(UNDERSTANDING COMPUTER FORENSICS)

NOTES (UNIT-IV)

Digital Forensics Science

Digital forensics is a scientific discipline that involves collecting, examining, and analyzing
digital evidence to help in investigations, especially those related to cybercrimes and
computer-related offenses. It's a specialized field within forensic science that focuses on
understanding what happened on computer systems and other digital devices to reconstruct
events and identify perpetrators.
1. Scope and Purpose:
• Broad Application:
Digital forensics isn't limited to cybercrimes; it's used in various investigations, including
criminal cases, civil disputes, and corporate investigations.
• Data Recovery:
A key aspect involves recovering data from damaged or deleted files, hard drives, and other
storage media.
• Evidence Analysis:
Digital forensics experts analyze data from various sources, including computers, mobile
phones, network traffic, and cloud storage, to extract relevant information.
• Legal Admissibility:
The goal is to preserve the integrity of digital evidence and document the process in a way
that ensures its admissibility in court.
2. Process and Techniques:
• Chain of Custody:
Digital forensics investigators follow a strict chain of custody to prevent tampering with
evidence and ensure its integrity.
• Forensic Imaging:
Creating a bit-by-bit copy of a hard drive or storage media to preserve the original data and
work with a copy.
• Data Analysis:
Using various tools and techniques to analyze the extracted data, including metadata, file
contents, and network traffic.
• Reporting:
Preparing detailed reports that document the investigation, evidence collected, and analysis
findings, suitable for legal proceedings.
3. Key Concepts:
• Digital Evidence:
Any data stored electronically that can be used as evidence in an investigation.
• Metadata:
Data about data, such as file creation dates, author information, and last accessed times.
• Forensic Integrity:
Ensuring that the original data is not altered or corrupted during the investigation process.
• Chain of Custody:
A documented record of who handled the evidence, when, and why, to maintain its integrity.
4. Applications:
• Cybercrime Investigations:
Identifying and investigating cybercrimes like hacking, malware attacks, and data breaches.
• Criminal Investigations:
Analyzing evidence from devices related to criminal activity, such as murder or drug
trafficking.
• Civil Litigation:
Investigating disputes involving data breaches, intellectual property theft, and contract
disputes.
• Corporate Investigations:
Analyzing data to identify corporate misconduct, fraud, or internal threats.

