Name - Akhil Singh

Date – 14/10/2024.

P.R.N. – 2201409028

Subject – Cyber Security DMM 503

Topic – “Explain types of digital forensics with examples.”

Email – [email protected]

Assignment – Skill 4

PRN: 2201409028
What Is Digital Forensics?
Digital Forensics is the practice of identifying, acquiring, and analyzing electronic evidence.
Today almost all criminal activity has a digital forensics element, and digital forensics experts
provide critical assistance to police investigations. Digital forensic data is commonly used in
court proceedings.
An important part of digital forensics is the analysis of suspected cyberattacks, with the
objective of identifying, mitigating, and eradicating cyber threats. This makes digital
forensics a critical part of the incident response process. Digital forensics is also useful in the
aftermath of an attack, to provide information required by auditors, legal teams, or law
enforcement.
Electronic evidence can be gathered from a variety of sources, including computers, mobile
devices, remote storage devices, internet of things (IoT) devices, and virtually any other
computerized system.

Why Is Digital Forensics Important?

Digital forensics is commonly thought to be confined to digital and computing environments.
But in fact, it has a much larger impact on society. Because computers and computerized
devices are now used in every aspect of life, digital evidence has become critical to solving
many types of crimes and legal issues, both in the digital and in the physical world.
All connected devices generate massive amounts of data. Many devices log all actions
performed by their users, as well as autonomous activities performed by the device, such as
network connections and data transfers. This includes cars, mobile phones, routers, personal
computers, traffic lights, and many other devices in the private and public spheres.
Digital evidence can be used as evidence in investigation and legal proceedings for:
 Data theft and network breaches—digital forensics is used to understand how a
breach happened and who were the attackers.
 Online fraud and identity theft—digital forensics is used to understand the impact
of a breach on organizations and their customers.
 Violent crimes like burglary, assault, and murder—digital forensics is used to
capture digital evidence from mobile phones, cars, or other devices in the vicinity of
the crime.
 White collar crimes—digital forensics is used to collect evidence that can help
identify and prosecute crimes like corporate fraud, embezzlement, and extortion.
In the context of an organization, digital forensics can be used to identify and investigate both
cybersecurity incidents and physical security incidents. Most commonly, digital evidence is
used as part of the incident response process, to detect that a breach occurred, identify the
root cause and threat actors, eradicate the threat, and provide evidence for legal teams and
law enforcement authorities.

2
To enable digital forensics, organizations must centrally manage logs and other digital
evidence, ensure they retain it for a long enough period, and protect it from tampering,
malicious access, or accidental loss.
Defining Digital Risks
As organizations use more complex, interconnected supply chains including multiple
customers, partners, and software vendors, they expose digital assets to attack. Organizations
also leverage complex IT environments including on-premise and mobile endpoints, cloud-
based services, and cloud native technologies like containers—creating many new attack
surfaces.
Digital risks can be broken down into the following categories:
 Cybersecurity risk—an attack that aims to access sensitive information or systems
and use them for malicious purposes, such as extortion or sabotage.
 Compliance risk—a risk posed to an organization by the use of a technology in a
regulated environment. For example, technologies can violate data privacy
requirements, or might not have security controls required by a security standard.
 Third party risks—these are risks associated with outsourcing to third-party vendors
or service providers. For example, vulnerabilities involving intellectual property, data,
operational, financial, customer information, or other sensitive information shared
with third parties.
 Identity risk—attacks aimed at stealing credentials or taking over accounts. These
types of risks can face an organization’s own user accounts, or those it manages on
behalf of its customers.

What Are the Different Branches of Digital Forensics?

Computer Forensics
Computer forensic science (computer forensics) investigates computers and digital storage
evidence. It involves examining digital data to identify, preserve, recover, analyze and present
facts and opinions on inspected information.
This branch of computer forensics uses similar principles and techniques to data recovery, but
includes additional practices and guidelines that create a legal audit trail with a clear chain of
custody.
Mobile Device Forensics
Mobile device forensics focuses primarily on recovering digital evidence from mobile
devices. It involves investigating any device with internal memory and communication
functionality, such as mobile phones, PDA devices, tablets, and GPS devices.
Network Forensics

3
The network forensics field monitors, registers, and analyzes network activities. Network
data is highly dynamic, even volatile, and once transmitted, it is gone. It means that network
forensics is usually a proactive investigation process.
Forensic Data Analysis
Forensic data analysis (FDA) focuses on examining structured data, found in application
systems and databases, in the context of financial crime. FDA aims to detect and analyze
patterns of fraudulent activity.
Database Forensics
Database forensics involves investigating access to databases and reporting changes made to
the data. You can apply database forensics to various purposes. For example, you can use
database forensics to identify database transactions that indicate fraud.
Alternatively, your database forensics analysis may focus on timestamps associated with the
update time of a row in your relational database. This investigation aims to inspect and test
the database for validity and verify the actions of a certain database user.
The Digital Forensics Process
The digital forensics process may change from one scenario to another, but it typically
consists of four core steps—collection, examination, analysis, and reporting.
Collection
The collection phase involves acquiring digital evidence, usually by seizing physical assets,
such as computers, hard drives, or phones. It is critical to ensure that data is not lost or
damaged during the collection process. You can prevent data loss by copying storage media
or creating images of the original.
Examination
The examination phase involves identifying and extracting data. You can split this phase into
several steps—prepare, extract, and identify.
When preparing to extract data, you can decide whether to work on a live or dead system. For
example, you can power up a laptop to work on it live or connect a hard drive to a lab
computer.
During the identification step, you need to determine which pieces of data are relevant to the
investigation. For example, warrants may restrict an investigation to specific pieces of data.
Analysis
The analysis phase involves using collected data to prove or disprove a case built by the
examiners. Here are key questions examiners need to answer for all relevant data items:
 Who created the data
 Who edited the data

