Computer Forensics is a scientific method for investigating digital devices to gather evidence for legal proceedings. It encompasses various types such as disk, network, and mobile phone forensics, and involves processes like identification, preservation, analysis, and documentation of digital evidence. The field faces challenges like ensuring data integrity and handling volatile data, while its applications range from fraud investigations to intellectual property theft.

UNIT-IV

Introduction to Computer Forensics-


INTRODUCTION
Computer Forensics is a scientific method of investigation and analysis in order to gather evidence from digital devices or
computer networks and components which is suitable for presentation in a court of law or legal body. It involves
performing a structured investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computer and who was responsible for it.

Digital Forensics Science-


Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on
data stored electronically.
Electronic evidence is a component of almost all criminal activities and digital forensics support is crucial for law enforcement
investigations.
Electronic evidence can be collected from a wide array of sources, such as computers, smartphones, remote storage, unmanned
aerial systems, shipborne equipment, and more.
Digital forensics is the process of storing, analyzing, retrieving, and preserving electronic data that may be useful in an
investigation. It includes data from hard drives in computers, mobile phones, smart appliances, vehicle navigation systems,
electronic door locks, and other digital devices.

TYPES
• Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the device by searching active, modified, or deleted files.
• Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and analyzing computer network traffic.
• Database Forensics: It deals with the study and examination of databases and their related metadata.
• Malware Forensics: It deals with the identification of suspicious code and the study of viruses, worms, etc.
• Email Forensics: It deals with emails and their recovery and analysis, including deleted emails, calendars, and contacts.
• Memory Forensics: It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then analyzing it for further investigation.
• Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, and other data present on them.

CHARACTERISTICS-

• Identification: Identifying what evidence is present, where it is stored, and how it is stored (in which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
• Preservation: Data is isolated, secured, and preserved. This includes prohibiting unauthorized personnel from using the digital device so that the digital evidence is not tampered with, mistakenly or purposely, and making a copy of the original evidence.
• Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on the evidence.
• Documentation: A record of all the visible data is created. It helps in recreating and reviewing the crime scene. All the findings from the investigation are documented.
• Presentation: All the documented findings are produced in a court of law for further investigations.
APPLICATIONS-

• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance

Advantages of Computer Forensics:

• It produces evidence for the court, which can lead to the punishment of the culprit.
• It helps companies gather important information about their computer systems or networks potentially being compromised.
• It efficiently tracks down cyber criminals from anywhere in the world.
• It helps to protect the organization's money and valuable time.
• It allows extracting, processing, and interpreting factual evidence, so that the cybercriminal's actions can be proved in court.

Disadvantages of Computer Forensics:

• Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• The evidence produced must be authentic and convincing.
• If the tool used for digital forensics does not meet the specified standards, the evidence can be rejected by the court.
• A lack of technical knowledge on the part of the investigating officer might not give the desired result.
The Need for Forensics

Digital forensics is often a critical component of criminal cases, civil fraud cases, whistleblower complaints, internal investigations, and other matters that require analysis to understand when, how, and by whom technology was used to perpetrate misdeeds.

Digital forensic investigations can unearth a great deal of information after cyberattacks, including:

• Identifying the cause and implications of cyberattacks
• Containing and remediating attacks
• Safeguarding digital evidence before it becomes obsolete
• Retracing the hacker's steps and finding the hacker's tools
• Identifying whether data was accessed or exfiltrated
• Identifying the duration of unauthorized access to the network
• Geolocating the hacker's logins and mapping them

When Can Digital Forensic Investigations Help?

Examples of common scenarios where digital forensics investigations might be needed include:

Accidental or deliberate company data disclosure - When corporate information is disclosed without permission, either by accident or by design.

Intellectual property theft - When an employee steals intellectual property from an employer and passes it to a competitor or uses it to set up a competing company.

Employee internet abuse or misuse - When an employee violates a computer policy, such as an Internet use policy. If the systems in the office are used for any illegal activity, computer forensics can help determine when and how these illegalities happened.

Incident or breach investigations - When a cyberattack occurs, digital forensics can help identify exactly what happened and attempt to identify who or what was responsible, whether that's for prosecution or just internal knowledge.

White-collar crimes - When insiders or scamsters commit financially motivated crimes, such as identity theft, Ponzi schemes, embezzlement, and other fraud schemes.

Industrial espionage - When a competitor steals trade secrets by recording or copying confidential documents that contain secret formulas, product specifications, or business plans. Industrial espionage is an illegal activity, and computer forensics can help during investigations.

Fraud - When people deliberately provide false or misleading information to gain something unfairly; the Internet or technology is frequently involved.

Online harassment - When people use digital technologies such as social media platforms, email, messaging services, gaming platforms, or cell phone communications to sexually harass or defame people. Digital forensic investigations can help identify the perpetrator and halt these harmful activities.

Human resources investigations - When human resource professionals need to collect data to determine the veracity of allegations or alleged misbehavior.

Criminal and civil cases - When police or lawyers need evidence unearthed by digital forensic investigators to serve as the backbone of criminal or civil cases.
Digital Evidence-

In the early 80s PCs became more popular and easily accessible to the general population. This led to the increased use of computers in all fields, and criminal activities were no exception. As more and more computer-related crimes began to surface, such as computer fraud and software cracking, the computer forensics discipline emerged along with them. Today digital evidence collection is used in the investigation of a wide variety of crimes such as fraud, espionage, cyberstalking, etc. The knowledge of forensic experts and their techniques is used to explain the contemporaneous state of the digital artifacts from the seized evidence, such as computer systems, storage devices (SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as emails, images, documents, chat logs, phone logs, etc.

Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:

• Data collection: In this process data is identified and collected for investigation.
• Examination: In the second step the collected data is examined carefully.
• Analysis: In this process, different tools and techniques are used and the collected evidence is analyzed to reach a conclusion.
• Reporting: In this final step all the documentation and reports are compiled so that they can be submitted in court.

Types of Collectible Data:

The computer investigators and experts who examine the seized devices have to understand what kinds of potential evidence could be present and what type of evidence they are looking for, so that they can structure their search pattern. Crimes and criminal activities that involve computers range across a wide spectrum, from trading illegal goods such as rare and endangered animals, to damaging intellectual property, to personal data theft, etc.

The investigator must pick suitable tools to use during the analysis. Investigators can encounter several problems while investigating a case: files may have been deleted from the computer, they could be damaged, or they may even be encrypted. So the investigator should be familiar with a variety of tools, methods, and software to prevent the data from being damaged during the data recovery process.

There are two types of data that can be collected in a computer forensics investigation:

• Persistent data: It is the data that is stored on a non-volatile storage device such as a local hard drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these devices is preserved even when the computer is turned off.
• Volatile data: It is the data that is stored in volatile memory such as registers, cache, or RAM, or that exists in transit, and that will be lost once the computer is turned off or loses power. Since volatile data is evanescent, it is crucial that an investigator knows how to reliably capture it.
Types of Evidence:
Collecting evidence is really important in any investigation to support the claims in court. Below are some major types of evidence.

• Real Evidence: This involves physical or tangible evidence such as flash drives, hard drives, documents, etc. An eyewitness can also be considered a form of tangible evidence.
• Hearsay Evidence: Out-of-court statements that are presented in court to prove the truth of the matter asserted.
• Original Evidence: Evidence of a statement made by a person who is not a testifying witness. It is offered to prove that the statement was made rather than to prove its truth.
• Testimony: Testimony is when a witness takes an oath in a court of law and gives their statement in court.

The evidence presented should be authentic, accurate, reliable, and admissible, as it can be challenged in court.

Challenges Faced During Digital Evidence Collection:

• Evidence should be handled with utmost care, as data stored on electronic media can get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.

Email Forensics-
Email forensics is dedicated to investigating, extracting, and analyzing emails in a forensically sound manner to collect digital evidence that helps solve crimes and other incidents.

Email forensics is conducted across various aspects of emails, which mainly include:

• Email messages
• Email addresses (sender and recipient)
• IP addresses
• Date and time
• User information
• Attachments
• Passwords
• Logs (cloud, server, and local computer)

How Email Delivery Works

Example - to illustrate how an email travels from sender to recipient:

• STEP 1: To start, someone creates an email with a Mail User Agent (MUA); typical MUAs include Gmail, Apple Mail, Mozilla Thunderbird, and Microsoft Outlook Express.
• STEP 2: Regardless of the MUA used, the mail is created and sent to the user's mail transfer agent (MTA); the delivery process uses the SMTP protocol.
• STEP 3: The MTA then checks the recipient of the message (here we assume it is you), queries the DNS server for the domain name corresponding to the recipient MTA, and sends the message to the recipient MTA, again using the SMTP protocol.

At this point, the mail has been sent from the remote user's workstation to his ISP's (Internet Service Provider's) mail server and forwarded to your domain.
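Each MTA in steps 2 and 3 prepends a Received: header to the message, so the headers are the record an examiner reads to retrace the route. The following script is an added example, not part of the original notes: it parses those headers from a constructed message (all host names, addresses and IDs are made up), lists the hops in delivery order, and flags a hand-off whose hosts or timestamps do not line up, which is what a forged or inserted header looks like.

```python
import email
import email.utils
import re

# Constructed sample message (hosts, addresses and IDs are made up). Each MTA
# prepends its own Received: header, so the top one is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from mx.sender.example (mx.sender.example [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTPS id 7F3A1C0
\tfor <alice@recipient.example>; Mon, 04 Mar 2024 10:15:22 +0000
Received: from workstation.sender.example (unknown [203.0.113.42])
\tby mx.sender.example (Postfix) with ESMTP id 1A2B3C
\tfor <alice@recipient.example>; Mon, 04 Mar 2024 10:15:19 +0000
From: Bob <bob@sender.example>
To: alice@recipient.example
Subject: Quarterly figures
Date: Mon, 04 Mar 2024 10:15:18 +0000
Message-ID: <constructed-0001@sender.example>

Please find the figures attached.
"""

# "from <host> (<info>) by <host> ... ; <date>" is the usual shape of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)"
    r".*?;\s*(?P<timestamp>.+)$"
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Unfold one Received: header and pull out the hop details."""
    value = " ".join(value.split())          # join continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return {"raw": value, "from_host": None, "by_host": None,
                "from_ip": None, "timestamp": None}
    hop = m.groupdict()
    ip = IPV4_RE.search(hop.get("from_info") or "")
    hop["from_ip"] = ip.group(1) if ip else None
    hop["timestamp"] = email.utils.parsedate_to_datetime(hop["timestamp"])
    return hop


def trace_route(raw_message: str) -> list:
    """Return the hops in delivery order: sending workstation first, final MTA last."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                           # headers are newest-first on the wire
    return hops


def check_consistency(hops: list) -> list:
    """Each hop's 'by' host should be the next hop's 'from' host, and time should
    not run backwards; a break suggests a forged or inserted header."""
    issues = []
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by_host"] != nxt["from_host"]:
            issues.append(f"hop mismatch: {prev['by_host']} handed off, "
                          f"but the next hop claims it came from {nxt['from_host']}")
        if prev["timestamp"] and nxt["timestamp"] and nxt["timestamp"] < prev["timestamp"]:
            issues.append(f"timestamp goes backwards at {nxt['by_host']}")
    return issues


if __name__ == "__main__":
    route = trace_route(SAMPLE_MESSAGE)
    for hop in route:
        print(f"{hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']} at {hop['timestamp']}")
    print("issues:", check_consistency(route) or "none")
```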

Digital Forensics Life Cycle

The digital forensics process is shown in the following figure. The forensic life cycle phases are:

1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It is possible that evidence may be overlooked and not identified at all. A sequence of events in a computer might include interactions between:

• Different files
• Files and file systems
• Processes and files
• Log files

In the case of a network, the interactions can be between devices in the organization or across the globe (Internet). If the evidence is never identified as relevant, it may never be collected and processed.

2. Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources. The obvious sources can be:

• Mobile phones
• Digital cameras
• Hard drives
• CDs
• USB memory devices

Non-obvious sources can be:

• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags

Proper care should be taken while handling digital evidence as it can be changed easily. Once changed, the evidence cannot be analysed further. A cryptographic hash can be calculated for the evidence file and later checked to determine whether any changes were made to the file. Sometimes important evidence might reside in volatile memory. Gathering volatile data requires special technical skills.

3. Storing and Transporting Digital Evidence

Some guidelines for handling digital evidence:

• Image computer media using a write-blocking tool to ensure that no data is added to the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability

Care should be taken that evidence does not go anywhere without being properly traced. Things that can go wrong in storage include:

• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media-preserving mechanisms

Sometimes evidence must be transported from place to place, either physically or through a network. Care should be taken that the evidence is not changed while in transit. Analysis is generally done on a copy of the real evidence. If there is any dispute over the copy, the original can be produced in court.
4. Examining/Investigating Digital Evidence

A forensics specialist should ensure that he/she has proper legal authority to seize, copy and examine the data. As a general rule, one should not examine digital information unless one has the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is called dead analysis.

Many current attacks leave no trace on the computer's hard drive. The attacker only exploits the information in the computer's main memory. Performing forensic investigation on main memory is called live analysis. Sometimes the decryption key might be available only in RAM, and turning off the system will erase it. The process of creating an exact duplicate of the original evidence is called imaging. Some tools which can create entire hard drive images are:

• dcfldd
• IXimager
• Guymager

The original drive is moved to secure storage to prevent tampering. The imaging process is verified by using SHA-1 or another hashing algorithm.

5. Analysis, Interpretation and Attribution

In digital forensics, only a few sequences of events might produce evidence, but the number of possible sequences is very large. The digital evidence must be analyzed to determine the type of information stored on it. Examples of forensics tools:

• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
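An added illustration, not part of the original notes, of the signature-based file carving that a tool such as Scalpel performs: the carver scans a raw image for known header and footer byte sequences without consulting the file system, which is why it also recovers deleted files from unallocated space. The signatures shown are a small subset, and the sample image is constructed.

```python
import hashlib

# Header/footer byte signatures (a constructed subset; real carvers ship hundreds).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # stop looking for a footer after 10 MiB


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE) -> list:
    """Scan a raw image for each known header and the footer that follows it.
    Returns (type, offset, data) tuples sorted by offset. The file system is never
    consulted, so objects lying in unallocated (deleted) space are found as well."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # header with no footer in range: skip it
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda f: f[1])


def carve_report(image: bytes) -> list:
    """Hash each carved object so it can be cited in the examination report."""
    return [
        {"type": t, "offset": off, "size": len(data),
         "sha256": hashlib.sha256(data).hexdigest()}
        for t, off, data in carve(image)
    ]


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: zero filler, a tiny JPEG, a truncated
    JPEG with no footer (which is not carved), and a tiny PNG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-1" + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0" + b"cut-off"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
    filler = b"\x00" * 64
    return filler + jpg + filler + truncated + filler + png + filler


if __name__ == "__main__":
    for entry in carve_report(build_sample_image()):
        print(entry)
```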

Forensic analysis includes the following activities:

• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to the crime
• Extracting emails and images

Types of digital analysis:

• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form, in written form, or both. The report contains all the details about the evidence from the analysis, interpretation, and attribution steps. As a result of the findings in this phase, it should be possible to confirm or discard the allegations. Some of the general elements in the report are:

• Identity of the reporting agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions

7. Testifying
This phase involves presentation and cross-examination of expert witnesses. An expert witness can testify provided that:

• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and methods
• The witness has applied the principles and methods reliably to the facts of the case

Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be taken when collecting digital evidence are:

• No action taken by law enforcement agencies or their agents should change the evidence
• When it is necessary for a person to access the original data held on a computer, that person must be competent to do so
• An audit trail or other record of all processes applied to digital evidence should be created and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to

Chain of Custody Process-


The chain of custody process refers to acquiring, storing, safeguarding and transferring an asset, whether digital or physical; more specifically, tracking and documenting each transfer of the asset as it moves from one place to another. While being a long and tedious process, chain of custody is vital as it ensures the authenticity of the acquired asset, increases transparency, and allows the personnel involved to be held accountable for the actions taken on the asset. With respect to cybersecurity, these assets can be equipment, infrastructure, evidence, systems, or data.

A break in the chain of custody is unacceptable, as it refers to a period during which the control of the asset is unknown, and the actions taken on the said asset cannot be confirmed and accounted for.

Chain of Custody in Cyber Security

The chain of custody in cyber security isn't much different from the one in legal matters. It's a documentation of the ownership of a digital asset, such as data, as it transfers from one person or organization to another, the exact date and time of the transfer, and the purpose of the transfer. Chain of custody standards are usually set by following the National Institute of Standards and Technology (NIST) or Cybersecurity Framework (CSF) guidelines in an organization to address risk and improve the security of the infrastructure.

Why is a Chain of Custody Important in Cyber Security?

The chain of custody process in cyber security is crucial as it confirms the integrity of the asset. Without a proper chain of custody, the digital infrastructure of the organization can be accessed unknowingly from any point by malicious people, calling the integrity of the systems into question. The management of the organization should have complete documentation of the operators that handled the asset, so they can be held accountable for their actions.

Regarding legal matters, the chain of custody for digital evidence is vital as it preserves the evidence in an unaltered state. Collection of digital evidence after a cyber incident should be well documented as it moves through to the final legal proceedings of the court, or else that key evidence might become inadmissible due to a lack of sufficient chain of custody to back its authenticity.

What are the Steps in the Chain of Custody in Cyber Security?

Preserving the asset or evidence of an organization requires the chain of custody to start from the collection of that
evidence, its analysis, reporting, and till it’s presented in court. Evidence is usually altered (such as the timestamps or
metadata associated) as it is transferred to different people or different organizations, so documenting its state right from the
point of the collection becomes necessary. Let’s discuss each step in the chain of custody in a bit more detail:

1. Data Collection

After an incident, the chain of custody starts from the collection of evidence and its state. Each acquired piece of evidence is
to be labeled with its source, the time of its collection, where it is stored, and who has access to it. All of this is documented
to preserve the integrity of the evidence.

2. Examination

The examination of the captured evidence carried out by the digital forensics team is then documented precisely. This
includes taking notes of the complete process, who examined it, and the evidence uncovered.

3. Analysis

The collected evidence is then transferred for analysis, and again, each step of the analysis is recorded. Analysts use digital forensics tools to reconstruct the background of the evidence and draw unbiased conclusions, which are documented.

4. Reporting

The final stage is to report the findings to the court in a professional digital forensics report, following standards set by
organizations such as the National Institute of Standards and Technology (NIST). The report covers key aspects of the chain
of custody, which include: the tools used to collect and process the evidence, the chain of custody statement, a list of the
data sources, identified issues and vulnerabilities, and the next possible steps to take. All of this adds to the authenticity and
viability of the evidence and makes it presentable to the court.
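An added example, not from the original notes, that ties the hash check described under "Collecting and Recording Digital Evidence" to the four chain-of-custody steps above: the image is hashed at acquisition, every hand-off re-hashes the copy being passed on, and the log is then verified for custody gaps, out-of-order timestamps and hash mismatches before it goes into the report. The case identifier, names and image bytes are constructed placeholders.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str           # ISO-8601 UTC timestamp, e.g. 2024-03-04T10:00:00Z
    action: str         # "acquired" or "transferred"
    from_person: str
    to_person: str
    purpose: str
    sha256: str         # hash of the evidence as observed at this event


@dataclass
class EvidenceItem:
    case_id: str
    item_id: str
    source: str
    acquisition_hash: str
    events: list = field(default_factory=list)


def acquire(case_id: str, item_id: str, source: str, image: bytes,
            examiner: str, when: str) -> EvidenceItem:
    """Start the chain: hash the freshly made image and record who took it from the scene."""
    h = sha256_of(image)
    item = EvidenceItem(case_id, item_id, source, h)
    item.events.append(CustodyEvent(when, "acquired", "scene", examiner, "imaging", h))
    return item


def transfer(item: EvidenceItem, image: bytes, from_person: str, to_person: str,
             purpose: str, when: str) -> None:
    """Every hand-off re-hashes the copy being handed over and logs what was observed."""
    item.events.append(CustodyEvent(when, "transferred", from_person, to_person,
                                    purpose, sha256_of(image)))


def verify_chain(item: EvidenceItem) -> list:
    """Return the problems found; an empty list means the chain is unbroken and the
    evidence still matches its acquisition hash."""
    problems = []
    if not item.events or item.events[0].action != "acquired":
        return ["chain does not start with an acquisition record"]
    prev = item.events[0]
    for ev in item.events[1:]:
        if ev.from_person != prev.to_person:
            problems.append(f"gap in custody: {prev.to_person} -> {ev.from_person} at {ev.when}")
        if ev.when < prev.when:
            problems.append(f"timestamp goes backwards at {ev.when}")
        if ev.sha256 != item.acquisition_hash:
            problems.append(f"hash mismatch at {ev.when}: evidence changed while held by {prev.to_person}")
        prev = ev
    return problems


def to_json(item: EvidenceItem) -> str:
    """Serialise the record for the report's chain-of-custody statement."""
    return json.dumps(asdict(item), indent=2)


def demo() -> tuple:
    """Constructed scenario: a clean hand-off, then a copy altered before presentation."""
    image = b"constructed disk image bytes " * 1000    # stands in for a dd/dcfldd image
    item = acquire("CASE-PLACEHOLDER", "ITEM-01", "workstation HDD (constructed)", image,
                   "examiner A", "2024-03-04T10:00:00Z")
    transfer(item, image, "examiner A", "analyst B", "analysis", "2024-03-04T12:00:00Z")
    clean = verify_chain(item)
    altered = bytearray(image)
    altered[100] ^= 0xFF                                # one flipped byte is enough
    transfer(item, bytes(altered), "analyst B", "court clerk", "presentation",
             "2024-03-05T09:00:00Z")
    return clean, verify_chain(item)


if __name__ == "__main__":
    before, after = demo()
    print("after hand-off to analyst:", before or "chain intact")
    print("after altered copy handed to court:", after)
```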

Network Forensics-

The word "forensics" means the use of science and technology to investigate and establish facts in criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge for the purpose of analyzing evidence and presenting it in court.

Network forensics is a subcategory of digital forensics that deals with the examination of a network and the traffic going across it when the network is suspected of being involved in malicious activities, for example a network that is spreading malware for stealing credentials, or for the purpose of analyzing cyber-attacks. As the Internet grew, cybercrime grew along with it, and so did the significance of network forensics, with the development and acceptance of network-based services such as the World Wide Web, e-mail, and others.

With the help of network forensics, the entire data exchange can be retrieved, including messages, file transfers, e-mails, and web browsing history, and reconstructed to expose the original transaction. It is also possible that the payload in the uppermost-layer packet winds up on disk while the envelopes used for delivering it are captured only in network traffic. Hence, the network protocol data that encloses each dialog is often very valuable.

To identify attacks, investigators must understand network protocols and applications such as web protocols, email protocols, network protocols, file transfer protocols, etc.

Investigators use network forensics to examine network traffic data gathered from networks that are involved or suspected of being involved in cyber-crime or any type of cyber-attack. After that, the experts look for data that points in the direction of file manipulation, human communication, etc. With the help of network forensics, investigators and cybercrime experts can generally track down all the communications and establish timelines based on network event logs logged by the NCS.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:

• Identification: In this process, investigators identify and evaluate the incident based on the network pointers.
• Safeguarding: In this process, the investigators preserve and secure the data so that tampering can be prevented.
• Accumulation: In this step, a detailed report of the crime scene is documented and all the collected digital evidence is duplicated.
• Observation: In this process, all the visible data is tracked along with the metadata.
• Investigation: In this process, a final conclusion is drawn from the collected evidence.
• Documentation: In this process, all the evidence, reports, and conclusions are documented and presented in court.

Challenges in Network Forensics:
• The biggest challenge is to manage the data generated during the process.
• Intrinsic anonymity of IP addresses.
• Address spoofing.

Advantages:
• Network forensics helps in identifying security threats and vulnerabilities.
• It analyzes and monitors network performance demands.
• Network forensics helps in reducing downtime.
• Network resources can be used in a better way through reporting and better planning.
• It helps in a detailed network search for any trace of evidence left on the network.

Disadvantage:
• The only disadvantage of network forensics is that it is difficult to implement.

Approaching a Computer Forensics Investigation

The phases in a computer forensics investigation are:

• Secure the subject system
• Take a copy of the hard drive/disk
• Identify and recover all files
• Access/view/copy hidden, protected, and temp files
• Study special areas on the drive
• Investigate the settings and any data from programs on the system
• Consider the system from various perspectives
• Create a detailed report containing an assessment of the data and information collected

Things to be avoided during a forensics investigation:

• Changing date/timestamps of the files
• Overwriting unallocated space

Things that must not be skipped during a forensics investigation:

• Engagement contract
• Non-Disclosure Agreement (NDA)

Elements addressed before drawing up a forensics investigation engagement contract:

• Authorization
• Confidentiality
• Payment
• Consent and acknowledgement
• Limitation of liability

General steps in solving a computer forensics case are:

• Prepare for the forensic examination
• Talk to key people about the case and what you are looking for
• Start assembling tools to collect the data and identify the target media
• Collect the data from the target media
• Use a write-blocking tool while performing imaging of the disk
• Check email records too while collecting evidence
• Examine the collected evidence on the image that is created
• Analyze the evidence
• Report your findings to your client