The Need for Computer Forensics

Computer forensics is needed to investigate and resolve a wide range of issues in the digital
world, from cybercrimes and data breaches to legal disputes and data recovery. It's a critical
tool for law enforcement, businesses, and individuals alike, helping to identify and address
problems related to technology and data.
1. Investigating Cybercrimes and Data Breaches:
• Identifying cybercriminals:
Computer forensics helps pinpoint the source of cyberattacks, track down cybercriminals, and
gather evidence to be used in court.
• Recovering stolen data:
In cases of data breaches, computer forensics can help recover lost or stolen information.
• Protecting sensitive information:
By identifying vulnerabilities and security flaws, computer forensics can help organizations
prevent future cyberattacks and protect sensitive data.
2. Solving Legal Disputes:
• Electronic discovery (eDiscovery):
Computer forensics is used in civil litigation to gather and analyze electronic data, which can
be crucial in proving or disproving claims.
• Intellectual property theft:
Computer forensics can help identify the source of stolen intellectual property and track its
flow.
• Fraud investigations:
By analyzing financial records and other digital evidence, computer forensics can assist in
identifying fraudulent activities.
3. Data Recovery:
• Recovering lost or damaged data:
Computer forensics professionals can recover data from damaged or broken devices, such as
hard drives, servers, and mobile devices.
• Restoring systems:
In the event of a system crash or failure, computer forensics can help restore critical data and
functionality.
4. Other Applications:
• National security:
Computer forensics plays an important role in national security, helping to investigate
cyberattacks and identify potential threats.
• Preventing future crimes:
By identifying vulnerabilities and security flaws, computer forensics can help organizations
improve their security posture and prevent future crimes.
In essence, computer forensics is a vital tool for ensuring the integrity and security of digital
systems and data, as well as for resolving disputes and bringing justice in the digital age.
CHARACTERISTICS
• Identification: Identifying what evidence is present, where it is stored, and how it is
stored (in which format). Electronic devices can be personal computers, Mobile
phones, PDAs, etc.
• Preservation: Data is isolated, secured, and preserved. It includes prohibiting
unauthorized personnel from using the digital device so that digital evidence,
mistakenly or purposely, is not tampered with and making a copy of the original
evidence.
• Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions
based on evidence.
• Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are documented.
• Presentation: All the documented findings are produced in a court of law for further
investigations.
Procedure
The procedure starts with identifying the devices used and collecting the preliminary
evidence on the crime scene. Then the court warrant is obtained for the seizure of the
evidence which leads to the seizure of the evidence. The evidence are then transported to
the forensics lab for further investigations and the procedure of transportation of the evidence
from the crime scene to labs are called chain of custody. The evidence are then copied for
analysis and the original evidence is kept safe because analysis are always done on the copied
evidence and not the original evidence.
The analysis is then done on the copied evidence for suspicious activities and accordingly, the
findings are documented in a nontechnical tone. The documented findings are then presented
in a court of law for further investigations.
Applications
• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgeries related matters
• Bankruptcy investigations
• Issues concerned the regulatory compliance
Advantages of Computer Forensics
• To produce evidence in the court, which can lead to the punishment of the culprit.
• It helps the companies gather important information on their computer systems or
networks potentially being compromised.
 • Efficiently tracks down cyber criminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows to extract, process, and interpret the factual evidence, so it proves the
cybercriminal action's in the court.
Disadvantages of Computer Forensics
• Before the digital evidence is accepted into court it must be proved that it is not
tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• Need to produce authentic and convincing evidence.
• If the tool used for digital forensics is not according to specified standards, then in a
court of law, the evidence can be disapproved by justice.
• A lack of technical knowledge by the investigating officer might not offer the desired
result.
Cyber forensics and Digital Evidence
Cyber forensics, also known as digital forensics or computer forensics, is the practice of
collecting, analyzing, and preserving digital evidence from various sources like computers,
mobile devices, and networks. This evidence can be used in legal proceedings, investigations,
and other contexts.
Key aspects of cyber forensics and digital evidence:
• Digital Evidence:
This refers to any digital data that can be used as evidence, such as log files, emails, browsing
history, social media posts, and data from various devices and systems.
• Collection and Preservation:
Cyber forensics involves using specialized tools and techniques to collect digital evidence in
a way that ensures its integrity and admissibility in court. This includes creating forensic
images of hard drives and other storage devices.
• Analysis:
The collected data is then analyzed to identify relevant information, trace activities, and
determine the nature and extent of a cyber incident.
• Reporting:
The findings are documented and presented in a clear and concise manner, often for use in
legal proceedings or investigations.
Examples of digital evidence:
• Log files:
System logs, application logs, and network logs can reveal important information about user
activity, system events, and network traffic.
• Email:
Email communication can provide insights into communication patterns, intentions, and
relevant information related to an incident.
• Browsing history:
Web browsing history can reveal the websites a user visited, their online activity, and
potentially malicious links.
• Social media posts:
Social media posts can provide insights into an individual's activities, relationships, and
potentially relevant information about a cyber incident.
• Data from mobile devices:
Mobile devices can contain a wealth of information, including contacts, messages, photos,
and browsing history, which can be valuable in investigations.
Importance of cyber forensics:
• Legal investigations:
Cyber forensics plays a crucial role in investigating cybercrimes and other legal matters.
• Cybersecurity incident response:
Cyber forensics helps organizations understand and respond to cyberattacks, identify the
cause of incidents, and prevent future attacks.
• Data recovery:
Cyber forensics can be used to recover lost or damaged data.
• Corporate investigations:
Cyber forensics can be used in corporate investigations to determine if employees have
violated company policies or engaged in unethical behavior.
Advantages of Digital Evidence Forensics in Cyber Security
• It is vital to keep computer systems and other digital devices safe.
• Evidence can be produced when needed in a court of law for the authorities to pass
judgment.
• In case the systems & networks are compromised within an organization, this can be
used for capturing sensitive details.
• This collection helps in tracing cybercriminals in all parts of the world quickly.
• Take out, analyze, and explain the evidence in a law court to show one is criminal
behavior.
Challenges Faced During Digital Evidence Collection
• Evidence should be handled with utmost care as data is stored in electronic media and
it can get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.
Forensics Analysis of E-Mail
Email forensic analysis is the process of examining emails and related data to determine their
source, authenticity, and content. It involves analyzing email headers, metadata, and
attachments to uncover information about senders, recipients, dates, and potential malicious
activity. This can be used to investigate email-related crimes, identify data leaks, or
understand the flow of communication.
Key aspects of email forensic analysis include:
• Header Analysis:
Examining the email header provides insights into the email's path, including the IP addresses
of servers and potential points of origin. This can help determine if an email was spoofed or if
there are unusual routing paths.
• Metadata Extraction:
Email metadata contains information about when and where an email was created, forwarded,
or read. This data can help establish a timeline for suspicious emails and identify
unauthorized access points.
• Attachment and Link Examination:
Forensic investigators analyze attachments and embedded links in emails for malicious
content, such as malware or phishing attempts. They may also extract payloads from these
elements for deeper examination.
• Content Analysis:
Analyzing the language and phrasing of emails can reveal insights into phishing or business
email compromise (BEC) attempts. Investigators look for signs of social engineering or
unusual language patterns.
• Email Artifacts:
These are crucial evidence that can be recovered from a single email, including the header
(which contains information about the email's origin, timestamp, and routing), and the email
body (which contains the actual content).
Tools and Techniques:
• Specialized Software:
Forensic investigators use specialized tools to analyze emails, including tools for header
analysis, metadata extraction, and file analysis.
 • Email Analytics:
Some email platforms provide analytics that track user engagement with emails, including
open rates, click-through rates, and other metrics.
• Network Device Investigation:
Logs from network devices like routers and firewalls can be used to trace the path of an email
and identify the source of a message.
• Server Investigation:
Copies of delivered emails and server logs can be examined to identify the source of a
message.
Digital Forensics Life Cycle

