2/3/2024

Dr.S.Udhayakumar
Associate Professor

Course Objectives
• To provide the fundamentals of digital and cyber space, impact of the
activities.
• To cover the fundamentals of cyber-crime and steps involved in
collecting the evidences through various tools.
• To provide basics of Cyber-crime incidents and how Cyber Law
address them.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

1
 2/3/2024

Course Outcomes

CO1
Explain the concept of digital forensics and cyber forensics
CO2 Understand and able to perform cyber forensics for the cybercrime
incident
CO3 Able to use different forensics tools and standard to report the real-
world cyber incidents
CO4
Familiarizing the fundamentals of Anti-forensics and Cyber laws

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

Syllabus
• Unit 1 : Classifications of Cyber Crimes against individuals, property and nation, Need for Digital forensics and steps in digital
forensics (scientific methods), Number System: Binary, Decimal, Hexadecimal, ASCII, and Unicode representation of data,
Arenas for digital forensics: disk, network, wireless, database, mobile, e-mail, GPS and memory, Incident handling and
response with forensic triage, Ethical Hacking and future of cybercrime.
• Unit 2 : Locard's exchange principle and digital forensic investigation models, types: artifacts, identifying raw and proprietary
forensic storage formats, identification of potential evidence: slack space, swap space, steganography, recovery of hidden,
deleted and corrupt data, standard file formats with their headers and forensic file carving, planning your investigation,
order of volatility and forensic triage, overview of file systems.
• Unit 3 : Rules of collecting Digital Evidence, Standard collection procedures: seizure, write blockers, bit-stream imaging,
hashing, Chain of Custody (COC), evidence bags and SOP for collecting evidences, Source and Location of Digital Evidences,
Duplicating and Preserving Digital Evidences, Importance of MAC timings, Types of System logs and Windows Registry.
• Unit 4 : Forensic laboratory requirements: setting up of lab, evaluating lab staff, selection of appropriate forensic
workstations, backup and recovery plans, generating forensically sound reports., IPR and Cyber Laws in India - IT Act 2000
and 2008 Amendment and like-minded IPC sections, Code of Ethics, Expert Witness and analyzing sample forensic reports.
• Unit 5 : Validating and gathering evidence using DOS Commands and Unix/Linux Commands, Forensic imaging using DD
commands, Software tools - Open Source and proprietary digital forensic frameworks, Hardware tools - write blockers,
images and evidence protection containers/bags, NIST tools - CFReDS, CTFF and NSRL and analyzing e-mail headers and
network packets.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

2
 2/3/2024

Textbook and Reference books

• Textbook(s)
• 1. E. Casey, Handbook of Digital Forensics and Investigation, Academic Press; 2010.
• 2. David Cowen, Computer Forensics: A Beginners Guide, McGraw Hill Education; 2013.
• 3. Bill Nelson, Amelia Phillips, Christopher Steuart, Guide to Computer Forensics and
Investigations, Fourth Edition; 2014.
•
• Reference(s)
• 1. Brian Carrier, File System Forensic Analysis, Pearson, 2006.
• 2. Marjie T. Britz, Computer Forensics and Cyber Crime, Pearson, 2012

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

Unit 3
• Rules of collecting Digital Evidence,
• Standard collection procedures:
• seizure,
• write blockers,
• bit-stream imaging,
• hashing,
• Chain of Custody (COC),
• evidence bags and
• SOP for collecting evidences,
• Source and Location of Digital Evidences,
• Duplicating and Preserving Digital Evidences,
• Importance of MAC timings,
• Types of System logs and
• Windows Registry.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

3
 2/3/2024

The Cardinal Rules of Cyber Forensic

• There are basically five cardinal rules to be followed systematically by
cyber forensic examiner.
• 1 Never Mishandle the Evidence
• 2 Never work on the Original Evidence
• 3 Never Trust the Subject’s Operating System
• 4 Document Everything
• 5 The results should be repeatable and verifiable by a third party

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

1 Never Mishandle the Evidence

• The first cardinal rule says to preserve the evidence, which means
that the evidence should not to be tampered with or contaminated.
• Secure collection of evidence is important to guarantee the evidential
integrity and security of information.
• The best approach for this matter is to use disk imaging tool.
Choosing and using the right imaging tool is very important in cyber
forensics investigation.
• 1.1Disk imaging tool top level requirement
• 1.2 Importance of Imaging:
• 1.3 Chain of Custody

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

4
 2/3/2024

1.1Disk imaging tool top level requirement

• The tool shall make a bit-stream duplicate or an image of an original
disk or partition on fixed or removable media.
• The tool shall not alter the original disk
• The tool shall be able to verify the integrity of a disk image file
• The tool shall log I/O errors
• The tool should provides good documentation

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

1.2 Importance of Imaging:

• To preserve the original evidence, a forensic copy or imaging of the
original data is done using specialized software and write blocker so
that integrity of evidence is not altered.
• The analysis is done now on forensic copy of evidence. The
original evidence is to be preserved into safe custody.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

5
 2/3/2024

1.3 Chain of Custody:

• To document the evidence, like who recovered the evidence and
when, and who possessed it and when a chain-of-evidence form is
generated and filled, which helps the examiner to document what has
and has not been done with both the original evidence and the
forensic copies of the evidence.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

2 Never Work on the original evidence

• The second cardinal rule says not to work on the original evidence as
the digital evidence is very fragile in nature. To maintain the integrity
of the digital evidence and any unknowing alteration, preserve the
original evidence in its pristine condition.

