Chanderprabhu Jain College of Higher Studies

&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

E-NOTES
Class : BCA III Sem.

Paper Code : BCA 213

Subject : Cyber Security

Faculty Name : Mr. Prabhat

UNIT – IV

Cyber forensics, also known as digital forensics, is the science of collecting, analysing,
and preserving digital evidence from various electronic devices. It plays a crucial role in
investigations related to cybercrimes, data breaches, and any unauthorized digital activity.
The primary objective of cyber forensics is to establish a timeline of events and provide
clear evidence that can be presented in a court of law.

IMPORTANCE OF CYBER FORENSICS

The rise in cybercrimes has made cyber forensics an essential field. It helps organizations
understand the methods employed by cybercriminals, assess damage, and develop
strategies to prevent future incidents. Moreover, the legal system relies heavily on cyber
forensic experts to provide credible evidence in court cases involving technology.

KEY COMPONENTS OF CYBER FORENSICS

• Data Collection: Gathering digital evidence without altering it is paramount.

Techniques such as imaging, which creates an exact copy of the digital media, are
commonly used.

• Data Analysis: Analyzing the collected data involves examining file systems,
recovering deleted files, and identifying anomalies that indicate malicious activities.

• Documentation and Reporting: A detailed report is prepared, outlining the

findings, methodologies, and conclusions drawn during the analysis phase.

1
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

• Testimony: Forensic experts may be called upon to present their findings in court,
explaining technical concepts in a manner that is understandable to judges and
juries.

TECHNIQUES USED IN CYBER FORENSICS

• File Carving: This technique is used to recover files without the file system's
metadata, often employed to recover deleted files.

• Network Forensics: Involves monitoring and analyzing network traffic to identify

unauthorized access or data exfiltration.

• Malware Analysis: Examining malicious software to understand its behavior and

the impact it has on systems.

Cyber forensics is a critical field that continues to evolve with technology. Its
significance in law enforcement and corporate security cannot be overstated, as it
provides essential insights into cyber incidents and helps in safeguarding digital assets.

DIGITAL EVIDENCE

Digital evidence refers to any information stored or transmitted in digital form that can
be used in a court of law. This includes data from computers, smartphones, tablets,
servers, and any device capable of storing digital information.

TYPES OF DIGITAL EVIDENCE

• Files and Documents: Includes text files, spreadsheets, presentations, and images.
• Emails and Messaging: Communications can provide insights into intent and
actions.
• Logs: System and application logs record activities that can be crucial in
investigations.

2
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

• Network Traffic: Data packets and logs from network devices can reveal
unauthorized access or data breaches.

RULES GOVERNING DIGITAL EVIDENCE

• Admissibility: For digital evidence to be admissible in court, it must be relevant,

authentic, and reliable.
• Chain of Custody: Maintaining a documented chain of custody is essential. It
ensures that the evidence collected has not been tampered with or altered.
• Preservation: Digital evidence must be preserved in its original state to prevent
contamination or alteration.
• Analysis Methodologies: The methods used for collecting and analyzing digital
evidence should be well-established and repeatable to uphold the evidence's
credibility.

Digital evidence plays a pivotal role in modern investigations. It can establish

connections between suspects and criminal activities, confirm alibis, and provide
insight into the methods used by cybercriminals. Understanding digital evidence and
its governing rules is essential for law enforcement, legal professionals, and
organizations. Proper handling of digital evidence can significantly impact the
outcomes of investigations and legal proceedings.

Challenges in Handling Digital Evidence

• Volume and Complexity: The vast amount of digital data can complicate
investigations.
• Technological Advances: Rapid technological advancements require forensic
experts to continuously update their skills and tools.
• Privacy Concerns: Balancing the need for investigation with individuals' privacy
rights can be challenging.

3
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

The life cycle of digital forensics refers to the systematic process followed during a
forensic investigation. It ensures that all steps are documented and that evidence is
collected and analyzed in a manner that preserves its integrity.