4
  How the data was created
 When these activities occur
In addition to supplying the above information, examiners also determine how the
information relates to the case.
Reporting
The reporting phase involves synthesizing the data and analysis into a format that makes
sense to laypeople. These reports are essential because they help convey the information so
that all stakeholders can understand.
Digital Forensic Techniques
Digital forensics involves creating copies of a compromised device and then using various
techniques and tools to examine the information. Digital forensics techniques help inspect
unallocated disk space and hidden folders for copies of encrypted, damaged, or deleted files.
Here are common techniques:
Reverse Steganography
Cybercriminals use steganography to hide data inside digital files, messages, or data streams.
Reverse steganography involves analyzing the data hashing found in a specific file. When
inspected in a digital file or image, hidden information may not look suspicious. However,
hidden information does change the underlying has or string of data representing the image.
Stochastic Forensics
Stochastic forensics helps analyze and reconstruct digital activity that does not generate
digital artifacts. A digital artifact is an unintended alteration of data that occurs due to digital
processes. Text files, for example, are digital artifacts that can content clues related to a
digital crime like a data theft that changes file attributes. Stochastic forensics helps
investigate data breaches resulting from insider threats, which may not leave behind digital
artifacts.
Cross-drive Analysis
Cross-drive analysis, also known as anomaly detection, helps find similarities to provide
context for the investigation. These similarities serve as baselines to detect suspicious events.
It typically involves correlating and cross-referencing information across multiple computer
drives to find, analyze, and preserve any information relevant to the investigation.
Live Analysis
Live analysis occurs in the operating system while the device or computer is running. It
involves using system tools that find, analyze, and extract volatile data, typically stored in
RAM or cache. Live analysis typically requires keeping the inspected computer in a forensic
lab to maintain the chain of evidence properly.
Deleted File Recovery

5
Deleted file recovery, also known as data carving or file carving, is a technique that helps
recover deleted files. It involves searching a computer system and memory for fragments of
files that were partially deleted in one location while leaving traces elsewhere on the
inspected machine.
Digital Forensic Tools
Before the availability of digital forensic tools, forensic investigators had to use existing
system admin tools to extract evidence and perform live analysis. The drawback of this
technique is that it risks modifying disk data, amounting to potential evidence tampering.
In 1989, the Federal Law Enforcement Training Center recognized the need and created
SafeBack and IMDUMP. In 1991, a combined hardware/software solution called DIBS
became commercially available. These tools work by creating exact copies of digital media
for testing and investigation while retaining intact original disks for verification purposes.
By the late 1990s, growing demand for reliable digital evidence spurred the release of more
sophisticated tools like FTK and EnCase, which allow analysts to investigate media copies
without live analysis.
Today, the trend is for live memory forensics tools like WindowsSCOPE or specific tools
supporting mobile operating systems. Commercial forensics platforms like CAINE and
Encase offer multiple capabilities, and there is a dedicated Linux distribution for forensic
analysis. Open source tools are also available, including Wireshark for packet sniffing and
HashKeeper for accelerating database file investigation.
The main types of digital forensics tools include disk/data capture tools, file viewing tools,
network and database forensics tools, and specialized analysis tools for file, registry, web,
Email, and mobile device analysis.
When evaluating various digital forensics solutions, consider aspects such as:

 Integration with and augmentation of existing forensics capabilities.

 Support for various device types and file formats.
 Availability of training to help staff use the product.
 CLI, graphic UI, and ease of use.
 Compatibility with additional integrations or plugins.
 Types of configurations available.
 Advanced features for more effective analysis.

DFIR: Combining Digital Forensics and Incident Response

Digital forensics and incident response (DFIR) is a cybersecurity field that merges digital
forensics with incident response. DFIR aims to identify, investigate, and remediate
cyberattacks. It helps reduce the scope of attacks and quickly return to normal operations.
6
DFIR involves using digital forensics techniques and tools to examine and analyze digital
evidence to understand the scope of an event, and then applying incident response tools and
techniques to detect, contain, and recover from attacks.
Here are key advantages of DFIR:
 Proactive defense—DFIR can help protect against various types of threats, including
endpoints, cloud risks, and remote work threats. It complements an overall
cybersecurity strategy with proactive threat hunting capabilities powered by artificial
intelligence (AI) and machine learning (ML).
 Quick incident response—digital forensics provides your incident response process
with the information needed to rapidly and accurately respond to threats. It can help
reduce the scope of attacks, minimize data loss, prevent data theft, mitigate
reputational damages, and quickly recover with limited disruption to your operations.
 Consistent process—integrating digital forensics with incident response helps create
a consistent process for your incident investigations and evaluation process. It helps
obtain a comprehensive understanding of the threat landscape relevant to your case
and strengthens your existing security procedures according to existing risks.