
Unit-4

What Is Digital Forensics?


Digital forensics is the process of storing, analyzing, retrieving, and preserving
electronic data that may be useful in an investigation. It includes data from hard
drives in computers, mobile phones, smart appliances, vehicle navigation systems,
electronic door locks, and other digital devices. The goal of the digital forensics
process is to collect, analyze, and preserve evidence.

Steps of Digital Forensics

Now that you understand what digital forensics is, let's look at its steps:

Identification

This is the initial stage in which the individuals or devices to be analyzed are
identified as likely sources of significant evidence.

Preservation

It focuses on safeguarding relevant electronically stored information (ESI) by
capturing and preserving the crime scene and documenting relevant information, such
as visual images and how they were obtained.

Analysis

It is a methodical examination of the information gathered as evidence. This
examination produces data objects, including system and user-generated files, and
seeks specific answers and points of departure for conclusions.

Documentation

These are tried-and-true procedures for documenting the analysis's conclusions, and
they must allow other competent examiners to read through and duplicate the results.

Presentation

The collection of digital information, which may entail removing electronic devices
from the crime/incident scene and copying or printing the device(s), is critical to
the investigation.

Objectives of Digital Forensics

Knowing the primary objectives of using digital forensics is essential for a complete
understanding of what digital forensics is:

 It aids in the recovery, analysis, and preservation of computers and related
materials so that the investigating agency can present them as evidence in a court of
law

 It aids in determining the motive for the crime and the identity of the primary
perpetrator

 Creating procedures at a suspected crime scene to help ensure that the digital
evidence obtained is not tainted

 Data acquisition and duplication: the process of recovering deleted files and
partitions from digital media in order to extract and validate evidence

 It assists you in quickly identifying evidence and estimating the potential impact
of malicious activity on the victim

 Creating a computer forensic report that provides comprehensive information on
the investigation process

 Keeping the evidence safe by adhering to the chain of custody

Types of Digital Forensics

As digital data forensics evolves, several sub-disciplines emerge, some of which are
listed below:

Computer Forensics

It analyzes digital evidence obtained from laptops, computers, and storage media to
support ongoing investigations and legal proceedings.

Mobile Device Forensics

It entails obtaining evidence from small electronic devices such as personal digital
assistants, mobile phones, tablets, SIM cards, and gaming consoles.

Network Forensics

Network or cyber forensics depends on the data obtained from monitoring and
analyzing cyber network activities such as attacks, breaches, or system collapse
caused by malicious software and abnormal network traffic.

Digital Image Forensics

This sub-specialty focuses on the extraction and analysis of digital images to verify
authenticity and metadata and determine the history and information surrounding
them.

Digital Video/Audio Forensics

This field examines audio-visual evidence to determine its authenticity or any
additional information you can extract, such as location and time intervals.

Memory Forensics

It refers to the recovery of information from a running computer's RAM and is also
known as live acquisition.

Introduction to Computer Forensics

INTRODUCTION
Computer Forensics is a scientific method of investigation and analysis used to
gather evidence from digital devices, computer networks, and components that is
suitable for presentation in a court of law or legal body. It involves performing a
structured investigation while maintaining a documented chain of evidence to find out
exactly what happened on a computer and who was responsible for it.
TYPES
 Disk Forensics: It deals with extracting raw data from the primary or
secondary storage of the device by searching active, modified, or deleted
files.
 Network Forensics: It is a sub-branch of Computer Forensics that involves
monitoring and analyzing the computer network traffic.
 Database Forensics: It deals with the study and examination of databases
and their related metadata.
 Malware Forensics: It deals with the identification of suspicious code and
studying viruses, worms, etc.
 Email Forensics: It deals with emails and their recovery and analysis,
including deleted emails, calendars, and contacts.
 Memory Forensics: Deals with collecting data from system memory (system
registers, cache, RAM) in raw form and then analyzing it for further
investigation.
 Mobile Phone Forensics: It mainly deals with the examination and analysis
of phones and smartphones and helps to retrieve contacts, call logs,
incoming and outgoing SMS, and other data present on them.

Digital Forensics life cycle


 Identification: Identifying what evidence is present, where it is stored, and
how it is stored (in which format). Electronic devices can be personal
computers, Mobile phones, PDAs, etc.
 Preservation: Data is isolated, secured, and preserved. It includes
prohibiting unauthorized personnel from using the digital device so that
digital evidence, mistakenly or purposely, is not tampered with and making
a copy of the original evidence.
 Analysis: Forensic lab personnel reconstruct fragments of data and draw
conclusions based on evidence.
 Documentation: A record of all the visible data is created. It helps in
recreating and reviewing the crime scene. All the findings from the
investigations are documented.
 Presentation: All the documented findings are produced in a court of law for
further investigations.

Digital Evidence Collection


In the early 80s PCs became more popular and easily accessible to the general
population. This led to increased use of computers in all fields, and criminal
activities were no exception. As more and more computer-related crimes began to
surface, such as computer fraud and software cracking, the computer forensics
discipline emerged along with them. Today digital evidence collection is used in the
investigation of a wide variety of crimes such as fraud, espionage, cyberstalking, etc.
The knowledge and techniques of forensic experts are used to explain the
contemporaneous state of the digital artifacts from the seized evidence, such as
computer systems, storage devices (SSDs, hard disks, CD-ROMs, USB flash drives,
etc.), or electronic documents such as emails, images, documents, chat logs, phone
logs, etc.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
 Data collection: In this process data is identified and collected for
investigation.
 Examination: In the second step the collected data is examined carefully.
 Analysis: In this process, different tools and techniques are used and the
collected evidence is analyzed to reach some conclusion.
 Reporting: In this final step all the documentation, reports are compiled so
that they can be submitted in court.
Types of Evidence:
Collecting evidence is really important in any investigation to support the claims
in court. Below are some major types of evidence.
 Real Evidence: This involves physical or tangible evidence such as flash
drives, hard drives, documents, etc. An eyewitness can also be considered
tangible evidence.
 Hearsay Evidence: These are out-of-court statements that are presented in
court to prove the truth of the matter asserted.
 Original Evidence: These are statements made by a person who is not a
testifying witness, offered to prove that the statement was made rather than
to prove its truth.
 Testimony: Testimony is when a witness takes an oath in a court of law and
gives their statement. The evidence presented should be authentic, accurate,
reliable, and admissible, as it can be challenged in court.

Email Forensics
Email forensics has become part of digital forensics investigations because of the
massive and common use of email nowadays.
People use email to communicate with friends, schoolmates, colleagues, and a variety
of other people. Hence, a great deal of data and information is transmitted through
it, and, not surprisingly, some of that use is illegal, just as happened with other
common communication methods, such as the mobile phone, once they became popular.
In fact, it is already a severe public concern that a majority of criminals have been
using email in committing their crimes in recent years, especially when it comes to
cyber security and digital crime. Not only that, increasingly non-computer crimes and
even civil litigation have involved emails.
That being said, we want to unveil how email operates and thus extract evidence of
email-related crimes via email forensics to bring the criminals to justice.

What is Email Forensics?


Email forensics is dedicated to investigating, extracting, and analyzing emails to
collect digital evidence as findings, in a forensically sound manner, in order to
solve crimes and certain incidents.
The process of email forensics is conducted across various aspects of emails, which
mainly include:

 Email messages
 Email addresses (sender and recipient)
 IP addresses
 Date and time
 User information
 Attachments
 Passwords
 Logs (cloud, server, and local computer)

By investigating the above crucial elements of an email deeply and as a whole,
potential clues can be obtained to help push a criminal investigation forward.
Hence, knowing how to conduct scientific and effective email forensics has become
important.
But before diving deep into practical email forensics, note that without a full
understanding of the operation and theory of email itself, the forensic work is
likely to get stuck.

How Does Email Work?

Just like other digital forensics technology, it is not easy to conduct forensics
without understanding the basis of the underlying technology.
Emails may be generated from various mediums and approaches, and thus different
technologies are applied accordingly.
Commonly, a person writes an email on a digital device, maybe a phone or computer,
and then sends it to the intended recipient. Though it seems the sender's work is
finished, the email processing work has just started so that the message can be
delivered successfully and correctly to the recipient.
When an email is sent out, a number of servers actually handle the whole content of
the email before it can really arrive in the recipient's inbox, which is to say that
we have to understand what happens after we click the "send" button.
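As an added example (not part of the original notes), the following Python script shows how an examiner recovers the route a message took through the mail servers described above, together with the sender, recipient, Message-ID, date and IP elements listed in the previous section. The message, host names, IP addresses and mailboxes are constructed for illustration; only the standard library is used.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
# Constructed sample message (not a real capture); hosts, IPs and addresses are made up.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 03 Jun 2024 10:15:42 +0000
Received: from relay.example.com (relay.example.com [198.51.100.22])
\tby mx.example.net with ESMTPS; Mon, 03 Jun 2024 10:15:40 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.com with ESMTP; Mon, 03 Jun 2024 10:15:38 +0000
Message-ID: <20240603101538.12345@relay.example.com>
Date: Mon, 03 Jun 2024 10:15:38 +0000
From: "Sender" <sender@example.com>
To: victim@example.org
"""

def parse_received(value: str) -> dict:
    """Split one Received header into sending host, observed IP, receiving MTA and time."""
    text = " ".join(value.split())            # unfold and collapse whitespace
    body, sep, stamp = text.rpartition(";")   # the timestamp follows the last ';'
    if not sep:
        body, stamp = text, ""
    m_from = re.search(r"\bfrom\s+(\S+)", body)
    m_by = re.search(r"\bby\s+(\S+)", body)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)   # IP seen by the receiving MTA
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }

def trace_hops(raw: str) -> list:
    """Return the Received hops in transmission order (earliest MTA first)."""
    msg = message_from_string(raw)
    # Each MTA prepends its own Received line, so the top one is the last hop.
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def summarize(raw: str) -> dict:
    """Collect the header facts an examiner records: who, when, message id, route."""
    msg = message_from_string(raw)
    hops = trace_hops(raw)
    times = [h["time"] for h in hops if h["time"]]
    return {
        "message_id": msg.get("Message-ID"),
        "date": parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None,
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        # Timestamps that run backwards along the route suggest a forged header.
        "timestamps_consistent": all(a <= b for a, b in zip(times, times[1:])),
    }
```

Only the Received line added by a server you trust is reliable; everything below it in the header block was supplied by the previous hop and can be fabricated, which is why the chronology check matters.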

What the Chain of Custody Entails in Digital Cyber Forensics

If you are in the field of cyber security, at some point in your career you will be
involved in digital forensics. One of the most essential concepts in digital
forensics is the chain of custody.
The chain of custody in digital cyber forensics is also known as the paper trail,
forensic link, or chronological documentation of the evidence.
 The chain of custody indicates the collection, sequence of control, transfer, and
analysis of the evidence.
 It also documents details of each person who handled the evidence, the date and
time it was collected or transferred, and the purpose of the transfer.
 It demonstrates to the courts and to the client that the evidence has not been
tampered with.
Chain of Custody Process
In order to preserve digital evidence, the chain of custody should span from the first
step of data collection through examination, analysis, and reporting to the time of
presentation to the courts. This is very important to avoid the possibility of any
suggestion that the evidence has been compromised in any way.
Let's discuss each stage of the chain of custody in detail:
1. Data Collection: This is where the chain of custody process is initiated. It
involves identification, labeling, recording, and the acquisition of data from all
possible relevant sources, in a way that preserves the integrity of the data and
evidence collected.
2. Examination: During this process, the chain of custody information is
documented, outlining the forensic process undertaken. It is important to
capture screenshots throughout the process to show the tasks that were completed
and the evidence uncovered.
3. Analysis: This stage builds on the results of the examination stage. In the
analysis stage, legally justifiable methods and techniques are used to derive useful
information to address the questions posed in the particular case.
4. Reporting: This is the documentation phase of the examination and analysis
stages. Reporting includes the following:
 Statement regarding Chain of Custody.
 Explanation of the various tools used.
 A description of the analysis of various data sources.
 Issues identified.
 Vulnerabilities identified.
 Recommendation for additional forensics measures that can be
taken.
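Added example, not from the original notes: a small Python chain-of-custody ledger for one exhibit that records each handler, time and purpose (the details the section above says must be documented) alongside a SHA-256 of the evidence re-computed at that moment, and links each entry to the previous one by hash so that verification exposes a modified evidence copy, an altered record, or a deleted record. The exhibit id, examiner names and evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Each entry names who handled the item, when and why, plus the evidence hash
    re-computed at that moment and the hash of the previous entry, so a changed
    evidence copy, an altered entry or a deleted entry all show up on verify()."""

    def __init__(self, item_id: str, evidence: bytes, collector: str, when: datetime):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(evidence)      # hash taken at seizure
        self.entries = []
        self.record("collected", collector, when, evidence, "acquisition at scene")

    def record(self, action, handler, when, evidence, purpose) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "item_id": self.item_id, "action": action, "handler": handler,
            "time": when.isoformat(), "purpose": purpose,
            "evidence_sha256": sha256_hex(evidence), "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return the problems found; an empty list means log and evidence agree."""
        problems, prev = [], "0" * 64
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(fields, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: record altered after it was written")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if e["evidence_sha256"] != self.acquisition_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e["entry_hash"]
        return problems

def demo() -> tuple:
    """Constructed walk-through: a clean transfer, then a working copy that was modified."""
    image = b"\x00" * 512 + b"constructed disk image, not a real acquisition"
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EXH-001", image, "Examiner A", t0)
    log.record("transferred", "Examiner B", t0.replace(hour=11), image, "lab examination")
    clean = log.verify()                      # expected: no problems
    log.record("returned", "Examiner A", t0.replace(hour=15), image[:-1] + b"!", "storage")
    return clean, log.verify(), log
```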

What Is Network Forensics?


“Network forensics is a science that centers on the discovery and retrieval of
information surrounding a cybercrime within a networked environment.
Common forensic activities include the capture, recording and analysis of
events that occurred on a network in order to establish the source of
cyberattacks.”
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
 Identification: In this process, investigators identify and evaluate the incident
based on the network pointers.
 Safeguarding: In this process, the investigators preserve and secure the data
so that tampering can be prevented.
 Accumulation: In this step, a detailed report of the crime scene is documented
and all the collected digital shreds of evidence are duplicated.
 Observation: In this process, all the visible data is tracked along with the
metadata.
 Investigation: In this process, a final conclusion is drawn from the collected
shreds of evidence.
 Documentation: In this process, all the shreds of evidence, reports,
conclusions are documented and presented in court.
Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used in a better way by reporting and better planning.
 It helps in a detailed network search for any trace of evidence left on the
network.

Approaching a Computer Forensics Investigation


The phases in a computer forensics investigation are:

 Secure the subject system
 Take a copy of the hard drive/disk
 Identify and recover all files
 Access/view/copy hidden, protected, and temp files
 Study special areas on the drive
 Investigate the settings and any data from programs on the system
 Consider the system from various perspectives
 Create a detailed report containing an assessment of the data and information
collected

Things to be avoided during a forensics investigation:

 Changing date/timestamps of the files
 Overwriting unallocated space

Things that must not be omitted before a forensics investigation:

 Engagement contract
 Non-Disclosure Agreement (NDA)

Elements addressed before drawing up a forensics investigation engagement
contract:

 Authorization
 Confidentiality
 Payment
 Consent and acknowledgement
 Limitation of liability

General steps in solving a computer forensics case are:

 Prepare for the forensic examination
 Talk to key people about the case and what you are looking for
 Start assembling tools to collect the data and identify the target media
 Collect the data from the target media
 Use a write-blocking tool while imaging the disk
 Check email records too while collecting evidence
 Examine the collected evidence on the image that was created
 Analyze the evidence
 Report your findings to your client

Forensics and Social Networking Sites

In this article we will look at forensics and social networking sites. We will look at
different concerns related to social networking sites and the challenges they present.

Social networking sites are defined as web-based services that allow individuals to:
 Create a public or semi-public profile
 Search or navigate through a list of users with whom they share a common
connection
 View connections of other users

Although social networking sites have their uses, there are several associated
security threats. The concerns regarding social networking sites are:

 Does the social networking site violate people's intellectual property rights?
 Do these sites infringe the privacy of their own users?
 Do these sites promote fraudulent and illegal activities?

Content preservation can be challenging given the dynamic, short-lived, and often
multi-format nature of social media. There is generally no control over the content
posted on social networking sites. A high level of forensic skill is required to
analyze and quantify the preserved data to answer questions such as:

 Who posted the offending content?
 Is there a real live person to whom the offending content can be attributed,
even when evidence exists?
 Can we identify the time frame associated with the posting of the offending
content?
 How much of the offending content exists across the entire social networking
platform?
 Is there other content that supports interpretation of the relevant content?
 How accurate is the reported physical location?

Challenges Faced by Computer Forensics

Here are the major challenges faced by digital forensics:

 The increase in PCs and the extensive use of internet access
 Easy availability of hacking tools
 Lack of physical evidence makes prosecution difficult.
 The large amount of storage space, running into terabytes, makes the
investigation job difficult.
 Any technological change requires an upgrade or changes to solutions.