STAGES OF THE DIGITAL FORENSICS LIFE CYCLE

• Preparation: Involves ensuring that forensic tools and methodologies are in place,
and team members are trained in the latest techniques.
• Collection: Gathering digital evidence while maintaining its integrity. This stage
involves using proper techniques to avoid altering data.
• Preservation: Securing collected evidence to prevent alteration or loss. This often
involves creating forensic images of storage devices.
• Analysis: In-depth examination of the collected evidence to identify relevant
information. This may include recovering deleted files, analyzing logs, and
investigating malware.
• Presentation: Compiling findings into a comprehensive report and presenting it in
court, if necessary. The presentation must be clear and understandable to non-
technical audiences.
• Review: Post-investigation evaluation of the processes followed and lessons
learned for future cases.

CHALLENGES IN THE DIGITAL FORENSICS LIFE CYCLE

• Rapidly Evolving Technology: Keeping up with new technologies and attack

vectors can complicate the forensic process.
• Legal Considerations: Navigating legal constraints while conducting
investigations can be challenging.
• Resource Limitations: Insufficient resources, including tools and personnel, can
hinder the forensic process.

4
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

The digital forensics process involves several key steps that guide investigators in
collecting, analyzing, and presenting digital evidence. Each step is critical for maintaining
the integrity of the evidence and ensuring a thorough investigation.

KEY STEPS IN THE DIGITAL FORENSICS PROCESS

• Identification: Determining the potential sources of digital evidence relevant to the

investigation.

• Collection: Gathering evidence using approved techniques to avoid data alteration.

This may include imaging drives, capturing network traffic, or downloading logs.

• Preservation: Ensuring that the collected evidence is secured and preserved in its
original state, often using write-blockers to prevent changes.

• Analysis: Investigating the collected data to identify patterns, recover deleted files,
and uncover hidden information.

• Reporting: Documenting the findings in a clear and comprehensive report,

detailing methodologies, results, and conclusions drawn from the analysis.

• Testimony: Forensic experts may be required to testify in court, explaining their

findings and the methodologies used during the investigation.

BEST PRACTICES IN THE DIGITAL FORENSICS PROCESS

• Maintain Documentation: Keep detailed records of all actions taken during the
investigation, including time stamps and personnel involved.

• Follow Legal Guidelines: Ensure compliance with legal and organizational

policies throughout the investigation.

• Use Multiple Tools: Employ a variety of tools to validate findings and ensure
comprehensive analysis.

5
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

The digital forensics process is a structured approach to investigating cyber incidents.

Following established procedures ensures that evidence is collected and analyzed
correctly, increasing the likelihood of successful outcomes in legal proceedings.

TOOLS USED IN DIGITAL FORENSICS

• Forensic Imaging Software: Tools such as FTK Imager and EnCase are used to
create forensic copies of storage devices.

• Data Recovery Tools: Software like Recuva and PhotoRec can help recover
deleted files.

• Network Forensics Tools: Tools such as Wireshark can capture and analyze
network traffic.

OSI 7 LAYER MODEL

INTRODUCTION TO THE OSI MODEL

The Open Systems Interconnection (OSI) model is a conceptual framework used to

understand and implement network communication. It divides the communication process
into seven distinct layers, each with specific functions.

THE SEVEN LAYERS OF THE OSI MODEL

1. Physical Layer: This layer deals with the physical connection between devices,
including cables, switches, and electrical signals. It defines the hardware elements
involved in communication.

2. Data Link Layer: Responsible for node-to-node data transfer, this layer ensures
error detection and correction and manages access to the physical medium.
Protocols such as Ethernet operate at this layer.

6
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

3. Network Layer: The network layer is responsible for routing data packets across
different networks. It determines the best path for data transmission and handles
addressing. Protocols like IP (Internet Protocol) function at this layer.

4. Transport Layer: This layer ensures the reliable transmission of data segments
between end systems. It manages flow control, error detection, and retransmission.
Protocols like TCP (Transmission Control Protocol) and UDP (User Datagram
Protocol) operate here.

5. Session Layer: The session layer establishes, manages, and terminates sessions
between applications. It ensures that data exchanges are synchronized and
organized.

6. Presentation Layer: This layer translates data between the application layer and
the network format. It handles data encryption, compression, and translation to
ensure that the data is presented in a readable format for the application layer.

7. Application Layer: The topmost layer, the application layer, provides network
services to end-user applications. It includes protocols like HTTP, FTP, and SMTP,
enabling users to access and interact with network resources.

