Created by Turbolearn AI
Introduction to Cybercrimes
Cybercrime Definition:
Criminal activities that involve computers, networks, or digital devices, targeting individuals, organizations,
or nations.
Key Characteristics:
Perpetrated in cyberspace, offering anonymity and global reach.
Exploits technological vulnerabilities.
Examples:
Hacking
Identity theft
Ransomware attacks
Cyberterrorism
Types and Classification of Cybercrimes
Cyber-Dependent Crimes:
Require technology (e.g., DDoS attacks, malware deployment).
Cannot occur without computers, networks, or the Internet.
Technology is both the medium and the target.
Cyber-Enabled Crimes:
Enhanced by technology (e.g., fraud, trafficking).
Traditional crimes facilitated or expanded by technology.
Technology amplifies the scale, efficiency, or scope, but is not strictly necessary.
Classification of Cybercrimes:
Against Individuals:
Phishing
Identity Theft
Against Organizations:
Ransomware
Data Breaches
Against Government:
Cyber Terrorism
Cyberespionage
Recent Trends:
Cryptojacking
Overview of Cyberforensics
Cyberforensics Definition:
The application of investigative techniques to collect, analyze, and present digital evidence for legal
purposes.
Key Objectives:
Preserve evidence integrity.
Recover data and identify perpetrators.
Types of Cyberforensics:
Computer Forensics
Network Forensics
Mobile Device Forensics
Cloud Forensics
Overview of Forensic Process
Phases of Cyber Forensics:
Identification
Preservation
Collection
Analysis
Reporting
Identification
Objective:
Recognize and define potential evidence related to a cyber incident.
Details:
Determine what data might be relevant (e.g., logs, emails, files).
Focus on devices and network components involved in the incident.
Prioritize based on legal and investigative value.
Tools:
Network scanners
System audits
Initial reconnaissance
Preservation
Objective:
Secure and isolate evidence to prevent tampering or loss.
Details:
Create a forensic copy of data using write-blockers to avoid altering evidence.
Document the chain of custody to ensure integrity.
Maintain original evidence in a secure environment.
Tools:
Imaging software (e.g., FTK Imager, EnCase)
Collection
Objective:
Acquire data in a legally defensible and forensically sound manner.
Details:
Extract data from storage media, RAM, logs, and other sources.
Follow standardized protocols to avoid contamination.
Include volatile data acquisition where applicable.
Tools:
Disk imaging tools
Memory acquisition tools (e.g., LiME on Linux, WinPmem on Windows). Volatility is a memory analysis framework run on the captured image, not an acquisition tool, and on modern Linux kernels dd can no longer read all of physical memory through /dev/mem, so a dedicated acquisition driver is used.
Analysis
Objective:
Extract, interpret, and reconstruct events from the collected evidence.
Details:
Examine file structures, metadata, and timestamps.
Correlate evidence to timeline events and attack vectors.
Identify malicious activities or unauthorized access.
Tools:
Forensic suites (e.g., Autopsy, X-Ways Forensics)
Reporting
Objective:
Document findings and prepare to present them as expert testimony.
Details:
Prepare a detailed report outlining methodologies, findings, and conclusions.
Include visual aids like timelines, graphs, and charts for clarity.
Ensure the report is understandable for non-technical stakeholders (e.g., legal teams).
Tools:
Reporting templates
Visualization software (e.g., Timeline Explorer)
Digital Evidence
Digital Evidence Definition:
Any information or data that is stored or transmitted in digital form and can be used in legal proceedings.
Role:
Plays a critical role in modern investigations involving cybercrime, fraud, intellectual property theft, and more.
Characteristics of Digital Evidence:
Intangible: Exists in electronic form and requires special tools to collect and analyze.
Volatile: Can be easily altered, deleted, or overwritten.
Replicable: Can be copied without altering the original.
Metadata: Contains additional information, such as timestamps, user details, and file access history.
Sources of Digital Evidence
1. Computers and Laptops: Internal storage, applications, and logs.
2. Mobile Devices: SMS, call logs, GPS data, apps.
3. Servers: Hosting platforms, web servers, email servers.
4. IoT Devices: Cameras, smart home devices, health trackers.
5. Networks: Routers, switches, and firewalls.
6. Removable Media: USB drives, external hard drives, SD cards.
Legal Considerations for Digital Evidence
1. Admissibility: Must follow proper collection, preservation, and chain-of-custody procedures.
2. Authenticity: Prove the evidence is genuine and unaltered.
3. Integrity: Demonstrate that data was not tampered with during analysis.
Types of Digital Evidence
1. Computer Based Evidence:
Files and Documents: Text files, spreadsheets, presentations, or other documents stored on a computer or
storage media.
Metadata: Information about file creation, modification, and access dates.
Operating System Logs: System logs, error logs, and configuration files.
User Activity Logs: Data on user login/logout, application usage, and activity timelines.
Use: Establish user activity, detect alterations, or retrieve deleted files.
2. Network Based Evidence:
Packet Captures: Raw data captured from network traffic, showing communication between devices.
Firewall and Router Logs: Records of network traffic allowed or blocked.
Proxy Logs: Data on web requests made through a proxy server.
Intrusion Detection and Prevention System (IDS/IPS) Logs: Evidence of potential or blocked attacks.
Email Headers: Information about email senders, recipients, and transmission paths.
3. Mobile Device Evidence:
Call Logs and SMS/MMS: Details of calls made, received, or missed, and text or multimedia messages.
App Data: Data from apps like WhatsApp, Facebook, Instagram, and others.
Location Information: GPS data or cell tower triangulation details.
Photos and Videos: Media files stored on or shared through the device.
Browser History: Details of websites visited on the mobile device.
4. Web based Evidence:
Social Media Data: Posts, comments, direct messages, and profile information from platforms like Facebook,
Twitter, and LinkedIn.
Web Server Logs: Records of user visits, IP addresses, and session details.
Browser Cache: Locally stored data from visited websites.
5. Removable Media Evidence:
USB Drives: Files, documents, and software stored on portable drives.
External Hard Drives: Backup data or large repositories of files.
Memory Cards: Photos, videos, and application data
6. Multimedia Evidence:
Images: Photos with possible embedded metadata, such as geolocation.
Audio Files: Recorded conversations, voice notes, or intercepted VoIP communications.
Video Files: Surveillance footage, downloaded media, or videos captured on devices.
7. Cloud based Evidence:
Stored Files: Documents, images, or other data stored in cloud storage.
Access Logs: Records of user activity and access times.
Service Data: Logs from platforms like SaaS (Software as a Service).
8. Log-based Evidence:
Event Logs: Windows Event Viewer logs or syslog from Unix-based systems.
Application Logs: Records generated by installed software or applications.
Audit Trails: Chronological records of system or user activity.
9. Volatile Evidence:
RAM (Random Access Memory) Data: Active processes, open files, or encryption keys retrieved during live
analysis.
Running Processes: Details of processes and services active at the time of capture.
10. Encrypted Evidence:
Encrypted Files: Files protected by cryptographic algorithms.
Decryption Keys: Keys or passwords required to unlock encrypted data.
11. Deleted or Residual Data:
Deleted Files: Files recoverable using forensic tools.
Slack Space: Data remnants in unused areas of a disk.
Unallocated Space: Areas on a disk that may contain remnants of deleted files.
12. Artifacts from Emerging Technologies:
Blockchain Data: Transactions and records from distributed ledger systems like Bitcoin.
Digital Assistants: Logs or voice recordings from devices like Amazon Alexa or Google Assistant.
Virtual Reality (VR) or Augmented Reality (AR) Systems: User activity logs.
Tools for Collecting Digital Evidence
1. Forensic Imaging Tools: FTK Imager, EnCase, X-Ways.
2. Network Monitoring: Wireshark, NetWitness.
3. Mobile Forensics: Cellebrite, Oxygen Forensics.
4. Password Recovery: John the Ripper, Hashcat.
5. Log Analysis: Splunk, Graylog.
Best Practices for Handling Digital Evidence
Legality: Obtain proper warrants.
Maintain Chain of Custody: Document every step of evidence handling.
Preserve Original Data: Use write-blockers during acquisition.
Use Reliable Tools: Employ tools validated by forensic standards.
Document Everything: Record observations and actions in detail.
Understanding Storage Formats for Digital Evidence
Image File Storage
Acquisitions are stored in open-source or proprietary formats.
Common Formats:
1. Raw Format
2. Advanced Forensic Format (AFF)
3. Proprietary Formats
Key Consideration: Choose a format based on compatibility, tool support, and investigation needs.
Raw Format
Definition:
Bit-by-bit copy of data from one disk to another or as flat files. Commonly created using tools like
Linux/UNIX dd command.
Advantages:
Fast data transfers.
Universal compatibility: Supported by most forensic tools.
Error tolerance: Ignores minor read errors on the source drive.
Limitations:
Requires equal or larger storage space as the original disk.
Freeware tools might miss marginal (bad) sectors.
Low retry thresholds on weak media spots.
Validation Features:
Raw images carry no hash of their own, so commercial tools validate them separately using CRC32, MD5, or SHA-1 (or a later SHA-2 hash).
Validation results are stored in separate hash value files alongside the image.
Proprietary Formats
Features:
Option to compress or not compress image files, saving space.
Capability to split an image into smaller segmented files for archiving purposes, with integrated data integrity
checks.
Capability to integrate metadata into the image file, such as date and time of acquisition, hash value, investigator
name, and comments.
Limitations:
Incompatibility: Images often cannot be shared between different vendors’ tools.
Example: ILookIX formats (IDIF, IRBF, IEIF) work only with ILookIX tools.
File Size Limitations: Segmented files are usually limited to 650 MB - 2 GB (CD-sized or FAT-sized volumes); many proprietary tools cap each segment at 2 GB.
Expert Witness Compression Format:
Unofficial standard, default for Guidance Software EnCase.
Produces both compressed and uncompressed image files.
Segment files (volumes) use an extension starting with .E01 and increment it (.E02, .E03, ...) for each additional segmented image volume.
Supported by tools like X-Ways Forensics, FTK, Belkasoft, and SMART.
Advanced Forensic Format
Developed by Dr. Simson L. Garfinkel.
Design Goals:
Capable of producing compressed or uncompressed image files
No size restriction for disk-to-image files
Space in the image file or segmented files for metadata
Simple design with extensibility
Open source for multiple computing platforms and OSs
Internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata.
Because AFF is open source, digital forensics vendors have no implementation restrictions on this format
Data Acquisition
Data Acquisition Definition:
The process of copying data for collecting digital evidence from electronic media.
Types of Data Acquisition:
Static Acquisitions
Live Acquisitions
Static Acquisitions
Performed on powered-off systems.
Data is collected from storage devices like magnetic disks and flash drives.
Live Acquisitions
Performed on active systems.
Necessary for systems using whole disk encryption or for collecting data in RAM.
Shift to Live Acquisitions: Due to increased use of whole disk encryption in modern OSs.
Essential for preserving volatile data in RAM.
Determining the Best Acquisition Method
Static Acquisition
Preferred method for collecting digital evidence.
Typically performed on computers seized during operations, e.g., police raids.
Limitations:
Ineffective for encrypted drives without the decryption key.
Cannot access computers only available over a network.
Live Acquisition
Used when the computer is powered on and logged in by the suspect.
Necessary for accessing encrypted drives with available passwords or passphrases.
Decryption Tools:
Elcomsoft Forensic Disk Decryptor: Helps access data on drives encrypted with whole disk encryption.
Data Collection Methods for Acquisitions
1. Disk-to-Image File
2. Disk-to-Disk Copy
3. Logical Disk-to-Disk/Data File
4. Sparse Copy
Disk to Image
Most common and flexible method for digital evidence acquisition.
Creates a bit-for-bit replication of the original drive.
Advantages:
Enables creation of multiple copies for analysis.
Compatible with many commercial forensic tools for direct interpretation.
GUI Forensic Tools: Save time and resources by analyzing directly from the disk-to-image file.
Challenges and Alternatives:
Disk-to-image creation may fail due to hardware or software errors, especially with older drives.
Alternative Method: Disk-to-Disk Copy: Used when disk-to-image is not feasible. Adjusts target disk geometry
(cylinder, head, track configuration) for exact replication.
Tools for Disk Imaging:
EnCase
X-Ways Forensics
Logical and Sparse Acquisitions
Logical Acquisition
Captures specific files or file types relevant to the case.
Examples: Collecting Outlook .pst/.ost files or specific records from RAID servers.
Preferred for large storage systems (e.g., RAID, SAN).
Sparse Acquisition
Similar to logical but includes fragments of unallocated (deleted) data.
Suitable for cases where examining the entire drive isn't necessary.
Use Cases: Time-sensitive investigations, Large drives or exabyte-scale storage systems.
Factors for Choosing an Acquisition Method
Key Considerations:
1. Size of the source disk (e.g., 4 TB or more).
2. Availability of a target disk for storing a disk-to-image file.
3. Time constraints for performing the acquisition.
4. Retention or return requirements for the source disk.
Alternatives for Large Data:
1. Lossless compression can reduce the image size by up to 50%.
2. Older Microsoft tools (e.g., DoubleSpace) and modern archiving tools (e.g., PKZip, WinZip).
Ensuring Data Integrity and Legal Compliance
Ensuring Integrity
Use MD5 or SHA-1 hashes computed before and after compression to verify that the image is unchanged; MD5 and SHA-1 are collision-weak, so record a SHA-256 hash as well where the tools and the court permit.
Perform dual hashing (e.g., MD5 and SHA-1) for added precaution: a forged image would have to collide under both algorithms at once.
Legal Considerations
Check if logical acquisition is acceptable when returning the evidence drive.
Use reliable forensic tools and ensure a good copy in civil litigation cases (e.g., discovery demands).
Contingency Planning for Acquisitions
Importance of Contingency Planning:
Protect digital evidence from loss and failures during acquisition.
Create duplicates of disk-to-image files to mitigate risks.
Use multiple tools (e.g., FTK Imager Lite, X-Ways Forensics) for redundancy and to handle corrupted areas.
If limited to one tool, make two images (compressed and uncompressed) to ensure reliability.
Addressing Murphy's Law:
Plan for potential failures during investigations.
Verify tools can handle Host Protected Area (HPA); consider hardware acquisition tools (e.g., Belkasoft, ILookIX
IXImager).
Handling Encryption Challenges
Whole Disk Encryption (e.g., BitLocker)
Encrypts entire drives, complicating static acquisitions.
Requires user cooperation for decryption or recovery of the key.
Decryption Process
Convert encrypted disks to unencrypted disks manually, which is time-intensive.
Tools like Elcomsoft Forensic Disk Decryptor can assist in recovering decryption keys.
Key Considerations
Whole disk encryption covers every sector, including free and slack space, so a raw image of an encrypted drive contains no readable file system data without the key.
Acquiring decryption keys in criminal cases can be challenging due to lack of suspect cooperation.
Using Acquisition Tools
Windows-Based Acquisition Tools
Advantages:
Convenient for acquiring evidence using swappable devices (e.g., USB-3, FireWire, SATA).
Compatible with current OSs like Windows and Linux.
Drawbacks:
Risk of evidence contamination from OS auto-mounting, which alters metadata (e.g., access times).
Essential to use well-tested write-blocking hardware to prevent contamination.
Legal Considerations:
Some countries don’t accept write-blocking devices for evidence acquisition.
Consult legal counsel regarding local evidence standards.
Windows Based Acquisition
Mini-WinFE Boot CDs and USB Drives
Forensic boot CD/DVD or USB drive gives you a way to acquire data from a suspect computer and write-
protect the disk drive.
Preparation Steps
Build Mini-WinFE Boot Media
Create a bootable CD/DVD or USB drive with Mini-WinFE.
Pre-Boot Setup
Connect the target drive (e.g., USB drive) to the suspect's system.
Boot Process
Boot the suspect’s computer with Mini-WinFE.
List all connected drives (mounted as read-only by default).
Data Acquisition
Alter the target USB drive to read-write mode.
Run the forensic acquisition program.
Ensure integrity by documenting steps and checks.
Acquiring Data with a Linux Boot CD
A Linux system can access a drive that isn't mounted (in older Linux versions this was the distinguishing feature):
Raw disk data can be read through the device file.
This is done by interacting directly with the block device files, such as /dev/sda or /dev/hda, without needing to mount
the filesystem.
Tools like dd or cat can be used to read data from these device files in a forensically sound manner.
This feature is particularly useful in forensic investigations where mounting the drive might alter its contents.
Physical Access for Data Reading:
Applies to connected media devices like disk drives, USB drives, and other storage devices.
Automatic Drive Mounting:
In both Windows OS and newer Linux kernels, connecting a drive via USB, FireWire, SATA, or PATA triggers
automatic mounting and access.
Impact of Mounting on Data:
Windows: Acquisition workstations can access and potentially alter data, including the Recycle Bin.
Linux: Metadata, such as mount point configurations on Ext3 or later drives, is likely altered.
Forensic Acquisition of USB Drives:
For USB drives without a write-lock switch, use a forensic Linux environment to ensure a forensically sound
acquisition.
The following are some well-designed Linux Live CDs for digital forensics:
Penguin Sleuth Kit
CAINE (www.caine-live.net)
Deft (www.deftlinux.net)
Kali Linux (www.kali.org), previously known as BackTrack
(www.backtracklinux.org/wiki/index.php/Forensics_Boot)
Knoppix (www.knopper.net/knoppix/index-en.html)
SANS Investigate Forensic Toolkit
Acquiring data with dd in Linux
A unique feature of a forensics Linux Live CD is that it can mount and read most drives.
To perform a data acquisition on a suspect computer, following are needed:
A forensics Linux Live CD
A USB, FireWire, or SATA external drive with cables
Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux Live CD
Knowledge of which shell commands to use for the data acquisition
dd is a powerful command-line utility for low-level data acquisition in Linux.
It makes a bit-for-bit copy of a source drive to a target location; dd itself does not guarantee integrity, which must be verified by hashing the source and the image.
Steps for using dd
1. Identify the Source and Target Drives:
Use lsblk or fdisk -l to identify the source device (/dev/sdX) and to confirm that the target volume (mounted at /mnt/target, where image.dd will be written) is a different, writable drive; writing to the wrong device destroys evidence.
2. Execute the dd Command:
dd if=/dev/sdX of=/mnt/target/image.dd bs=4M conv=noerror,sync
if:Specifies the input file (source drive).
of:Specifies the output file (target image).
bs=4M: Sets the block size to 4 MB for efficient data transfer (with conv=sync a read error discards the whole 4 MB block, so use a smaller block size on damaged media).
conv=noerror,sync: noerror continues after a read error instead of stopping; sync pads every short or failed read with NULs to a full block so that the data after it keeps its original offset in the image (unreadable areas appear as zeros).
3. Monitor Progress (Optional):
Add status=progress to the dd command line to display real-time progress.
4. Post-Acquisition Verification
Verify image integrity with hashing: sha256sum /mnt/target/image.dd, and compare the result with a hash of the source device computed the same way; the two must match.
Document the hash values for forensic records.
Acquiring data with dcfldd in Linux
dcfldd is an enhanced version of dd, specifically designed for forensic imaging.
It includes additional features like hashing, logging, and simultaneous output to multiple destinations.
1. Identify the Source and Target Drives:
Use lsblk or fdisk -l to identify the source device (/dev/sdX) and the target volume (mounted at /mnt/target) where image.dd will be written.
2. Execute the dcfldd Command:
dcfldd if=/dev/sdX of=/mnt/target/image.dd hash=sha256 hashlog=hash.log
if:Specifies the input file (source drive).
of:Specifies the output file (target image).
hash: Generates a hash (e.g., SHA-256) for integrity verification.
hashlog: Saves the hash value to a log file.
3. Monitor Progress:
Real-time progress is displayed during execution.
4. Post-Acquisition Verification:
Compare the hash value in hash.log with a fresh hash of the acquired image:
sha256sum /mnt/target/image.dd
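The dd and dcfldd procedures above, as an added example in Python (not code from the original notes or from either tool): it reproduces what conv=noerror,sync does at a read error, hashes the image while writing it the way dcfldd hash= does, and optionally splits the output into fixed-size segments like the proprietary formats described earlier. The device is a constructed in-memory stand-in (FlakyDevice) with one unreadable block; on a real acquisition the source would be a block device read through a write-blocker, and the segment size would be a multiple of the block size.

```python
import hashlib
import io

# Constructed sample "drive" contents: 4 full 512-byte blocks plus a 100-byte tail
# (non-repeating bytes so that a shifted copy is detectable).
SAMPLE_DEVICE_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)) + b"A" * 100
BLOCK_SIZE = 512


class FlakyDevice:
    """Constructed stand-in for a block device read through a write-blocker.
    Reads of the block indexes listed in bad_blocks raise OSError, like a
    weak sector on an ageing drive."""

    def __init__(self, data, block_size=BLOCK_SIZE, bad_blocks=()):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.block_size = block_size
        self.bad_blocks = set(bad_blocks)

    def read_block(self, index):
        if index in self.bad_blocks:
            raise OSError(f"Input/output error reading block {index}")
        self._buf.seek(index * self.block_size)
        return self._buf.read(self.block_size)


def image_device(dev, noerror=True, sync=True, segment_size=None,
                 algorithms=("md5", "sha1", "sha256")):
    """Copy every block of dev into one or more image segments.

    noerror      keep going after a read error instead of aborting (dd conv=noerror)
    sync         pad a short or failed read with NULs to a full block, so the data
                 after it keeps its original offset in the image (dd conv=sync)
    segment_size split the output into volumes of this many bytes, the way
                 proprietary formats write .E01/.E02 segments; None = one file
    algorithms   hashes computed over the image as it is written (dcfldd hash=)

    Returns (segments, hashes, error_log).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    segments = [bytearray()]
    error_log = []
    nblocks = -(-dev.size // dev.block_size)          # ceiling division
    for idx in range(nblocks):
        try:
            chunk = dev.read_block(idx)
        except OSError as exc:
            if not noerror:
                raise
            error_log.append(f"block {idx}: {exc}")
            chunk = b""
        if sync and len(chunk) < dev.block_size:
            chunk = chunk.ljust(dev.block_size, b"\x00")
        for h in hashers.values():
            h.update(chunk)
        if segment_size and segments[-1] and len(segments[-1]) + len(chunk) > segment_size:
            segments.append(bytearray())              # start the next volume
        segments[-1].extend(chunk)
    hashes = {name: h.hexdigest() for name, h in hashers.items()}
    return [bytes(s) for s in segments], hashes, error_log


def verify_image(segments, recorded_hashes):
    """Post-acquisition check: rehash the reassembled image and compare it
    with the hashes recorded in the acquisition log."""
    data = b"".join(segments)
    return all(hashlib.new(name, data).hexdigest() == digest
               for name, digest in recorded_hashes.items())


def demo():
    """Image the sample device (block 1 unreadable) into 1024-byte segments."""
    dev = FlakyDevice(SAMPLE_DEVICE_DATA, bad_blocks=[1])
    segments, hashes, log = image_device(dev, segment_size=1024)
    return {"image_bytes": sum(len(s) for s in segments),
            "segments": len(segments), "errors": log,
            "verified": verify_image(segments, hashes)}


if __name__ == "__main__":
    print(demo())
```

Running demo() images a 2,148-byte sample drive whose block 1 is unreadable: the image is 2,560 bytes (five full 512-byte blocks), block 1 is all zeros, the 100-byte tail is padded to 512 bytes, and the recorded hashes verify. Imaging the same device with sync=False shows why the option matters: the bad block simply disappears and every later byte shifts 512 positions, so offsets in the image no longer correspond to the source.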
FTK Imager
FTK Imager is a data acquisition tool included with a licensed copy of AccessData Forensic Toolkit.
Like most Windows data acquisition tools, it requires a USB dongle for licensing.
FTK Imager Lite is free and requires no dongle license.
FTK Imager is designed for viewing evidence disks and disk-to-image files created from other proprietary formats.
Supports multiple proprietary and standard file formats:
AccessData (.ad1)
Expert Witness Compression (EnCase) (.e01)
SMART (.s01)
Advanced Forensic Format (AFF)
Raw format files.
Disk-to-Image Copying with FTK Imager
Disk-to-Image Features:
Creates forensically sound disk-to-image copies of evidence drives.
Supports acquisition at:
Logical Partition Level
Physical Drive Level
Customization Options
Define the size of each disk-to-image file volume
Segment the image into one or many split volumes.
Ensures flexibility in storing large evidence files.
Key Benefits:
Compatible with diverse storage devices.
Enables detailed and segmented forensic imaging for efficient data handling.
Maintains integrity of evidence during acquisition.
1. Understanding File Systems
File System Definition:
A hierarchical structure for organizing and storing files; it determines how data is stored, accessed, and organized on storage media such as hard drives, SSDs, and USB drives.
Components of a File Systems:
1. Boot Sector
2. Master File Table
3. File Allocation Table (FAT)
4. Directories and Folders
5. Data Blocks or Clusters
6. Metadata
Boot Sector
Located at the beginning of a storage device.
Contains metadata about the file system, including the size, structure, and layout.
Critical for system startup and forensic analysis.
Master File Table
Used in NTFS file systems.
Contains records of every file and directory, including metadata such as timestamps and file attributes.
File Allocation Table
Used in FAT-based systems (e.g., FAT16, FAT32, exFAT).
Maps file clusters to their locations on the disk.
Directories and Folders
Organize files in a hierarchical structure.
Contain pointers to the actual file data.
Data Blocks or Clusters
The smallest storage unit that stores file content.
Managed by the file system to allocate and deallocate space.
Metadata
Descriptive data about files (e.g., creation time, last modified date, permissions).
Essential for forensic timelines and reconstruction.
1.1 Common File Systems
FAT (File Allocation Table)
Characteristics:
Simple and widely used in portable devices.
Limited file size and partition support in FAT16/FAT32.
Forensic Relevance:
Easy to analyze due to simplicity.
Deleted files can often be recovered by analyzing the FAT table.
NTFS (New Technology File System)
Characteristics:
Advanced file system used by Windows
Supports large files, encryption, and journaling.
Forensic Relevance:
Metadata stored in MFT aids in reconstruction.
Journaling helps recover files after system crashes
Ext (Extended File System)
Characteristics:
Commonly used in Linux distributions (e.g., Ext2, Ext3, Ext4).
Supports large partitions and journaling (Ext3 and Ext4)
Forensic Relevance:
Journaling provides a trail of recent changes.
Tools like Sleuth Kit can analyze Ext file systems.
HFS+ and APFS: (Hierarchical File System, Apple File System)
Characteristics:
Used in macOS systems (HFS+ for older, APFS for newer).
APFS is optimized for SSDs and supports snapshots and native encryption; HFS+ is journaled but has neither.
Forensic Relevance:
FileVault encryption poses challenges for forensic analysis.
Snapshots can reveal historical states of the file system.
1.2 Understanding the Boot Sequence
Boot Process Definition:
The sequence of steps a computer system follows to initialize hardware and load the operating system (OS)
into memory, enabling the system to become operational.
Overview of Boot Sequence:
Desktops and laptops follow a specific boot process, while tablets/smartphones require vendor-specific
documentation.
Key components in the boot process:
CMOS: Stores system configuration, date, and time when power is off.
BIOS/EFI: Programs for hardware-level input/output:
BIOS: Legacy firmware; boots from MBR-partitioned disks.
EFI (Extensible Firmware Interface): Intel's successor to BIOS; boots from GPT disks.
UEFI (Unified Extensible Firmware Interface): The modern industry standard derived from EFI, bridging firmware and OS and reducing dependency on specific hardware.
Accessing BIOS/CMOS Settings
Steps to Access Settings:
During startup, a key is pressed (e.g., Delete, F2, F10) to open the CMOS setup screen.
Alternative methods include disconnecting the keyboard to prompt key instructions.
Key combinations vary by manufacturer (e.g., Ctrl+A, Ctrl+Alt+Insert).
Safe Practices for Forensic Analysis:
Remove all hard drives to verify BIOS without altering disk data.
Confirm system date/time to maintain data integrity
The bootstrap process, which is contained in ROM, tells the computer how to proceed.
Windows Boot Process: Key Stages
1. Power-On Self-Test (POST)
2. Boot Manager Execution
3. Loading the Windows Kernel
4. Session Initializations
5. User Logon & GUI Startup
Power-On Self-Test (POST)
The system firmware (BIOS/UEFI) initializes hardware components.
Performs basic hardware checks (RAM, CPU, storage).
Searches for the bootable disk.
Boot Manager Execution
BIOS firmware runs the boot code in the MBR, which loads the boot manager (bootmgr); UEFI firmware loads the boot manager directly (bootmgfw.efi).
The boot manager reads the Boot Configuration Data (BCD) to determine which OS to load.
It then runs the OS loader: winload.exe on BIOS systems, winload.efi on UEFI systems.
Loading the Windows Kernel
winload.exe/winload.efi loads the essential boot-start drivers (e.g., storage).
The Windows kernel (ntoskrnl.exe) and Hardware Abstraction Layer (HAL) are loaded and initialized.
Session Initializations
smss.exe (Session Manager Subsystem) starts, initializing critical processes.
Windows Registry, page file, and system environment variables are configured.
Essential system processes (csrss.exe, wininit.exe, winlogon.exe) are started.
User Logon & GUI Startup
winlogon.exe starts the logon screen.
lsass.exe (Local Security Authority Subsystem) manages authentication.
Once credentials are verified, the user session starts, and the desktop is displayed.
1.3 Understanding the Disk Drives
Geometry—Geometry refers to a disk’s logical structure of platters, tracks, and sectors.
Head—The head is the device that reads and writes data to a drive. There are two heads per platter that read and
write the top and bottom sides.
Tracks—Tracks are concentric circles on a disk platter where data is located.
Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top
and bottom.
Sectors—A sector is a section on a track, traditionally 512 bytes; Advanced Format drives use 4096-byte physical sectors, which matters when converting between logical and physical addresses.
[Figure: top, a platter diagram showing concentric tracks and wedge-shaped sectors; bottom, an open hard disk drive showing multiple platters and the read/write head.]
Storage Devices & File Systems
ZBR, Track Density, Areal Density, Head and Cylinder Skew
Zone Bit Recording (ZBR): A method used by most manufacturers to handle the smaller circumference of inner tracks
on a disk platter.
Track Density: The spacing between individual tracks on a storage medium.
Areal Density: The number of bits stored per square inch on a disk platter, including unused space between tracks.
Head and Cylinder Skew: Techniques employed to enhance disk performance.
Solid-State Storage Devices
Flash memory is used in various devices like USB drives, SSDs, laptops, tablets, and smartphones.
Wear-leveling: A technique that distributes writes evenly across memory cells to extend lifespan but complicates
forensic recovery as data shifts physically.
Data Deletion: Unlike magnetic drives, where deleted data stays in place until overwritten, flash memory relocates data through wear-leveling and the controller may erase blocks marked free (TRIM), so deleted data is not simply marked as unallocated.
Lifespan Limitations: Flash memory cells tolerate a limited number of program/erase cycles (roughly 10,000–100,000), after which they can lose data.
Importance of Immediate Acquisition: If forensic acquisition isn't performed promptly, deleted data may become
irretrievable.
Microsoft File Structures
File Systems: Methods for organizing files on a storage device; examples include FAT (File Allocation Table) and
NTFS (New Technology File System).
Importance: The OS dictates how and where data is stored, including hidden locations.
Forensic Relevance: Investigators must examine hidden storage areas for potential evidence.
Clusters
Clusters: Storage allocation units consisting of one or more sectors.
Size Range: 512 bytes to 32 KB (32,768 bytes) per cluster in common configurations.
Purpose: Reduces read/write overhead by grouping sectors.
Allocation:
Small disks (e.g., floppy) → 1 sector per cluster
Large disks (e.g., hard drives) → 4 or more sectors per cluster
The number of sectors per cluster is determined by the disk's size.
Logical vs Physical Addresses
Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT.
The first sector of all disks contains a system area, the boot record, and a file structure database.
Logical Addresses (Cluster Numbers):
Assigned by the OS.
Represent relative positions of clusters (e.g., cluster 100 is 98 clusters from cluster 2).
Specific to a logical disk drive (partition).
Physical Addresses (Sector Numbers):
Exist at the hardware/firmware level.
Start from sector 0 (first sector) and continue sequentially.
Disk Partitions
Partitioning: Dividing a hard disk into multiple sections.
Partition: A logical drive within the disk.
Windows Support (MBR disks):
Up to four primary partitions, or
Three primary partitions plus one extended partition (which can contain multiple logical drives)
Partition Gaps
Partition Gaps: Unused space between partitions where data can be hidden.
Hiding Data Techniques:
Creating and deleting partitions to conceal data.
Declaring a smaller disk size to hide data at the end of the disk.
Risk: Hidden data can be recovered using disk analysis tools.
Disk Editing Tools and Hexadecimal Analysis
Disk Editing Tools: Software like WinHex and Hex Workshop.
Examine a disk’s physical structure.
View file headers and critical file system data.
Hexadecimal Analysis:
Helps identify hidden partitions and retrieve concealed data.
Partition Table and MBR
Partition Table: Stored in the Master Boot Record (MBR) at sector 0 of the disk.
MBR Contents: Contains information about disk partitions and their locations.
Partition Table Offsets in a Hex Editor:
First partition: Offset 0x1BE
Second partition: Offset 0x1CE
Third partition: Offset 0x1DE
Fourth partition: Offset 0x1EE
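A parser for the partition table just described, added here as a worked example (Python, not code from the notes): it reads the four 16-byte entries at 0x1BE, 0x1CE, 0x1DE and 0x1EE, checks the 0x55AA signature at 0x1FE, and then lists the sectors that no partition claims, which is where the partition-gap hiding techniques above leave data. The MBR and the disk size are constructed in memory; on a real image, sector 0 is the first 512 bytes of the raw image, and disk_sectors should come from the drive itself (or the imaging tool) rather than from the partition table, since declaring a smaller disk is one of the hiding techniques.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE      # entries at 0x1BE, 0x1CE, 0x1DE, 0x1EE
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE            # bytes 0x55 0xAA end a valid MBR
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_partition_table(sector0):
    """Return the in-use entries of the MBR partition table in sector 0."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte sector 0")
    if sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, nsectors = struct.unpack_from(
            ENTRY_FORMAT, sector0, offset)
        if ptype == 0 or nsectors == 0:
            continue                      # empty slot
        entries.append({
            "slot": slot, "offset": offset, "bootable": status == 0x80,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "start_lba": lba_start, "sectors": nsectors, "end_lba": lba_start + nsectors - 1,
        })
    return entries


def find_gaps(entries, disk_sectors):
    """Sector ranges (inclusive) not claimed by any partition: between the MBR
    and the first partition, between partitions, and after the last one up to
    the reported disk size. These are the places to look for hidden data."""
    gaps = []
    cursor = 1                            # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda e: e["start_lba"]):
        if e["start_lba"] > cursor:
            gaps.append((cursor, e["start_lba"] - 1))
        cursor = max(cursor, e["end_lba"] + 1)
    if cursor <= disk_sectors - 1:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed MBR: a bootable NTFS partition at LBA 2048 (100 MiB) and a
    Linux partition that starts 2048 sectors after the first one ends."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + ENTRY_SIZE,
                     0x00, b"\0\0\0", 0x83, b"\0\0\0", 208896, 102400)
    mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


def report(sector0, disk_sectors):
    """Human-readable listing of partitions and unclaimed sector ranges."""
    parts = parse_partition_table(sector0)
    lines = [f"slot {p['slot']} @0x{p['offset']:03X}: {'*' if p['bootable'] else ' '} "
             f"{p['type_name']:<16} LBA {p['start_lba']}-{p['end_lba']} ({p['sectors']} sectors)"
             for p in parts]
    lines += [f"gap: sectors {a}-{b} ({b - a + 1} sectors, {(b - a + 1) * SECTOR_SIZE} bytes)"
              for a, b in find_gaps(parts, disk_sectors)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_mbr(), 409600))
```

report(build_sample_mbr(), 409600) lists the two partitions and three gaps: sectors 1-2047 before the first partition, a 2048-sector gap between the partitions, and 48 MiB after the last partition up to the end of the reported disk. Any of those ranges is worth examining in a hex editor.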
Examining FAT Disks
Introduction to File Allocation Table (FAT)
FAT: A file structure database developed by Microsoft for organizing files on disks.
Original Use: Initially designed for floppy disks but now used in USB drives, SD cards, and other storage devices.
FAT Database Location: Stored on the disk’s outermost track.
Contents:
Filenames & directory names
Date & time stamps
Starting cluster number
File attributes (archive, hidden, system, read-only)
Compatible with Windows, Linux, and macOS.
Evolution of FAT File Systems
Version: Description
FAT12: For floppy disks, max storage 16 MB
FAT16: Supports 4 GB partitions
FAT32: Developed for larger disks (>2 GB)
exFAT: Used in mobile storage; supports large files
VFAT: Introduced long filenames beyond the 8.3 format
Cluster Sizes & Drive Slack
Cluster sizes vary based on hard disk size and file system type (FAT16, FAT32, etc.).
Microsoft OSs allocate disk space in clusters, leading to drive slack:
Drive Slack: The unused space on a drive due to how the OS allocates disk space in clusters.
RAM Slack: Leftover data from RAM stored in unused space (found in older Windows OSs).
File Slack: The remaining unused space in the last cluster assigned to a file.
Newer Windows OSs zero out RAM slack to prevent leftover data storage.
Effects of Cluster Allocation & Fragmentation
Larger clusters in FAT16 reduced file fragmentation but caused wasted disk space.
Converting FAT16 to FAT32 improved space efficiency by reducing wasted space in clusters.
File growth and deletion lead to cluster chaining:
Contiguous clusters: Files are stored sequentially.
Fragmented clusters: Files are spread across different parts of the disk, reducing efficiency.
Tools like WinHex can analyze cluster chaining and fragmentation.
Drive Slack in FAT16
The figure (not reproduced in these notes) depicts the structure of a file on a disk, demonstrating the concept of drive
slack in FAT16. A 5000-character text file (5000 bytes) saved on a FAT16 1.6 GB disk might be assigned 1 cluster (~32,000
bytes) by the OS. Even though the file's data fills only 10 sectors (5120 bytes), the OS assigns the entire cluster to it. This
leaves approximately 27,000 bytes as file slack.
Unused space breakdown:
120 bytes RAM slack (from the last sector).
Remaining sectors = file slack.
Security concern:
Older Microsoft OSs stored RAM data in slack space, which could include passwords, deleted emails, and logon
credentials.
RAM Slack
Definition: The unused space between the end of the actual file data and the end of the last sector in the last
allocated cluster.
A sector is 512 bytes, but the file size may not always be an exact multiple of 512.
The OS must fill the remaining bytes in the sector before moving to the next one.
Security Concern:
In older Microsoft OSs (e.g., MS-DOS, Windows 95/98), the OS fills the unused space with random leftover RAM
data.
This RAM slack might contain sensitive information such as logon credentials, clipboard data, or previously
opened files.
Modern OS Behavior:
Newer Windows versions overwrite RAM slack with zeros to prevent leakage of sensitive information.
Example:
A 200-byte file is stored in a 512-byte sector. The remaining 312 bytes are filled with random RAM data in older
systems.
File Slack
Definition: The unused sectors that remain in the last cluster after the file's final (partly filled) sector.
A cluster is a group of sectors (e.g., 4 KB cluster = 8 sectors).
If a file doesn’t fully use the last cluster assigned to it, the remaining space becomes file slack.
Security Concern: Deleted file fragments and old data may remain in file slack.
Forensic tools can recover sensitive information from file slack.
Example: A 5000-byte text file is saved on a FAT16 disk where one cluster is 32,000 bytes. The file only needs 5120
bytes, leaving 27,000 bytes of file slack in the cluster.
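As an added worked example (not from these notes), the Python below computes the RAM-slack and file-slack split for the figures used above and models the difference between an older OS that pads the last sector with leftover RAM and a newer one that zero-fills it. It uses 32,768 bytes for the 32 KB FAT16 cluster that the notes round to ~32,000 bytes; the old cluster contents and the "leftover RAM" bytes are constructed.

```python
import math

SECTOR_BYTES = 512


def slack_layout(file_size, cluster_bytes, sector_bytes=SECTOR_BYTES):
    """Break a file's allocation into data, RAM slack and file slack (all in bytes)."""
    sectors_used = math.ceil(file_size / sector_bytes)       # sectors that actually receive data
    clusters_used = math.ceil(file_size / cluster_bytes)     # whole clusters the OS hands out
    bytes_in_sectors = sectors_used * sector_bytes
    ram_slack = bytes_in_sectors - file_size                 # tail of the last written sector
    file_slack = clusters_used * cluster_bytes - bytes_in_sectors  # sectors never written at all
    return {'sectors_used': sectors_used, 'clusters_used': clusters_used,
            'ram_slack': ram_slack, 'file_slack': file_slack,
            'drive_slack': ram_slack + file_slack}


def simulate_write(content, cluster_bytes, previous, leftover_ram=b'', zero_ram_slack=True,
                   sector_bytes=SECTOR_BYTES):
    """Model what ends up on disk when `content` is written over clusters that held `previous`.
    Older Microsoft OSs padded the last sector with whatever was in RAM; newer ones pad with
    zeros. Sectors past the last written one are not touched, so they keep their old bytes."""
    layout = slack_layout(len(content), cluster_bytes, sector_bytes)
    size = layout['clusters_used'] * cluster_bytes
    allocation = bytearray(previous[:size].ljust(size, b'\0'))     # old contents of the clusters
    if zero_ram_slack:
        pad = bytes(layout['ram_slack'])
    else:
        pad = leftover_ram[:layout['ram_slack']].ljust(layout['ram_slack'], b'\0')
    written = content + pad
    allocation[:len(written)] = written
    return bytes(allocation)


def split_allocation(allocation, file_size, sector_bytes=SECTOR_BYTES):
    """Split an allocation into (file data, RAM slack, file slack): what a slack extractor does."""
    ram_end = math.ceil(file_size / sector_bytes) * sector_bytes
    return allocation[:file_size], allocation[file_size:ram_end], allocation[ram_end:]


# Constructed inputs for the demo
FILE_5000 = b'A' * 5000
OLD_DATA = b'[old deleted document]' * 2000          # what the clusters held before (constructed)
LEFTOVER_RAM = b'leftover RAM fragment: user=jane pass=example '   # constructed RAM contents


def demo():
    old_os = simulate_write(FILE_5000, 32768, OLD_DATA, LEFTOVER_RAM, zero_ram_slack=False)
    new_os = simulate_write(FILE_5000, 32768, OLD_DATA, LEFTOVER_RAM, zero_ram_slack=True)
    return {'layout': slack_layout(5000, 32768),
            'old_os': split_allocation(old_os, 5000),
            'new_os': split_allocation(new_os, 5000)}


if __name__ == '__main__':
    result = demo()
    print(result['layout'])
    print('RAM slack, old OS :', result['old_os'][1][:40])
    print('RAM slack, new OS :', result['new_os'][1][:40])
    print('file slack sample :', result['old_os'][2][:40])
```

Note that file slack comes out the same on both OS generations: zero-filling fixes the RAM-slack leak, but the untouched sectors of the last cluster still carry whatever was there before, which is why the notes say forensic tools can recover old data from file slack.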
Deleting FAT Files
When a file is deleted in Windows Explorer or with the MS-DOS delete command, the OS inserts a HEX E5 (0xE5) in
the filename’s first letter position in the associated directory entry.
This value tells the OS that the file is no longer available and a new file can be written to the same cluster location.
Process:
The directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the
filename.
The FAT chain for that file is set to 0.
The data in the file remains on the disk drive.
The area of the disk where the deleted file resides becomes unallocated disk space (also called “free disk
space”).
The unallocated disk space is now available to receive new data from newly created files or other files needing
more space as they grow.
Most forensics tools can recover data still residing in this area.
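The in-memory FAT16 volume below is an added example, not code from these notes or from any forensic tool. It builds 32-byte short-name directory entries, deletes a file exactly as described above (0xE5 in the first name byte, FAT chain set to 0, data untouched) and then recovers the file from the directory entry's starting cluster and size, assuming the clusters were contiguous, which is the assumption simple recovery tools make once the chain is gone. The volume geometry (one 512-byte sector per cluster, 16 clusters) and the file content are constructed.

```python
import struct

CLUSTER_BYTES = 512            # constructed volume: one sector per cluster
EOC = 0xFFFF                   # FAT16 end-of-chain marker
DELETED = 0xE5                 # first byte of a deleted directory entry
DIR_ENTRY = '<11sBBBHHHHHHHI'  # 32-byte FAT directory entry, short-name form


def make_dir_entry(name, ext, attr, first_cluster, size):
    raw = name.upper().ljust(8).encode('ascii') + ext.upper().ljust(3).encode('ascii')
    # name(11) attr ntres ctime_tenth ctime cdate adate first_hi wtime wdate first_lo size
    return struct.pack(DIR_ENTRY, raw, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_dir_entry(entry):
    raw, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(DIR_ENTRY, entry)
    deleted = raw[0] == DELETED
    base = raw[:8].decode('ascii', 'replace').rstrip()
    ext = raw[8:11].decode('ascii', 'replace').rstrip()
    if deleted:
        base = '?' + base[1:]          # first character is lost; tools show it as ? or _
    return {'name': base + ('.' + ext if ext else ''), 'deleted': deleted, 'attr': attr,
            'first_cluster': (hi << 16) | lo, 'size': size}


class TinyFat16:
    """Constructed in-memory FAT16 volume: a FAT, a root directory and a data region."""

    def __init__(self, clusters=16):
        self.fat = [0] * clusters
        self.fat[0], self.fat[1] = 0xFFF8, EOC       # reserved entries; data starts at cluster 2
        self.data = bytearray(clusters * CLUSTER_BYTES)
        self.root = []                               # list of raw 32-byte directory entries

    def _read(self, cluster):
        return bytes(self.data[cluster * CLUSTER_BYTES:(cluster + 1) * CLUSTER_BYTES])

    def chain(self, first):
        """Follow the FAT from `first`; stops at end-of-chain or at a freed (0) entry."""
        out, c = [], first
        while 2 <= c < 0xFFF8 and self.fat[c] != 0:
            out.append(c)
            c = self.fat[c]
        return out

    def write_file(self, name, ext, content):
        needed = -(-len(content) // CLUSTER_BYTES)
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == 0][:needed]
        if len(free) < needed:
            raise OSError('volume full')
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < len(free) else EOC
            chunk = content[i * CLUSTER_BYTES:(i + 1) * CLUSTER_BYTES]
            self.data[c * CLUSTER_BYTES:(c + 1) * CLUSTER_BYTES] = chunk.ljust(CLUSTER_BYTES, b'\0')
        self.root.append(make_dir_entry(name, ext, 0x20, free[0] if free else 0, len(content)))
        return len(self.root) - 1

    def delete_file(self, index):
        entry = bytearray(self.root[index])
        for c in self.chain(parse_dir_entry(entry)['first_cluster']):
            self.fat[c] = 0                          # release the chain: clusters become unallocated
        entry[0] = DELETED                           # only the first byte of the name changes
        self.root[index] = bytes(entry)              # the data region is left as it was

    def recover_deleted(self, index):
        info = parse_dir_entry(self.root[index])
        if not info['deleted']:
            raise ValueError('entry is not marked deleted')
        needed = -(-info['size'] // CLUSTER_BYTES)
        # The chain is gone, so assume the clusters were contiguous from the recorded start
        first = info['first_cluster']
        raw = b''.join(self._read(c) for c in range(first, first + needed))
        return info['name'], raw[:info['size']]


if __name__ == '__main__':
    vol = TinyFat16()
    i = vol.write_file('report', 'txt', b'Q3 figures\n' * 100)
    print('chain before delete:', vol.chain(2))
    vol.delete_file(i)
    print('entry after delete :', parse_dir_entry(vol.root[i]), 'FAT[2:5] =', vol.fat[2:5])
    print('recovered          :', vol.recover_deleted(i)[1][:22])
```

The contiguity assumption is the weak point: if the deleted file was fragmented, a recovery based only on the directory entry pulls in whichever clusters follow the first one, so tools cross-check the carved content against the expected file type.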
Windows Registry
Overview
A database that stores hardware and software configuration information, network connections, user preferences
(including usernames and passwords), and setup information.
For investigative purposes, the Registry can contain valuable evidence.
Registry Editor (RegEdit) can be used to view the Registry contents.
Uses:
To locate entries that might contain trace evidence, such as information identifying the last person who logged on
to the computer.
To determine the most recently accessed files and peripheral devices.
All installed programs store information in the Registry, such as Web sites accessed, recent files, and even chat
rooms accessed.
Key Terms
Registry: A hierarchical database containing system and user information.
Registry Editor: A Windows utility for viewing and modifying data in the Registry. There are two Registry Editors:
Regedit and Regedt32 (introduced in Windows 2000).
HKEY: Windows splits the Registry into categories with the prefix HKEY.
Key: Each HKEY contains folders referred to as keys. Keys can contain other key folders or values.
Branch: A key and its contents, including subkeys, make up a branch in the Registry.
Value: A name and value in a key; it’s similar to a file and its data content.
Default value: All keys have a default value that may or may not contain data.
Hives: Hives are specific branches in HKEY_USERS and HKEY_LOCAL_MACHINE.
Registry Files
The Registry uses six files: Ntuser.dat, System.dat, SAM.dat, Software.dat, Security.dat, and Default.dat.
Viewing the Registry
The screenshot of the Windows Registry Editor (not reproduced in these notes) shows the HKEYs used in Windows. These
HKEYs are the categories that split up the Registry.
File Structure of ext4
Linux supports a wide range of file systems. The early standard was Second Extended File System (Ext2), and then
Third Extended File System (Ext3) replaced Ext2 in most Linux distributions.
Its major difference from Ext2 was being a journaling file system, which has a built-in file recovery mechanism used
after a crash.
Fourth Extended File System (Ext4) was introduced later.
It added support for partitions larger than 16 TB and improved management of large files.
In UNIX and Linux, everything is considered a file, including disk drives, monitors, tape drives, network interface cards,
system memory, and directories.
UNIT 3: Data Analysis
This unit covers:
Preparation for forensic analysis
Data carving
Recovering graphics files and header analysis
Email and internet activity analysis
Data hiding techniques
Malware analysis
Forensic Investigation Process
A methodological approach to investigate, seize, and analyze digital evidence and then manage the case from the
time of search and seizure to reporting the investigation result.
Digital evidence is fragile, so strict guidelines and a thorough process are critical to ensure the integrity of evidence to
prove a case in court.
The process must comply with local laws and established precedents. Any deviation may jeopardize the complete
investigation.
Investigators must follow a repeatable and well-documented set of steps such that every iteration of analysis provides
the same findings; otherwise, the findings of the investigation can be invalidated during the cross-examination in a
court of law.
Phases Involved
Pre-investigation Phase
Deals with tasks to be performed prior to the commencement of the actual investigation.
Involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit,
setting up an investigation team, getting approval from the relevant authority, etc.
Investigation Phase
The main phase of the computer forensics investigation process.
Involves acquisition, preservation, and analysis of evidentiary data to identify the source of the crime and the
culprit behind it.
Includes documentation of all actions undertaken and all findings uncovered during the investigation.
Post-investigation Phase
Ensures that the report is easily explicable to the target audience and that it provides adequate and acceptable
evidence.
Setting Up a Computer Forensics Lab
A Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic
workstations required for conducting a computer-based investigation with regard to the collected evidence.
Design Considerations
Physical & Structural
Lab size
Access to essential services
Space estimation for work area and evidence storage
Heating, ventilation, and air conditioning
Workstation requirement
Ambience
Internet, network, and communication line
Lighting systems and emergency power
Planning & Budgeting
Number of expected cases
Type of investigation
Manpower
Equipment and software requirement
Forensic lab licensing
ASCLD/LAB accreditation
ISO/IEC 17025 accreditation
Physical security
Electronic sign-in
Intrusion alarm systems
Fire suppression systems
Human resources
Number of required personnel
Training and certification
Work area
Building the Investigation Team
Investigation Team
Keep the team small to protect the confidentiality of the investigation and to guard against information leaks.
Identify team members and assign them responsibilities.
Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks.
Assign one team member as the technical lead for the investigation.
Team Roles
Role Responsibility
Photographer Photographs the crime scene and the evidence gathered
Incident Responder Responsible for the measures to be taken when an incident occurs
Incident Analyzer Analyzes the incidents based on their occurrence
Evidence Examiner/Investigator Examines the evidence acquired and sorts the useful evidence
Evidence Documenter Documents all the evidence and the phases present in the investigation process
Evidence Manager Manages the evidence in such a way that it is admissible in the court of law
Evidence Witness Offers a formal opinion in the form of a testimony in the court of law
Attorney Provides legal advice
Hardware and Software Requirements of a Forensic Lab
A digital forensic lab should have all the necessary hardware and software tools to support the investigation process,
starting from searching and seizing the evidence to reporting the outcome of the analysis.
Hardware
Two or more forensic workstations with good processing power and RAM.
Specialized cables.
Write-blockers and drive duplicators.
Archive and Restore devices.
Media sterilization systems.
Other equipment that allows forensic software tools to work.
Computer Forensic hardware toolkit, such as Paraben's First Responder Bundle, DeepSpar Disk Imager, FRED forensic
workstation etc.
Software
OSes
Data discovery tools
Password-cracking tools
Acquisition tools
Data analyzers
Data recovery tools
File viewers (Image and graphics)
File type conversion tools
Security and Utilities software
Computer forensic software tools such as Wireshark, Access Data’s FTK etc.
Computer Forensics Investigation Methodology
Documenting the Electronic Crime Scene
Documentation of the electronic crime scene is necessary to maintain a record of all the forensic investigation
processes performed to identify, extract, analyze, and preserve the evidence.
Points to Remember
Document the physical crime scene, noting the position of the system and other equipment, if any.
Document details of any related or difficult-to-find electronic components.
Record the state of computer systems, digital storage media, and electronic devices, including their power status.
Search and Seizure
Planning the Search and Seizure
A search and seizure plan should contain the following details:
Description of the incident
Case name or title of the incident
Location of the incident
Applicable jurisdiction and relevant legislation
Determining the extent of authority to search
Creating a chain of custody document
Details of equipment to be seized
Search and seizure type (overt/covert)
Approval from local management
Health and safety precautions
Evidence Preservation
Evidence preservation refers to the proper handling and documentation of evidence to ensure that it is free from
any contamination.
Any physical and/or digital evidence seized should be isolated, secured, transported, and preserved to protect its true
state.
At the time of evidence transfer, both the sender and the receiver need to provide information about the date and time
of transfer in the chain of custody record.
The procedures used to protect the evidence and document it while collecting and shipping are as follows:
The logbook of the project
A tag to uniquely identify any evidence
A chain of custody record
Data Acquisition
Forensic data acquisition is a process of imaging or collecting information from various media in accordance with
certain standards for analyzing its forensic value.
Investigators can then forensically process and examine the collected data to extract information relevant to any
particular case or incident while protecting the integrity of the data.
It is one of the most critical steps of digital forensics as improper acquisition may alter data in evidence media and
render it inadmissible in the court of law.
Investigators should be able to verify the accuracy of acquired data, and the complete process should be auditable and
acceptable to the court.
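As an added illustration of the verification and auditability requirements above (not from these notes and not any vendor's tool), the Python below models an acquisition: hash the source, copy it, hash the copy, re-hash the source, and write each step into a chain-of-custody log that later verification reads back. The "device" is a constructed byte string, and the in-memory copy stands in for an imager reading through a write-blocker.

```python
import hashlib
from datetime import datetime, timezone


def evidence_hashes(data):
    """MD5 and SHA-256 of a byte stream; both are customarily recorded so either can be checked later."""
    return {'md5': hashlib.md5(data).hexdigest(), 'sha256': hashlib.sha256(data).hexdigest()}


class ChainOfCustody:
    """Append-only log of who did what to an evidence item, with the hashes observed at each step."""

    def __init__(self, case_id, evidence_tag):
        self.case_id, self.evidence_tag, self.entries = case_id, evidence_tag, []

    def record(self, actor, action, **details):
        entry = {'time': datetime.now(timezone.utc).isoformat(timespec='seconds'),
                 'case': self.case_id, 'tag': self.evidence_tag,
                 'actor': actor, 'action': action, **details}
        self.entries.append(entry)
        return entry


def acquire_image(source_media, examiner, coc):
    """Model a bit-for-bit acquisition: hash the source, copy it, hash the copy, re-hash the source."""
    before = evidence_hashes(source_media)
    image = bytes(source_media)              # stands in for dd/FTK Imager reading via a write-blocker
    image_hash = evidence_hashes(image)
    after = evidence_hashes(source_media)    # shows the evidence media itself was not altered
    verified = before == after == image_hash
    coc.record(examiner, 'acquired image',
               source_sha256=before['sha256'], image_sha256=image_hash['sha256'],
               image_md5=image_hash['md5'], verified=verified)
    return image, verified


def verify_image(image, expected_sha256):
    """Re-check an image against the hash recorded at acquisition (done before each later analysis step)."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


EVIDENCE_MEDIA = bytes(range(256)) * 16      # constructed 4 KiB "device" standing in for a seized drive

if __name__ == '__main__':
    log = ChainOfCustody('CASE-0001', 'E-01')          # constructed identifiers
    img, ok = acquire_image(EVIDENCE_MEDIA, 'examiner A', log)
    print('acquisition verified:', ok)
    for entry in log.entries:
        print(entry)
```

Every later hand-off (transport, analysis, return) adds another `record` call with the hash re-computed at that moment, so the log shows an unbroken sequence of matching values from seizure to courtroom.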
Data Analysis
This phase includes the following:
Data analysis techniques depend on the scope of the case or the client’s requirements.
Analysis of the file’s content, date and time of file creation and modification, users associated with file creation,
access and file modification, and physical storage location of the file.
Timeline generation
Identification of the root cause of the incident
Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate
useful information.
Case Analysis
Investigators can relate the evidential data to the case details for understanding how the complete incident took place
and determining the future actions such as the following:
Determine the possibility of exploring other investigative procedures to gather additional evidence (e.g., checking
host data and examining network service logs for any information of evidentiary value, collecting case-specific
evidence from social media, identifying remote storage locations etc.)
Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network
configuration, system logs, and passwords) by interviewing the respective individuals.
Consider the relevance of components that are out of the scope of investigation; for example, equipment such as
laminators, check paper, scanners, and printers in case of any fraud; or digital cameras in case of child
pornography.
Gathering and Organizing Information
Documentation in each phase should be identified to decide whether it is appropriate to the investigation and
should be organized in specific categories.
Procedures for Gathering and Organizing Documentation
Gather all notes from different phases of the investigation process.
Identify the facts to be included in the report for supporting the conclusions.
List all the evidence to submit with the report.
List the conclusions that need to be in the report.
Organize and classify the information gathered to create a concise and accurate report.
Writing the Investigation Report
Forensic Investigation Report
Important Aspects of a Good Report
A good forensics report is:
Clear and concise
Written for the appropriate audience
It should:
Accurately define the details of an incident
Convey all necessary information in a concise manner
Be technically sound and understandable to the target audience
Be structured logically for easy information retrieval
Be able to withstand legal inspection
Adhere to local laws to be admissible in court
Forensics Investigation Report Template
The template contains the following sections:
Executive Summary
Case number
Names and Social Security Numbers of authors, investigators, and examiners
Purpose of investigation
Significant findings
Signature analysis objectives of the incident
Date and time the incident allegedly occurred
Date and time the incident was reported to the agency’s personnel
Details of the person or persons reporting the incident process
Date and time the investigation was assigned
Allotted investigators
Nature of the claim and information provided to the investigators
Investigation Details
Relevant findings
Supporting Files
Attachments and appendices
Full path of the important files
Expert reviews and opinion
Other Supporting Details
Attacker’s methodology
User’s applications and Internet activity
Recommendations
Evidence Information
Location of the evidence
List of the collected evidence
Tools involved in collecting the evidence
Preservation of the evidence
Evaluation and Analysis Process
Initial evaluation of the evidence
Investigative techniques
Analysis of the computer evidence (Tools involved)
Testifying as an Expert Witness
Things that take place in the courtroom:
The expert witness becomes familiar with the usual procedures followed during a trial.
The attorney introduces the expert witness.
The opposing counsel may try to discredit the expert witness.
The attorney leads the expert witness through the evidence.
The opposing counsel’s cross-examination follows.
Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex
technology.
Data Carving
Data carving is the act of searching for particular strings or bytes within a structure.
A hex editor or other data-viewing tools can be used to carve for data.
The analyst determines a string or binary pattern to search for, then initiates a search across a device or structure for
that string or pattern.
The target can be of whatever scope is appropriate for the task, such as a file, slack space, unallocated space, a full
volume, a memory image, or a swap file.
The technique can be used to carve for full files, such as recovering deleted JPG image files, or for records, such as
recovering portions of a deleted Windows event log.
How Data Carving Works
1. File Signatures: Every file type (like JPEG, PNG, PDF, DOCX, etc.) has a unique header (beginning) and footer (end)
that can be identified by specialized software. These are called "magic numbers" or "file signatures." Data carving uses
these signatures to locate the start and end of files within the raw data.
2. Search for Patterns: The process involves scanning the unallocated space or fragmented storage, looking for these
specific signatures. Once identified, the tool "carves" out the data between the known start and end points of a file.
3. Reconstructing Files: After finding the file's start and end, the carving tool will attempt to reconstruct the file. Even if
parts of the file are missing or fragmented, it may still be possible to recover significant portions of the file.
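An added example that is not part of these notes and is not PhotoRec, Scalpel or FTK: a small header/footer carver in Python run over a constructed byte buffer. It scans for the magic numbers of a few common types, carves each file between its header and footer, and flags a file whose footer is never found (the "missing or fragmented" case in step 3), so it recovers what is contiguous but does not reassemble fragments. The buffer, the filler bytes and the fake file bodies are all constructed.

```python
# Header/footer signatures for a few common types (well-known magic numbers)
SIGNATURES = {
    'jpg': (b'\xff\xd8\xff', b'\xff\xd9'),
    'png': (b'\x89PNG\r\n\x1a\n', b'IEND\xaeB`\x82'),
    'gif': (b'GIF8', b'\x00;'),
    'pdf': (b'%PDF-', b'%%EOF'),
}


def identify(blob):
    """Signature analysis of one object: the type whose header it starts with, or None."""
    for ftype, (head, _) in SIGNATURES.items():
        if blob.startswith(head):
            return ftype
    return None


def carve(data, max_size=1 << 20):
    """Scan raw bytes (unallocated space, a volume, a memory image) for header/footer pairs."""
    found, pos = [], 0
    while pos < len(data):
        hit = None                                   # earliest header of any type at or after pos
        for ftype, (head, foot) in SIGNATURES.items():
            i = data.find(head, pos)
            if i != -1 and (hit is None or i < hit[1]):
                hit = (ftype, i, head, foot)
        if hit is None:
            break
        ftype, start, head, foot = hit
        limit = min(len(data), start + max_size)
        j = data.find(foot, start + len(head), limit)
        if j == -1:                                  # no footer within max_size: keep the fragment
            end, complete = limit, False
            pos = start + len(head)                  # another header may sit inside the fragment
        else:
            end, complete = j + len(foot), True
            pos = end                                # resume after the carved file
        found.append({'type': ftype, 'offset': start, 'size': end - start,
                      'complete': complete, 'data': data[start:end]})
    return found


# Constructed sample "unallocated space": noise, a JPEG, zeros, a PNG, noise, a JPEG fragment
FILLER = bytes(range(256)) * 4                       # 1024 bytes containing no signature
JPEG_SAMPLE = b'\xff\xd8\xff\xe0' + b'<constructed jpeg body>' + b'\xff\xd9'
PNG_SAMPLE = (b'\x89PNG\r\n\x1a\n' + b'\x00\x00\x00\rIHDR' + bytes(17)
              + b'\x00\x00\x00\x00IEND\xaeB`\x82')
PARTIAL_JPEG = b'\xff\xd8\xff\xe1' + b'<constructed fragment with no footer>'
SAMPLE_SPACE = FILLER + JPEG_SAMPLE + bytes(100) + PNG_SAMPLE + FILLER + PARTIAL_JPEG

if __name__ == '__main__':
    for hit in carve(SAMPLE_SPACE):
        print(hit['type'], 'at offset', hit['offset'], hit['size'], 'bytes',
              'complete' if hit['complete'] else 'truncated')
```

Real carvers add per-type size limits and validate the carved object (a JPEG that does not decode, a PNG whose chunk CRCs fail), because a footer byte sequence can also occur by chance inside unrelated data.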
Tools for Data Carving
Several software tools are used for data carving, including:
PhotoRec: A popular open-source tool for file recovery that specializes in carving out lost files, particularly multimedia
files.
Scalpel: A fast file-carving tool used for recovering files based on predefined signatures.
FTK Imager: Used in digital forensics, FTK can carve files from disk images, even when the file system is damaged.
Recovering Graphics Files
Types of Graphics Files
Bitmap Graphics:
Consists of pixels arranged in a grid.
Each pixel holds color information.
Common formats: BMP, GIF, JPEG.
Vector Graphics:
Made up of mathematical equations that define lines, curves, shapes, and text.
Scalable without losing quality.
Common formats: SVG, EPS.
Metafile Graphics:
Combines both bitmap and vector graphics.
Contains multiple types of image data.
Common formats: EMF, WMF.
Graphics Programs
1. Graphics Editors:
Used to create, modify, and save graphics.
Works with bitmap, vector, and metafile formats.
Examples:
Microsoft Paint (basic editing).
Adobe Photoshop (advanced bitmap editing).
GIMP (open-source graphics editor).
2. Image Viewers:
Used to view graphics files without altering them.
Cannot modify the contents of the image.
Examples: Windows Photo Viewer, Preview on macOS.
Graphics File Formats and Their Properties
1. BMP (Bitmap):
Uncompressed and high-quality.
Large file size.
2. GIF (Graphics Interchange Format):
Supports animation and limited color palette (256 colors).
Uses lossless compression.
3. JPEG (Joint Photographic Experts Group):
Uses lossy compression.
Suitable for photographs and images with complex color gradients.
Format Conversion
Use graphics editors to open and save files in different formats.
Choose a format based on quality, file size, and usage.
Bitmap Images
Store graphics as grids of pixels (picture elements).
Each pixel has a specific color value.
Raster Images
Also collections of pixels but arranged in rows.
Used for easy printing by converting images into printable pixels line by line.
Resolution and Image Quality
Resolution:
Determines the amount of detail displayed.
Measured by the density of pixels onscreen.
Higher resolution → Sharper images.
Factors Affecting Resolution:
Hardware: Monitor capability, video card memory.
Software: Drivers, image-processing programs
High vs. Low Resolution Example
A Windows computer with a 4096 × 2160 resolution displays:
4096 pixels horizontally
2160 pixels vertically
Key Takeaways:
High-resolution images use smaller pixels for finer details.
Advanced video cards and optimized software improve image clarity.
Color Depth and Image Quality
Color Depth (Bits per Pixel) Affects Image Quality:
More bits = More colors and smoother gradients.
Common Color Depth Levels:
1 bit → 2 colors
4 bits → 16 colors
8 bits → 256 colors
16 bits → 65,536 colors
24 bits → 16.7 million colors
32 bits → 4.29 billion colors
Impact on Bitmap and Raster Images:
Files use as much color as possible based on format.
Saving a file may reduce color quality depending on format support.
Understanding Vector Graphics
Vector Graphics vs. Bitmap Images
Use lines and shapes instead of dots (pixels).
Store mathematical calculations rather than image data.
Smaller file size compared to bitmap images.
Can be resized without losing quality (scalable).
Examples of Vector Graphics Software:
CorelDRAW
Adobe Illustrator
Understanding Metafile Graphics
What are Metafile Graphics?
Combination of raster and vector graphics.
Example: A scanned photograph (bitmap) with added text or arrows (vector).
Advantages & Limitations:
Vector parts remain sharp when resized.
Bitmap parts lose resolution when enlarged.
Understanding Graphics File Formats
Graphics Editors & File Types:
Graphics are created and saved using specialized software.
Examples of Graphics Editors:
Microsoft Paint
Adobe Freehand MX (Vector-based)
Adobe Photoshop (Supports both raster & vector)
GIMP (GNU Image Manipulation Program)
Choosing the Right Tool:
Use vector software for scalable graphics.
Use raster software for detailed image editing.
Standard Graphics File Formats
Bitmap File Formats:
.png (Portable Network Graphics)
.gif (Graphics Interchange Format)
.jpg / .jpeg (Joint Photographic Experts Group)
.tif / .tiff (Tagged Image File Format)
.bmp (Windows Bitmap)
Vector File Formats:
.hpgl (Hewlett-Packard Graphics Language)
.dxf (AutoCAD Drawing Exchange Format)
Nonstandard & Proprietary Graphics File Formats
Less Common & Proprietary Formats:
.tga (Targa)
.rtl (Raster Transfer Language)
.psd (Photoshop)
.ai (Illustrator)
.fh11 (Freehand)
Newer & Obsolete Formats:
.svg (Scalable Vector Graphics – newer format)
.pcx (Paintbrush – old/obsolete)
Challenges in Digital Forensics:
Nonstandard files may require special tools to open.
Investigators must identify unknown formats for evidence.
Identifying Unknown Graphics File Formats
Steps to Identify a Graphics File:
1. Search online for the file extension (e.g., .tga).
2. Use Web resources like:
www.garykessler.net/library/file_sigs.html
www.webopedia.com
3. Use file signature analysis tools.
4. Find and install the appropriate viewing software.
5. Example Investigation:
1. Encounter a .tga file → Use Webopedia to search for details.
2. Find supported programs and determine file content.
Understanding Digital Photograph File Formats
Impact of Digital Photographs in Digital Forensics:
Digital photos are easily created using:
Smartphones
Digital cameras
CCTV surveillance
Forensic Importance:
Photos can be crucial evidence in investigations.
Used in cases like:
Accidents (witness photos)
Criminal investigations (child exploitation, fraud, etc.)
Why Investigators Need to Analyze Digital Photos:
Understanding data structures in graphics files enhances evidence collection.
Knowledge of photo formats boosts credibility in court.
Common Digital Photo Formats:
Raw format – Unprocessed image data from digital cameras.
Exif format – Contains metadata such as timestamp, location, and camera settings.
What is a Raw File Format?
Also known as a digital negative.
Used in high-end digital cameras.
No enhancement or processing by the camera.
Records pixel data directly onto the memory card.
Advantages:
Highest picture quality – No compression or loss of detail.
More flexibility in post-processing.
Challenges for Digital Forensics:
Proprietary format – Different for each camera manufacturer.
Not universally supported – Standard image viewers may not open raw files.
Requires specialized viewing/conversion software from the manufacturer.
Key Process: Demosaicing
Converts raw data to standard formats like JPEG or TIF.
Uses manufacturer-specific algorithms for processing.
Examining the Exchangeable Image File (Exif) Format
What is Exif?
A standard for storing metadata in JPEG and TIF files.
Developed by Japan Electronics and Information Technology Industries Association (JEITA).
Stores camera details, settings, and timestamp when a photo is taken.
If GPS-enabled, latitude and longitude can also be recorded.
Importance in Digital Forensics:
Helps investigators identify the camera/device used.
Provides critical metadata about the photo’s origin.
Examining the Exchangeable Image File (Exif) Format
What Metadata is Stored in Exif?
Device Information: Camera model, make, serial number.
Photo Settings: Shutter speed, focal length, resolution, date, and time.
GPS Data: Latitude, longitude (if supported by the device).
Exif Viewing Tools:
Exif Reader (www.takenet.or.jp)
IrfanView (www.irfanview.com)
Magnet Forensics AXIOM (www.magnetforensics.com)
Examining the Exchangeable Image File (Exif) Format
Exif vs. Standard JPEG Files
Differences in File Headers:
Exif JPEG File: Contains additional metadata (camera details, GPS, settings).
Standard JPEG File: Stores only image data without metadata.
Example:
Sawtoothmt.jpg → Exif file (with metadata).
Sawtoothmtn.jpg → Standard JPEG file (image only).
Forensic Use:
Investigators can analyze Exif data to verify authenticity.
Useful in tracking photo origins and modifications.
Examining the Exchangeable Image File (Exif) Format
Extracting Metadata as Evidence:
Tools for Metadata Extraction:
Autopsy – Digital forensics tool for analyzing metadata.
Exif Reader – Extracts metadata from JPEG and TIF files.
Importance in Forensics:
Metadata provides crucial evidence, such as date, time, device details, and location.
Example: Autopsy shows a photo taken on July 10, 2017, at 5:50 p.m. PDT.
Helps track the origin and authenticity of an image.
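The Python below is an added example (not from these notes, and not Autopsy or Exif Reader). It builds a minimal Exif JPEG, with an APP1 segment, TIFF header, IFD0 and an Exif sub-IFD, and then parses the metadata back out; for a plain JFIF JPEG that carries no Exif segment it returns nothing, which is the Exif-versus-standard-JPEG difference described above. The camera make, model and the 2013:09:10 19:09:00 timestamp are constructed values, and only ASCII tags and the sub-IFD pointers are decoded.

```python
import struct

ASCII, LONG = 2, 4                      # the two TIFF field types used here
TAG_NAMES = {0x010F: 'Make', 0x0110: 'Model', 0x0132: 'DateTime',
             0x9003: 'DateTimeOriginal', 0x8769: 'ExifIFDPointer', 0x8825: 'GPSInfoIFDPointer'}


def _ifd_len(entries):
    # 2-byte count, 12 bytes per entry, 4-byte next-IFD link, plus values longer than 4 bytes
    return 2 + 12 * len(entries) + 4 + sum(len(raw) for _, _, _, raw in entries if len(raw) > 4)


def _build_ifd(entries, ifd_offset):
    """Serialize one IFD placed at ifd_offset (relative to the TIFF header), little-endian."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    directory, data = struct.pack('<H', len(entries)), b''
    for tag, typ, count, raw in entries:
        if len(raw) <= 4:
            field = raw.ljust(4, b'\0')                         # value fits in the entry itself
        else:
            field = struct.pack('<I', data_start + len(data))   # otherwise store an offset
            data += raw
        directory += struct.pack('<HHI', tag, typ, count) + field
    return directory + struct.pack('<I', 0) + data              # 0 = no further IFD


def build_exif_jpeg(make, model, date_time):
    """Constructed Exif JPEG: SOI, APP1 (Exif/TIFF/IFD0/Exif IFD), EOI; no image data."""
    def text(tag, s):
        raw = s.encode('ascii') + b'\0'
        return (tag, ASCII, len(raw), raw)
    exif_ifd = [text(0x9003, date_time)]
    ifd0 = [text(0x010F, make), text(0x0110, model), text(0x0132, date_time)]
    exif_ifd_offset = 8 + _ifd_len(ifd0 + [(0x8769, LONG, 1, b'\0\0\0\0')])
    ifd0.append((0x8769, LONG, 1, struct.pack('<I', exif_ifd_offset)))
    tiff = b'II*\0' + struct.pack('<I', 8) + _build_ifd(ifd0, 8) + _build_ifd(exif_ifd, exif_ifd_offset)
    app1 = b'Exif\0\0' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'


def parse_exif(jpeg):
    """Return the ASCII tags found in the Exif APP1 segment, or {} if the JPEG has none."""
    if jpeg[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI or start-of-scan: no more header segments
            break
        seg_len = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b'Exif\0\0'):
            return _parse_tiff(segment[6:])
        pos += 2 + seg_len
    return {}


def _parse_tiff(tiff):
    end = {b'II': '<', b'MM': '>'}.get(tiff[:2])   # byte order declared by the TIFF header
    if end is None:
        raise ValueError('bad TIFF byte-order mark')
    magic, ifd0 = struct.unpack(end + 'HI', tiff[2:8])
    if magic != 42:
        raise ValueError('bad TIFF magic')
    tags = {}

    def read_ifd(offset):
        (count,) = struct.unpack(end + 'H', tiff[offset:offset + 2])
        for i in range(count):
            e = offset + 2 + 12 * i
            tag, typ, n = struct.unpack(end + 'HHI', tiff[e:e + 8])
            value = tiff[e + 8:e + 12]
            if typ == ASCII:
                raw = value[:n] if n <= 4 else tiff[struct.unpack(end + 'I', value)[0]:][:n]
                tags[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b'\0').decode('ascii', 'replace')
            elif typ == LONG and tag in (0x8769, 0x8825):       # follow sub-IFD pointers
                read_ifd(struct.unpack(end + 'I', value)[0])

    read_ifd(ifd0)
    return tags


# Constructed samples: one Exif JPEG, one plain JFIF JPEG with no Exif segment
EXIF_JPEG = build_exif_jpeg('ExampleCam', 'X1', '2013:09:10 19:09:00')
PLAIN_JPEG = (b'\xff\xd8\xff\xe0' + struct.pack('>H', 16)
              + b'JFIF\0\x01\x01\0\0\x01\0\x01\0\0' + b'\xff\xd9')

if __name__ == '__main__':
    print('Exif JPEG :', parse_exif(EXIF_JPEG))
    print('plain JPEG:', parse_exif(PLAIN_JPEG))
```

The parser reads the byte-order mark instead of assuming "II", since cameras write both orders, and it follows only the two pointer tags it knows, so an unexpected IFD cannot send it off into image data.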
Examining the Exchangeable Image File (Exif) Format: Challenges with Date & Time in Exif Metadata
Why Date & Time Might Be Inaccurate:
Intentional Changes:
Suspects can alter a camera’s clock settings to mislead investigations.
Unintentional Errors:
Battery failure or camera malfunctions may reset the clock.
Transferring files to a computer may result in metadata loss.
Forensic Best Practice:
Treat Exif date and time as subjective evidence.
Look for corroborating details (e.g., device settings, other timestamps).
Examining the Exchangeable Image File (Exif) Format: Verifying Exif Date & Time Using Sun Position
Adjusting for Time Zones:
Exif timestamps may be recorded in UTC instead of local time.
Example: A photo taken in Santa Fe, NM, on Sept 10, 2013, at 7:09 p.m. MDT.
Using Sun & Shadows for Verification:
Sunset Check:
Online tools: Time and Date (www.timeanddate.com)
On Sept 10, 2013, sunset was at 7:18 p.m. MDT.
If shadows are short in the image, the timestamp may be incorrect.
GPS & Sun Angle Calculation:
If latitude and longitude exist in Exif, you can approximate the time of day.
Works only for outdoor photos taken in sunlight.
Analysing Email Headers
Role of Email Forensics
Collecting and analyzing email evidence in cyber investigations
Identifying phishing, spoofing, and fraudulent emails
Common Phishing Techniques
Email Spoofing: Forging sender address to appear legitimate
Fake Websites & Links: URLs disguised as authentic sites
Social Engineering: Manipulating users into providing sensitive information
Indicators of Phishing Emails
Urgent or threatening language
Suspicious links and attachments
Unusual sender addresses
Investigator’s Role: Validate email authenticity, trace senders, and analyze email headers & metadata.
Investigative Techniques for Phishing Emails
Use Online Lookup Tools
WHOIS lookup for domain registration details
Email and IP address tracing tools (e.g., MXToolbox, VirusTotal)
Detect DNS Poisoning & Pharming
Verify website authenticity using digital certificates
Compare IP resolution with known legitimate addresses
Cybercriminals exploit human psychology and technical weaknesses—effective forensic analysis can prevent data breaches
and fraud.
Exploring the Roles of the Client and Server in E-mail
Internet Email – Publicly accessible email services (e.g., Gmail, Yahoo, Outlook.com)
Intranet Email – Internal network-based email (e.g., corporate email systems)
Client/Server Architecture:
Email Server: Centralized system (e.g., Microsoft Exchange Server) managing email storage & distribution
Email Clients: Programs (e.g., Microsoft Outlook, Thunderbird) used to send/receive emails
How It Works:
1. User composes an email in an email client
2. Email client sends the message to the email server
3. Server forwards it to the recipient’s email server
4. Recipient retrieves the email using their email client
Email systems operate in a client/server model, ensuring efficient communication across both internet and intranet
environments.
Here is an image depicting how Email in a client/server architecture works:
The image shows the email client sending "Do you have mail for me?" to the email server, which responds with "Yes, here it
is!".
Email Services – Internet vs. Intranet
Email in Client/Server Architecture:
Both Internet and Intranet email use a client/server model.
Key Difference: How accounts are assigned, managed, and accessed.
| Feature | Intranet Email System (Private Use) | Internet Email System (Public Use) |
|---|---|---|
| Server Location | Part of the local network | Provided by external services (e.g., Google, Yahoo, GMX) |
| Management | Managed by an administrator with strict security policies | Open to the public; users create accounts freely |
| Access | Only company employees have access | Accessible from anywhere via the Internet |
| Naming Convention | Follows a standardized naming convention (e.g., jane.smith@mycompany.com) | No standard naming convention (e.g., itty_bitty@gmail.com) |
Security & Forensics Considerations
Investigating Intranet vs. Internet Email
| Task | Intranet Emails (Easier) | Internet Emails (Challenging) |
|---|---|---|
| User Identification | Standardized usernames help identify users. IT administrators manage all accounts. Example: jane.smith@mycompany.com is clearly linked to Jane Smith. | Usernames are arbitrary and anonymous. Companies don't regulate naming schemes. Example: itty_bitty@gmail.com provides no obvious identity clues. |
| Forensic Implications | Intranet email logs can be accessed for internal investigations. | Internet email tracking requires ISP cooperation, IP tracking, and metadata analysis. |
Forensic Challenges in Email Investigations
Intranet Emails: Easier to track due to company regulations & standardization. Admin logs & access policies aid forensic analysis.
Internet Emails: Difficult to trace, since users choose random usernames. Requires external cooperation from email providers & ISPs.
Investigator's Role: Analyze email headers for IP addresses & metadata. Use WHOIS, DNS records, and legal requests for user identification.
Email Forensics Techniques
Header Analysis: Traces email source, IP addresses, and sender information.
Metadata Examination: Identifies timestamps, attachments, and routing details.
Content Analysis: Detects suspicious links, keywords, and anomalies.
Attachment & Malware Analysis: Scans for embedded threats.
Forensic Tools:
MailXaminer, EnCase, FTK – Comprehensive email investigation.
MIME & BASE64 Decoders – Extract hidden information.
Traceroute & WHOIS Lookup – Tracks email origins.
Understanding Email Structure
Components of an Email Message:
Header: Contains metadata (sender, recipient, timestamps, IP addresses).
Body: The main content of the email, including text, links, and embedded media.
Attachments: Files included in the email that may contain malware or hidden data.
Types of Email Protocols:
SMTP (Simple Mail Transfer Protocol): Used for sending emails.
IMAP & POP3: Used for receiving and storing emails.
Key Information Collected from Headers
Received Fields:
Shows email’s journey through mail servers.
Reveals the sender’s IP address and geolocation.
Return-Path & Reply-To:
Used to detect email spoofing.
Message-ID:
Unique identifier assigned by the mail server.
Helps in tracking email threading.
SPF, DKIM, and DMARC Records:
SPF (Sender Policy Framework): Verifies if the sender is authorized.
DKIM (DomainKeys Identified Mail): Ensures email integrity.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Prevents email spoofing.
Email Forensics Definition
Branch of cyber forensics that analyzes email contents and components.
Email Forensics Challenges
Hackers use proxy servers and IP spoofing to hide identities.
Tracing email sources is difficult due to evolving cybercriminal tactics.
Digital forensics is not just data extraction but involves scientific investigation without altering original data.
Challenges in Webmail Forensics
Modern Technologies (e.g., AJAX):
Make recovery of webmail artifacts more difficult.
Email content is often not stored in expected disk locations.
Alternative Sources for Email Evidence:
Paging files & hibernation files – May contain webmail artifacts.
System RAM – Can store email data but is volatile.
Many forensic investigations begin after the system is powered down, limiting RAM recovery.
Recovering Emails
Email consists of multiple components aiding forensic analysis:
Email Header (metadata, sender, recipient, timestamps)
Email Body (main content, links, embedded objects)
Attachments (files, documents, potential malware)
Related Properties (encryption, MIME type, routing details)
Data Recovery in Email Forensics
Importance of Data Recovery
Converts data into readable format.
Helps restore and filter emails while maintaining integrity.
Stages of E-Discovery
Collection of data.
Processing and indexing.
Review and analysis.
Presentation of forensic evidence.
Key Forensic Techniques
IP Geopositioning & Mobile Data:
Track sender’s location using IP address, call records, and GPS data.
Conversation Reconstruction:
Rebuild email, text, and chat history for chronological analysis.
Duplicate Detection & Analysis:
Identify and group similar documents for systematic review.
Word Context & Near-Duplicate Merging:
Detect key phrases, merge similar files, and filter irrelevant data.
[Figure: steps of an email forensic investigation: obtain the search warrant; obtain a bit-by-bit image of email information; retrieve the email header; analyze email headers; recover deleted emails; acquire email archives; trace email origins.]
Email Header Analysis
Email headers contain metadata crucial for forensic investigations.
Helps analyze and examine email artifacts.
Key Components of an Email Header
Sender Email Address
SMTP Servers the Mail Passed Through
Network Path of the Email
IP Address of the Sender
Timestamp (Date & Time of Email Transmission)
Client & Encoding Information
Importance of Email Headers in Investigations
Crucial in tracing the origin of an email.
Allows forensic investigators to track email routing.
Helps detect email spoofing and phishing attempts.
Identifies anomalies in email metadata.
Analyzing the 'Received' Field
Methodology for Source Tracing:
Start from the bottom of the header and move upwards.
Examine the ‘Received’ fields for hop-by-hop tracking.
Compare timestamps to detect inconsistencies.
Indicators of a Fake Email Header:
Time discrepancies between different mail servers.
Multiple server entries that seem out of place.
Header alterations suggesting spoofing or proxy usage.
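The bottom-up walk of the 'Received' fields and the spoofing indicators above (and the Return-Path / Reply-To / Message-ID checks listed under "Key Information Collected from Headers"), as an added Python example that is not part of the original notes or of any tool they list. It parses a constructed header, lists the hops in chronological order with their IPs, flags a timestamp reversal between hops, and compares the From domain with Return-Path and Reply-To; the sample header, its addresses and the five-minute skew tolerance are all assumptions.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header (not a real message; documentation-range IPs).
# Received: lines appear most-recent-first, so tracing reads them bottom-up.
# The bottom hop carries a time AHEAD of the relays that handled it later,
# and From disagrees with Return-Path and Reply-To: both are spoofing cues.
SAMPLE_HEADER = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by inbound.example.org with ESMTP id abc123;
    Mon, 3 Mar 2025 10:05:30 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.com with ESMTP id def456;
    Mon, 3 Mar 2025 10:05:12 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with SMTP id ghi789;
    Mon, 3 Mar 2025 11:30:00 +0000
From: "IT Helpdesk" <helpdesk@mycompany.com>
Reply-To: <mailbox@freemail.example>
Message-ID: <20250303100500.12345@relay.example.net>
Date: Mon, 3 Mar 2025 10:04:50 +0000
Subject: Urgent: verify your password

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_header):
    """Return the Received hops in chronological order (bottom of the header
    first). Each hop is (ip_or_None, datetime_or_None, unfolded_line)."""
    msg = message_from_string(raw_header)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        flat = " ".join(line.split())  # unfold continuation lines
        ip_match = IP_RE.search(flat)
        stamp = None
        if ";" in flat:  # the timestamp follows the last ';'
            try:
                stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append((ip_match.group(1) if ip_match else None, stamp, flat))
    return hops


def originating_ip(hops):
    """Earliest hop that exposes an IP: the best available sender address."""
    for ip, _, _ in hops:
        if ip:
            return ip
    return None


def timestamp_anomalies(hops, tolerance=timedelta(minutes=5)):
    """Flag consecutive hops where the later relay stamped a time EARLIER
    than the previous hop by more than the tolerance. Small skew between
    servers is normal; a large reversal suggests a forged Received line."""
    anomalies = []
    for (ip_a, t_a, _), (ip_b, t_b, _) in zip(hops, hops[1:]):
        if t_a and t_b and t_b < t_a - tolerance:
            anomalies.append((ip_a, ip_b, t_a - t_b))
    return anomalies


def sender_mismatches(raw_header):
    """Compare the From domain with the Return-Path and Reply-To domains.
    Returns (header_name, its_domain, from_domain) for each mismatch."""
    msg = message_from_string(raw_header)

    def domain_of(name):
        addr = parseaddr(msg.get(name, ""))[1]
        return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

    from_domain = domain_of("From")
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(name)
        if from_domain and other and other != from_domain:
            findings.append((name, other, from_domain))
    return findings


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADER)
    for n, (ip, stamp, _) in enumerate(hops, 1):
        print(f"hop {n}: ip={ip} time={stamp}")
    print("originating IP:", originating_ip(hops))
    print("timestamp anomalies:", timestamp_anomalies(hops))
    print("sender mismatches:", sender_mismatches(SAMPLE_HEADER))
```

On the sample, the first (bottom) hop is stamped almost an hour and a half after the relays above it and both Return-Path and Reply-To point away from the From domain.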
Challenges in Email Header Analysis
IP Spoofing and Proxy Usage:
Attackers can mask their IPs using proxies.
Makes direct tracking difficult and complex.
Altered Headers:
If HTTP/SMTP server logs do not match the header details, the email may be fake.
Requires advanced forensic techniques for verification.
[Figure: table of step-by-step instructions for retrieving email headers from Gmail, Yahoo Mail, and Outlook Express.]
Analysis of an Email Header
Tools for Email Header Analysis (Commercial and Online Tools):
www.ip-adress.com
EmailTracker Pro
MailXaminer
MX Toolbox
These tools help extract and analyze email metadata for investigative purposes.
Using IP-Adress.com for Analysis
Step 1: Copy the email header from the email client.
Step 2: Paste it into www.ip-adress.com.
Step 3: Extract sender’s IP address and ISP information.
Step 4: Verify the authenticity of the IP.
Step 5: Cross-check with other forensic tools for validation.
Tracing the Attacker
Once the IP is confirmed:
Identify the ISP associated with the IP.
Contact the ISP for customer details.
Authorities collaborate with law enforcement for tracking.
Investigators gather digital evidence and proceed with legal action.
Challenges in Email Header Analysis
Email spoofing and anonymization techniques.
Use of VPNs and proxies by attackers.
Dynamic IP addresses that change frequently.
ISP cooperation delays and legal restrictions.
[Figure: sample email header; the Return-Path field gives the address to which bounce messages are sent.]
[Figure: annotated sample email header highlighting the date sent, sender, recipient, message ID, and subject.]
Case Study: e-Discovery from the Enron Corpus
Data Hiding Techniques
Data hiding is a common technique used by hackers and attackers to conceal sensitive information.
They exploit hidden storage areas that are not included in conventional search parameters.
Key areas used for hiding data:
Host Protected Area (HPA)
Slack Space
Alternate Data Streams (ADS)
Host Protected Area (HPA)
A reserved section of a hard drive not visible to standard OS tools.
Initially designed by manufacturers for system recovery and diagnostics.
Hackers exploit HPA to store malware, hidden files, or unauthorized code.
Detection and access require forensic tools like HDAT2 or ATA commands.
Slack Space
Slack space refers to the unused portion of a disk cluster left when a file does not entirely fill it.
Even after file deletion, residual data can exist in slack space.
Attackers use it to hide small amounts of data without modifying file system metadata.
Forensic tools like EnCase, FTK, and Autopsy can detect slack space data.
Alternate Data Streams (ADS)
A feature of NTFS file systems allowing multiple data streams per file.
Attackers use ADS to embed malicious content within legitimate files without changing file size.
Example: notepad.exe sample.txt:hidden.txt stores hidden.txt inside sample.txt.
Forensic detection tools include streams.exe and adsspy.
Detecting and Mitigating Hidden Data
Use forensic tools to analyze disk structures and file systems:
HPA: Use BIOS settings and forensic software like HDAT2.
Slack Space: Perform full disk imaging and analysis.
ADS: Scan NTFS structures using dir /r command or specialized tools.
Implement endpoint security measures and proactive monitoring.
Steganography and Cryptography
Steganography is the age-old practice of secret or hidden writing.
It has existed for a long time and was adopted by spies to hide messages.
Steganography
Steganography is a method of embedding secret data into media without causing noticeable changes.
Techniques like Least Significant Bit (LSB) and masking are employed.
For example, hiding text in an image by slightly modifying pixel values. Specialized tools are needed for embedding and extracting data.
Polyglot Attack
A polyglot attack involves hiding malware within the code of an existing file, such as an image. When a web browser loads the intended file, the hidden malware executes malicious activities. For example, an image containing JavaScript malware that executes upon upload. Attackers manipulate a file's code to merge malware with an image so that it appears normal but contains hidden, executable code that activates unnoticed when the file is accessed.
Popular Steganography Tools
SilentEye: Open-source tool for hiding messages in images and audio.
iSteg: Hides files inside JPEG images.
OpenStego: Used for data hiding and watermarking.
OpenPuff: Free steganography software for Windows.
Steghide: Hides data in images and audio files.
Spammimic: Encodes messages into spam-like text.
Stegdetect – Steganography Detection Tool
Stegdetect is an open-source utility for analyzing images for hidden steganographic content by running statistical tests to detect hidden messages in image files.
Detection Capabilities:
Identifies multiple steganographic techniques, including:
Jsteg
Jphide
Invisible Secrets
OutGuess
F5
Camouflage
Malware Analysis
Malware analysis is the process of determining the behavior and impact of a malware sample to identify the malware type, its purpose, and mitigation strategies. It is essential for cybersecurity and forensic investigations.
Key Processes:
Static Analysis: Examining malware without execution.
Hashing: Ensuring file integrity and quick identification.
Antivirus Check: Comparing file signatures with malware databases.
Dynamic Analysis: Executing malware in a controlled environment.
Static Analysis
Static analysis involves examining malware without running it. Methods include file type determination, extracting encoded strings, and checking for obfuscation. It helps reverse-engineer malware to understand its structure and intent.
Hashing in Malware Analysis
Hashing converts character strings into unique hash values. It is used to compare malware samples against known signatures and ensures data integrity during forensic analysis. It is a standard practice for all forensic investigations.
Antivirus Check
An antivirus check is the first step before in-depth analysis: antivirus tools or online services compare the file signature with known malware databases to quickly identify common malware threats.
Disassembling Malware Code
Malware is often written in C or C++ and compiled into an x86 binary. Disassembly helps understand the program's design and function. Packed malware requires unpacking tools before analysis.
Malware files are typically in Windows Portable Executable (PE) format, which includes .dll, .exe, and .sys files. PE files instruct Windows on how to load programs into memory.
Dynamic Analysis
Dynamic analysis involves running malware in a controlled environment to identify malware functionality and behavior when static analysis yields no results.
Key components:
System processes analysis: Observes process creation and execution.
Registry analysis: Monitors registry modifications by malware.
Network analysis: Captures and analyzes malware network activity.
Risk: Running unknown malware may cause unintended consequences.
Unit 4: Network Forensics
Introduction
Network Forensics is a sub-branch of cyber forensics that revolves around examining networking-related digital evidence by monitoring, recording, analyzing, and interpreting network traffic.
Components:
Packet capture and analysis
Network device acquisition
Incident response
Network forensics helps distinguish between a genuine cyberattack and unintended system changes by identifying whether an issue is due to malicious activity or a user-installed untested patch or custom program. Intruders leave a trail behind, so knowing your network's typical traffic patterns is important in spotting variations in network traffic.
The Need for Established Procedures
Standard procedures help identify compromised systems, reduce downtime, and prevent future attacks. Rushing restoration without investigation may leave security gaps.
Key Considerations:
Identify and isolate compromised machines.
Trace attack methods and analyze the impact.
Ensure attackers have not left backdoors for re-entry.
Guidelines & Standards:
NIST SP 800-86: Official guide for forensic incident response.
Adeyemi et al. (2012): Investigates forensic needs in military, law enforcement, and industry.
Indian Framework (2010): General network forensic model.
Securing a Network
Network forensics helps determine how a security breach occurred. Preventative measures must be taken to harden networks before an attack. Rising threats include network attacks, viruses, and security incidents, which require a layered defense strategy to protect critical data.
Network Hardening Strategies
Applying the latest security patches.
Implementing a layered defense strategy to protect valuable data.
Increasing security as attackers penetrate deeper into the network.
Defense-in-Depth (DiD) Strategy – Developed by NSA with three modes of protection:
People
Technology
Operations
If one mode of protection fails, the others can be used to thwart the attack.
Network Hardening Strategies: People, Technology, Operations
| Category | Strategies |
|---|---|
| People | Hire qualified employees & ensure job satisfaction, provide security training & enforce policies, and implement physical & personnel security measures. |
| Technology | Use strong network architecture, IDSs, and firewalls; conduct regular penetration testing & risk assessments; and implement rapid security breach analysis & response systems. |
| Operations | Update security patches, antivirus, and OS regularly; perform continuous assessment & monitoring; and maintain disaster recovery & incident response plans. |
Developing Procedures for Network Forensics
1. Always use a standard installation image for systems on a network, with MD5 and SHA-1 hash values of all application and OS files.
2. When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening.
3. Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.
4. Acquire the compromised drive and make a forensic image of it.
5. Compare files on the forensic image with the original installation image. Compare hash values of common files, such as Win.exe and standard dynamic link libraries (DLLs), and ascertain whether they have changed.
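Steps 1 and 5 of the procedure above, as an added Python example that is not from the notes or from any named tool: build a hash manifest of the standard installation image, build one of the forensic image, and report files that changed, appeared, or disappeared. It uses SHA-256 in place of the MD5/SHA-1 the notes mention (both would work the same way here), and the two directory trees are constructed in temporary folders with placeholder bytes standing in for real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Manifest {relative_posix_path: sha256} of every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, image):
    """Diff the golden-image manifest against the forensic-image manifest.
    changed: same path, different hash (possible replaced system binary)
    added:   only on the image (possible implant)
    removed: only on the baseline (possible deleted log or tool)"""
    return {
        "changed": sorted(f for f in baseline if f in image and baseline[f] != image[f]),
        "added": sorted(set(image) - set(baseline)),
        "removed": sorted(set(baseline) - set(image)),
    }


def demo():
    """Constructed stand-ins for the standard install image and the acquired
    forensic image; the byte contents are placeholders, not real files."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as img:
        for root in (base, img):
            os.makedirs(os.path.join(root, "System32"))
            Path(root, "System32", "kernel32.dll").write_bytes(b"stand-in for a DLL")
            Path(root, "System32", "win.exe").write_bytes(b"stand-in for an executable")
            Path(root, "install.log").write_bytes(b"stand-in for a log")
        # Simulated compromise on the image only: one binary modified,
        # one file dropped, one log deleted.
        Path(img, "System32", "win.exe").write_bytes(b"modified stand-in")
        Path(img, "System32", "dropped.exe").write_bytes(b"stand-in for an implant")
        Path(img, "install.log").unlink()
        return compare_manifests(hash_tree(base), hash_tree(img))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```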
Reviewing Network Logs
Network logs record traffic in and out of a network. Network servers, routers, firewalls, and other devices record the activities and events that move through them. A common way of examining network traffic is running the tcpdump command-line program.
Using a network analysis tool such as Wireshark, you could generate a list of the top 10 Web sites users in your network are visiting.
[Figure: top 10 external sites visited and top 10 internal users, generated with a network analysis tool such as Wireshark; the number of bytes transferred is listed first, followed by the IP address of the site.]
Using Network Tools
Network tools are used for remote monitoring, shutdowns, and security management, and are available as freeware, enterprise software, or demo versions. The records a tool generates can be consulted to prove an employee ran a program without permission. Monitor your network and shut down machines or harmful processes that could be.
Popular Network Monitoring Tools:
Splunk: Log analysis & security monitoring
Spiceworks: IT asset & network management
Nagios: Network & system performance monitoring
Cacti: Graph-based network monitoring
Using Packet Analysers
Packet analyzers are devices or software placed on a network to monitor traffic. They operate at Layer 2 (Data Link) or Layer 3 (Network) of the OSI model, capturing and analyzing network packets. Most network administrators use them to improve security and track down bottlenecks.
Windows packet capture tools can capture and analyze network packets, but the data collected is not directly compatible with all tools.
Pcap Format for Packet Capture
Libpcap: Used in Linux
WinPcap: Used in Windows
Standard format for most packet analysis tools
Popular Packet Analysis Tools:
tcpdump: Command-line tool for packet capture
Wireshark: GUI-based tool for in-depth packet analysis
Investigation Workflow:
Capture packets using tcpdump
Analyze the captured data in Wireshark for detailed insights
Choosing the Right Forensic Tool for Network Analysis
Selecting the Right Tool:
Match the tool to the forensic investigation needs.
Focus on specific packet characteristics for analysis.
Detecting SYN Flood Attacks
A SYN flood attack exploits the TCP handshake process. An attacker repeatedly sends SYN requests without completing the handshake, overloading the server's capacity to handle new connections.
Packet Analysis for SYN Flags
Tools like tcpdump and tethereal can filter packets with SYN flags by examining TCP headers to detect excessive SYN requests. TCP headers contain multiple control flags, including SYN (S). Identifying flagged packets helps in attack detection and mitigation.
TCP Header Format
[Figure: structure of a TCP segment: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Header Length, Flags (URG, ACK, PSH, RST, SYN, FIN), Window Size, Checksum, Urgent Pointer, Options, and Data.]
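The SYN-flag filtering and TCP header layout above, as an added Python example that is not part of the notes or of tcpdump/tethereal: it decodes the fixed 20-byte TCP header with struct, applies the same SYN-without-ACK test a tcpdump flag filter would, counts half-open attempts per source, and also computes a capture-wide SYN-only ratio for the case where the flood uses spoofed source addresses. The sample traffic is constructed in code (documentation-range IPs); the threshold of 50 is an assumption, not a standard.

```python
import struct
from collections import Counter

# Control-flag bits in the TCP header's flags byte (low bits of the
# 16-bit data-offset/flags field, matching the header diagram).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header: ports, sequence and ack numbers,
    header length (data offset * 4), window, and the set of flag names."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    flag_bits = off_flags & 0x1FF
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4, "window": window,
        "flags": {name for name, bit in FLAGS.items() if flag_bits & bit},
    }


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte header (no options, zero checksum) so the
    detector can be exercised on constructed traffic without a live capture."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    off_flags = (5 << 12) | flag_bits  # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags,
                       window, 0, 0)


def is_syn_only(hdr):
    """Same test as the tcpdump filter
    'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn': a handshake opener."""
    return "SYN" in hdr["flags"] and "ACK" not in hdr["flags"]


def syn_flood_suspects(packets, threshold=50):
    """packets: iterable of (src_ip, tcp_header_bytes). Count SYN-only
    segments per source, subtract plain ACKs (handshake completions) from
    the same source, and report sources at or above the threshold."""
    syn_only = Counter()
    acks = Counter()
    for src_ip, segment in packets:
        hdr = parse_tcp_header(segment)
        if is_syn_only(hdr):
            syn_only[src_ip] += 1
        elif "ACK" in hdr["flags"] and "SYN" not in hdr["flags"]:
            acks[src_ip] += 1
    return {ip: n for ip, n in syn_only.items() if n - acks[ip] >= threshold}


def syn_only_ratio(packets):
    """Share of SYN-only segments in the capture. Per-source counting misses
    a flood sent from randomly spoofed addresses; a capture-wide ratio near
    1.0 still exposes it."""
    total = syn = 0
    for _, segment in packets:
        total += 1
        syn += is_syn_only(parse_tcp_header(segment))
    return syn / total if total else 0.0


def constructed_capture():
    """Constructed sample: one client completing a handshake to port 443 and
    one source firing 60 bare SYNs at port 80 (documentation-range IPs)."""
    packets = [("192.0.2.10", build_tcp_header(51000, 443, {"SYN"})),
               ("192.0.2.10", build_tcp_header(51000, 443, {"ACK"}, seq=1, ack=1))]
    for i in range(60):
        packets.append(("203.0.113.5", build_tcp_header(40000 + i, 80, {"SYN"}, seq=i)))
    return packets


if __name__ == "__main__":
    cap = constructed_capture()
    print("suspects:", syn_flood_suspects(cap))
    print("SYN-only ratio: %.3f" % syn_only_ratio(cap))
```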
Tools for Extracting & Processing Packet Data
Tcpslice: Extracts specific time frames from large Libpcap files and merges multiple packet capture files.
Tcpreplay: Replays recorded Libpcap network traffic and is useful for testing IDSs, switches, and routers.
Graphical Network Traffic Analysis Tools
EtherApe: Provides a graphical view of network traffic and displays network activity in real-time.
Netdude: GUI-based tcpdump analysis tool that allows inspection and modification of large packet capture files.
Real-Time Packet Monitoring & Session Analysis
Wireshark: Opens & analyzes saved packet captures and rebuilds TCP sessions for detailed investigation. The "Follow TCP Stream" feature is used to track exploits.
Argus: Real-time flow monitor for security, accounting, and network management that collects and analyzes session data.
Network Based Evidence
Data collected from network traffic and logs used in digital forensics:
Packet captures (PCAP files)
Network logs (firewall, IDS, router logs)
Email headers and metadata
Intrusion detection system (IDS) alerts
VPN and proxy logs
Router Investigation
Routers act as the gateway for network communication and play a key role in forensic investigations by storing logs and monitoring traffic. Attackers can exploit routers to control network traffic or exfiltrate data.
Sources of Evidence in Routers
Configuration Files: Store network settings, access control lists (ACLs), and policies.
System Logs (Syslogs): Record login attempts, firewall events, and network activity.
Routing Tables: Show active connections and potential malicious redirections.
Access Control Lists (ACLs): Define who can access the router and what traffic is allowed.
Network Address Translation (NAT) Tables: Map private IPs to public IPs, useful for tracking users.
Unit 5: Mobile Device Forensics
Mobile Device Forensics - Introduction
Mobile devices store vast amounts of personal and sensitive information, and losing a phone can lead to data breaches and security risks. Forensic analysis of mobile devices helps recover and analyze stored data.
Types of Data Stored on Mobile Devices
Call logs (incoming, outgoing, missed)
MMS and SMS messages
Emails and instant messaging logs
Web browsing history
Photos, videos, and music files
Calendar and contacts
Social media account information
GPS data and location history
Voice recordings and voicemail
Banking and financial credentials
Smart home and security system access
Challenges in Mobile Device Forensics
1. Complexity of Investigation: Smartphones store data in different ways, making investigation difficult. There is no universal standard for message storage.
2. Rapid Evolution of Mobile Technology: New phone models are released frequently, causing incompatibility between old and new devices.
3. Storage and Data Extraction Issues: Different operating systems and proprietary file systems exist, and encrypted storage and security features hinder forensic analysis.
4. Obsolescence of Forensic Tools: Cables, software, and accessories become outdated quickly, requiring continuous updates and new forensic techniques.
5. Legal and Ethical Challenges: Access restrictions exist due to encryption and privacy laws, and the admissibility of evidence in court must be ensured.
Mobile Phone Basics - Evolution of Mobile Phone Technology
1. Rapid Advancement of Mobile Technology: Mobile phones have evolved far beyond early designs. Early models were bulky and expensive, accessible only to the wealthy.
2. Generations of Mobile Networks:
1st Generation (Analog) – Basic voice communication.
2nd Generation (Digital PCS) – Improved call quality and SMS support.
3rd Generation (3G, 2001-2008) – Enabled mobile internet and downloads on the go.
3. Introduction of 4G (2009): Sprint Nextel introduced the first 4G network, offering faster speeds and better connectivity for streaming and gaming.
4. Rise of 5G (2020 Onward): Supports ultra-fast speeds and low latency and incorporates cloud computing and device-to-device networks, revolutionizing IoT, smart cities, and AI-driven applications.
4G Network Technologies
1. Orthogonal Frequency Division Multiplexing (OFDM): Uses multiple parallel carriers instead of a single broad carrier, making it less susceptible to interference.
2. Mobile WiMAX (IEEE 802.16e): Uses Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps. It was adopted by Sprint for its 4G network, though its status as true 4G is debated.
3. Ultra Mobile Broadband (UMB) (CDMA2000 EV-DO): Used by CDMA network providers for the 4G transition, supporting speeds of 275 Mbps (downlink) and 75 Mbps (uplink). It was later replaced by LTE.
4. Multiple Input Multiple Output (MIMO): Developed by Airgo, later acquired by Qualcomm; supports speeds up to 312 Mbps. It is utilized in 4G, WiMAX, and other wireless technologies.
5. Long Term Evolution (LTE): Designed for GSM and UMTS networks, supporting speeds ranging from 45 Mbps to 144 Mbps; commonly referred to as "4G LTE".
Cellular Network Architecture
1. Basic Principles of Digital Networks: Networks operate on the same fundamental principles despite technology differences. Geographic areas are divided into honeycomb-like cells.
2. Key Components of Cellular Communication:
1. Base Transceiver Station (BTS): Contains radio transceiver equipment, defines cells, and communicates with mobile phones. It is commonly referred to as a "cell phone tower", though the tower is only one part.
2. Base Station Controller (BSC): A combination of hardware and software that manages multiple BTSs by assigning channels and connecting to the Mobile Switching Center (MSC).
3. Mobile Switching Center (MSC): Routes digital packets and connects calls by managing a central database for subscriber data (account, location, etc.). Retrieving data from the carrier's central database requires a warrant or subpoena.
Inside Mobile Devices: Mobile Device Components
1. Types of Mobile Devices:
Simple Phones
Smartphones
Tablets
Smartwatches
2. Key Hardware Components:
Microprocessor: Central processing unit of the device.
ROM (Read-Only Memory): Stores the operating system and firmware.
RAM (Random Access Memory): Temporary memory for running applications.
Digital Signal Processor (DSP): Optimizes audio and video signals.
Radio Module: Handles cellular communication.
Microphone & Speaker: For audio input and output.
3. Hardware Interfaces:
Keypads & Touchscreens: User input.
Cameras & GPS: Location tracking and imaging.
LCD Display: Visual output.
4. Storage and Connectivity:
Mobile Device Operating Systems & PDAs
1. Mobile Operating Systems (OS)
Basic Phones: Use proprietary OS.
Smartphones: Use PC-based or stripped-down OS versions:
Windows Mobile
RIM OS (BlackBerry)
Android (Linux-based)
Google OS
iOS (Apple devices)
2. OS & Data Storage
Stored in Electronically Erasable Programmable Read-Only Memory (EEPROM).
Allows service providers to reprogram devices remotely.
Users can modify phones unofficially to switch service providers or unlock features.
OS is stored in ROM (nonvolatile memory) – retains data even without power.
3. Personal Digital Assistants (PDAs):
Replaced by iPods, iPads, and smartphones.
Still used in medical and industrial sectors as "handhelds."
Early PDAs: Palm Pilot, Microsoft Pocket PC.
Components similar to smartphones:
Microprocessor
Flash ROM & RAM
Calendar, address book, web access
4. PDA Memory Cards
Compact Flash (CF) – Extra storage, works like PCMCIA cards.
MultiMediaCard (MMC) – Designed for mobile phones but also used in PDAs.
Secure Digital (SD) – Similar to MMC, but with added security features.
5. Synchronization Capabilities
Designed to sync with computers via:
Built-in slots
Wired or wireless synchronization
Rare in modern investigations but useful background knowledge for digital forensics.
SIM Cards & External Storage in Mobile Devices
1. SIM Cards Overview:
Found in GSM devices.
Contain a microprocessor and internal memory.
Similar to memory cards but with different connector alignments.
iPhones & Androids use micro SIM & nano SIM slots (some require phone unlocking).
2. GSM Mobile Station Components:
Mobile Station = SIM Card + Mobile Equipment (ME).
The SIM card is essential for ME to function.
3. SIM Card Functions:
Identifies subscriber to the network.
Stores service-related information.
Can back up device data.
4. SIM Card Types & Portability
Three sizes: Standard, Micro, Nano.
Easily transferable between compatible phones.
Use case: Switching SIMs for different network providers while traveling.
Some phones store contacts separately, so switching SIMs won’t erase them.
Common practice: Swapping SIMs when exceeding monthly usage limits.
5. SD Cards for External Storage
Used in mobile devices & game consoles.
Standard SD card sizes: 16 GB to 64 GB.
Variants: MiniSD, MicroSD.
Google Nexus devices typically lack SD card slots.
Understanding Acquisition Procedures for Mobile Devices
1. Importance of Proper Procedures:
As important as in computer forensics.
Key concerns: Power loss, cloud sync, remote wiping.
2. Handling Volatile Memory:
All mobile devices have volatile memory – data can be lost if power is cut.
Prevent power loss to preserve RAM data.
3. Investigation Scene Procedures:
Determine device status (ON or OFF).
If OFF: Leave it off, locate and attach charger if possible.
If ON: Check the battery level on the display and log the charging status if uncertain about the charge at the time of seizure.
Preventing Data Synchronization
Mobile devices sync with laptops & tablets via USB/micro USB.
Disconnect immediately to prevent automatic data overwrite.
Many use smartphones for Internet access on laptops/tablets.
Collect connected devices (laptops, peripherals) for deleted transferred files.
Handling Mobile Devices After Seizure
Time of seizure may be legally relevant.
New messages received after seizure may/may not be admissible in court.
If turning off the device, record the time & date.
Isolating the Device from Incoming Signals
Methods to prevent remote access & attacks:
Airplane mode, if available.
Paint can with radio wave-blocking paint.
Faraday bag (blocks signals, allows charging).
Turn off the device.
Battery Drain Considerations
Isolation methods may trigger roaming mode, accelerating battery drain.
Mobile devices shut off or enter sleep mode at low battery.
Ensure the device is completely isolated from signals and broadcasting.
SANS DFIR Mobile Forensics Process
Three conditions for handling mobile devices:
Device is on & unlocked → Isolate from the network, disable screen lock, remove passcode.
Device is on & locked → Steps depend on device type (iPhone, Android, BlackBerry).
Device is off → Perform physical static acquisition, turn it on, and follow the locked/unlocked procedure.
Advanced devices require battery removal for full shutdown.
Logical vs. Physical Acquisition
Logical Acquisition:
Access files & folders as seen in File Explorer.
Useful for standard data retrieval.
Physical Acquisition:
Bit-by-bit copy of device storage.
Used to recover deleted files & hidden data.
Decision depends on data location & retrieval capability.
Key Data Storage Locations
Internal memory (primary storage).
SIM card (subscriber & network data).
Removable/external memory cards (extra storage).
Network provider (requires legal approval).
Legal Considerations & GPS Data
Search warrant/subpoena required for:
Checking provider servers (voicemail, backups).
Accessing suspect/victim call logs & locations.
Cell tower records (and triangulation from them) are still the only way to track movement when the device itself is unavailable.
If the device is available, GPS and location history can often be retrieved directly from it.
Legal Considerations & Cellular Triangulation
Cellular triangulation estimates a mobile device's location from the signals it exchanges with several cell towers whose positions are known. It is used in forensics, emergency response, and law enforcement, and is more accurate in urban areas, where towers are denser and each cell covers a smaller area.
How Cellular Triangulation Works:
Based on signal strength and time delay measured against at least three cell towers whose positions are known.
Key methods:
Time of Arrival (TOA) – Converts signal travel time into a range from each tower (distance = time × speed of light); needs accurate clocks.
Angle of Arrival (AOA) – Determines the direction of the device from each tower using a directional antenna array.
Received Signal Strength Indicator (RSSI) – Estimates distance from signal power through a path-loss model; the coarsest of the three, because buildings and terrain attenuate signals unpredictably.
Higher precision when combined with GPS data.
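To make the TOA and RSSI methods concrete, here is an added worked example (not from the original notes) that turns constructed arrival times at three or more towers into ranges and solves for the handset position by linearised least squares. The tower coordinates, the handset position, and the path-loss parameters in distance_from_rssi are assumed values for illustration, not measurements from any real network.

```python
"""Cell-tower trilateration from Time-of-Arrival (TOA) ranges.

Added example, not from the original notes. Tower coordinates, the handset
position and the arrival times are constructed; the RSSI path-loss
parameters are assumed values.
"""
import math

C = 299_792_458.0  # speed of light in m/s


def simulate_arrivals(towers, true_pos, t_transmit=0.0):
    """Constructed measurements: the time each tower hears a burst sent at
    t_transmit from true_pos (range / c)."""
    return [t_transmit + math.dist(true_pos, tower) / C for tower in towers]


def toa_to_distance(t_transmit, t_arrival):
    """Range to a tower from the one-way travel time (TOA)."""
    return (t_arrival - t_transmit) * C


def distance_from_rssi(rssi_dbm, p0_dbm_at_1m=-30.0, path_loss_exp=3.0):
    """Log-distance path-loss model (assumed parameters, not measured):
    d = 10 ** ((P0 - RSSI) / (10 * n)).  Coarse: walls and terrain change n."""
    return 10 ** ((p0_dbm_at_1m - rssi_dbm) / (10.0 * path_loss_exp))


def trilaterate(towers, ranges):
    """Least-squares (x, y) position in a local planar frame from >= 3 towers.

    Each tower gives (x - xi)^2 + (y - yi)^2 = di^2.  Subtracting the first
    tower's equation from the others removes the squares of the unknowns:
        2(xi - x0) x + 2(yi - y0) y = d0^2 - di^2 + xi^2 + yi^2 - x0^2 - y0^2
    With N towers that is N-1 linear rows; solve the 2x2 normal equations.
    """
    if len(towers) < 3 or len(towers) != len(ranges):
        raise ValueError("need at least three towers with matching ranges")
    (x0, y0), d0 = towers[0], ranges[0]
    rows = []
    for (xi, yi), di in zip(towers[1:], ranges[1:]):
        rows.append((2.0 * (xi - x0), 2.0 * (yi - y0),
                     d0 * d0 - di * di + xi * xi + yi * yi - x0 * x0 - y0 * y0))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear: position is ambiguous")
    return ((t1 * s22 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def locate_from_toa(towers, arrivals, t_transmit=0.0):
    """Full TOA pipeline: arrival times -> ranges -> position."""
    ranges = [toa_to_distance(t_transmit, t) for t in arrivals]
    return trilaterate(towers, ranges)


if __name__ == "__main__":
    # Constructed scene: three towers 1 km apart, handset at (300 m, 400 m).
    towers = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    arrivals = simulate_arrivals(towers, (300.0, 400.0))
    x, y = locate_from_toa(towers, arrivals)
    print("TOA fix: x=%.2f m, y=%.2f m" % (x, y))
    # RSSI is far coarser: a 3 dB reading error moves the range by ~26 %.
    print("RSSI -60 dBm -> %.1f m; -63 dBm -> %.1f m"
          % (distance_from_rssi(-60), distance_from_rssi(-63)))
```

Because the RSSI-to-distance relation is logarithmic, a 3 dB reading error with a path-loss exponent of 3 changes the range estimate by a factor of 10^(3/30) ≈ 1.26, which is why RSSI alone gives only a coarse fix and TOA or GPS is preferred when available. With a fourth tower the same function becomes an over-determined least-squares fit, which is how real systems average out timing noise.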
Cloud Backups & Remote Wiping
Mobile devices often back up data to cloud storage (iCloud, Google Drive, etc.).
Service providers or third-party cloud services may store user data.
Remote wiping protects sensitive information on lost or stolen devices: it erases contacts, messages, photos, and account logins and can reset the device to factory settings.
A remote wipe can be triggered by the device owner, by a corporate MDM administrator, or by the service provider.
Investigators risk losing evidence if a wipe command reaches a seized device, which is why network isolation (Faraday bag, airplane mode) begins at the scene.
Mobile Device Memory Storage
Memory types:
Volatile memory – Requires power (missed calls, messages, temp data).
Non-volatile memory – Permanent (OS files, personal data, backups).
Data storage locations:
Internal phone storage
SIM card (if present)
Cloud storage (provider or third-party services)
Data retrieval depends on device type and access permissions.
SIM Card Structure & Data Storage
SIM cards store subscriber and network data. The file system is hierarchical:
Master File (MF) – Root directory.
Dedicated Files (DFs) – Subdirectories (e.g., GSM, Telecom).
Elementary Files (EFs) – Store actual data.
(Figure: the MF at the root branches into DF GSM, DF DCS1800 and DF Telecom, each of which branches into the EFs that hold the actual data.)
Types of data stored in SIM cards:
Service-related data (SIM ID, subscriber info).
Call data (dialed numbers, call logs).
Message records (SMS storage).
Location tracking information.
SIM Card Access & Security Measures
SIM cards may require a PIN, and after too many wrong PINs a PUK, for access. Common default PINs are 1111 and 1234, but three incorrect PIN attempts lock the SIM, and only the PUK from the provider unlocks it; ten incorrect PUK entries permanently disable the card, so guess only with authorization and a documented plan. Look for user manuals, packaging, or documents at the crime scene for the PIN or PUK.
If the device is on and the SIM PIN has already been entered, acquire the SIM data before the device loses power: after a restart the PIN is required again.
Mobile Forensics Equipment
Mobile forensics is an evolving science and the biggest challenge is constantly changing phone models. What works today
may not work on future models.
Steps of Mobile Forensics:
1. Identify the mobile device. Most users do not alter their devices, but some modify serial numbers or display misleading data. Online resources can assist in identification; investigators can use Phonescoop.com to verify details such as model number, operating system, and connectivity options.
2. Connect the mobile device.
Attach the phone to its power supply.
Connect using the correct cables.
Most modern phones use a combination USB/power cable, and many of these are interchangeable.
Older phones may require custom cable arrangements; some vendors offer toolkits with a range of cables for compatibility.
3. Download data from the device.
After connecting the device, start the forensic software and begin downloading the available data.
If the software doesn’t support the device, acquire an alternative tool.
Ensure the software is forensically sound (read-only, hashing what it collects) so that integrity can be demonstrated later.
SIM Card Readers
Used for GSM phones and many newer mobile devices.
Hardware/software combination for accessing SIM card data.
Should be used in a forensic lab with antistatic precautions.
Consult lead investigator before proceeding to this step.
Steps to Access SIM Card Data
Power the device off, then remove the back panel and battery if the design allows it; on phones with a sealed battery, open the SIM tray with the ejector tool instead.
Remove the SIM card from its holder, noting its position and the printed ICCID.
Insert the SIM card into the reader and connect the reader to the forensic workstation via USB.
Considerations for SIM Card Readers
Some SIM card readers are forensically sound, while others are not.
Ensure forensic integrity and document findings in the investigation log.
Unread SMS messages should be documented before they are accessed: opening a message on the handset flips its status flag from unread to read, which destroys that part of the evidence.
Screen captures provide additional documentation of message status.
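The MF/DF/EF hierarchy described earlier and the SIM-reader notes above both come down to reading elementary-file records, so here is an added example (not from the original notes, and not the output of any tool named on this page) that parses raw EF_SMS records from a constructed SIM dump. It decodes the status byte that separates unread from read messages, the swapped-nibble BCD addresses and timestamp, and the 7-bit packed text, and it shows that a record marked free can still hold the complete message. The file IDs in the comments are the standard 3GPP ones; the phone numbers, timestamp and dump contents are constructed.

```python
"""Parse raw EF_SMS records from a SIM card image and surface 'deleted' ones.

Added example, not from the original notes. The record layout follows the
EF_SMS file (ID 6F3C under DF Telecom 7F10) in 3GPP TS 51.011: one status
byte followed by an SMS TPDU, padded with 0xFF to 176 bytes. The sample
image, phone numbers and timestamp are constructed for this example.
"""

RECORD_LEN = 176

# Status byte, bits 0-2 (TS 51.011). A "deleted" message is normally just a
# slot whose status was reset to 0: the TPDU bytes are frequently left behind.
STATUS = {0: "free", 1: "read", 3: "unread", 5: "sent", 7: "to be sent"}


def decode_semi_octets(raw, ndigits):
    """Swapped-nibble BCD used for addresses and timestamps; 0xF is padding."""
    nibbles = []
    for b in raw:
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    return "".join("0123456789*#abc"[n] for n in nibbles[:ndigits] if n != 0x0F)


def unpack_gsm7(data, septets):
    """Unpack the GSM 7-bit default alphabet. Simplified: septets are mapped as
    ASCII, which is right for letters, digits and common punctuation but not
    for the few codes that differ in TS 23.038 (e.g. 0x00 is '@')."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))
            bits >>= 7
            nbits -= 7
    return "".join(out)


def decode_scts(scts):
    """TP-SCTS: YY MM DD hh mm ss tz as swapped BCD; tz in quarter hours,
    sign in bit 3 of the first (low) nibble."""
    yy, mo, dd, hh, mi, ss = [(b & 0x0F) * 10 + (b >> 4) for b in scts[:6]]
    tz = scts[6]
    offset_min = ((tz & 0x07) * 10 + (tz >> 4)) * 15 * (-1 if tz & 0x08 else 1)
    return "20%02d-%02d-%02d %02d:%02d:%02d%s%02d:%02d" % (
        yy, mo, dd, hh, mi, ss, "-" if offset_min < 0 else "+",
        abs(offset_min) // 60, abs(offset_min) % 60)


def parse_ef_sms_record(rec):
    """Parse one 176-byte record. Returns None for a slot that never held a
    message; a free slot that still contains a TPDU is returned with
    recovered_from_free_slot=True."""
    if len(rec) != RECORD_LEN:
        raise ValueError("EF_SMS records are %d bytes" % RECORD_LEN)
    status = rec[0] & 0x07
    if rec[1] == 0xFF:                      # no SMSC address: nothing written
        return None
    smsc_len = rec[1]                       # bytes that follow, incl. TON/NPI
    intl = lambda ton: "+" if (ton & 0x70) == 0x10 else ""
    smsc = intl(rec[2]) + decode_semi_octets(rec[3:2 + smsc_len], (smsc_len - 1) * 2)
    p = 2 + smsc_len                        # start of the TPDU
    if (rec[p] & 0x03) != 0x00:             # only SMS-DELIVER handled here
        return {"status": STATUS.get(status, "?"), "error": "not an SMS-DELIVER TPDU"}
    oa_digits, oa_ton = rec[p + 1], rec[p + 2]
    oa_len = (oa_digits + 1) // 2
    sender = intl(oa_ton) + decode_semi_octets(rec[p + 3:p + 3 + oa_len], oa_digits)
    q = p + 3 + oa_len                      # TP-PID is at q, TP-DCS at q+1
    dcs, scts, udl, ud = rec[q + 1], rec[q + 2:q + 9], rec[q + 9], rec[q + 10:]
    if (dcs & 0x0C) == 0x00:                # GSM 7-bit default alphabet
        text = unpack_gsm7(ud, udl)
    elif (dcs & 0x0C) == 0x08:              # UCS-2
        text = ud[:udl].decode("utf-16-be", "replace")
    else:                                   # 8-bit binary data: keep as hex
        text = ud[:udl].hex()
    return {"status": STATUS.get(status, "?"), "recovered_from_free_slot": status == 0,
            "smsc": smsc, "sender": sender, "timestamp": decode_scts(scts), "text": text}


def parse_ef_sms(image):
    """Walk every record in an EF_SMS dump, including free slots."""
    found = []
    for n in range(len(image) // RECORD_LEN):
        msg = parse_ef_sms_record(image[n * RECORD_LEN:(n + 1) * RECORD_LEN])
        if msg is not None:
            msg["record"] = n + 1
            found.append(msg)
    return found


def build_sample_image():
    """Constructed EF_SMS dump with three records. The 7-bit user data
    E8329BFD4697D9EC37 is the well-known packing of 'hellohello'."""
    tpdu = bytes.fromhex(
        "07915155214365F7"      # SMSC +15551234567 (international, swapped BCD)
        "04"                    # SMS-DELIVER
        "0B915155896745F3"      # originating address: 11 digits, +15559876543
        "0000"                  # TP-PID, TP-DCS (GSM 7-bit)
        "42605101030000"        # TP-SCTS: 24-06-15 10:30:00 +00:00
        "0A"                    # TP-UDL: 10 septets
        "E8329BFD4697D9EC37")   # TP-UD: 'hellohello'
    pad = lambda body: body + b"\xFF" * (RECORD_LEN - len(body))
    unread = pad(b"\x03" + tpdu)            # received, not yet read
    deleted = pad(b"\x00" + tpdu)           # "deleted": status cleared, TPDU intact
    never_used = pad(b"\x00")               # free slot with no data behind it
    return unread + deleted + never_used


if __name__ == "__main__":
    for m in parse_ef_sms(build_sample_image()):
        print(m)
```

Running it lists record 1 as unread and record 2 as free but fully recoverable, which is the practical reason a SIM reader that dumps whole records is worth more than a handset that only shows the messages it still considers present. Reading record 1 through the handset instead would have turned its status from unread to read before anything was documented.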
Mobile Phone Forensics Tools and Methods
The best method of retrieving information is acquiring a forensic image, which enables you to recover deleted text
messages and similar data.
With an unlocked Android device, the process can be as simple as using AccessData FTK Imager to perform a logical acquisition and a low-level analysis; on current Android versions with file-based encryption, no tool can read user data without the passcode or a vendor-specific exploit.
iPhone Data Acquisition
iPhone acquisition procedures are generally similar.
Several effective forensic tools are available for this purpose.
MacLockPick 3.0 is one such tool.
Specifically designed to support:
iPhones
iPads
iOS
macOS
Features of MacLockPick 3.0 include:
Extraction of iPhoto information
Capability to handle plug-in applications
Retrieval of the user's online browsing history across devices.
NIST 6 Types of Mobile Forensics Methods
Manual Extraction
This method involves looking at the device’s content page by page and taking pictures. It’s used if
investigators can’t do a logical or physical extraction.
Logical Extraction
The mobile device is connected to a forensic workstation via a wired (USB cable, for example) or wireless
(such as Bluetooth) connection, and then the file system information is extracted.
Physical Extraction
As with a logical extraction, the mobile device is attached to a forensic workstation. However, a forensic
copy is made so that deleted files can be retrieved and other items decoded.
Hex Dumping and JTAG (Joint Test Action Group) Extraction
Hex dumping loads a modified boot loader into the device so that its memory can be dumped and analysed. The JTAG method uses the processor's test access port to read the flash memory or other physical components directly; it is highly invasive and requires opening the device.
Chip-off
This method physically removes the flash memory chip from the board and reads it at the binary level with a chip reader; the device is usually not usable afterwards.
Micro read
This method uses an electron microscope to read the state of individual logic gates on the memory chip. It is very expensive, so it is typically used only in cases involving national security.
Phone Forensics Tools
Paraben Software
E3:DS Forensic Suite:
Website: www.paraben.com
Investigates mobile and IoT devices
Bootloader for locked devices
Supports data parsing and cloud data capture
Offers customizable packages for different forensic needs
DataPilot (www.datapilot.com)
Cable collection compatible with various phone brands: Nokia, Motorola, Samsung, etc.
Susteen Secure View 3 (secureview.us)
Mobile forensic analysis software
Supports various data extraction techniques
BitPim Utility
Website: www.bitpim.org
Views data on CDMA phones (LG, Samsung, Sanyo, etc.)
Compatible with Windows, Linux, macOS
Note: Not a forensic tool, but can be used in read-only mode
Stores files in Documents\BitPim by default (Windows)
Move files to prevent overwriting during new cases
Cellebrite UFED Forensic System
Works with:
Smartphones, PDAs, tablets, GPS devices
Features:
Includes hundreds of cables
Supports international handsets and multiple languages
USB-based smart device access
Micro Systemation XRY
Used extensively by government agencies
Retrieves data from:
Smartphones, tablets, GPS, music players, drones
MOBILedit Forensic
Features:
Built-in write blocker
Connects via Bluetooth, IrDA, or cable
Reads SIM cards using a SIM reader
Highly user-friendly interface
Suggested Readings
How Avast recovered 'erased' data from used Android phones
Cyber Laws in India: A Detailed Report on the Information
Technology Act, 2000 and the IT (Amendment) Act, 2008
Introduction
The advent of the digital age has revolutionized communication, commerce, governance, and daily life. This evolution has
also led to the emergence of cybercrimes and related threats. In response, India enacted the Information Technology Act,
2000 (ITA 2000) and the Information Technology (Amendment) Act, 2008 (ITAA 2008). These legislations aim to provide
legal recognition to electronic transactions, promote secure use of digital platforms, and penalize cyber offences.
Section 43 – Penalty for Damage to Computer, Computer System, etc.
Section 43 of the IT Act 2000 addresses unauthorized access and damage to computer systems, networks, or databases. It
encompasses a wide range of cyber contraventions such as hacking, denial of service (DoS) attacks, introduction of
viruses or malware, and unauthorised downloading or copying of data. The section imposes civil liability rather than
criminal penalties, wherein the offender is liable to pay damages by way of compensation to the affected party. This
provision plays a crucial role in deterring non-consensual access and tampering with information infrastructure, especially in
corporate and government sectors.
Covers both intentional and negligent acts.
Emphasizes the importance of digital accountability and due diligence in data handling practices.
Section 66 – Computer-Related Offences
Section 66 criminalizes acts defined under Section 43 when committed with dishonest or fraudulent intent. This crucial
distinction elevates the nature of the offence from a civil wrong to a criminal act, thereby invoking penal consequences such
as imprisonment for up to three years and/or a fine. The section applies to a wide array of offences including hacking, data
theft, and unauthorized system access, provided they meet the mental element of fraud or dishonesty as defined under
the Indian Penal Code (IPC). This section underscores the need for intent-based legal assessment in cybercrime cases.
Serves as a backbone for prosecuting routine cyber offences.
The interpretation of terms such as “dishonestly” and “fraudulently” is drawn from IPC Sections 24 and 25,
respectively.
Section 66A – Punishment for Sending Offensive Messages (Struck Down)
Section 66A, introduced through the ITAA 2008, criminalized the sending of “grossly offensive” or “menacing” messages
through electronic communication. It was initially intended to curb cyberbullying, harassment, and online defamation. The
provision prescribed a penalty of up to three years’ imprisonment for disseminating such messages via emails, social media,
or messaging platforms. However, the section’s broad and vague wording gave rise to severe concerns regarding its
compatibility with the fundamental right to freedom of speech and expression.
The constitutional validity of Section 66A was challenged in Shreya Singhal v. Union of India (2015), wherein the
Supreme Court of India declared it unconstitutional.
Section 66C – Identity Theft
Section 66C deals specifically with identity theft and the fraudulent or dishonest use of another person's electronic
signature, password, or other unique identification feature. With the rise of digital banking, online authentication, and
government services linked to biometric data, identity theft has emerged as a significant cyber threat. Section 66C provides
for imprisonment of up to three years and/or a fine, ensuring that individuals or entities misusing personal identifiers are
criminally liable.
Plays a critical role in safeguarding personal data and trust in digital identities.
Complements broader cybersecurity policies by mandating legal protection for sensitive authentication credentials.
Section 66D – Cheating by Personation using Computer Resource
Section 66D criminalizes cheating by personation through electronic means, targeting fraudsters who impersonate others
using email, social media, or websites to deceive and extract information or money. The offence is punishable with
imprisonment of up to three years and a fine. It covers online scams including phishing, fake job portals, and fraudulent
impersonation in electronic auctions or services.
Vital in addressing socioeconomic harms stemming from trust-based digital interactions.
Strengthens the jurisprudence on cyber deception and fraud.
Section 66E – Violation of Privacy
Section 66E penalizes the intentional capture, publication, or transmission of the image of a person’s private area without
consent, in circumstances where the person has a reasonable expectation of privacy. This provision addresses the growing
concern over voyeurism, nonconsensual pornography, and misuse of mobile cameras in private or semi-private settings.
The section prescribes imprisonment up to three years or a fine up to two lakh rupees, or both.
Aligns with constitutional principles outlined in the Puttaswamy v. Union of India judgment, which recognized privacy
as a fundamental right.
Important in an era marked by the widespread dissemination of explicit content and the risk of technology-facilitated
gender-based violence.
Section 66F – Cyber Terrorism
Section 66F defines and penalizes cyber terrorism, a serious offence punishable by life imprisonment. It encompasses
activities intended to threaten the unity, integrity, or sovereignty of India through unauthorized access to critical information
infrastructure (CII) or by inducing fear among the public. Acts such as hacking into national security databases, disrupting
emergency services, or disseminating terror propaganda online fall within this provision’s ambit.
Poses a grave threat to national security, especially given the digitization of defence, energy, and communication
sectors.
Strategic cooperation between law enforcement, intelligence agencies, and cybersecurity experts is indispensable for
operationalizing this law effectively.
Section 67, 67A & 67B – Obscenity and Child Pornography
Section 67 criminalizes the publishing or transmitting of obscene material in electronic form. Sections 67A and 67B, introduced via ITAA 2008, extend this to sexually explicit material and to material depicting children in sexually explicit acts, respectively. On a first conviction Section 67 carries up to three years' imprisonment, while Sections 67A and 67B carry up to five years, with substantial fines in each case. Repeat offenders face enhanced penalties, emphasizing the gravity of the crime.
The digital proliferation of sexually explicit content has necessitated robust legal intervention.
Section 67B, in particular, aims to protect children from online sexual exploitation, aligning with international norms such as the Optional Protocol to the UN Convention on the Rights of the Child on the sale of children, child prostitution and child pornography.
Conclusion
The Information Technology Act, 2000 and its subsequent amendment in 2008 represent India’s legislative efforts to adapt
to the dynamic challenges posed by digital technologies. These laws encompass a wide range of offences, from
unauthorized access and identity theft to cyber terrorism and child pornography. While their progressive scope is
commendable, continued improvements in enforcement, digital literacy, cyber forensics, and legal awareness are imperative
to ensure their efficacy. The evolution of cyber laws must keep pace with emerging threats to maintain a secure and
trustworthy digital ecosystem.
Ethics in Forensics
Definition and Importance of Ethics
Ethics vs. Rules of Conduct:
Ethics are internal moral principles guiding one’s professional and personal behavior. In contrast, rules of
conduct are external standards enforced by regulatory bodies, such as licensing or certifying organizations.
Codes of Professional Conduct:
These are formalized expectations set by professional organizations. They serve as a baseline for behavior,
but individuals may uphold higher ethical standards based on personal beliefs.
Role of Ethics in Forensics
Maintaining Balance in Contentious Situations:
Ethical principles act as a compass for decision-making in high-pressure and morally ambiguous situations,
which are common in forensic work.
Self-respect and Professional Credibility:
Ethical conduct enhances the credibility of forensic professionals both in the eyes of their peers and the
legal system.
Challenges Faced by Forensic Examiners
Lack of Uniform Codes:
Unlike medicine or law, digital forensics lacks a universally recognized code of conduct, making internal
ethical standards even more critical.
Higher Personal Standards:
Professionals are encouraged to maintain personal ethical standards that surpass the minimum
requirements established by law or professional bodies.
Protecting Yourself Through Ethical Behavior
Transparency and Accountability:
Ethical individuals operate with transparency and are willing to engage in self-criticism, which strengthens
both personal integrity and public trust.
Willingness to Criticize Impropriety:
An ethical stance allows professionals to call out misconduct without fear of hypocrisy or reprisal.
Role of Expert Witnesses
Presenting Unbiased and Technical Evidence:
Expert witnesses must strive to provide impartial, scientifically grounded testimony that assists the court.
Control Over Biases:
Ethical awareness helps experts manage and minimize their own biases, which could otherwise skew their
findings or testimony.
Legal System’s Concern
High Dependency on Experts:
With expert testimony appearing in over 80% of trials, the legal system is deeply reliant on the integrity of
such professionals.
Court’s Struggle with Ethics Guidelines:
Judicial systems lack comprehensive frameworks to govern expert witness behavior, leaving a gray area in
terms of accountability and conduct.
Examples of Ethical Breaches
West Virginia State Police Crime Lab:
A serologist was found falsifying evidence in criminal cases, illustrating severe ethical failure.
Texas Pathologist Erdmann Case:
A pathologist fabricated autopsy results to support criminal convictions—an example of unethical expert
witness behavior.
Lack of Licensing in Digital Forensics
Licensing Gaps:
Digital forensics professionals are often unlicensed or classified under unrelated professions, such as
private investigation, despite distinct roles.
Ethical Codes from Various Sources:
Forensic experts must rely on a mix of personal ethics, employer guidelines, and standards set by certifying
bodies or professional associations.
Toward a Unified Code
Proposal for General Code of Ethics:
There are ongoing efforts to establish a unified code of ethics for expert witnesses, covering areas like:
Confidentiality: Respecting client and case information.
Fees: Transparency and fairness in compensation.
Ex parte Communication: Avoiding improper communication with parties involved in the case.
Conflicts of Interest: Disclosing any relationship that may affect impartiality.
Professionalism: Upholding respectful and objective behavior in court and investigative work.