1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It might be possible
that the evidence may be overlooked and not identified at all. A sequence of events in a
computer might include interactions between:
• Different files
• Files and file systems
• Processes and files
• Log files
In case of a network, the interactions can be between devices in the organization or across the
globe (Internet). If the evidence is never identified as relevant, it may never be collected and
processed.
2. Collecting and Recording Digital Evidence
Digital evidence can be collected from many sources. The obvious sources can be:
• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices
Non-obvious sources can be:
• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags
Proper care should be taken while handling digital evidence as it can be changed easily. Once
changed, the evidence cannot be analysed further. A cryptographic hash can be calculated for
the evidence file and later checked if there were any changes made to the file or not.
Sometimes important evidence might reside in the volatile memory. Gathering volatile data
requires special technical skills.
3. Storing and Transporting Digital Evidence
Some guidelines for handling of digital evidence:
• Image computer-media using a write-blocking tool to ensure that no data is added to
the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their
accuracy and reliability
Care should be taken that evidence does not go anywhere without properly being traced.
Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving mechanisms
Sometimes evidence must be transported from place to place either physically or through a
network. Care should be taken that the evidence is not changed while in transit. Analysis is
generally done on the copy of real evidence. If there is any dispute over the copy, the real can
be produced in court.
4. Examining/Investigating Digital Evidence
Forensics specialist should ensure that he/she has proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one
has the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is
called dead analysis.
Many current attacks leave no trace on the computer’s hard drive. The attacker only exploits
the information in the computer’s main memory. Performing forensic investigation on main
memory is called live analysis. Sometimes the decryption key might be available only in
RAM. Turning off the system will erase the decryption key. The process of creating and exact
duplicate of the original evidence is called imaging. Some tools which can create entire hard
drive images are:
• DCFLdd
• Iximager
• Guymager
The original drive is moved to secure storage to prevent tampering. The imaging process is
verified by using the SHA-1 or any other hashing algorithms.
5. Analysis, Interpretation and Attribution
In digital forensics, only a few sequences of events might produce evidence. But the possible
number of sequences is very huge. The digital evidence must be analyzed to determine the
type of information stored on it. Examples of forensics tools:
• Forensics Tool Kit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images
Types of digital analysis:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
 • Network analysis
• Image analysis
• Video analysis
6. Reporting
After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. The report contains all the details about the evidence in analysis, interpretation,
and attribution steps. As a result of the findings in this phase, it should be possible to confirm
or discard the allegations. Some of the general elements in the report are:
• Identity of the report agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
7. Testifying
This phase involves presentation and cross-examination of expert witnesses. An expert
witness can testify in the form of:
• Testimony is based on sufficient facts or data
• Testimony is the product of reliable principles and methods
• Witness has applied principles and methods reliably to the facts of the case
Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be
taken when collecting digital evidence are:
• No action taken by law enforcement agencies or their agents should change the
evidence
• When a person to access the original data held on a computer, the person must be
competent to do so
• An audit trial or other record of all processes applied to digital evidence should be
created and preserved
• The person in-charge of the investigation has overall responsibility for ensuring that
the law and these are adhered to
Chain of Custody:
In cybersecurity, the chain of custody (CoC) is a process that meticulously tracks the
handling and movement of digital evidence from its collection to its analysis and presentation
in legal proceedings. It ensures the integrity and authenticity of evidence, guaranteeing its
admissibility in court by documenting all stages of its lifecycle, including who handled it,
when, and for what purpose.
1. Documentation and Tracking:
• CoC involves documenting every step of the evidence handling process, from the
initial seizure to its analysis and potential use in legal proceedings.
• This documentation includes details like the date and time of each transfer, the person
responsible for the evidence, and the purpose of the transfer.
• A complete and accurate CoC creates a verifiable "paper trail" or "forensic link" that
demonstrates the evidence has not been tampered with or altered.
2. Ensuring Evidence Integrity:
• The goal of CoC is to ensure the evidence remains unaltered and reliable throughout
its lifecycle, thus maintaining its integrity.
• This requires careful handling, secure storage, and the use of methods like checksums
and file integrity reporting to detect any modifications.
• A broken CoC can compromise the admissibility of the evidence in court, as it raises
doubts about its authenticity and integrity.
3. Importance in Legal Proceedings:
• A well-maintained CoC is crucial for establishing the authenticity and reliability of
digital evidence, which is essential for legal proceedings.
• It allows courts to confidently rely on the evidence presented by ensuring that it has
not been tampered with or altered in any way.
• Without a proper CoC, the evidence may be deemed inadmissible, potentially
jeopardizing the entire case.
4. Examples of CoC in Cyber Security:
• Digital Forensics:
In digital forensics investigations, CoC ensures that the evidence collected from a computer
system or network is handled and analyzed in a way that maintains its integrity.
• Cloud Forensics:
In cloud environments, CoC is used to track the movement and control of data and evidence
within the cloud, ensuring its integrity and admissibility.
• Data Migration:
During data migration projects, CoC helps to document the movement and changes made to
data, ensuring its integrity and accountability.
5. Key Features of a Robust CoC:
• Careful Documentation:
Detailed records of all data handling processes, including date and time, involved parties,
actions taken, and relevant comments.
• Preservation of Integrity:
Employing methods to ensure data remains unchanged, such as encryption, secure storage,
and careful vetting of personnel.
• Accountability:
Assigning responsible parties for each stage of the data lifecycle, ensuring that breaches or
mishaps can be traced.

