Digital Forensics Cyb201 Module5&6 2

The document covers various aspects of digital forensics, including disk, network, mobile, and memory forensics. It outlines the processes involved in each type, such as evidence identification, acquisition, analysis, and reporting, emphasizing the importance of maintaining the integrity of the evidence. Additionally, it discusses the tools and methods used in these forensic investigations to ensure accurate and reliable results.

Uploaded by atiwurchaj

DIGITAL FORENSICS CYB205

MODULE 5 & 6

5.1 DISK FORENSICS


Disk forensics is the science of extracting forensic information from digital storage media such as hard disks,
USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc. The steps of the disk forensics
process are as follows:

1. Identify digital evidence
2. Seize and acquire the evidence
3. Authenticate the evidence
4. Preserve the evidence
5. Analyze the evidence
6. Report the findings
7. Document everything

• Identify digital evidence: The first step in disk forensics is identification of storage devices at the
scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobile
phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives, etc.
These are some of the sources of digital evidence.
• Seize and acquire the evidence: The next step is seizing the storage media for digital evidence
collection. This step is performed at the scene of crime. A hash value of the storage media to be
seized is computed using an appropriate cyber forensics tool. A hash value is a unique signature
generated by a mathematical hashing algorithm from the content of the storage media. After the hash
value has been computed, the storage media is securely sealed and taken for further processing.

One of the cardinal rules of cyber forensics is "Never work on original evidence". To honour this
rule, an exact copy of the original evidence is created for analysis and digital evidence collection.
Acquisition is the process of creating this exact copy: the original storage media is write-protected
and a bit-stream copy is made so that the complete data is copied to the destination media.
Acquisition of the source media is usually done in a cyber forensics laboratory.
• Authenticate the evidence: Authentication of the evidence is carried out in the cyber forensics
laboratory. The hash values of the source and destination media are compared to make sure that
they are the same, which confirms that the content of the destination media is an exact copy of the
source media.
• Preserve the evidence: Electronic evidence can be altered or tampered with without leaving a trace.
Once acquisition and authentication have been done, the original evidence should be placed in
secure storage, away from strong magnetic fields and radiation sources. One more copy of the
image should be taken and stored on appropriate media or reliable mass storage. Optical media can
be used as the mass storage: it is reliable, fast, has a long life span and is reusable.
• Verify and analyze the evidence: Verification of the evidence before starting analysis is an
important step in the cyber forensics process. It is done in the cyber forensics laboratory before
analysis commences. The hash value of the evidence is computed and compared with the hash value
taken at the time of acquisition. If the two values are the same, the content of the evidence has not
changed; if they differ, the content has changed. The result of verification should be properly
documented.
Analysis is the process of collecting digital evidence from the content of the storage media,
depending on the nature of the case being examined. This involves keyword searching, picture
analysis, timeline analysis, registry analysis, mailbox analysis, database analysis, analysis of cookies,
temporary files and Internet history files, recovery and analysis of deleted items, data carving and
analysis, format recovery and analysis, partition recovery and analysis, etc.
• Report the findings: The case analysis report should be prepared according to the nature of the
examination requested by the court or investigating agency. It should contain the nature of the case,
details of the examination requested, details of the material objects and their hash values, the result
of evidence verification, details of the analysis conducted and the digital evidence collected, the
observations of the examiner, and the conclusion. The report should be presented in simple and
precise terms so that non-technical persons can understand its content.
• Documenting: Documentation is very important at every step of the cyber forensics process.
Everything should be appropriately documented for a case to be admissible in a court of law.
Documentation should start with the planning of the case investigation and continue through the
search of the scene of crime, seizure of material objects, chain of custody, authentication and
acquisition of evidence, verification and analysis of evidence, collection of digital evidence and
reporting, preservation of material objects, and up to the closing of the case.
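The hash, acquire, authenticate and verify steps above can be run end to end on a small file that stands in for a storage device. The Python below is an added worked example written for this page, not code from the module; the temporary file names, the chunk size and the single altered byte that makes verification fail are assumptions made for the demonstration.

```python
import hashlib
import io
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read media in 1 MiB chunks so a large image never sits fully in RAM


def hash_stream(stream, algorithm="sha256"):
    """Hash every byte of a binary stream from its current position to EOF."""
    digest = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    return hash_stream(io.BytesIO(data), algorithm)


def hash_file(path, algorithm="sha256"):
    with open(path, "rb") as f:
        return hash_stream(f, algorithm)


def acquire(source_path, image_path):
    """Bit-stream copy: every byte of the source, in order, into the image file.

    The source is opened read-only (real media would sit behind a hardware write
    blocker); the source hash is computed from exactly the bytes that are written,
    so the returned pair is (source_hash, image_hash).
    """
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest(), hash_file(image_path)


def verify(image_path, acquisition_hash):
    """Verification step: re-hash the image before analysis and compare it with
    the hash recorded at acquisition. True means the content is unchanged."""
    return hash_file(image_path) == acquisition_hash


def demo():
    """Run the whole chain on a constructed 'device' file (assumption: a file in
    a temporary directory stands in for real storage media)."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.dd")
        with open(source, "wb") as f:                      # constructed media contents
            f.write(b"EVIDENCE\x00" * 4096)
            f.write(bytes(range(256)) * 32)

        seized_hash = hash_file(source)                    # computed at the scene, before sealing
        source_hash, image_hash = acquire(source, image)   # done in the laboratory
        authenticated = seized_hash == source_hash == image_hash

        intact = verify(image, image_hash)                 # verification of an untouched image
        with open(image, "r+b") as f:                      # simulate one altered byte in the image
            f.seek(100)
            f.write(b"X")
        tampered = not verify(image, image_hash)           # verification now fails
        return {"authenticated": authenticated, "verified": intact, "tamper_detected": tampered}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Hashing while copying means the source is read only once, which matters for large or failing media; the hash taken at seizure, the hash of the bytes read during acquisition and the hash of the written image must all agree before the image is trusted for analysis.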

5.2 NETWORK FORENSICS


Network forensics, defined as the investigation of network traffic patterns and data captured in transit
between computing devices, can provide insight into the source and extent of an attack. It can also
supplement investigations focused on information left behind on computer hard drives following an
attack.

Identifying attack patterns requires a thorough understanding of common application and network
protocols. For example:

• Web protocols, such as HTTP and HTTPS
• File transfer protocols, such as Server Message Block (SMB) and Network File System (NFS)
• Email protocols, such as Simple Mail Transfer Protocol (SMTP)
• Network protocols, such as Ethernet, Wi-Fi, and Transmission Control Protocol/Internet Protocol
(TCP/IP)

The investigator must understand the normal form and behavior of these protocols to discern the
anomalies associated with an attack.

Know the Sources

Network forensic investigators examine two primary sources: full-packet data capture, and log
files from devices such as routers, proxy servers, and web servers. These files identify traffic patterns by
capturing and storing source and destination IP addresses, TCP ports, Domain Name System (DNS) site
names, and other information.

Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the
meaning and value, of data being transferred can be determined. Packet capture is not usually
implemented on networks full-time because of the large amount of storage required for even an hour’s
worth of data on a typical business network. In addition, there may be privacy concerns (although most
businesses today require all employees to sign an acknowledgement that they do not have a right to
privacy while on business-owned systems and networks).

Data capture is typically implemented when suspicious activity has been detected and may still be
ongoing. The network tap point for packet capture must be chosen carefully so that it can capture traffic
flowing among all affected devices, or multiple taps must be implemented.

Log files. Most modern network devices, such as routers, can store NetFlow (or equivalent) data in log
files on a full-time basis without affecting performance. Web servers, proxy servers, firewalls, Intrusion
Detection Systems (IDS), DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory server log
files also contain much useful information about activity on the network. These log files can be analyzed
to identify suspicious source and destination pairs (e.g., your server is communicating with a server in
Eastern Europe or China) and suspicious application activity (e.g., a browser communicating on a port
other than port 80, 443, or 8080).

One advantage of using log files is the much smaller file size compared to full-packet capture. Another
advantage is that the collection points are already in place in key locations, and it is not difficult to
collect and store the output from multiple devices into one master log for analysis. There are many free
as well as commercial tools for log aggregation.

Know the Tools

There are many free software tools available for network forensics. While a few have a graphical user
interface (GUI), most free tools have only a command-line interface, and many run only on Linux.

Especially in the case of full-packet captures, data must be reduced through filtering before detailed
analysis is performed.
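The two log-file checks named above (a suspicious source/destination pair, and a browser talking on a port other than 80, 443 or 8080) and the filtering and aggregation steps can be shown on a handful of flow records. The Python below is an added example, not part of this module: the NetFlow-style record layout, the 10.0.0.0/8 internal range, the approved external networks (standing in for the "do we expect to talk to that place" judgement) and the browser process names are all assumptions, and the records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed NetFlow-style export (assumed layout):
# timestamp,source_ip,destination_ip,destination_port,protocol,bytes,process
SAMPLE_FLOWS = """\
2024-03-01T09:00:01Z,10.0.0.5,10.0.0.20,445,tcp,120000,explorer.exe
2024-03-01T09:00:04Z,10.0.0.7,192.0.2.10,443,tcp,5400,chrome.exe
2024-03-01T09:00:09Z,10.0.0.7,198.51.100.23,4444,tcp,91000,chrome.exe
2024-03-01T09:01:15Z,10.0.0.9,203.0.113.77,8080,tcp,3000,firefox.exe
2024-03-01T09:01:40Z,10.0.0.9,203.0.113.77,6667,tcp,200,firefox.exe
2024-03-01T09:02:02Z,10.0.0.5,10.0.0.1,53,udp,90,svchost.exe
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # assumed corporate range
WEB_PORTS = {80, 443, 8080}                             # ports a browser is expected to use
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed browser process names


def parse_flows(text):
    """Turn the export into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes, proc = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
            "bytes": int(nbytes),
            "process": proc,
        })
    return flows


def reduce_to_external(flows):
    """Filtering step: keep only traffic that leaves the internal network."""
    return [f for f in flows if f["dst"] not in INTERNAL]


def find_anomalies(flows, approved_external):
    """Apply the two checks from the text: a browser on a non-web port, and an
    internal host talking to a destination outside the approved networks."""
    approved = [ipaddress.ip_network(n) for n in approved_external]
    findings = []
    for f in flows:
        if f["process"] in BROWSERS and f["port"] not in WEB_PORTS:
            findings.append(("browser_nonstandard_port", f))
        if (f["src"] in INTERNAL and f["dst"] not in INTERNAL
                and not any(f["dst"] in net for net in approved)):
            findings.append(("unapproved_destination", f))
    return findings


def aggregate_pairs(flows):
    """Master-log view: total bytes per (source, destination) pair."""
    totals = Counter()
    for f in flows:
        totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return totals


def rule_counts(findings):
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for rule, f in find_anomalies(flows, ["192.0.2.0/24", "203.0.113.0/24"]):
        print(f"{rule:26} {f['ts']} {f['src']} -> {f['dst']}:{f['port']} {f['process']}")
    for pair, total in aggregate_pairs(reduce_to_external(flows)).most_common(3):
        print(pair, total)
```

Filtering to external traffic first is the data-reduction step the section describes: on a real export it cuts the volume an analyst has to read long before any per-flow rule is applied, and the byte totals per pair make a single large transfer to an unexpected destination stand out.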

What You Can Do

There are steps organizations can take before an attack to help network-based forensic investigations be
successful. Here are three things you can do:

Put a process in place. For network forensic investigators to do their work, there need to be log and
capture files for them to examine. Organizations should implement event-logging policies and
procedures to capture, aggregate, and store log files.

Plan. Incident management planning will help to respond to and mitigate the effects of an attack.

Acquire the talent. The ability to interpret the data in log and capture files and to recognize malicious
activity in that data is a specialist skill that requires in-depth knowledge of network and application
protocols. Whether the talent is in-house or external, it is vital that organizations have access to
computer and network forensics investigators who are experienced and accessible.

5.3 MOBILE FORENSICS


Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from
mobile devices. “Forensically sound” is a term used extensively in the digital forensics world to
qualify and justify the use of a particular forensic technology or methodology. The central principle
for a sound forensic examination is that the original evidence must not be modified. Let us
understand this very important process step by step.

Mobile Forensics Steps

• Identification means locating the evidence (on a mobile phone). Preserving it means making sure
that the integrity of the digital evidence is not manipulated in any way, shape, or form.
Preservation must also include protecting or shielding the evidence from any radio
interference such as a mobile data network, Wi-Fi, Bluetooth, or any other means that
can give the device a remote connection. One of the best ways to isolate a mobile device is
by putting it into a Faraday bag, which blocks the transmission of electromagnetic
waves. Seizing the evidence is the process of protecting it from physical damage, which includes
the secure removal of the evidence and its proper transportation, protecting it from
electromagnetic fields, electric shock, excessive heat, etc. This is to protect it from any tampering.
• Alongside these steps, clear documentation is to be maintained (the "Chain of
Custody" forms) for future reference, such as in a court of law. The chain of custody contains
details pertaining to evidence values, any special notes, and a chain that describes the
handover of the evidence from one individual to another entity, with the date and time
captured in each instance. Another part of documentation is taking pictures (photographs)
of the crime scene, capturing the original state of the mobile device, as well as its make,
model, serial numbers and so on. Other details of the phone, such as the IMEI number or operating
system version, would help during the acquisition phase and need to be captured as
well.
• Forensic acquisition is the process of acquiring the original evidence in a forensically sound
manner while maintaining its integrity. This process is also known as "imaging". It can
be done on site (at the scene) or off-site (in the lab). The acquisition tools
of today possess the technical capability to break the passcode/PIN/pattern of just
about any mobile device.
• In the examination phase, the image is captured from the original evidence. It also includes
data which is deleted or hidden on the mobile device. In these instances, the relevant and
irrelevant data are separated by the forensic analyst based on the case background shared by
the investigator. In the analysis phase, the analyst looks for correlations among the
relevant data (revealed during the examination phase) and sets priorities for this data set
based on the investigation in progress. In summary, the examiner collects as much
information as he or she can and builds up the evidence. Some of the common types of
evidence are contacts, call logs, SMS, audio and video files, emails, any saved notes (these
might contain passwords for other accounts), saved geographic locations, web activity, and
social media updates and chats.
• Reporting is a comprehensive summary of the results of the mobile forensics investigation.
This phase also explains why a particular step was performed and the result that
followed from it. The final report also includes all the compiled documentation, which
includes the Chain of Custody forms, photographs, etc.

Types of Mobile Forensics

There are several types of mobile forensics processes, which are chosen based on the following
parameters:

• Type of phone (make, model, manufacturer)
• Operating system
• Encryption level
• Availability of the necessary passcode/PIN code/pattern

Manual method

In the manual method, the device is browsed through manually by the forensic specialist. The data on
the phone is directly seen/observed/accessed by using its keypad or touchpad. It is a quick method as
the examiner is aware of which data to browse first. This method holds the advantage of viewing
specific data in a readable format using its native application as it is being observed directly by the
forensics investigator. However, this method is prone to human error and biases. Also, it would take a
lot of time to capture all the needed data from the mobile device in question.

Logical method

The logical method is a quick way of extracting data directly from the user files. The advantage of this
method is that the extracted data can be viewed easily in mobile forensic tools. The size of the extracted
data is smaller, as the data is not acquired from the flash memory. However, the disadvantage of this
method is that it cannot recover deleted data/items from the mobile device.

Physical method

The Physical Method consists of accessing flash memory of the mobile phone and extracting data from
that space. In this case, the flash memory is being accessed directly to garner the existing data, and the
deleted data also gets captured as well. This method proves to be very beneficial in many forensics
cases. To access the flash memory, tools use a bootloader to bypass the security patch of the mobile
device.

File system

The File System method extracts data from the system level of the mobile device in question. In this
process, information and data related to the applications of the mobile device also get extracted. It is
the OS which stores information related to the deleted files in the file system.

5.4 MEMORY FORENSICS


Memory forensics (sometimes referred to as memory analysis) refers to the analysis of volatile data in a
computer’s memory dump. Information security professionals conduct memory forensics to investigate
and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.

WHAT IS VOLATILE DATA?

Volatile data is the data stored in temporary memory on a computer while it is running. When a
computer is powered off, volatile data is lost almost immediately. Volatile data resides in a computer's
short-term memory and can include data such as browsing history, chat messages, and clipboard
contents. If, for example, you were working on a document in Word or Pages that you had not yet saved
to your hard drive or another non-volatile memory source, you would lose your work if your
computer lost power before it was saved.

WHAT IS IN A MEMORY DUMP?

A memory dump (also known as a core dump or system dump) is a snapshot of computer
memory data captured at a specific instant. A memory dump can contain valuable forensic data about the
state of the system before an incident such as a crash or security compromise. Memory dumps contain
RAM data that can be used to identify the cause of an incident and other key details about what
happened.

THE IMPORTANCE OF MEMORY FORENSICS

Memory forensics can provide unique insights into runtime system activity, including open network
connections and recently executed commands or processes. In many cases, critical data pertaining to
attacks or threats will exist solely in system memory – examples include network connections, account
credentials, chat messages, encryption keys, running processes, injected code fragments, and internet
history which is non-cacheable. Any program – malicious or otherwise – must be loaded in memory to
execute, making memory forensics critical for identifying otherwise obfuscated attacks.
As attack methods become increasingly sophisticated, memory forensics tools and skills are in high
demand for security professionals today. Many network-based security solutions like firewalls and
antivirus tools are unable to detect malware written directly into a computer’s physical memory or RAM.
Security teams should look to memory forensics tools and specialists to protect invaluable business
intelligence and data from stealthy attacks such as fileless, in-memory malware or RAM scrapers.

MEMORY FORENSICS TOOLS

Traditional network and endpoint security software has some difficulty identifying malware written
directly in your system’s RAM. Traditional security systems typically analyze input sources like network,
email, CD/DVD, USB drives, and keyboards, yet lack the ability to analyze volatile data that is stored in
memory. These systems are viable options for protecting against malware in ROM, BIOS, network
storage, and external hard drives. However, your data in execution might still be at risk due to attacks
that upload malware to memory locations reserved for authorized programs. The most sophisticated
enterprise security systems now come with memory forensics and behavioral analysis capabilities which
can identify malware, rootkits, and zero days in your system’s physical memory.

Memory forensics tools also provide invaluable threat intelligence that can be gathered from your
system’s physical memory. Physical memory artifacts include the following:

• Usernames and passwords: Information users enter to access their accounts can be stored in
your system's physical memory.
• Decrypted programs: Any encrypted malicious file that gets executed must decrypt itself
to run. This threat intelligence is valuable for identifying and attributing threats.
• Open clipboard or window contents: This may include information that has been copied or
pasted, instant messenger or chat sessions, form field entries, and email contents.

While this is in no way an exhaustive list, it does demonstrate the importance of solutions that
incorporate memory forensics capabilities into their offerings. There are also a range of commercial and
open source tools designed solely for conducting memory forensics. The decision of whether to use a
dedicated memory forensics tool versus a full suite security solution that provides memory forensics
capabilities – as well as the decision of whether to use commercial software or open source tools –
depends on the business and its security needs.
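The artifacts listed above (credentials, decrypted code, clipboard and window contents) are usually first surfaced by the most basic memory-forensics technique: carving printable strings out of the dump and matching them against indicator patterns. The Python below is an added example, not from this module or any named tool: it carves both ASCII and UTF-16LE runs (Windows stores many in-memory strings, such as window titles, as UTF-16LE) from a memory dump that the script constructs itself; the minimum string length and the indicator patterns are assumptions.

```python
import re

MIN_LEN = 6  # assumption: shorter printable runs are mostly noise

INDICATORS = {  # assumed patterns; a real case uses the investigator's own
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "windows_path": re.compile(r"[A-Za-z]:\\[^\s\"'<>]+"),
    "credential": re.compile(r"(?i)(?:pass(?:word)?|pwd)=\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def build_sample_dump():
    """Constructed stand-in for a RAM capture: non-printable filler with a few
    process, URL, window-title, path, form-field and clipboard fragments embedded."""
    filler = bytes([0x00, 0x01, 0xFF, 0x80]) * 64
    pieces = [
        b"chrome.exe",
        b"https://intranet.example/login?next=/payroll",
        "Command Prompt - cmd.exe".encode("utf-16-le"),   # a window title, as Windows stores it
        b"C:\\Users\\alice\\AppData\\Local\\Temp\\update.bin",
        b"user=alice&password=hunter2",                    # a form field still in memory
        "clipboard: meeting at 15:00".encode("utf-16-le"),
        b"ab",                                             # too short, must be ignored
    ]
    dump = filler
    for piece in pieces:
        dump += piece + filler
    return dump


def carve_strings(dump, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run of min_len+ characters,
    in ASCII and in UTF-16LE, sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def find_indicators(strings):
    """Map each indicator type to the (offset, match) pairs found in carved strings."""
    hits = {name: [] for name in INDICATORS}
    for offset, _, text in strings:
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                hits[name].append((offset, m.group()))
    return hits


if __name__ == "__main__":
    dump = build_sample_dump()
    strings = carve_strings(dump)
    for offset, encoding, text in strings:
        print(f"{offset:08x} {encoding:8} {text}")
    for name, matches in find_indicators(strings).items():
        print(name, matches)
```

The offsets matter: once a string of interest is found, the analyst pivots from its offset to the surrounding structures (which process owned that page, what else sits nearby), which is what dedicated memory-forensics frameworks automate on top of this same carving step.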

5.5 MALWARE FORENSICS


Malware forensics is the process of finding, analyzing and investigating the various properties of malware to
identify the culprits and the reason for the attack. The process also includes tasks such as examining the
malicious code and determining its point of entry, method of propagation, impact on the system, ports it
tries to use, etc. Investigators conduct the forensic investigation using different techniques and tools.

Types of Malware:

Malware is categorized according to different parameters, such as how it affects the system, its
functionality or the intent of the program, its spreading mechanism, and whether the program asks for the
user's permission or consent before performing certain operations. A few of the commonly encountered
malware types are:

• Backdoor
• Botnet
• Downloader
• Launcher
• Rootkit
• HackTool
• Rogue application
• Scareware
• Worm or virus
• Credential-stealing program, etc.

Symptoms of Infected Systems:

The following are some symptoms of an infected system:

• The system may become unstable and respond slowly, as malware might be using system
resources.
• Unknown new executables are found on the system.
• Unexpected network traffic to sites that you do not expect to connect to.
• Altered system settings, such as the browser home page, without your consent.
• Random pop-ups shown as advertisements.

Recent additions to this set are alerts shown by fake security applications that you never installed.
Messages like "Your computer is infected" are displayed, asking the user to register the program to
get rid of the detected threat. Overall, the system will show unexpected and unpredictable behavior.

Different ways Malware can get into system:

• Instant messenger applications
• Internet relay chat
• Removable devices
• Links and attachments in emails
• Legitimate "shrink-wrapped" software packaged by a disgruntled employee
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games and screensavers from websites

Prerequisites for Malware Analysis:

Prerequisites for malware analysis include an understanding of malware classification, essential x86
assembly-language concepts, file formats such as the Portable Executable (PE) format, Windows APIs, and
expertise in using monitoring tools, disassemblers and debuggers.

Types of Malware Analysis:

The two types of malware analysis, distinguished by their approach, are:

1. Static malware analysis: a basic analysis of the code and comprehension of the malware that
explains its functions, without running it.
2. Dynamic malware analysis: executing the malware to observe its behavior and operations, and
identifying technical signatures that confirm the malicious intent.
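Static analysis starts from the file format named in the prerequisites. The Python below is an added example written for this page (not from the module or any named tool): it walks the DOS header, PE signature, COFF header and section table of a PE32+ image, hashes the file, and flags two classic static-triage signs, a section that is both writable and executable, and a section whose byte entropy is near the 8-bit maximum, which is typical of packed or encrypted payloads. The image is constructed by the script, so its section names, timestamp and the 7.0 entropy threshold are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumption: above this a section looks packed or encrypted


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty, 8.0 for uniformly distributed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header magic -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                     # COFF header is 20 bytes after the 4-byte signature
    (magic,) = struct.unpack_from("<H", data, opt_off)
    sections = []
    for i in range(nsections):
        (name, _, vaddr, raw_size, raw_ptr, _, _, _, _, sec_chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "raw_size": raw_size,
            "entropy": round(entropy(raw), 2),
            "exec": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(sec_chars & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "characteristics": chars,
        "sections": sections,
    }


def is_pe(data):
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def triage(pe):
    """Static flags derived from the headers alone, one string per finding."""
    flags = []
    for s in pe["sections"]:
        if s["entropy"] >= HIGH_ENTROPY:
            flags.append("high_entropy:" + s["name"])
        if s["exec"] and s["write"]:
            flags.append("writable_executable:" + s["name"])
    return flags


def build_sample_pe():
    """Constructed PE32+ image (not a real program): a low-entropy .text section and
    a writable+executable, uniformly distributed '.packed' section."""
    e_lfanew, opt_size = 0x80, 0xF0
    text = b"\x55\x48\x89\xe5" * 64            # 256 bytes over four byte values: entropy 2.0
    packed = bytes(range(256)) * 4             # every byte value equally often: entropy 8.0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0x65F0C000, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                      0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | 0x20)
    sec += struct.pack("<8sIIIIIIHHI", b".packed", len(packed), 0x2000, len(packed), 0x300,
                       0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40)
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + text + packed


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["sha256"], pe["machine"], "PE32+" if pe["pe32plus"] else "PE32")
    for s in pe["sections"]:
        print(f"{s['name']:8} rva={s['vaddr']:#x} size={s['raw_size']} H={s['entropy']}")
    print(triage(pe))
```

Nothing here executes the sample, which is the point of static analysis; the same header walk is what lets an analyst record the hash, architecture and compile timestamp for the report before deciding whether a dynamic run in an isolated environment is needed.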

Online Malware Analysis Services:

• VirusTotal
• Metascan Online
• Malware Protection Center
• Web Online Scanners
• Payload Security
• Jotti
• Valkyrie, etc.

Malware Analysis Tools:

• IDA Pro
• What's Running
• Process Explorer
• Directory Monitor
• RegScanner
• Capsa Network Analyzer
• API Monitor

Protecting computing systems against malware is an enormous concern. Every day many new malware
samples are created and, worse, the new samples are highly sophisticated and very difficult to detect,
because malware developers use various advanced techniques to hide the code or the behavior of the
malware. It therefore becomes very hard to analyze the malware for the information needed to design a
malware detection system, because of anti-static and anti-dynamic analysis techniques. Forensic analysts
must therefore have sound knowledge of the various malware programs, their working, propagation and
site of impact, as well as the methods of detection and analysis, and must keep that knowledge
continuously up to date.

5.6 SOCIAL MEDIA FORENSICS


Social media needs no introduction. It has taken over the world and our lives like an insidious wave. It is
a wave that has brought the world closer, yet not without detrimental effects. At present, over 3.397
billion users are active on social media, spending 116 minutes per day on average. With abundant
personal information available on social media platforms, it is now the hotbed of crimes and malicious
activities. But where there is crime, there is also investigation to bring justice to victims and to combat such
occurrences in the future. Here we present some common social media crimes and the science of social media
forensics, and explain how investigators extract social media forensic evidence and perform forensic
analysis of social networking applications on mobile devices.

The Black Hole called Social Media

Social media is any application or website that facilitates users to interact and socialize, share ideas and
information, upload photos and files, participate in various activities/events, and engage in real-time
conversations.

Online communication in the form of social networking has witnessed a colossal evolution in the last
couple of years. From September 2017 to October 2018, the number of social media users grew by 320
million. That is one new social media user every 10 seconds! In fact, WhatsApp and Facebook
Messenger handle 60 billion messages every day!

Social Media Statistics

The social media world is of mammoth size, and it is only increasing by the day! Here are some social
media statistics for you. Did you know that Facebook adds 500,000 new users every day?
This amounts to the creation of 6 new profiles every second! There are 1.3 billion accounts on Twitter,
with 326 million active users each month! As we write this blog, LinkedIn has a user base of 500
million members, whereas Snapchat has 187 million daily active users! In fact, 60% of Snapchat users are
under the age of 25. Furthermore, Pinterest boasts 200 million active users every month. Speaking of
social media, how can we not talk about our favorite video content platform, YouTube? Did you know
that YouTube sees around 1,148 billion mobile video views each day? When it comes to publishing
content, users publish 74.7 million blog posts per month on WordPress alone! Whoa! That is quite
some activity online, isn't it?

Type of Social Networking Platforms

We all know what social media is. But what most don't know is that Facebook, Instagram, Twitter,
Snapchat and WhatsApp are not the only social media platforms. The classification of social media
platforms is based on their primary purpose of use. The following are the different types of social
networking platforms.

1. Social Networks

Also sometimes called "relationship networks", social networks enable people and organizations to
connect online for exchanging information and ideas.

Use: To associate with people and brands virtually.

Examples: Facebook, Twitter, WhatsApp, LinkedIn

2. Media Sharing Networks

Media sharing networks enable users and brands to search for and share media online. This includes
photos, videos, and live videos.

Use: To search for and share photos, videos, live videos, and other forms of media online.

Examples: Instagram, Snapchat, YouTube

3. Discussion Forums

One of the oldest types of social media platforms, discussion forums are an excellent repertoire for
market research. They provide a wide range of information and discussion on various subjects.

Use: Serves as a platform to search, discuss, and exchange information, news, and opinions.

Examples: Reddit, Quora, Digg

4. Bookmarking and Content Curation Networks

Such social networking platforms enable people to explore and discuss trending media and content.
These platforms are the epicenter of creativity for those seeking new ideas and information.

Use: To explore, save, exchange, and discuss new and trending content and media.

Examples: Pinterest, Flipboard

5. Consumer Review Networks

Consumer review networks enable people to express their opinions/experiences about products,
services, brands, places, and everything else under the sun!

Use: To search, review, and share opinions/information about brands, restaurants, products, services,
travel destinations, etc.

Examples: Yelp, Zomato, TripAdvisor

6. Blogging and Publishing Networks

Blogging/publishing networks serve as a platform for publishing online content in a way that facilitates
discovery, commenting and sharing. Publishing platforms consist of traditional blogging platforms such as
Blogger and WordPress, microblogging platforms such as Tumblr, and even interactive platforms such as
Medium.

Use: To publish, explore, and comment on content online.

Examples: WordPress, Tumblr, Medium

7. Sharing Economy Networks

It is also known as ‘collaborative economy network’. These networks enable people to connect online
for advertising, finding, sharing, trading, buying and selling of products and services online.

Use: To find, advertise, share, and trade products and services online.

Examples: Airbnb, Uber, TaskRabbit

8. Anonymous Social Networks

As the name itself states, such social networks enable users to share content anonymously. Thus,
miscreants are increasingly misusing such platforms for cyberbullying.

Use: To anonymously spy, vent, gossip, and sometimes bully.

Examples: Whisper, Ask.fm, After School

Social Networking Platforms Offer a Lucrative Platform for Executing Social Media Crimes

On the righteous side, one may use social media platforms to socialize and communicate with near and
dear ones. However, it is the anonymous and diverse nature of social networking platforms that
miscreants use for unethical activities. Innocent-looking profiles can often be the masquerade for
fraudsters, phishers, child predators, lechers, and other cyber criminals.

In spite of the stringent policies imposed by social media platforms, there are approximately 270 million
fake profiles on Facebook!!!

Additionally, the abundance of personal information available on social networking platforms renders
them a favorite of cyber criminals. After the compromise of a profile, a hacker can access, manipulate
and misuse its information for various malicious activities. Other unscrupulous activities on such
platforms include stalking, bullying, defamation, circulation of illegal or pornographic material etc.

Following are some types of social media crimes.

1. Hacking

This happens when you are not able to log into your account because someone has broken into it and
taken complete control of it. Facebook is the most hacked social networking site.

Social media hacking usually occurs when:

• The user does not log out of the account, especially when using a public computer.
• Passwords are shared with strangers, either unintentionally or as a result of social engineering.
• Easy-to-guess passwords, or the same password across multiple platforms, are used.
• The login email account itself is hacked.

2. Photo Morphing

Photo morphing is the use of editing to change an image/shape into another without much difficulty.
Available data shows that people share nearly 3.2 billion images daily on social media platforms. The
widespread availability of media on social networking platforms makes it a cakewalk for miscreants to
download and misuse them.

Miscreants morph the images of popular figures and upload them to adult websites, or use them to
blackmail the victims for sexual or financial favors.

3. Offer & Shopping Scams

Women are usually known to fall for such offer and shopping scams on social networking platforms.

For example, a miscreant uses a shopping offer to make a user click on a link. Once clicked, it prompts
the user to forward it to 20 people to claim the coupon. The user never gets a coupon, but
the cybercriminal gets his/her personal information!

4. Dating Scams

In such scams, the fraudster connects with the victim using a fake name and picture. Once they befriend
the victim, they move to a different platform for further communication.

Once they realize that the victim has fallen for them, they first send small gifts like flowers and cards,
and later start demanding emergency monetary help, such as recharging their phone to talk, booking
flight tickets to meet, medical reasons etc. At times, fraudsters may also record video calls or the screen,
and later use the recordings to blackmail the victim.

5. Cyberbullying

Cyberbullying is an act that involves sending or publishing obscene messages or humiliating content
online, or issuing threats to commit violent acts. It includes sending or sharing nasty or false information
about another individual for character assassination and causing humiliation.

Example: Imposters used social media platforms such as Facebook and WhatsApp for circulating the
deadly Blue Whale and Momo Challenges. These resulted in the death of many teenagers across the
globe as they committed suicide as a part of the challenge.

6. Link Baiting

In such scams, the fraudster sends the victim a link that entices the victim to open it. On opening, it
leads to a fake landing page which prompts the victim to enter his/her account credentials. This hands
the credentials to the cybercriminal, who later uses them for illicit activities.

Example: The victim gets a message: “Somebody just put up these pictures of you drunk at this wild
party! Check ’em out here!”
Immediately, the victim clicks on the enclosed link, which leads to his/her Twitter or Facebook login
page. Once the victim enters his/her account details, the cybercriminal has the password and can take
total control of the account.

Social Media Forensics or Social Network Forensics

Now that you know how perpetrators can use social networking platforms to wreak havoc, are you
considering an exit? Well, let us enlighten you about digital forensics then! The increase in social media
crimes has also resulted in the increasing importance of digital forensics for their investigation.

Precisely known as social media forensics or social network forensics, it focuses on retrieval of electronic
evidence from social networking activities. Such evidence often plays a crucial role in the conviction or
acquittal of a suspect.

Social media forensics involves the application of cyber investigation and digital analysis techniques for:

Collecting information from social networking platforms such as Facebook, Twitter, LinkedIn etc.

Storing,

Analyzing, and

Preserving the information for fighting a case in the court of law

Social Media Forensics is basically about locating the source of electronic evidence. This is accompanied
by collecting it without altering it, while complying with all applicable laws.

Evidence Collection in Social Media Forensics

The simplest method of evidence collection in social media forensics is a manual collection. It uses basic
techniques such as visiting a website and/or taking a screenshot and is quite time-consuming. On the
contrary, open source tools and other commercial forensic tools offer a quicker gathering and extraction
of evidence. Additionally, since investigators often deal with a lot of live content, they also use content
archiving to preserve the nature of the evidence.

Above all, e-discovery or evidence collection needs to be in compliance with the terms of service
agreement. Every social networking platform has specified terms and conditions that define the nature
of the information that an investigator can collect and manipulate. Such conditions often inhibit
investigations, since the defense may cite a breach of the terms of service to discredit the evidence.
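As an added example (not part of the module or of any tool it names), the following Python shows the documentation a manual or archived capture needs so that its integrity can be demonstrated later: the source URL, who captured it, how and when (in UTC), and a SHA-256 digest of the captured bytes that is re-checked before the evidence is relied on. The HTML snapshot, URL and examiner name are constructed placeholders.

```python
"""Added example: hash-backed capture record for archived social-media content."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: raw bytes of a profile page exactly as captured by the examiner.
CAPTURED_HTML = b"<html><body><div class='post'>Meet me at 9pm</div></body></html>"


def sha256_hex(data: bytes) -> str:
    """Digest of the raw bytes as captured; any later change alters the value."""
    return hashlib.sha256(data).hexdigest()


def make_capture_record(url: str, content: bytes, collector: str, method: str,
                        captured_at: Optional[datetime] = None) -> dict:
    """Build the record that must accompany a capture: source, who, how, when, digest."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "source_url": url,
        "collector": collector,
        "method": method,  # e.g. screenshot, HTTrack mirror, web archiving service
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(),
        "content_length": len(content),
        "sha256": sha256_hex(content),
    }


def verify_capture(record: dict, content: bytes) -> bool:
    """Authentication step: re-hash the stored content and compare with the record."""
    return (record["content_length"] == len(content)
            and record["sha256"] == sha256_hex(content))


if __name__ == "__main__":
    record = make_capture_record(
        url="https://www.example.com/profile/constructed-sample",  # placeholder
        content=CAPTURED_HTML,
        collector="Examiner A (placeholder)",
        method="HTTrack mirror (constructed)",
        captured_at=datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    )
    print(json.dumps(record, indent=2))
    print("intact:", verify_capture(record, CAPTURED_HTML))
    print("tampered:", verify_capture(record, CAPTURED_HTML.replace(b"9pm", b"8pm")))
```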

The Three Basic Stages of Social Media Forensics

Social media forensics has three basic stages for the extraction, preservation, and analysis of electronic
evidence.

1. Evidence Identification

This step involves a thorough inspection of the crime scene to locate any hardware or software that is
worthy of collection. It also includes conducting a basic search to identify all social networking accounts
linked to the subject, and extends to a search of the subject’s family, friends and associates on
social media. A forensic examiner needs to precisely document all sources of evidence along with how
and when they were found.

2. Collection

Forensic investigators use various methods to collect electronic evidence. Following are the methods for
social media evidence collection.

Manual documentation

Screen scrape/Screenshot

Open source tools (HTTrack)

Commercial tool (X1)

Web service (Page freezer)

Forensic recovery

Content subpoena

Furthermore, different social media forensic toolkits are available for the logical acquisition of
evidence on smartphones. Logical acquisition involves capturing a logical image of all files on the
smartphone’s internal memory. The files are then analyzed for evidence of various activities.

3. Examination (Organization)

The files obtained during the logical acquisition require specific tools for decoding and viewing their
contents. Once decoded, they provide a vast amount of user data such as call history, sent and received
SMS, calendar events, and address book entries. For social media forensics examiners, they provide a
huge bank of social networking footprints. These artifacts are then examined and correlated to the
actual case in hand.

Facebook Artifacts: Activity logs, Facebook archives, profile information, places visited, locations and
geo-locations, friends and family, applications, pages, groups, interests, text and links, the timestamp of
all activities, details of friends engaged in active chat sessions with the subject and much more.

Twitter Artifacts: User information, tweets posted, timestamps of the posted tweets, records of people
followed by the subject and their tweets along with timestamps.
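As an added example, not code from the module, the following Python performs the correlation step described above on constructed artifact records: Facebook-style entries carrying epoch-second timestamps and Twitter-style entries carrying ISO 8601 times with a UTC offset are normalized to UTC, merged into one timeline, and filtered to everything within a window of a pivot event. The record layouts and contents are constructed samples, not real platform exports.

```python
"""Added example: cross-platform timeline correlation of constructed artifacts."""
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts (not real platform exports). Timestamps in the two
# sets use different conventions, which is exactly what the examiner must reconcile.
FACEBOOK_ARTIFACTS = [
    {"kind": "post", "timestamp": 1705311000, "text": "Anyone selling cheap coupons?"},
    {"kind": "chat", "timestamp": 1705314600, "text": "Send me the login, I'll fix it"},
    {"kind": "place", "timestamp": 1705400000, "text": "Checked in: Cafe (constructed)"},
]
TWITTER_ARTIFACTS = [
    {"kind": "tweet", "created_at": "2024-01-15T15:35:00+05:30", "text": "new phone who dis"},
    {"kind": "tweet", "created_at": "2024-01-16T10:00:00+00:00", "text": "lost access to my acct"},
]


def fb_to_utc(epoch_seconds: int) -> datetime:
    """Epoch seconds are timezone-free; interpret them explicitly as UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def tw_to_utc(iso_string: str) -> datetime:
    """ISO 8601 with an offset: parse, then convert the wall-clock time to UTC."""
    return datetime.fromisoformat(iso_string).astimezone(timezone.utc)


def build_timeline(fb_records: list, tw_records: list) -> list:
    """Merge both platforms into (time_utc, platform, kind, text) tuples, oldest first."""
    events = [(fb_to_utc(r["timestamp"]), "facebook", r["kind"], r["text"]) for r in fb_records]
    events += [(tw_to_utc(r["created_at"]), "twitter", r["kind"], r["text"]) for r in tw_records]
    return sorted(events)  # tuples sort on the datetime first


def events_within(timeline: list, pivot: datetime, window: timedelta = timedelta(hours=2)) -> list:
    """Correlation: every event from any platform within +/- window of the pivot."""
    return [ev for ev in timeline if abs(ev[0] - pivot) <= window]


if __name__ == "__main__":
    timeline = build_timeline(FACEBOOK_ARTIFACTS, TWITTER_ARTIFACTS)
    for when, platform, kind, text in timeline:
        print(when.isoformat(), platform, kind, text)
    pivot = fb_to_utc(1705314600)  # the chat message, 2024-01-15 10:30 UTC
    print("events within 2h of the chat:", len(events_within(timeline, pivot)))
```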

Social Networking Applications & Mobile Devices

Due to the increasing use of social applications on smartphones, they are the biggest repository of
evidence for forensic investigators. Did you know that more than 90% of social media users use mobile
devices to access social networking platforms? Thus, they store a lot of potential information that social
media forensics professionals can extract with the right tools. Furthermore, with the right inspection
methods and tools, such evidence can provide crucial leads in a case.

In fact, half of Facebook users access Facebook through its mobile applications on their smartphones or
tablets. Moreover, such users are twice as active compared to those who use other devices (desktop,
laptop) to access Facebook.

Since millions of users leverage social networking applications on their mobile devices, the probability of
misuse is also quite high! Hence, a forensic analysis of the suspect’s mobile device offers a great
potential to aid in his/her incarceration or exoneration.

Challenges of Forensic Analysis of Social Networking Applications on Mobile Devices

For all their potential, smartphones also pose many challenges to social media forensics
investigators. Because smartphones are always active and constantly update their data, evidence is
lost faster. Secondly, the closed-source OS of smartphones (except for Linux-based phones) makes it
difficult to extract evidence using custom tools.

To make things worse for forensic examiners, smartphone vendors release new OS versions very often. This
makes it challenging for social media forensics professionals to keep up with the latest tools and
methods for examination.

Incognito Forensic Foundation (IFF Lab) – Social Media Forensics Laboratory in Bangalore

We are living in an era where each person has 5.54 social media accounts on average. In such
circumstances, the use of social networking platforms for executing a host of online crimes is inevitable.
Incognito Forensic Foundation (IFF Lab) is a digital forensics lab in Bangalore that offers a range of digital
forensics services such as social media forensics, mobile phone forensics, and cyber forensics. IFF Lab is
a trusted name in the digital forensics industry and boasts a reputed clientele.
