
taken through a write blocker, and the original is kept untouched. Hash values of the original and of the
image are recorded so that the copy can be proved identical. This matters because it is what makes the
evidence acceptable in court and usable to support the findings of the investigation.

This step focuses on safeguarding relevant electronically stored information (ESI): securing the scene,
photographing the devices and their state, and documenting how each item was obtained.

Analysis:

Analysis is a methodical examination of the information gathered. It produces data objects, including
system- and user-generated files, and seeks specific answers and starting points for conclusions.

The evidence collected so far is examined to uncover related information. This involves various digital
forensics tools, such as disk imaging tools, data recovery tools, and many more, always run against the
forensic copy rather than the original.

Documentation:

Documentation follows established procedures for recording the conclusions of the analysis, and it must
allow other competent examiners to follow the steps and reproduce the results.

Presentation:

The final step of the digital forensics process is to prepare a report that documents the findings of the
investigation and presents the evidence in a clear and concise form to the relevant authorities or
stakeholders.

Throughout, the collection of digital information, which may involve removing electronic devices from the
crime or incident scene and imaging them, is critical to the investigation.

Objectives of Digital Forensics


 Knowing the primary objectives of digital forensics is essential for a complete understanding of
what digital forensics is:

 It aids in the recovery, analysis, and preservation of computers and related materials for the
investigating agency to present them as evidence in a court of law

 It aids in determining the motive for the crime and the identity of the primary perpetrator

 Creating procedures at a suspected crime scene to help ensure that the digital evidence obtained is
not tainted

 Data acquisition and duplication: creating a verified copy of the digital media, from which deleted
files and partitions can then be recovered in order to extract and validate evidence

 Assists you in quickly identifying evidence and estimating the potential impact of malicious
activity on the victim

 Creating a computer forensic report that provides comprehensive information on the investigation
process

 Keeping the evidence safe by adhering to the chain of custody

Types of Digital Forensics


As digital data forensics evolves, several sub-disciplines emerge, some of which are listed below:

i. Computer Forensics:

It analyzes digital evidence obtained from laptops, computers, and storage media to support ongoing
investigations and legal proceedings.

ii. Mobile Device Forensics:

It entails obtaining evidence from small electronic devices such as personal digital assistants, mobile
phones, tablets, sim cards, and gaming consoles.

iii. Network Forensics:

Network or cyber forensics relies on data obtained by monitoring and analyzing network activity, such as
attacks, breaches, or outages caused by malicious software and abnormal network traffic.

iv. Digital Image Forensics:

This sub-specialty focuses on the extraction and analysis of digital images to verify authenticity and
metadata and determine the history and information surrounding them.

v. Digital Video/Audio Forensics:

This field examines audio-visual evidence to determine its authenticity or any additional information you
can extract, such as location and time intervals.

vi. Disk Forensics:

Here forensic examiners recover crucial information from digital storage media such as hard disks, USB
devices, FireWire devices, CDs, DVDs, flash drives, floppies, etc.

vii. Malware forensic:

In this discipline, forensic experts examine suspected programs to determine whether they are malicious
and what their payload does. Such programs include Trojan horses, ransomware and the many kinds of
viruses.

This branch covers intrusion-related crime: examiners analyze the malware or Trojan involved to establish
what it does and, where possible, to attribute it to the attacker behind it.

Understanding the capabilities of a piece of malicious software lets the IT team assess a security
incident more accurately and may help prevent further infections. A considerable share of computer
intrusions involves some form of malicious software (malware) that has found its way onto the victim’s
workstation or a server.

Techniques that cyber forensic(computer forensic) investigators use


Digital investigators and computer forensics experts use a series of tactics and techniques, backed by
forensic tools, to verify the copy of the evidence they have seized from a compromised computer or
device. They search hidden or encrypted folders and unallocated disk space for traces of deleted,
encrypted, overwritten or tampered files, and every finding is documented so that the final report is
admissible in a court of law, all without altering the original source of the evidence and while
maintaining its integrity.

These methods and techniques combine tools and tactics with expert knowledge. Some of the prominent
techniques are the following:

1. Cross-Drive Analysis
This technique correlates data sets found on several computer drives (for example, the same e-mail
addresses or file hashes appearing on more than one disk) to detect patterns and to give context to a
forensic analysis. Events that raise suspicion on one drive are compared with the data on the other
drives to look for similarities.

2. Live Analysis:
In this technique a system is examined from inside the running operating system, using tools on the
machine itself, while the equipment is still powered on. It is how volatile data is captured: the
contents of RAM and cache, running processes, open network connections and logged-in users, all of
which are lost when the machine is powered off. Because the tools used to collect volatile data change
the state of the system slightly, the examiner records exactly what was run and in which order, and
hashes the resulting memory image, to maintain the integrity of the original source of the evidence.

3. Deleted Files Recovery:

Deleting a file rarely erases it: the file-system entry is removed, but the content usually remains in
unallocated space until it is overwritten. Forensic experts therefore search the storage of a computer
or other device, and even its memory, for fragments of deleted files and reassemble them. Where no
file-system metadata survives, files are recognized by their header and footer signatures; this
technique is widely known as file carving or data carving.
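As an added example (not part of the original notes), the Python below implements header/footer carving for JPEG and PNG over a constructed byte buffer that stands in for unallocated space. The filler bytes, the JPEG stub, the minimal PNG and the truncated JPEG header (a file whose footer has already been overwritten) are all generated inline and are assumptions of the example:

```python
import struct
import zlib

# Header/footer signatures used for carving. The header identifies the file
# type; the footer marks where the file ends so the carved copy is not padded
# with whatever happened to follow it on disk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(raw, max_size=10 * 1024 * 1024):
    """Scan a raw byte buffer (unallocated space, a memory dump, a disk image)
    for known headers and return [(type, offset, data)] for every file whose
    footer is also found within max_size bytes, sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: a partial or overwritten
                # file. A real carver would save it as a fragment; here it is
                # skipped so the caller only gets complete files.
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((kind, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# --- constructed test data: a fake "unallocated space" buffer ---------------

def _png_chunk(kind, body):
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png(width=2, height=2):
    """Build a minimal, well-formed RGB PNG; its IEND chunk (type + CRC) is
    exactly the footer the carver looks for."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x10\x20\x30" * width) * height
    idat = zlib.compress(scanlines)
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_jpeg():
    """Constructed JPEG stub: SOI + APP0/JFIF segment + EOI. Enough for the
    carver's signature logic; it is not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9"


def build_unallocated_space():
    """Filler with a JPEG, a PNG and a truncated JPEG (header only, footer
    already overwritten) scattered inside. Returns the buffer plus the
    (type, offset, bytes) hits the carver is expected to recover."""
    filler = bytes(i % 251 for i in range(3000))  # contains no signature bytes
    jpg, png = make_jpeg(), make_png()
    buf = (filler + jpg + filler[:700] + png + filler[:1200]
           + b"\xff\xd8\xff\xe1TRUNCATED" + filler[:300])
    expected = [("jpg", len(filler), jpg),
                ("png", len(filler) + len(jpg) + 700, png)]
    return buf, expected
```

Real carvers also handle files with no fixed footer (using a length field in the header instead) and fragmented files; a JPEG that embeds a thumbnail contains a second FFD9 marker, so footer-based carving can also cut a real picture short.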

4. Stochastic Forensics:
In this technique forensic experts reconstruct digital activity without relying on digital artifacts.
Artifacts are the traces a digital crime leaves behind, such as changes to file attributes during a data
theft. Stochastic forensics is used in data-breach investigations where the suspect is assumed to be an
insider who may leave no such artifacts, by looking instead at the statistical side effects of the
activity (for example, an unusually large number of files being accessed in a short time).

5. Reverse Steganography:
Steganography is a technique for concealing data inside another digital file, text or data stream.
Computer forensic experts reverse a steganography attempt by comparing the suspect file with a trusted
original. A hash function maps data of any size to a fixed-length value, so even though a file in which
a cybercriminal has hidden confidential data (inside an image, video or any other carrier) looks exactly
the same to the eye before and after, the hash, and the underlying string of bytes that describes the
image, will have changed. Without a trusted original to compare against, the examiner has to rely on
statistical tests of the carrier data instead.
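An added example, not from the original notes, showing both sides of the point above in Python: a payload is hidden in the least significant bits of constructed pixel data, then the examiner's comparison against the trusted original reports a changed SHA-256 even though no byte differs by more than one. The cover bytes, the payload and the function names are assumptions of the example:

```python
import hashlib


def embed_lsb(cover, payload):
    """Hide `payload` in the least significant bit of each byte of `cover`,
    prefixed with a 32-bit length so it can be located again. Each touched
    byte changes by at most 1, which is imperceptible in pixel data."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover is too small for this payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Reverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(byte_offset, count):
        bits = [b & 1 for b in stego[byte_offset * 8:(byte_offset + count) * 8]]
        return bytes(int("".join(str(bit) for bit in bits[i:i + 8]), 2)
                     for i in range(0, len(bits), 8))
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(4, length)


def compare_with_original(original, suspect):
    """The examiner's check: a matching SHA-256 proves the files are
    byte-identical. A mismatch combined with many small (+/-1) byte changes
    is the fingerprint of LSB embedding rather than ordinary re-encoding,
    which would change bytes by larger amounts."""
    diffs = [abs(a - b) for a, b in zip(original, suspect) if a != b]
    return {
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "same_length": len(original) == len(suspect),
        "bytes_changed": len(diffs),
        "max_delta": max(diffs, default=0),
    }


# Constructed "pixel" bytes standing in for a decoded image's raw sample data.
COVER = bytes((i * 37 + i // 64) % 256 for i in range(4096))
```

With a real image the same logic is applied to the decoded pixel samples, not to the compressed file, because re-saving a JPEG changes every byte of the file regardless of hidden content.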

What is Computer Forensics and Why We Need It?


Cybercrime causes billions of dollars of economic damage. Because of this, forensic science
has to evolve to deal with cybercriminals. Computer forensic techniques allow investigators to
gather evidence against cybercriminals that will stand up in a court of law.

 Technology such as computers can make our lives easier and more convenient. One
major way that computers are used every day is to store vast amounts of data and
information that is important to the daily operations of businesses, government
organizations, and private individuals.
 Data found on computers is valuable and unfortunately vulnerable. Cybercrimes, where a
dishonest individual gains illegal access to data found in computers and networks are on

the rise and cyber criminals are becoming more and more adept at evading legal
consequences.
 Because of the rise in cybercrime, a new branch of investigation has been developed to help law
enforcement trace and prove illegal activity carried out using computers. This is computer forensics,
also known as digital forensics; many of its techniques involve some form of data recovery.
 Computer forensic experts can go through a suspect’s storage, whether on a computer or a mobile
device, and find deleted and hidden files that serve as evidence of illegal activity.
 Much of what computer forensics does is related to data recovery, and it relies on the same
techniques as the data recovery programs used on business and personal computers.

Cyber forensics and Digital Evidence


 Cyber forensics is a branch of forensic science that deals with the investigation and analysis of
evidence found on computers and other digital devices.
 Cyber forensics is also referred to as computer forensics, because the computer system involved in
the cybercrime is its main object of study.
 Cyber forensics supports an investigation by collecting and preserving evidence for legal purposes.

Collection and preservation of digital evidence:

 Determine whether the device is powered on or off.
 Video-record and photograph the device, including its screen and cable connections.
 Note down the device make, model number and serial number.
 If a destructive mechanism is suspected (for example a wipe that starts on shutdown), pull the power
plug immediately rather than shutting down. Be aware that this loses the contents of RAM, so where
volatile data such as encryption keys is needed and no such risk exists, capture it first.
 The investigator must also look for CDs, DVDs, flash drives, notepads (which may hold passwords), etc.
 Pack the collected devices in anti-static bags to prevent electrostatic damage; put phones and other
radio-capable devices in Faraday bags so they cannot be remotely wiped or receive new data.
 Place the devices in boxes or evidence bags and label them.
 Keep the devices safe from magnets, extreme temperatures and other sources of damage.
 Once all the evidence is collected and preserved, it can be sent to the laboratory for further
analysis.

Forensics Analysis of E-Mail


 E-mail forensics is exactly what it sounds like: the analysis of e-mails and their content to
determine the legitimacy, source, date, time, actual sender and recipients of a message in a forensically
sound manner. The aim is to provide admissible digital evidence for use in civil or criminal courts.
 E-mail forensics is part of a digital forensics investigation because of the massive and common use
of e-mail.
 People use e-mail to communicate with friends, schoolmates, colleagues and many others. A great deal
of data is therefore transmitted over it, and some of that use is illegal, just as happened with other
common communication methods, such as the mobile phone, once they became popular.
 In fact, it is already a serious public concern that a majority of criminals use e-mail in committing
their crimes, especially where cyber security and digital crime are concerned.
 E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the
actual sender and recipient of a message, the date and time of transmission, a detailed record of the
e-mail transaction, the intent of the sender, etc. This study involves investigation of metadata,
keyword searching, port scanning, etc., for authorship attribution and identification of e-mail scams.

Various approaches that are used for e-mail forensic are:


1. Header Analysis: E-mail forensics refers to the study of the source and content of an e-mail message
as evidence: identification of the actual sender, recipient, date and time when it was sent, etc.
Forensic analysis of an e-mail message aims at discovering the history of a message and the identity of
all the entities involved. Besides message analysis, e-mail forensics also involves investigation of a
client or server computer suspected of being used or misused for e-mail forgery.

Metadata in an e-mail message takes the form of control information, i.e. the envelope and the headers,
including headers in the message body, that carry information about the sender and/or the path along
which the message has traversed. Some of these may be spoofed to conceal the identity of the sender: only
the Received header added by the investigator’s own (or another trusted) mail server can be taken at face
value, since the ones beneath it were supplied by the previous hops. A detailed analysis of these headers
and their correlation with one another is performed in header analysis.
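The following Python is an added example, not code from the original notes. It walks the Received chain of a constructed message (documentation-range IP addresses, invented hostnames) from origin to destination and flags the kind of inconsistencies header analysis looks for: a Return-Path or Message-ID domain that does not match the From domain, timestamps that run backwards between hops, and an unqualified origin hostname. Only the standard library is used; the sample message and the anomaly rules are assumptions of the example:

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. The top Received header is the one added by the
# recipient's own server and is the only one it can vouch for; everything
# below it arrived as part of the message and could have been forged.
RAW = b"""Return-Path: <bounce@attacker.example>
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.victim.example (Postfix) with ESMTPS id 4F2A1C0C3A
\tfor <cfo@victim.example>; Tue, 12 Mar 2024 09:14:07 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net with ESMTP; Tue, 12 Mar 2024 09:14:05 +0000
Received: from DESKTOP-7Q2 (unknown [192.0.2.45])
\tby relay.example.org with ESMTPA; Tue, 12 Mar 2024 09:13:58 +0000
From: "CEO" <ceo@victim.example>
To: cfo@victim.example
Message-ID: <20240312091358.1234@attacker.example>
Date: Tue, 12 Mar 2024 09:13:50 +0000
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg):
    """Turn the Received headers into a list of hops, oldest first, so the
    first entry is the machine that injected the message."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())   # unfold continuation lines
        m = HOP_RE.search(value)
        ip = IP_RE.search(value)          # bracketed IP = connecting client
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return list(reversed(hops))


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw):
    """Return the origin IP, the hop path and a list of textual findings."""
    msg = email.message_from_bytes(raw)
    hops = parse_received(msg)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    mid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            findings.append(f"clock runs backwards between {earlier['by']} and {later['by']}")
    if hops and hops[0]["from"] and "." not in hops[0]["from"]:
        findings.append(f"origin host {hops[0]['from']} is an unqualified name (likely a workstation)")

    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [(h["ip"], h["by"]) for h in hops],
        "findings": findings,
    }
```

In a real case RAW is the .eml exported from the recipient's mailbox; the origin IP and timestamps it yields are leads to be confirmed against the receiving server's own logs, not proof on their own.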

2. Bait Tactics: In a bait-tactics investigation, an e-mail containing an HTML <img src> tag whose image
is hosted on a computer monitored by the investigators is sent to the (genuine) e-mail address of the
sender under investigation. When the image is loaded, a log entry containing the IP address of the
recipient (the sender of the e-mail under investigation) is recorded on the HTTP server hosting the
image, and so the sender is tracked. If the recipient is using a proxy server, the IP address of the
proxy server is recorded instead; the proxy server’s logs can then be used to track the sender. If the
proxy server’s log is unavailable for some reason, the investigators may send a tactic e-mail containing

(a) an embedded Java applet that runs on the receiver’s computer, or

(b) an HTML page with an ActiveX object,

both aiming to extract the IP address of the receiver’s computer and e-mail it to the investigators.

Note that modern mail clients block remote images by default and no longer run Java applets or ActiveX
controls, so these tactics have a low success rate today; sending active content to a suspect is also
legally sensitive and needs explicit authorization.

3. Email Server Investigation:


E-mail servers are investigated to locate the source of an e-mail. For example, if an e-mail has been
deleted from the client application of the sender or the receiver, the related ISP or proxy servers are
examined, as they usually keep copies of e-mails for some time after delivery. Servers also maintain logs
that can be analyzed to identify the address of the computer from which the e-mail originated.

It is worth noting that Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) logs
are archived frequently by large Internet Service Providers (ISPs). Once a log has been archived, tracing
the relevant e-mails can take a lot of time and effort, requiring decompression and extraction. It is
therefore best to examine the logs as soon as possible, and to ask for them to be preserved before they
are rotated away.
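As an added example (not from the original notes), the Python below correlates a constructed Postfix-style mail log by queue ID, the field that ties the connect, cleanup, queue-manager and delivery lines of one message together, so that a Message-ID taken from the suspect e-mail can be resolved to the client IP the server received it from and to the queue ID it was given on the next hop. The log lines, hosts, addresses and queue IDs are invented:

```python
import re

# Constructed Postfix-style maillog excerpt (documentation-range IPs, made-up
# hosts and queue IDs). Every line about one message carries the same queue
# ID, which is what lets the examiner stitch the transaction back together.
MAILLOG = """\
Mar 12 09:14:05 mx2 postfix/smtpd[2211]: connect from relay.example.org[198.51.100.7]
Mar 12 09:14:05 mx2 postfix/smtpd[2211]: 7B3F1D0A21: client=relay.example.org[198.51.100.7]
Mar 12 09:14:05 mx2 postfix/cleanup[2213]: 7B3F1D0A21: message-id=<20240312091358.1234@attacker.example>
Mar 12 09:14:05 mx2 postfix/qmgr[1024]: 7B3F1D0A21: from=<bounce@attacker.example>, size=2310, nrcpt=1 (queue active)
Mar 12 09:14:06 mx2 postfix/smtp[2218]: 7B3F1D0A21: to=<cfo@victim.example>, relay=mail.victim.example[203.0.113.9]:25, delay=1.2, status=sent (250 2.0.0 Ok: queued as 4F2A1C0C3A)
Mar 12 09:14:06 mx2 postfix/smtpd[2211]: disconnect from relay.example.org[198.51.100.7]
Mar 12 09:20:11 mx2 postfix/smtpd[2230]: 9C01AD0A44: client=mail.partner.example[203.0.113.77]
Mar 12 09:20:11 mx2 postfix/cleanup[2231]: 9C01AD0A44: message-id=<abc123@partner.example>
Mar 12 09:20:12 mx2 postfix/smtp[2233]: 9C01AD0A44: to=<sales@example.net>, relay=local, delay=0.4, status=sent (delivered to mailbox)
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
FIELD_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")
CLIENT_RE = re.compile(r"^(.*?)\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")


def index_by_queue_id(log):
    """Group log lines by Postfix queue ID and pull out the fields an
    investigator needs: connecting client, envelope sender, message-id,
    recipient, delivery status and the next hop's queue ID."""
    txns = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        stamp, host, daemon, qid, rest = m.groups()
        t = txns.setdefault(qid, {"queue_id": qid, "server": host,
                                  "first_seen": stamp, "last_seen": stamp})
        t["last_seen"] = stamp
        for key, value in FIELD_RE.findall(rest):
            if key == "client":
                cm = CLIENT_RE.match(value)
                if cm:
                    t["client_host"], t["client_ip"] = cm.group(1), cm.group(2)
            else:
                t[key] = value.strip("<>")
        q = QUEUED_AS_RE.search(rest)
        if q:
            t["next_hop_queue_id"] = q.group(1)  # pivot point into the next server's log
    return txns


def trace_message(log, message_id):
    """Find the transaction for a Message-ID seen in a suspect e-mail and
    return where this server received it from, or None if it never passed
    through here (or the relevant log has already been rotated away)."""
    wanted = message_id.strip("<>")
    for txn in index_by_queue_id(log).values():
        if txn.get("message-id") == wanted:
            return txn
    return None
```

The next_hop_queue_id is what lets the trace continue on mail.victim.example, whose log will show the same ID (4F2A1C0C3A) on its own receive and delivery lines, matching the "id" in the top Received header of the message.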

4. Investigation of Network Devices:

In some cases, server logs are not available. This can happen for many reasons, such as when servers are
not configured to keep logs or when an ISP refuses to share the log files. In such an event,
investigators can refer to the logs maintained by network devices such as switches, firewalls, and routers
to trace the source of an e-mail message.

5. Embedded Software Identifiers:

Sometimes the e-mail software used by a sender includes additional information about the message and
its attached files in the e-mail. For example, it can be found in Multipurpose Internet Mail Extensions
(MIME) content as a Transport Neutral Encapsulation Format (TNEF) attachment or in custom (X-) headers.
An in-depth analysis of these sections can reveal vital details about the sender, such as a MAC address,
the Windows login username of the sender, the name of the PST (Personal Storage Table) data file, and
much more.

Digital forensic life cycle

Data Collection: The first step in the forensic process is to identify potential sources of data and
acquire data from them. It involves identifying, labeling, recording and acquiring data from all the
possible relevant sources, in a way that preserves the integrity of the data and evidence collected.

Examination: After data has been collected, the next phase is to examine the data, which
involves assessing and extracting the relevant pieces of information from the collected data. This
phase may also involve bypassing or mitigating OS or application features that obscure data and
code, such as data compression, encryption, and access control mechanisms.

Analysis: Once the relevant information has been extracted, the analysis should study and
analyze the data to draw conclusions from it. The foundation of forensics is using a methodical
approach to reach appropriate conclusions based on the available data or determine that no
conclusion can yet be drawn.

This stage builds on the examination stage. In the analysis stage, legally justifiable methods and
techniques are used to derive useful information that addresses the questions posed in the particular
case.

Reporting: The process of preparing and presenting the information resulting from the analysis
phase.

 Statement regarding chain of custody.
 Explanation of the various tools used.
 A description of the analysis of the various data sources.
 Issues identified.
 Vulnerabilities identified.
 Recommendations for additional forensic measures that can be taken.

Chain of Custody Concept


 Chain of custody is the record of the sequence of custody, control, transfer, analysis and
disposition of physical or electronic evidence in legal cases. Each step in the chain is essential: if
it is broken, the evidence may be ruled inadmissible. Preserving the chain of custody is therefore a
matter of following the correct and consistent procedure, which in turn assures the quality of the
evidence.
 Chain of custody is the accurate documentation of the movement and possession of a piece of
evidence, from the time it is taken into custody until it is delivered to the court.

This section discusses:

1. What chain of custody entails in digital forensics.
2. The importance of maintaining chain of custody.
3. The chain of custody form.
4. The procedure to establish chain of custody.
5. How chain of custody can be assured.

1. What the Chain of Custody entails in Digital Cyber Forensics?

The chain of custody in digital forensics is also known as the paper trail, the forensic link, or the
chronological documentation of the evidence.
 Chain of custody records the collection and the sequence of control, transfer and analysis.
 It also documents the details of each person who handled the evidence, the date and time it was
collected or transferred, and the purpose of the transfer.
 It demonstrates to the courts and to the client that the evidence has not been tampered with.
Digital evidence is acquired from a myriad of devices: the vast number of IoT devices, audio
evidence, video recordings, images, and other data stored on hard drives, flash drives and other
physical media.
2. Importance of maintaining Chain of Custody?

Importance to the examiner:

 To preserve the integrity of the evidence.
 To prevent the evidence from contamination, which can alter its state.
 When you have obtained metadata for a piece of evidence but cannot extract any meaningful
information from it, the chain of custody helps to show where possible evidence might lie, where it came
from, who created it, and the type of equipment used. This lets you generate an exemplar and compare it
with the evidence to confirm the evidence’s properties.

Importance to the court: if the chain is not preserved, the evidence submitted in court may be challenged
and ruled inadmissible.

3. The Chain of Custody Form?

In order to prove a chain of custody, you need a form that lists the details of how the evidence was
handled every step of the way. The form should answer the following questions:
 What is the evidence? For digital information this includes the file name and hash values (an MD5
hash is still commonly recorded, but MD5 is no longer collision resistant, so a SHA-256 hash should be
recorded alongside it); for hardware it includes the serial number, asset ID, hostname, photographs
and a description.
 How did you get it? For example, bagged and tagged, or pulled from the desktop.
 When was it collected? Date and time.
 Who has handled it? The digital forensics team or experts.
 Why did that person handle it? To preserve, examine or analyze it.
 Where was it stored? This includes the physical location in which the evidence is stored, or
details of the storage used to hold the forensic image.
 How was it transported? For example, in a sealed static-free bag or in a secure storage container.
 How was it tracked?
 How was it stored? For example, in a secure storage container.
 Who has access to the evidence? This involves developing a check-in/check-out process.
The chain of custody form must be kept up to date: every time the evidence is handed off, the form
needs to be updated.
4. Procedure to establish the Chain of Custody?

To assure the authenticity of the chain of custody, a series of steps must be followed. Note that the
more information the forensic expert records about the evidence, the more authentic the resulting chain
of custody is. You should ensure that the following procedure is followed for electronic devices:
 Save the original material.
 Take photos of the physical evidence.
 Take screenshots of the digital evidence.
 Document the date, time, and any other information on the receipt of the evidence.
 Acquire a bit-for-bit image of the digital evidence, through a write blocker, onto the forensic
workstation.
 Hash both the original and the image and compare the values to authenticate the working copy.
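The preservation step described earlier and the imaging and hash check that close this procedure (together with the hashes the chain of custody form records) are shown in one added Python example below; it is not code from the original notes. It images a constructed "USB stick" file read-only, hashes the source as it is read, re-hashes the written image independently, appends a JSON chain-of-custody entry, and then demonstrates that a later single-byte change to the working copy is caught by re-verification. The case ID, examiner name and file names are assumptions:

```python
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media never sit in RAM


def hash_file(path):
    """Return (md5, sha256) of a file. Both are recorded because many forms
    and older tools still expect MD5, while SHA-256 is the one that actually
    resists collision attacks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`, hashing the bytes as
    they are read. The source is opened read-only; with real media a hardware
    write blocker sits between the examiner and the drive as well."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_and_record(source, image_path, case_id, examiner, coc_log):
    """Image the source, independently re-hash the written image, and append
    a chain-of-custody entry (who, what, when, where, hashes, verified?)."""
    src_md5, src_sha = acquire_image(source, image_path)
    img_md5, img_sha = hash_file(image_path)        # read back from disk
    verified = (src_md5, src_sha) == (img_md5, img_sha)
    entry = {
        "case_id": case_id,
        "action": "acquisition",
        "item": os.path.basename(source),
        "image": os.path.abspath(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "workstation": socket.gethostname(),
        "size_bytes": os.path.getsize(image_path),
        "md5": src_md5,
        "sha256": src_sha,
        "image_verified": verified,
    }
    with open(coc_log, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, entry):
    """Re-run before every analysis session and after every hand-off: True
    only if the working copy still matches the hashes recorded at
    acquisition. A False here breaks the chain of custody for that copy."""
    return hash_file(image_path) == (entry["md5"], entry["sha256"])


def demo():
    """Constructed walk-through: image a fake 1 MiB USB stick, verify it,
    then flip one byte in the working copy and show the check fails."""
    work = tempfile.mkdtemp(prefix="coc_")
    source = os.path.join(work, "usb_stick.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096 + b"last sector")  # crosses a CHUNK boundary
    image = os.path.join(work, "item001.dd")
    entry = acquire_and_record(source, image, "CASE-2024-017", "Examiner A",
                               os.path.join(work, "coc.jsonl"))
    before = verify_image(image, entry)
    with open(image, "r+b") as f:        # simulate accidental modification
        f.seek(10)
        f.write(b"\x00")
    after = verify_image(image, entry)
    with open(source, "rb") as f:
        expected_sha = hashlib.sha256(f.read()).hexdigest()
    return {"verified_at_acquisition": entry["image_verified"],
            "verified_before_tamper": before,
            "verified_after_tamper": after,
            "sha_matches_source": entry["sha256"] == expected_sha}
```

The JSON lines file is the machine-readable twin of the paper form: each later hand-off, examination or re-verification appends another entry with the same hashes, so a gap or a mismatch is visible at a glance.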

5. How can the Chain of Custody be assured?

Several considerations are involved when dealing with digital evidence and chain of custody. The most
common and globally accepted best practices are discussed here.
1. Never work with the original evidence: the biggest consideration when dealing with digital
evidence is that the forensic expert must make a full copy of the evidence for forensic analysis. This
cannot be overlooked: if an error damages a working copy, or a comparison has to be made, the untouched
original is still available.
2. Ensure storage media is sterilized: the examiner’s storage device must be forensically clean (wiped
and verified) before the evidence is acquired onto it. Otherwise residual data from an earlier case
cannot be distinguished from the evidence, and if the examiner’s media carried malware, the malware
could cross over to the machine being examined and all of the evidence would be compromised.

3. Document any extra scope: during the examination, it is important to document all information that
lies beyond the scope of the current legal authority, and to bring it to the attention of the case agent
later. A comprehensive report must contain the following sections:
 Identity of the reporting agency.
 Case identifier.
 Case investigator.
 Identity of the submitter.
 Date of receipt.
 Date of report.
 Descriptive list of items submitted for examination, including serial number, make and model.
 Identity and signature of the examiner.
 Brief description of the steps taken during the examination, for example string searches,
graphics image searches, and recovery of erased files.
 Results.
4. Consider the safety of the personnel at the scene: It is very important to
ensure that the crime scene is fully secure before and during the search. In some cases, the
examiner may only be able to do the following while onsite:
 Identify the number and type of computers.
 Interview the system administrator and users.
 Identify and document the types and volume of media: This includes removable media
also.
 Determine if a network is present.
 Document the information about the location from which the media was removed.
 Identify offsite storage areas and/or remote computing locations.
 Identify proprietary software.
 Determine the operating system in question.
The Digital evidence and Digital Chain of Custody are the backbones of any action taken by
digital forensic specialists. In this article, we have examined the seriousness of the digital
evidence and what it entails and how slight tampering with the digital evidence can change the
course of the forensic expert’s investigation.

Network Forensics
“Network forensics is a science that centers on the discovery and retrieval of information
surrounding a cybercrime within a networked environment. Common forensic activities
include the capture, recording and analysis of events that occurred on a network in order to
establish the source of Cyber Attacks.”

Network forensics is a subcategory of digital forensics that deals with the examination of a network,
and of the traffic crossing it, when the network is suspected of being involved in malicious activity
(for example, a network that is spreading credential-stealing malware) or in order to analyze a cyber
attack. As the Internet grew, cybercrime grew along with it, and so did the significance of network
forensics, with the development and adoption of network-based services such as the World Wide Web,
e-mail, and others.

With the help of network forensics, complete conversations, including messages, file transfers, e-mails
and web browsing history, can be retrieved and reconstructed to expose the original transaction. The
payload carried in the uppermost protocol layer may end up on disk, but the envelopes used to deliver it
are captured only in the network traffic; hence the protocol data enclosing each conversation is often
very valuable.

To identify attacks, investigators must understand the network protocols and applications involved:
web protocols, e-mail protocols, file transfer protocols, and so on.
Investigators use network forensics to examine traffic data gathered from networks that are involved,
or suspected of being involved, in cybercrime or any type of cyber attack. They then look for data that
points to file manipulation, human communication, etc.

Processes Involved in Network Forensics


Some processes involved in network forensics are given below:
I. Identification: investigators identify and evaluate the incident based on the network indicators.
II. Safeguarding: investigators preserve and secure the data so that tampering is prevented.
III. Accumulation: a detailed record of the crime scene is documented and all the collected digital
evidence is duplicated.
IV. Observation: all the visible data is tracked along with its metadata.
V. Investigation: a final conclusion is drawn from the collected evidence.
VI. Documentation: all the evidence, reports and conclusions are documented and presented in court.

Challenges in Network Forensics:


 The biggest challenge is managing the volume of data generated during the process.
 Intrinsic anonymity of IP addresses.
 Address spoofing.
 Data storage.
 Data privacy.
 Data extraction locations.
 High-speed data transmission.
 Data integrity.
 Access to IP address information.

Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used better through reporting and better planning.
 It helps in a detailed search of the network for any trace of evidence left on it.
Disadvantage:
 The only disadvantage of network forensics is that it is difficult to implement.

Approaching a Computer Forensics Investigation

The phases in a computer forensics investigation are:

 Secure the subject system (control physical access, isolate it from the network, document
its state)
 Take a forensic, bit-for-bit image of the hard drive/disk and work only on the copy
 Identify and recover all files, including deleted ones
 Access/view/copy hidden, protected, and temporary files
 Study special areas on the drive (slack space, unallocated space, boot sectors)
 Investigate the settings and any data from programs on the system
 Consider the system from various perspectives (the user's, the attacker's, the timeline)
 Create a detailed report containing an assessment of the data and information collected

Things to be avoided during forensics investigation:

 Changing date/timestamps of the files (for example by opening files directly on the original
media instead of on a read-only image)
 Overwriting unallocated space (installing tools on, or writing anything to, the evidence drive
destroys deleted data that might still be recoverable)

Things that must not be skipped before a forensics investigation:

 Engagement contract
 Non-Disclosure Agreement (NDA)

Elements addressed before drawing up a forensics investigation engagement contract:

 Authorization
 Confidentiality
 Payment
 Consent and acknowledgement
 Limitation of liability

General steps in solving a computer forensics case are:

 Prepare for the forensic examination
 Talk to key people about the case and what you are looking for
 Start assembling tools to collect the data and identify the target media
 Collect the data from the target media
 Use a write-blocking tool while imaging the disk, and hash both the original and the image
 Check e-mail records too while collecting evidence
 Examine the collected evidence on the image that was created, never on the original
 Analyze the evidence
 Report your findings to your client
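
The imaging and hashing steps above are the part of the procedure that a court will later test, so they are worth seeing in working form. The following is an added example written for these notes (not code from the original document or from any acquisition product). It copies a source device to an image file block by block, hashes the original before, during and after the copy and the image afterwards, writes an acquisition record next to the image, and shows how a later custodian re-verifies it. The case number, examiner name and file names are invented, and the "device" is a constructed temporary file. A hardware write blocker is assumed to sit in front of the real device; the code opens the source read-only but cannot replace the blocker.

```python
"""Acquire a bit-for-bit image of an evidence device, hash the original and the image,
and write an acquisition record for the chain of custody. Added example, not from the
original notes. A hardware write blocker is assumed between the workstation and the
device; this code only opens the source read-only and proves the copy is faithful."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # 1 MiB blocks: a multi-terabyte device never has to fit in RAM
ALGORITHMS = ("md5", "sha256")  # two digests, as most acquisition tools record


def hash_file(path):
    """Stream the file once and return {algorithm: hexdigest}."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire(source, image, examiner, case_id):
    """Copy source -> image while hashing the stream; then re-read both to verify."""
    started = datetime.now(timezone.utc).isoformat()
    before = hash_file(source)                    # baseline hash of the original
    stream = {name: hashlib.new(name) for name in ALGORITHMS}
    copied = 0
    fd = os.open(source, os.O_RDONLY)             # read-only handle: this process cannot write here
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            for d in stream.values():
                d.update(block)
            copied += len(block)
    after = hash_file(source)                     # was the original left unchanged?
    image_hashes = hash_file(image)               # is the copy bit-identical?
    streamed = {name: d.hexdigest() for name, d in stream.items()}
    record = {
        "case_id": case_id,                       # constructed identifiers for the example
        "examiner": examiner,
        "source": source,
        "image": image,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_hashes_before": before,
        "source_hashes_after": after,
        "image_hashes": image_hashes,
        "verified": before == after == streamed == image_hashes,
        "method": "read-only open, streamed copy; hardware write blocker assumed",
    }
    with open(image + ".json", "w") as fh:        # the acquisition log travels with the image
        json.dump(record, fh, indent=2)
    return record


def verify_image(image, record):
    """Anyone later in the chain of custody recomputes the hashes and compares."""
    return hash_file(image) == record["image_hashes"]


def demo():
    """Run the procedure on a constructed 4 MiB 'device' (a temp file, not a real disk)."""
    workdir = tempfile.mkdtemp(prefix="acquisition_")
    device = os.path.join(workdir, "sdb")
    with open(device, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK) + b"\x00" * CHUNK)   # data region plus a zeroed run
    image = os.path.join(workdir, "case-2024-0001.dd")
    record = acquire(device, image, examiner="J. Doe", case_id="2024-0001")
    intact = verify_image(image, record)
    with open(image, "r+b") as fh:                            # simulate one flipped byte in the image
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_image(image, record)
    return record, intact, tampered


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(json.dumps(rec, indent=2))
    print("verified after acquisition:", ok_before, "| after one flipped byte:", ok_after)
```

Three hashes of the original (before, streamed, after) matching each other is the evidence that the acquisition itself changed nothing; the image hash matching them is the evidence that the copy is complete. The single flipped byte in `demo()` shows why the record must be kept with the image: the later `verify_image` call fails on both digests.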

Forensics and Social Networking Sites:

A social networking site is defined as a web-based service that allows individuals to:

 Create a public or semi-public profile
 Search or navigate through a list of users with whom they share a common connection
 View the connections of other users

I. Although social networking sites have their uses, there are several associated security
threats. The concerns regarding social networking sites are:

 Whether the site violates people's intellectual property rights
 Whether these sites infringe the privacy of their own users
 Whether these sites promote fraudulent and illegal activities

II. Content preservation can be challenging given the dynamic, short-lived and often
multi-format nature of social media. There is generally no control over the content posted on
social networking sites, so it must be captured promptly, before it is edited or deleted. A high
level of forensic skill is required to analyze and quantify the preserved data to answer
questions such as:

 Who posted the offending content?
 Can the content be attributed to a real, identifiable person rather than just to an account,
even when evidence of the posting exists?
 Can we identify the time frame associated with the posting of the offending content?
 How much of the offending content exists across the entire social networking platform?
 Is there other content that supports interpretation of the relevant content?
 How accurate is the reported physical location?

III. Security issues that are associated with social networking sites are:

 Corporate espionage
 Cross-site scripting
 Viruses and worms
 Social networking site aggregators (third-party services that hold the credentials of several
accounts)
 Phishing
 Network infiltration leading to data leakage
 Identity theft
 Cyber bullying
 Content-Based Image Retrieval (CBIR), which can re-identify users from the photos they post
 Spam
 Stalking

[Link] Security/Privacy Threats:

Challenges in Computer Forensics

Although forensic techniques are well developed, cybercrime investigation is not easy. A huge
amount of data is available, and searching for evidence in that data is hard. Most existing
tools allow anyone to change the attributes associated with digital data (timestamps,
ownership, file names), so such attributes cannot be taken at face value.

Encryption is a commonly used anti-forensics technique, and keyword search can be defeated
simply by renaming files or obfuscating their content. Cybercrime investigators often have to
collect evidence from very large groups of files. They need to use techniques such as link
analysis and visualization, and machine-learning techniques (pattern detection), to find leads.

Challenges in network forensics

 Networks span multiple time zones and multiple jurisdictions
 Network data may be available offline (stored captures and logs) or online (in real time)
 Real-time data requires the ability to capture and analyze data on the fly
 The data may involve many different protocols
 The data may be huge because of increasing bandwidth
 A protocol might carry multiple layers of encapsulation (VoIP, HTTP tunneling)
 Many current forensic tools cannot handle real-time data and very large volumes of data

 A paradigm shift is needed in network forensics techniques to analyze real-time data and
huge amounts of data. The duration of a forensic investigation varies: some simple cases take
a few hours, while complex cases may take years to solve.
 Certain digital information other than the data itself may help in solving the case. Such
information includes dates and timestamps of files, folder structure and message transmission
tags (e-mail headers and routing information). Real-time data collection is more complex, as
it must address the legalities and privileges involved in surveillance.

Technical Challenges

 The two challenges faced in a digital forensic investigation are complexity and quantity.
The complexity problem refers to the collected data being at the lowest level or in raw
format (disk sectors, packet bytes). Non-technical people will find it difficult to understand
such data, so tools are used to transform it from low-level format into a readable form.
 The quantity problem refers to the amount of data that needs to be analyzed. Data reduction
techniques can be used to group data or to remove data that is already known. Data reduction
techniques include:

 Identifying known network packets using IDS signatures
 Identifying unknown entries during log processing
 Identifying known files using hash databases (reference sets of operating system and
application files)
 Sorting files by their types
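
The last two reduction techniques in the list above (known-file hash databases and sorting by type) are shown together in the following added example, written for these notes rather than taken from the original document or from any forensic product. It walks a mounted image, drops every file whose SHA-256 appears in a reference set (the idea behind NSRL-style hash databases), classifies what remains by its leading bytes instead of its extension, and flags files whose extension disagrees with their content. The reference set and the small file tree it runs over are constructed for the example; a real investigation would load a published hash set and point the walker at the mounted image.

```python
"""Data reduction for triage: discard files whose hashes appear in a known-file
reference set and sort what remains by content type rather than by extension.
Added example, not from the original notes; the reference set and the sample file
tree are constructed, not a real NSRL release or a real image."""
import hashlib
import os
import tempfile

# Leading bytes (magic numbers) for the types we sort on. Classifying by content
# defeats the cheapest anti-forensic trick: renaming a file to a harmless extension.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip/office"),
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
]
EXPECTED_BY_EXT = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
                   "zip": "zip/office", "docx": "zip/office", "xlsx": "zip/office",
                   "exe": "pe-executable", "dll": "pe-executable", "txt": "text", "log": "text"}


def sha256_of(path):
    """Hash a file in 1 MiB blocks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Content type from the first bytes; 'text' if they are all printable, else 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def reduce_tree(root, known_hashes):
    """Walk a mounted image. Return (known_count, {type: [paths]}, [ext/content mismatches])."""
    known, buckets, mismatches = 0, {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if sha256_of(full) in known_hashes:
                known += 1                      # stock OS/application file: nothing to examine
                continue
            kind = classify(full)
            buckets.setdefault(kind, []).append(rel)
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            if ext in EXPECTED_BY_EXT and EXPECTED_BY_EXT[ext] != kind:
                mismatches.append(rel)          # the extension lies about the content
    for paths in buckets.values():
        paths.sort()
    return known, buckets, sorted(mismatches)


def demo():
    """Build a small constructed file tree and run the reduction over it."""
    root = tempfile.mkdtemp(prefix="image_")
    samples = {   # constructed contents; the MZ/PDF/JPEG prefixes are real magic numbers
        "Windows/System32/kernel32.dll": b"MZ\x90\x00constructed stand-in for a stock DLL",
        "Windows/notepad.exe": b"MZ\x90\x00constructed stand-in for a stock EXE",
        "Users/a/report.pdf": b"%PDF-1.7\n% constructed document\n",
        "Users/a/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "Users/a/notes.txt": b"%PDF-1.4\n% a PDF renamed to .txt to dodge a search\n",
        "Users/a/todo.txt": b"Buy milk\nCall the bank\n",
        "Users/a/tool.exe": b"MZ\x90\x00unknown binary, not in the reference set",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Reference set: hashes of the two 'stock' operating-system files only.
    known = {hashlib.sha256(samples[p]).hexdigest()
             for p in ("Windows/System32/kernel32.dll", "Windows/notepad.exe")}
    return reduce_tree(root, known)


if __name__ == "__main__":
    known_count, by_type, suspicious = demo()
    print(f"{known_count} known files dropped")
    for kind, paths in sorted(by_type.items()):
        print(f"{kind:15} {paths}")
    print("extension/content mismatches:", suspicious)
```

Of the seven files, two are removed as known before anyone looks at them, and the remaining five are grouped so that documents, images and executables can be handed to the right tools. The renamed PDF shows why sorting uses content and not names: `notes.txt` lands in the `pdf` bucket and is reported as a mismatch, which is exactly the kind of lead a keyword search on file names would have missed.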

Legal challenges

 Digital evidence can be tampered with easily, sometimes without leaving any trace. It is
common for modern computers to have disks of many gigabytes or terabytes. Seizing and
freezing digital evidence can no longer be accomplished just by burning a CD-ROM. Failure to
freeze the evidence prior to opening files has invalidated critical evidence.
 There is also the problem of finding relevant evidence within massive amounts of data,
which is a daunting task. The real legal challenges involve the artificial limitations imposed
by constitutional, statutory and procedural issues. There are many types of personnel involved
in digital/computer forensics, such as technicians, policy makers, and professionals.
 Technicians have the knowledge and skills to gather information from digital devices and
understand software, hardware and networks. Policy makers establish forensics policies that
reflect broad considerations. Professionals are the link between policy and execution; they
have extensive technical skills as well as a good understanding of legal procedures.

Challenges faced by Digital Forensic Investigator:

 Legal Issues: The most important issue an investigator may encounter is ensuring the
admissibility of evidence, which means that it will be accepted by the court.
 Nature of Digital Evidence: Advances in technology have made detecting and locating digital
evidence extremely difficult. For example, cloud storage, PDAs and mobile devices, IoT
devices, etc.
 Alteration of Evidence: The chain of custody should be maintained at all times to keep the
evidence's credibility intact. If the evidence is in the wrong hands, it might get altered and
lose its credibility. Therefore, having a forensic image and the hash value of the evidence,
recorded at the time of acquisition, is extremely important for the investigator.
 Size and Distribution of the evidence: Data volumes are no longer small; a huge amount of
data is produced every day. In big data forensic investigations, the size of the data and its
wide distribution across systems are a challenge for the investigator, who may not know where
to start.
 Malware Present in evidence: Criminals can try to outsmart investigators by planting malware
on the evidence device to mislead or disrupt the investigation, which is another reason to
examine images in an isolated environment rather than booting the original.
 Steganography: Hiding data inside innocuous carrier files such as images, audio or documents.
Many steganography tools are now freely available, so hidden payloads are extremely difficult
to detect, and an investigator who does not specifically look for them may dismiss a carrier
file as irrelevant.
 Encryption: Often the evidence is recovered in encrypted form, and the investigator has a
hard time decrypting it, with no assurance that the original contents can be recovered.
