
Current Computer Forensics Tools – Software & Hardware

• Computer forensics involves the capture,
preservation, and analysis of digital data to
determine whether a crime has or has not
been committed.
• Crimes may be:
• Purely computer-related (hacking, data theft,
cyber fraud), or
• Traditional crimes where evidence exists in
digital form (emails, documents, mobile data).
Types of Digital Data
• Persistent Data
– Stored on hard drives, USB drives, CDs, etc.
– Remains intact even when the system is powered off.
• Volatile Data
– Stored in RAM or in transit (network connections,
running processes).
– Lost when the system is turned off.
– Can be critical evidence, so a powered-on system at a crime scene should remain ON until properly imaged.
Phases of Computer Forensics
• Acquisition
• Creating forensic images of storage devices
• Collecting volatile and non-volatile evidence
• Analysis
• Examining collected data
• Recovering deleted or hidden information
• Presentation
• Preparing reports and presenting findings in court
• (No special tools are generally used in this phase.)
Types of Computer Forensics Tools
• 1. Hardware Forensic Tools
• Range from:
• Write blockers
• Imaging devices
• Dedicated forensic workstations and servers
• Used to safely acquire data without modifying
the original evidence.
• 2. Software Forensic Tools
• Two major categories:
• Command-Line Tools
– Fast, scriptable, lightweight
– Preferred by experts for automation
• GUI Tools
– User-friendly
– Provide visualization, reporting, and easy navigation
• 👉 Main purpose: Copy data from a suspect disk to a
forensic image file and analyze it without altering the
Capabilities of Forensic Tools
• Recover deleted files
• Identify attached external devices and users who
accessed them
• Determine executed programs
• Recover visited web pages and browser history
• Recover emails and identify who read them
• Recover chat logs and social media data
• Identify accessed file servers
• Reveal hidden document history (metadata)
• Extract phone records and SMS from mobile devices
Tasks Performed by Forensic Tools
• Acquisition – Imaging and collecting evidence
• Validation & Discrimination – Ensuring data
integrity and filtering relevant data
• Extraction – Retrieving useful information
• Reconstruction – Rebuilding events and
timelines
• Reporting – Generating forensic reports for
legal use
Acquisition and Seizure of Evidence from Computers and Mobile Devices
• The acquisition and seizure of digital evidence
is a crucial stage in digital forensics. It involves
identifying, collecting, preserving, and
analyzing electronic data from computers and
mobile devices while ensuring that the
evidence remains authentic and legally
admissible.
1. Principles of Digital Evidence Acquisition
• Preservation – Evidence must not be altered,
damaged, or contaminated during collection.
• Integrity – Originality of data must be maintained
using cryptographic hash values (MD5, SHA-256).
• Chain of Custody – Every action on the evidence
must be documented to track who handled it and
when.
• Admissibility – All procedures must follow legal and forensic standards so that evidence is acceptable in court.
2. Evidence Seizure Process
• A. Seizing Computers
• Identify the Device
• Locate desktops, laptops, external drives, and USB devices related
to the suspect.
• Document the Scene
• Photograph the system setup, connected cables, and peripherals.
• Record serial numbers, model details, and running applications.
• Power Considerations
• If the system is ON:
– Capture volatile data such as RAM and running processes with tools like FTK Imager, then examine the memory image with Volatility.
• If the system is OFF:
– Do not power it on; directly create a forensic image of the disk.
• Handling Storage Devices
• Use write blockers to prevent modification of
original data.
• Clone the disk using tools such as EnCase, FTK
Imager, or dd.
• Packaging and Transport
• Place devices in anti-static bags.
• Maintain detailed evidence transfer logs.
B. Seizing Mobile Devices
• Secure the Device
• Use Faraday bags to block network signals and prevent remote
wiping.
• Document the screen state and active applications.
• Identify Lock Mechanisms
• Check for PIN, pattern, password, fingerprint, or face lock.
• Use forensic tools like Cellebrite UFED or Magnet AXIOM for
access.
• Extract Data
• Logical Extraction: retrieves visible data (contacts, SMS, call logs).
• Physical Extraction: bit-by-bit copy of entire memory, including
deleted data.
• Preserve SIM & Memory Cards
• Remove and analyze SIM using forensic
readers.
• Clone SD cards using write-protected
adapters.
• Transport and Storage
• Keep devices in controlled environments.
• Maintain strict chain-of-custody records.
Chain of Custody
• The Chain of Custody refers to a detailed record that tracks the movement, handling, and storage of digital evidence throughout an investigation.
Importance of Chain of Custody
• Legal Admissibility: Ensures that evidence is
accepted in court.
• Evidence Integrity: Prevents unauthorized
access and modifications.
• Accountability: Tracks who handled the
evidence and when.
• Investigation Transparency: Provides a clear record of evidence movement.
Steps in Maintaining the Chain of Custody
• Step 1: Evidence Collection
• Identify all relevant digital devices such as
computers, mobiles, hard disks, USB drives,
and memory cards.
• Document the crime scene before touching
any device (photographs, notes, sketches).
• Create forensic images using trusted tools like
FTK Imager or EnCase instead of working on
the original evidence.
• Step 2: Proper Documentation
• Record complete details in the Chain of Custody
form:
• Date and time of collection
• Location of seizure
• Name and designation of the collector
• Description of evidence (device type, serial
number, capacity)
• Condition of the device (on/off, damaged, locked)
• Step 3: Evidence Handling
• Use write blockers to prevent accidental modification.
• Place mobile devices in Faraday bags to block network
signals.
• Seal all items in tamper-proof covers with proper labels and
case IDs.
• Step 4: Secure Storage
• Store evidence in a restricted forensic lab or evidence
locker.
• Maintain suitable environmental conditions (temperature,
humidity).
• Allow access only to authorized personnel.
• Step 5: Evidence Transfer
• Every transfer must be logged with:
– Name and signature of sender and receiver
– Date and time
– Purpose of transfer
• Use secure and traceable transportation.
• Step 6: Analysis and Reporting
• Analyze evidence using forensic tools (Autopsy,
Volatility, EnCase).
• Maintain an activity log of all actions performed.
• Prepare detailed forensic reports for legal presentation.
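The Integrity principle (hash values recorded at seizure) and Steps 2 and 5 above (custody form fields and transfer logging) fit together in one small tool; the script below is an added illustration, not code from FTK Imager, EnCase or any other product named on these slides, and every file name, handler, location and timestamp in it is constructed. It uses SHA-256 rather than MD5, since MD5 collisions are practical, and chains each custody entry to the previous one so that a later edit to the ledger is detectable.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash an image in 1 MiB chunks so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Hash-chained ledger: editing any entry or removing a non-final one makes verify() fail."""
    def __init__(self):
        self.entries = []
    @staticmethod
    def _digest(fields):
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()
    def add(self, when, action, handler, location, evidence_hash, purpose=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        fields = {"when": when, "action": action, "handler": handler, "location": location,
                  "evidence_hash": evidence_hash, "purpose": purpose, "prev": prev}
        self.entries.append({**fields, "entry_hash": self._digest(fields)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            if fields["prev"] != prev or self._digest(fields) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def demo():
    """Constructed walk-through (not from any forensic product; names, times and disk
    contents are made up): hash at seizure, re-verify, then detect silent edits."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "suspect_disk.bin")  # stand-in for the seized drive
        with open(disk, "wb") as f:
            f.write(b"MBR\x00" * 64 + b"deleted_report.docx" + b"\x00" * 1000)
        seized_hash = sha256_file(disk)  # value written on the custody form
        log = CustodyLog()
        log.add("2024-01-10T09:00:00Z", "collected", "A. Examiner", "Office 4B", seized_hash)
        log.add("2024-01-10T12:30:00Z", "transferred", "B. Custodian", "Locker 7", seized_hash, "storage")
        intact = sha256_file(disk) == seized_hash and log.verify()
        with open(disk, "ab") as f:  # one appended byte: image no longer matches
            f.write(b"\x01")
        log.entries[1]["handler"] = "C. Nobody"  # back-dated edit to the ledger
        return intact, sha256_file(disk) == seized_hash, log.verify()
```

`demo()` returns `(True, False, False)`: the image and ledger verify on receipt, and both the altered image and the edited transfer entry are caught afterwards.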