IMPORTANCE OF THE OSI MODEL

The OSI model serves as a guide for network design and troubleshooting. It provides a
standard framework for understanding how different network protocols interact and helps
network engineers identify where issues may arise in the communication process.

The OSI model is often compared with the TCP/IP model, which has fewer layers. The
TCP/IP model combines certain OSI layers into broader categories, reflecting a more
simplified approach to network communication. Understanding both models is essential
for network professionals.

7
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

The OSI model is a foundational concept in networking that provides a structured approach
to understanding how different layers of protocols interact. Its significance in network
design and troubleshooting cannot be overstated.

COMPUTER FORENSICS

Computer forensics is a branch of digital forensics that focuses specifically on the

recovery, analysis, and presentation of data from computer systems. It is used in criminal
investigations, civil litigation, and corporate security assessments.

Computer forensics plays a vital role in investigating cybercrimes, data breaches, and
fraud. It helps organizations protect their assets, recover from incidents, and comply with
legal requirements.

KEY COMPONENTS OF COMPUTER FORENSICS

• Evidence Collection: The process begins with the secure collection of data from
computer systems. This includes imaging hard drives and gathering volatile data
such as RAM.

• Data Analysis: Forensic experts analyze the collected data to identify relevant
information, recover deleted files, and investigate the actions of users on the system.

• Documentation and Reporting: Findings are documented in detailed reports,

outlining methodologies, results, and conclusions drawn from the analysis.

TOOLS USED IN COMPUTER FORENSICS

• Forensic Software: Tools like EnCase and FTK are commonly used for data
recovery and analysis.

• Disk Imaging Tools: These tools create exact copies of hard drives, ensuring that
the original evidence remains unaltered.

8
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

• Network Forensics Tools: Tools such as Wireshark and Network Miner help
analyze network traffic for evidence of unauthorized access or data exfiltration.

Challenges in Computer Forensics

• Rapid Technological Changes: Keeping up with new technologies and data

storage methods can be challenging for forensic investigators.

• Legal and Ethical Considerations: Navigating legal requirements and privacy

concerns is crucial during investigations.

• Volume of Data: The vast amount of data stored on computers can complicate the
analysis process.

Computer forensics is an essential field that aids in investigating cyber incidents and
protecting digital assets. Its methodologies and tools continue to evolve, making it a critical
component of modern cybersecurity efforts.

STEGANOGRAPHY

Steganography is the practice of hiding information within other non-secret data to avoid
detection. Unlike encryption, which alters the appearance of data, steganography conceals
the existence of the information.

Steganography is a fascinating field that intersects with cybersecurity, data protection, and
covert communication. Understanding its techniques, applications, and challenges is
essential for professionals in these domains.

TYPES OF STEGANOGRAPHY

• Image Steganography: Hiding data within image files, often by manipulating the
least significant bits (LSBs) of pixel values.

9
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

• Audio Steganography: Embedding information within audio files by altering

certain frequency components.

• Video Steganography: Concealing data within video files, which can include
altering frames or audio tracks.

• Text Steganography: Hiding data within text documents by using specific patterns
or formatting.

TECHNIQUES USED IN STEGANOGRAPHY

• Least Significant Bit (LSB): A common technique where data is embedded into
the least significant bit of pixel values in an image.

• Masking and Filtering: Techniques used to hide information in images, similar to

watermarking.

• Transform Domain Techniques: Methods that embed data in the frequency

domain rather than the spatial domain, enhancing robustness against detection.

• Data Protection: Used to conceal sensitive information, preventing unauthorized

access.

• Digital Watermarking: Embedding watermarks in media files to assert copyright

and ownership.

• Covert Communication: Enabling secret communication between parties without

raising suspicion.

CHALLENGES IN STEGANOGRAPHY

• Detection: Steganalysis is the process of detecting steganography, and advanced

techniques are continually developed to identify hidden data.

• Capacity: The amount of data that can be hidden is often limited by the medium
used.

10
 Chanderprabhu Jain College of Higher Studies
&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Recognized by Govt. of NCT of Delhi, Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE &Bar Council of India)

• Robustness: Ensuring that hidden data remains intact and undetectable even after
modifications or transformations to the host medium.

11