Network Forensics
Network forensics is about looking at how computers talk to each other. It helps us
understand what happens in a company's computer systems. This is important when we need
to find out if someone did something wrong using computers. To do network forensics well,
we need to follow certain steps and use special tools. These tools help us see and understand
the information that moves between computers.
This helps find out if someone did something bad using computers. Network forensics looks
at network traffic, logs, and other data about network use. It helps solve computer crimes,
network problems, and data theft. The main job of network forensics is to find and keep
digital proof that can be used in court. By looking at network records, people who solve
computer crimes can piece together what happened.
They can see how people talk and when things happen. This helps them understand crimes or
strange events better. When looking at the records, they check for signs of people talking, if
files were changed, if certain words were used, and other clues that something bad might
have happened.
Network Forensics Examination Steps
Identification
First, decide what you need to look at. This helps you know what information to collect and
what tools to use. This step is very important for the whole process.
Preservation
Next, keep the evidence safe. Make copies of important data and store them securely. Collect
data in a way that keeps it unchanged. Use tools like Autopsy or Encase to keep the evidence
safe.
Collection
Now, gather the data. You can do this by hand or with special tools. It's often best to use both
ways. By hand, you look at each file. With tools, you use software to check network traffic
and get data.
Examination
Look closely at the collected data. Check for unusual things that might show a security
problem. Look at the data and its details. Check for signs that something bad happened, like
strange IP addresses or file names.
Analysis
Use the information from network traffic to figure out what happened. Use special software
to watch network activity. These tools also look at records to spot problems.
Presentation
Share what you found. Write a report or give a talk. Include all important information, like
proof of someone breaking in or doing bad things. Suggest ways to make things safer. Be
ready to answer questions.
Incident Response
Use what you learned to deal with the problem. Try to limit damage, find the main cause, and
fix it. Take steps to stop it from happening again. The plan should try to keep the system
running, save data, and protect the organization.
Types of Tools Available
There are many tools for looking at network evidence. These tools get information from
different parts of the network, like routers and servers. Here are some types -
1. Packet capture tools: These catch and save network data to look at later. They show
what's moving on the network. Examples are Wireshark, TCPDump, and Arkime. These tools
let you see the content of network messages.
2. Full-packet capture tools: These save all the data that goes through a network. They don't
miss anything. NetWitness Investigator and RSA NetWitness Platform are examples. They're
good for deep checking of network traffic.
3. Log analysis tools: These help look at records from network devices. Splunk, ELK Stack,
and Graylog are examples. They can find patterns in lots of records quickly.
4. NetFlow analysis tools: These look at network traffic patterns. They can spot unusual
things. SolarWinds NetFlow Traffic Analyzer and ManageEngine NetFlow Analyzer are
examples. They're useful for seeing how the network is used.
5. SIEM tools: These show all the records from different network devices in one place.
Splunk Enterprise Security and IBM QRadar are examples. They help spot problems across
the whole network.
6. Digital forensics platforms: These do everything from getting data to making reports.
RSA NetWitness Platform and Splunk Enterprise Security are examples. They're all-in-one
tools for network checking.
7. Intrusion detection system tools: These watch for bad things on the network and warn
about them. Snort and Suricata are examples. They help stop attacks before they cause
problems.
Security/Privacy Threats:
Cybersecurity threats encompass both security and privacy concerns, with security threats
aiming to compromise data integrity and availability, while privacy threats focus on
confidentiality and unauthorized access to personal information. Common security threats
include malware, phishing, ransomware, denial-of-service attacks, and insider
threats. Privacy threats can include data breaches, unauthorized access to personal
information, and tracking technologies.
Security Threats:
• Malware:
Malicious software designed to damage systems, steal data, or disrupt operations.
• Phishing:
Deceptive emails or messages that trick users into revealing sensitive information like
passwords or credit card details.
• Ransomware:
Malware that encrypts data and demands payment for decryption keys.
• Denial-of-Service (DoS) Attacks:
Overloading systems with traffic to make them unavailable to legitimate users.
• Insider Threats:
Malicious or accidental actions from within an organization that can compromise data and
systems.
• SQL Injection:
Exploiting vulnerabilities in web applications to gain unauthorized access to databases.
• XSS (Cross-Site Scripting):
Injections of malicious scripts into websites, allowing attackers to steal user data or
compromise the application.
Privacy Threats:
• Data Breaches:
Unauthorized access to sensitive data, often resulting from security vulnerabilities or insider
threats.
• Unauthorized Access:
Gaining access to private information without proper authorization.
• Tracking Technologies:
Using cookies, web beacons, and other methods to track user activity and collect personal
information.
• Social Engineering:
Manipulating individuals to reveal sensitive information or grant access to systems.
• Credential Theft:
Stealing login credentials to gain unauthorized access to accounts and systems.
The Interrelation of Security and Privacy:
Security threats can lead to privacy violations if attackers succeed in stealing or accessing
sensitive data. For example, a successful ransomware attack could lead to the exposure of
private data if the attacker releases the encrypted data to the public or sells it on the dark
web. Similarly, social engineering can be used to bypass security measures and gain
unauthorized access to personal information.
Protecting Against Cyber Threats:
• Strong Passwords: Using unique, strong passwords for all accounts and regularly
changing them.
• Antivirus Software: Installing and regularly updating antivirus and anti-malware
software.
• Firewalls: Using firewalls to protect networks and systems from unauthorized access.
• Data Backup: Regularly backing up important data to prevent data loss in case of a
security breach.
• Security Awareness Training: Educating employees about cyber threats and best
practices for online security.
• Staying Up-to-Date: Keeping software and operating systems updated to patch
vulnerabilities.
• Using HTTPS: Using HTTPS for all online transactions to ensure secure
communication.
• Being Wary of Phishing Emails: Being careful about clicking links or opening
attachments in suspicious emails.

Challenges in Digital Forensics

Data Encryption: Encryption can make it difficult to access the data on a device or network,
making it harder for forensic investigators to collect evidence. This can require specialized
decryption tools and techniques.
Data Destruction: Criminals may attempt to destroy digital evidence by wiping or
destroying devices. This can require specialized data recovery techniques.
Data Storage: The sheer amount of data that can be stored on modern digital devices can
make it difficult for forensic investigators to locate relevant information. This can require
specialized data carving techniques to extract relevant information.
Digital forensics is a rapidly evolving field that requires a combination of technical
knowledge, an understanding of legal principles, and investigative skills to be successful.