• Pros and cons of using original evidence:

• It is easier to work on the original evidence and the cost related to it is also
low. If analyzed directly, the digital evidence will lose its integrity,
authenticity and will not be admissible in any court.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

6
 2/3/2024

3 Never Trust the Subject’s Operating System

• Computer criminal can modify the routine operating system
commands to perform destructive commands.
• Using the subject’s operating system could easily destroy data with
just a few keystrokes.
• When the subject computer starts, booting to a hard disks overwrites
and changes evidentiary data.
• To make sure that data is not altered, we need to monitor the
subject’s computer during initial bootstrap to identify the correct key
to use access the CMOS setup.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

4 Document Everything
• To document the evidence, chain-of-evidence form is created.
• It serves the following functions.
• Identify the evidence
• A legal authority copy should be obtained.
• Chain of custody including initial count of evidence to be examined,
• Information regarding the packaging and condition of the evidence upon
receipt by the examiner,
• Lists the dates and times the evidence was handled.
• Documentation should be preserved according to the examiner’s agency
policy

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

7
 2/3/2024

5. The results should be repeatable and verifiable by

a third party
• The fifth cardinal rule says that the analysis done on the evidence
should be completely audited by the third party.
• To establish the integrity of information a cryptographic hash value,
such as MD5 or SHA-1 are calculated so that it can be proven to the
courts.
• Chain of custody forms are created if evidence are used in court or
verified by any third party. The same process can be conducted and
verified by any expert or person.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

Online content
• https://www.unodc.org/e4j/en/cybercrime/module-6/key-
issues/handling-of-digital-evidence.html

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

8
 2/3/2024

Rules of collecting Digital Evidence

• Managing Digital Evidence
• Digital evidence management has become so critical to legal and
corporate affairs that government agencies now routinely provide
guidance on the best ways to preserve digital evidence. Since most
companies do not have the resources to retain in-house evidence
collection specialists, we’ve pulled together these 10 best
practices for handling digital evidence. They will help non-experts
handle evidence in the safest and most secure way possible.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

1. Document Device Condition

• This is often overlooked during the identification phase.

Make sure to take pictures of the device holding the digital
media you will be collecting.
• Document its physical condition and where it was located.
• Are there any dents or scratches? Is it wet?
• Are there tools nearby that could have been used to tamper
with it?
• Track this information in the same evidence management
system as the physical device.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

9
 2/3/2024

2. Get Forensic Experts Involved

• It is important to know when to stop working with evidence and let
the experts take over.
• Following the best practices detailed here will allow even regular
security officers, IT technicians, and office workers to help with the
collection process.
• But the process of preserving and analyzing data still usually
requires forensic expertise.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

3. Have a Clear Chain of Custody

• Document the transfer of media and digital evidence between every

person and agency that comes in contact with it.
• Gaps in these records can prevent evidence from being admitted in
court should legal action need to be taken.
• While a chain of custody can be recorded on paper, an authoritative
digital record is often more reliable.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

10
 2/3/2024

4. Don’t Change the Power Status

• Leave the device in its current power state as long as possible during
evidence identification and collection.
• If the device is on, leave it on. If it is off, leave it off.
• Leave battery-powered devices in their current state as long as
possible.
• Obviously, for wired devices, such as desktop PCs, you will eventually
need to turn them off for transport.
• For highly sensitive investigations, it is best to bring in forensic
experts before you do whenever possible.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

5. Secure the Device

• Ensure proper chain of custody for both hardware and data with
strong physical security.
• Don’t store the device in an open access area.
• Try not to leave it unattended when it is being worked on.
• Poor chain of custody can reduce the value of evidence during
proceedings.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

11
 2/3/2024

6. Never Work on the Original Data

• Sometimes data collection involves just copying readable files from
media storage. But often other metadata can be collected from
devices by forensic experts.
• Metadata is data about the condition of files on the device or about
the device itself. Useful metadata can include how files were
accessed, whether a shutdown or delete command was issued, or
whether the user tried to copy files to another device.
• Working directly on the original media will often delete valuable
metadata. Professional data retrieval and forensic services always
perform their analyses and reporting on virtual copies of media
whenever possible.
20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

7. Keep the Device Digitally Isolated

• Another way to preserve metadata is to keep the device isolated from
other storage systems. Keep it off Wi-Fi and wired network
connections.
• Sometimes well-intentioned staff can accidentally overwrite valuable
metadata if they plug in a thumb drive attempting to copy files via
conventional means for analysis. Leave the data copying to
professional forensic experts.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

12
 2/3/2024

8. Prepare for Long-Term Storage

• Consider whether off-site storage is needed for long-term evidence
management, or whether an on-site modular evidence management
system can accommodate your needs. Modular systems will be able
to scale if evidence retention needs or available space change.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

9. Monitor Evidence Transactions

• Staff will need to periodically sign out evidence for reporting or
attorney consultations. Recording all of these transactions is essential
for maintaining a proper chain of custody.
• This can be difficult for most organizations that aren’t staffed with a
full-time evidence manager. Even those law enforcement agencies
that do have evidence managers can’t have them on duty around the
clock. Consider whether automated evidence lockers can simplify
transaction monitoring.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

13
 2/3/2024

10. Periodically Audit Your Evidence Management

Program
• New electronic devices are constantly hitting the market. In
particular, the advent of Internet of Things (IoT) technology means
many more types of devices now hold data. You should regularly
review your digital evidence management practices to ensure they
accommodate all new types of devices and forms of digital storage
that might come into your possession.

20CYS311 – Cyber Forensics - Dr.S.Udhayakumar, Associate Professor, CSE- CYS

14