Digital Forensics Module 1 _notes (2)

Digital forensics is a branch of forensic science focused on recovering and investigating digital evidence related to cybercrime, involving processes like seizure, acquisition, analysis, and reporting. It encompasses various types such as disk, network, and mobile forensics, and emphasizes the importance of quality assurance and standard operating procedures to ensure evidence is admissible in court. The document outlines the procedures, tools, and applications of digital forensics, highlighting its role in incident response and the advantages and disadvantages of the field.

UNIT 1
DIGITAL FORENSICS

1.1 What Is Digital Forensics?

Digital forensic science is a branch of forensic science that focuses on the recovery and investigation of material found in digital devices related to cybercrime. The term digital forensics was first used as a synonym for computer forensics.

Since then, it has expanded to cover the investigation of any device that can store digital data. Although the first computer crime was reported in 1978, followed by the Florida Computer Crimes Act, it wasn't until the 1990s that it became a recognized term. It was only in the early 21st century that national policies on digital forensics emerged.

Digital forensics is the process of identifying, preserving, analyzing, and documenting digital evidence. This is done in order to present evidence in a court of law when required.

1.2 STANDARD PROCEDURE: WHAT ARE THE STEPS IN FORENSIC ANALYSIS?

Digital forensics is a computer forensic science that involves the process of seizure, acquisition, analysis, and reporting of evidence found in electronic devices and media to be used in a court of law. Following is a detailed description of each phase.

1) Seizure

The seizure step involves marking the elements that will be used in later processes. Photographs of the scene and notes are taken. An important question to answer in this phase is whether or not to pull the plug on the network. Leaving the system online while proceeding may alert the attacker, allowing them to wipe the attack traces and destroy evidence. The attacker may also leave a dead man's switch, which destroys the evidence once the system goes offline. In such circumstances, it may be necessary or advisable to gather evidence from the system while it is running, in a live state, being fully aware that this causes changes to the system and that the reasons for taking this approach must be explained.

DIGITAL FORENSICS MODULE 1- DEPARTMENT OF AI&DS AND CYBER SECURITY- KARPAGAM
COLLEGE OF ENGINEERING

2) Acquisition

After the seizure phase comes data collection, or acquisition. The data must be acquired without altering or damaging the source, which will be analyzed later. Note that an illegal seizure or improper methodology can affect the admissibility of the evidence in court. Following the applicable rules of evidence, evidence is admitted into court when permitted by the judge. For this reason, methods of acquiring evidence should be forensically sound and verifiable. Acquisition can be physical or logical. In physical acquisition, a bit-stream image is captured from the physical storage media, while in logical acquisition, a sparse or logical image is captured from the storage media. In both cases, write blockers are to be used to prevent the evidence from being modified. The duplicate image must be verified to be identical to the source by comparing the hash value of the acquired image/copy with the hash value of the original media.
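As an added illustration (this code is not from the notes or from any forensic tool), the following Python sketch images a source stream while hashing it on the way, re-hashes the written image, and records the details an acquisition report later needs (examiner, tool, timestamps, both hashes); it also re-verifies a working copy against the record before analysis. It assumes in-memory byte streams as constructed stand-ins for media sitting behind a write blocker; the function names are my own.

```python
"""Single-pass imaging with hash verification and an acquisition record (example)."""
import hashlib
import io
from datetime import datetime, timezone
from typing import BinaryIO, Dict

# Two independent digests, as most imagers record; both must match.
ALGORITHMS = ("md5", "sha256")


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a stream from its current position in fixed-size chunks,
    so a multi-terabyte image never has to fit in memory."""
    hashers = _new_hashers()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source: BinaryIO, image: BinaryIO, examiner: str, tool: str,
            chunk_size: int = 1 << 20) -> dict:
    """Copy source -> image bit for bit. The source is hashed as it is read
    (the source is only ever read, as it would be behind a write blocker), the
    written image is then re-read and hashed, and the two are compared."""
    started = datetime.now(timezone.utc).isoformat()
    hashers = _new_hashers()
    copied = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
        image.write(chunk)
        copied += len(chunk)
    image.flush()
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    image.seek(0)
    image_hashes = hash_stream(image, chunk_size)
    # The record carries what the reporting phase lists for acquisition.
    return {
        "examiner": examiner,
        "tool": tool,
        "started_at": started,
        "finished_at": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(record: dict, image: BinaryIO, chunk_size: int = 1 << 20) -> bool:
    """Re-check a working copy against the hashes in the acquisition record.
    Run this before analysis to show the copy is still identical to the source."""
    image.seek(0)
    return hash_stream(image, chunk_size) == record["source_hashes"]


def acquire_from_bytes(data: bytes, examiner: str = "examiner",
                       tool: str = "example-imager") -> dict:
    """Image a constructed in-memory byte string (stand-in for real media)."""
    return acquire(io.BytesIO(data), io.BytesIO(), examiner, tool)


def verify_bytes(record: dict, data: bytes) -> bool:
    """Verify an in-memory working copy against a record."""
    return verify_image(record, io.BytesIO(data))


if __name__ == "__main__":
    # Constructed "evidence": a small pseudo-disk, not real media.
    evidence = b"MBR\x00" + bytes(range(256)) * 4
    rec = acquire_from_bytes(evidence, examiner="A. Examiner", tool="example-imager 0.1")
    print(rec["verified"], rec["source_hashes"]["sha256"])
    # A copy with a single flipped byte no longer matches the record.
    print(verify_bytes(rec, evidence), verify_bytes(rec, evidence[:-1] + b"\x00"))
```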

It is always recommended to capture data from the most volatile to the least volatile. The order of volatility is:

• Registers, cache
• Network state (ARP cache and routing table)
• Running processes
• Kernel modules and statistics
• Main memory
• Temporary files on disk

There are several tools for acquiring data, most of which are software-based and require training to successfully perform the collection phase. InfoSec Institute offers hands-on labs to learn and practice data acquisition and evidence collection using popular commercial and open-source tools in a real forensics environment with real use cases.

3) Analysis

In the analysis phase, evidence should be extracted by interpreting the acquired information. Appropriate methodologies and standards should be followed during this procedure (described in the next section). The investigator should examine the acquired copy/image of the media, not the original media.

The examiner may use additional tools to conduct special actions and help retrieve additional information, such as deleted files. Those tools must be validated to ensure their correctness and reliability, as noted above. Referring to the requestor documentation, the examiner extracts evidence from the collected data. Typically, there are two approaches. In the first, the examiner looks for something they don't know within something they know: infected programs, opened programs, erased documents, Internet history, or chat/call history. In the second, they look for something they know in something they don't know, trying to extract meaningful information from unstructured data, such as URLs, email addresses, or cryptographic keys, through the use of carving techniques. The evidence found is then assembled to reconstruct events or actions and provide facts. In the case of multiple sources, the evidence is aggregated and correlated. The facts may identify the attack scenario, attacker identity, attacker location, or any other relevant information, which is provided to the requestor.

In contrast with the seizure phase (which can be conducted by non-experts), the acquisition and analysis phases must be conducted by experts. Examiners must have the required knowledge and be properly trained. InfoSec Institute offers accelerated in-depth computer forensics boot camp sessions that include seminar-style lectures and hands-on labs focusing on identifying, preserving, extracting, analyzing, and reporting computer forensic evidence.

4) Reporting

After the examination is complete, the results are reported, along with a detailed description of the steps conducted during the investigation. An examination report typically includes the following details: information related to the acquisition phase (the person who did the examination, when it was done, what software/hardware tools were used, and their version numbers), the hash of the original data and the hash of the acquired data, and the photographs taken. Detailed information related to the examination phase, such as descriptions of the examined media (volatile memory, hard disk, etc.), is also included in the report. This allows another examiner to identify what has been done and to assess the findings independently. Further actions are determined after the report is reviewed.

Quality, Quality Assurance, Quality Control

One important aspect of digital forensic examination is quality. Quality in this case means measuring the results of a forensic examination and its compliance with defined procedures, methodologies, policies, and standards. Hence, to ensure the reliability and accuracy of the digital forensic examination, effective quality control must be established and maintained. Quality assurance will guarantee that forensic examination results can successfully be admitted in court. This should be implemented in every step of the forensic procedure. The acquisition phase must be carried out correctly by ensuring the use of documented and standard procedures, verified forensic tools, the technical competence of the examiner, and the technical capabilities of the laboratory. In the analysis phase, results must be verified by performing the same steps using another forensic tool. In addition, documented procedures must still be followed for this step. In the reporting phase, quality can be assured by subjecting the reports and analysis to rigorous peer review before submission to court.

What Are Standard Operating Procedures?

Standard operating procedures (SOPs) are documented quality control guidelines to be followed in performing routine operations. They contain detailed information on procedures, methodologies, report formats, and the approval process. SOPs are crucial components of digital forensic quality assurance practices. There are a few widely accepted guidelines that should be followed.

The Scientific Working Group on Digital Evidence (SWGDE) creates a number of standards for digital forensics. SWGDE has a set of useful documents on its website, https://www.swgde.org, that examiners and labs should consult to delve deeper into the nuances of proper digital forensics examination.

For example, SWGDE's Model Standard Operation Procedures for Computer Forensics document defines examination requirements, process structures, and documentation. According to this document, there are four steps of examination:

Visual Inspection: The purpose of this inspection is just to determine the type
of evidence, its condition, and relevant information to conduct the examination. This is
often done in the initial evidence seizure. For example, if a computer is being seized,
you would want to document whether the machine is running, what condition it is in,
and what the general environment is like.

Forensic Duplication: This is the process of duplicating the media before examination. It is always recommended to work on a forensic copy and not the original.

Media Examination: This is the actual forensic testing of the media. By media, we mean a hard drive, RAM, SIM card, or some other item that can contain digital data.

Evidence Return: Exhibit(s) are returned to the appropriate location, usually some locked or secured facility.

1.2.2 INTRODUCTION OF COMPUTER FORENSICS

Introduction
Computer Forensics is a scientific method of investigation and analysis in order to
gather evidence from digital devices or computer networks and components which is
suitable for presentation in a court of law or legal body.
It involves performing a structured investigation while maintaining a documented
chain of evidence to find out exactly what happened on a computer and who was
responsible for it.
TYPES

• Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the device by searching active, modified, or deleted files.
• Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and analyzing computer network traffic.
• Database Forensics: It deals with the study and examination of databases and their related metadata.
• Malware Forensics: It deals with the identification of suspicious code and the study of viruses, worms, etc.
• Email Forensics: It deals with emails and their recovery and analysis, including deleted emails, calendars, and contacts.
• Memory Forensics: It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then analyzing it for further investigation.
• Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, and other data present on them.

• Identification: Identifying what evidence is present, where it is stored, and how it is stored (in which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
• Preservation: Data is isolated, secured, and preserved. This includes prohibiting unauthorized personnel from using the digital device so that the digital evidence is not tampered with, mistakenly or purposely, and making a copy of the original evidence.
• Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on the evidence.
• Documentation: A record of all the visible data is created. It helps in recreating and reviewing the crime scene. All the findings from the investigation are documented.
• Presentation: All the documented findings are produced in a court of law for further investigation.

Procedure for computer forensics:

The procedure starts with identifying the devices used and collecting the preliminary evidence at the crime scene. Then a court warrant is obtained for the seizure of the evidence, which leads to the seizure of the evidence. The evidence is then transported to the forensics lab for further investigation, and the procedure for transporting the evidence from the crime scene to the lab is called the chain of custody. The evidence is then copied for analysis and the original evidence is kept safe, because analysis is always done on the copied evidence and not the original. The analysis is then done on the copied evidence for suspicious activities and, accordingly, the findings are documented in a nontechnical tone. The documented findings are then presented in a court of law for further investigation.

Some Tools used for Investigation:

Tools for Laptop or PC:
• COFEE – A suite of tools for Windows developed by Microsoft.
• The Coroner's Toolkit – A suite of programs for Unix analysis.
• The Sleuth Kit – A library of tools for both Unix and Windows.

Tools for Memory:
• Volatility
• WindowsSCOPE

Tools for Mobile Devices:
• MicroSystemation XRY/XACT
APPLICATIONS
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance

Advantages of Computer Forensics:
• To produce evidence in court, which can lead to the punishment of the culprit.
• It helps companies gather important information about their computer systems or networks potentially being compromised.
• Efficiently tracks down cyber criminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows the factual evidence to be extracted, processed, and interpreted so that the cybercriminal's actions can be proved in court.

Disadvantages of Computer Forensics:
• Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• The need to produce authentic and convincing evidence.
• If the tool used for digital forensics does not conform to the specified standards, the evidence can be rejected by the court.
• A lack of technical knowledge on the part of the investigating officer might not give the desired result.
1.3 Incident Identification And Response

Incident response is an activity to identify the attack, minimize the loss caused by the attack, and determine the loss of data during the attack. Every organization follows these steps in order to prepare for, detect, and recover from data loss.

Due to the increasing number of cyber attacks in today's world, digital forensics and incident response have become a major practice for staying safe from these attacks. Every organization nowadays stores its information in the cloud due to its increased protection and services. DFIR helps in ensuring protection from various threats that are connected to the network.

DFIR uses different tools and advanced technology, such as AI and ML, which help in building preventive measures.

Digital Forensic Process

The digital forensic process is a method that investigators follow to find the evidence. The digital forensic process consists of three steps:

Acquisition:
In this step, an exact duplicate of the media is created using a hard drive duplicator or other tools. In this way the original media is kept safe from tampering.

Analysis:
After the acquisition process is over, the digital forensic specialist analyses the duplicate data. The analysis is conducted on the ongoing incident and finds out how the attacker entered the system and what the area of loss is.

Reporting:
Once the investigation is completed and the incident is covered, the report is sent to the authorized authority for law enforcement.

Use of Digital Forensics in Incident Response plan

Digital forensics helps in incident response planning by providing the necessary information and evidence to the computer emergency response team. Digital forensics includes:
File system Forensics:
Analysis of the file system is done within the endpoint.
Memory Forensics:
Analysis of memory is also done to find signs of attack that were not found in the file system forensics.
Network Forensics:
The ongoing network activities, such as browsing activities, emails, and messaging, are monitored to identify the attack. Through this, the technique used by the attacker can be identified.
Log Analysis:
The login activity or login records are monitored to find unwanted activity or events.

Digital forensics helps in responding to an attack and, moreover, also helps in finding vulnerabilities in systems that are prone to attacks. The data provided by digital forensics helps in strengthening security measures. This overall helps in reducing the risk to the organization.

Advantages of Digital Forensic and Incident response (DFIR)

Digital forensics and incident response are two different things but are correlated to each other in some ways. There are several advantages of digital forensics and incident response; some of them are listed below:
– Responding to incidents with speed and accuracy.
– Following the same process whenever an incident is investigated and evaluated.
– Minimizing data loss and data theft so that no harm is done to the reputation of the company or organization.
– Working on strengthening security and addressing existing risks.
– Recovering from threats quickly.
– Assisting in finding out the person who is behind the attack through evidence and documentation.

1.3 Recovering Deleted Digital Data

According to a survey, 93% of all information never leaves digital form. The majority of information these days is created, modified, and consumed entirely in digital form. This means most spreadsheets and databases never make it onto paper, and most digital snapshots never get printed. In this section, we will discuss methods and techniques to recover deleted digital evidence.

What is Digital Evidence?

Digital evidence is any information that is stored or transmitted in digital form that a party at court can use at the time of trial. Digital evidence can be audio files and voice recordings, address books and contact lists, backups of various programs (including backups of mobile devices), browser history, cookies, databases, compressed archives (ZIP, RAR, etc.) including encrypted archives, etc.

Destroyed Evidence

In a criminal or cyber-criminal case, attempts to destroy the evidence are very common. Such attempts can be more or less successful depending upon the following conditions:

• The action taken to destroy the evidence.
• The time available to destroy the evidence.
• The type of storage device, such as a magnetic hard drive, flash memory card, or SSD.

In this section, we will discuss some of the methods used to destroy evidence and ways to recover the destroyed evidence.
Deleted Files

Deleting files is one of the easiest, most convenient, and foremost ways to destroy evidence, whether using the "Delete" key or "Shift+Delete". The principle of recovering deleted files is based on the fact that Windows does not wipe the contents of a file when it is deleted. Instead, the file system record storing the exact location of the deleted file on the disk is marked as "deleted", and the disk space previously occupied by the deleted file is labeled as available, but not overwritten with zeroes or other data.

• A deleted file can be retrieved by analyzing the contents of the Recycle Bin, as files are temporarily stored there before being erased.
• If the deleted files leave no trace in the Recycle Bin, as in the case of the "Shift+Delete" command, you can use commercial recovery tools to recover the deleted evidence. One example of such a commercial tool is DiskInternals Partition Recovery.
• By looking for characteristic signatures of known file types, analyzing the file system and/or scanning the entire hard drive, one can successfully recover:
  • Files that were deleted by the user.
  • Temporary copies of Office documents (including old versions and revisions of such documents).
  • Temporary files saved by many applications.
  • Renamed files.
• Information stored in deleted files can be supplemented with data collected from other sources. For example, the "chatsync" folder in Skype stores internal data that may contain chunks and bits of user conversations. This means that if the "chatsync" folder exists, there is a possibility of recovering user chats even if the Skype database is deleted. Many tools exist for this purpose, such as Belkasoft Evidence Center 2020.

Formatted Hard Drives

Recovery of data from a formatted hard drive depends upon a lot of parameters. Information from a formatted hard drive may be recoverable either using data carving technology or by using commercial data recovery tools. There are two possible ways to format a hard drive: Full Format and Quick Format.

Full Format – As the name suggests, this initializes the disk by creating a new file system on the partition being formatted and also checks the disk for bad sectors. Prior to Windows Vista, a full format operation did not zero the disk being formatted. Instead, Windows would simply scan the disk surface sector after sector, and unreliable sectors would be marked as "bad". In the case of Vista and Windows 7, a full format operation will actually:

• Wipe the disk clean.
• Write zeroes onto the disk.
• Read the sectors back to ensure reliability.

Quick Format – This is never destructive except in the case of an SSD. A quick format simply initializes the disk by creating a new file system on the partition being formatted. Information from disks cleared using the quick format method can be recovered by using one of the data recovery tools that support data carving.
SSD Drives

SSDs (Solid-State Drives) represent a new storage technology.

• They operate much faster than traditional drives.
• They employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.

The culprit in SSDs is the TRIM command. According to a survey, TRIM enables an SSD to completely wipe all deleted information in less than 3 minutes. This means that the TRIM command effectively zeros all the information as soon as it is marked as deleted by the operating system. Moreover, the effects of the TRIM command cannot be prevented even by using write-blocking devices.

Traditional methods are not useful when we try to recover deleted data from an SSD, or even any information from an SSD formatted with either a full format or a quick format. This means the traditional methods can be used for data recovery on an SSD only when the TRIM command is not issued, or at least one of the components does not support TRIM. The components include:

• Version of Operating System: Windows Vista and Windows 7 support the TRIM command; on the other hand, Windows XP and earlier versions typically don't support TRIM.
• Communication Interface: SATA and eSATA support TRIM, while external enclosures connected via USB, LAN or FireWire don't.
• File System: Windows supports TRIM on NTFS volumes but not on FAT-formatted disks. Linux, on the other hand, supports TRIM on all types of volumes, including those formatted with FAT.

Data Carving

Carving means bit-precise and sequential examination of the entire content of the hard drive. The concept of data carving is completely different from file recovery. Carving allows:

• Identifying particular signatures or patterns that may give a clue that some interesting data is stored in a particular spot on the disk.
• Locating various artifacts that would not be available otherwise.

Data carving is truly amazing when looking for destroyed evidence. In the case of data carving, investigators don't need to rely on files, as they may be partially overwritten, fragmented, and scattered around the disk. Data carving has the following features when dealing with text content:

• Text information is the easiest to recover.
• Blocks containing text data are filled exclusively with numeric values belonging to a shallow range that represents letters, numbers, and symbols.
• When carving for text data, investigators have to take various languages and text encodings into account. For example, the Turkish character set differs from Latin, and neither has anything in common with Arabic, Chinese or Korean writing.
• Different encodings must be taken into account when looking for texts in each supported language.
• By analyzing the information read from the disk in terms of a specific language and a specific encoding, one can typically detect text information.
In the case of binary data:

• Binary data is much more random.
• It is easy to detect the beginning and end of each text block by counting the number of characters that do not belong to a given language/encoding combination.
• Once a set threshold is met, it is assumed that the algorithm has reached the end of a given text block.
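As an added example (not code from the notes), the following Python carves the three signatures the notes name (JPEG, ZIP, PDF) from a constructed raw image and detects text blocks with the non-text-byte threshold just described; because it never consults a file system, it also illustrates the point from the Deleted Files section that content outlives its directory entry. IMAGE, NOTE, SIGNATURES and the function names are constructed for this example; a partially overwritten file (missing trailer) is reported as incomplete.

```python
"""Signature carving and text-block detection over a raw image (example)."""
from typing import Dict, List, Optional, Tuple

# Header/trailer pairs for the formats named in the notes. A JPEG starts with
# the SOI marker FF D8 FF; the "JFIF" string follows it inside the APP0 segment.
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes]]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),  # SOI ... EOI
    "zip": (b"PK\x03\x04", None),            # local file header; no fixed trailer
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed "deleted" note: no directory entry points at it any more, but
# its bytes are still on disk, so carving finds it without the file system.
NOTE = b"Meeting moved to 21:00, bring the drive.\n"

# Constructed raw image: unallocated zeros interleaved with three fragments.
IMAGE = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(0x80, 0xD0)) + b"\xff\xd9"
    + b"\x00" * 32
    + NOTE
    + b"\x00" * 32
    + b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + bytes(range(0xA0, 0xC0))
    + b"\x00" * 32
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    + b"\x00" * 16
)


def carve_signatures(image: bytes) -> List[dict]:
    """Locate every known header and pair it with its trailer when one exists.
    A file whose trailer is missing (partially overwritten) is reported with
    complete=False and carved up to the next header or the end of the image.
    Formats without a trailer get complete=None and the same fallback end."""
    hits = []
    for kind, (header, _) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(header, pos + 1)
    hits.sort()
    results = []
    for idx, (start, kind) in enumerate(hits):
        header, trailer = SIGNATURES[kind]
        limit = hits[idx + 1][0] if idx + 1 < len(hits) else len(image)
        end, complete = limit, None
        if trailer is not None:
            t = image.find(trailer, start + len(header), limit)
            complete = t != -1
            if complete:
                end = t + len(trailer)
        results.append({"type": kind, "start": start, "end": end, "complete": complete})
    return results


def is_text_byte(b: int) -> bool:
    """Printable ASCII plus tab/LF/CR: the 'shallow range' the notes describe."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def find_text_blocks(image: bytes, min_len: int = 16,
                     max_gap: int = 2) -> List[Tuple[int, int]]:
    """Return (start, end) of runs of text bytes. A run ends once more than
    max_gap consecutive non-text bytes are seen (the threshold rule above);
    runs shorter than min_len are dropped so that stray letters inside binary
    data, such as the "JFIF" or "PK" markers, are not reported as text."""
    blocks, start, last_text, gap = [], None, None, 0
    for i, b in enumerate(image):
        if is_text_byte(b):
            if start is None:
                start = i
            last_text, gap = i, 0
        elif start is not None:
            gap += 1
            if gap > max_gap:
                if last_text - start + 1 >= min_len:
                    blocks.append((start, last_text + 1))
                start, gap = None, 0
    if start is not None and last_text - start + 1 >= min_len:
        blocks.append((start, last_text + 1))
    return blocks


if __name__ == "__main__":
    for hit in carve_signatures(IMAGE):
        print(hit)
    for s, e in find_text_blocks(IMAGE):
        print(s, e, IMAGE[s:e][:40])
```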
Limitations of Data Carving –

• Not all formats of data can be carved.
• Data carving is based on looking for characteristic signatures or patterns. For example, JPEG files typically have the "JFIF" signature at the beginning, followed by the file header. ZIP archives start with "PK" and PDF files begin with "%PDF".
• Some files can be true binary files without any permanent signature in their header, for example QQ messenger files.
• Text-based files can be an issue in most cases, as there is a humongous amount of plain-text files that can be stored on a PC.
• Data carving cannot be used in the case where special algorithms are used to fill the disk space previously occupied by sensitive information with cryptographically strong random data.
• In "paranoid" mode, sensitive information is overwritten several times to make even the best cleanroom-type extraction impossible.
• When the sensitive information is not stored on a hard drive but in RAM, data carving is impossible. The only feasible option here is "Live RAM Analysis".
• Data carving is quite useless and practically impossible on an SSD.

1.4 RECOVERING DAMAGED DATA

Files can be corrupted due to a system crash, virus attack, or mistaken operation. A corrupted file is always unusable and inoperable. When facing this issue, you can first try to repair the files or run a virus detection program. However, if these do not work, you can try a third-party file recovery tool, the Recoverit Data Recovery program, to help recover corrupted files in Windows. Stop using your computer and do not open the file again and again.

In order to fix corrupted files, one should have a better understanding of why this happens in the first place. There are multiple reasons that can corrupt your Windows files, such as:

• Power Surges: A sudden surge in the power supply can corrupt Windows system files. Use a surge regulator to protect your PC.
• Sudden Power Outage: If your computer's power supply suddenly gets interrupted, or the battery runs out faster than expected when unplugged, this can also lead to corrupted files.
• System Crash: If your system files get corrupted it can be responsible for a crash, and if your system crashes it can end up corrupting your files.
• Update Errors: While updating your system, files are at risk of becoming corrupted due to bugs.
• Mismatched Versions: If you download or install the wrong version of a file.
• Virus or Infected Files: Viruses and malware attack system files.
• Hard Disk Problems: If your PC's hard disk gets filled with junk files or bloatware, the chances of files getting corrupted increase.

In case you are facing difficulty in operating and accessing your files, you should know that it is completely possible to recover corrupt files.

How to Recover Corrupted Files

1 Restore Previous Versions:
If you have the Previous Versions feature enabled, you can use this method. Go through the following steps carefully.
Step 1: Choose the file or folder you want to restore, right-click and look for "Restore previous versions", then click it.

Step 2: Now you will see that "previous versions come from File History or from restore points".
Step 3: Here, if your PC permits, a list of files containing older versions of the same file will show up. Simply choose one and click on the "Restore" option.

2 Use System Restore

Whoever has a computer is well acquainted with the System Restore option. This common feature can be very useful in the recovery of corrupted files. Let's have a clear perspective of System Restore so that it saves you from future trouble. System Restore generates a copy of your working system. If anything happens in the future, you can easily restore and recover the former version.
System Restore does not have an auto-enable option. However, anyone can enable this feature manually by following these few easy steps:
Step 1: Go to your Windows taskbar and type in "Create a restore point"; click the option when it displays.
Step 2: Click "System Restore" and then "Next".


Step 3: Now, check “Show more restore points” at the bottom and choose an available
restore point. Hit “Next” and simply follow the instructions.


Do not forget that once you start this procedure you have to leave your system
uninterrupted until the restoration is done.
3 Use the SFC /scannow command
The easiest way to search for corrupted system files is the Windows repair tool SFC
(System File Checker). The process of scanning and repairing using SFC is described
below in a few easy steps:
Step 1: Begin by opening the Command Prompt. To do this, press “Windows + R” and
type “cmd” (press Ctrl + Shift + Enter to open it as administrator, since SFC needs
elevated rights to repair files).
Step 2: When the Command Prompt is open, type “sfc /scannow” and press Enter.
This will begin the scan.


4 Use the DISM tool

You can also use the DISM tool, also known as Deployment Image Servicing and
Management. It is a command-line tool used by developers and administrators for
modifying and repairing system images such as Windows Setup, the Windows Recovery
Environment, and Windows PE (WinPE). On the bright side, you do not need any
programming skills to use this tool.
DISM also has command options that quickly determine whether any corrupted file is
present in your local Windows 10 image. Follow the steps below:
Step 1: Search for ‘Command Prompt’, then right-click the top result and select the
‘Run as administrator’ option.
Step 2: Type the following command to repair the Windows 10 image, then press
‘Enter’:
DISM /Online /Cleanup-Image /RestoreHealth

6 Perform an SFC scan before Windows 10 starts

If your PC is taking too long to boot up, you can run SFC from the Windows Startup
Repair environment on your Windows 10 PC. This process is rather a long one and will
take some time and effort on your part. However, it has a good chance of locating and
repairing corrupted files before they affect your system files. Follow these steps to get
it done in a few minutes:
Step 1: On your keyboard, press and hold the SHIFT key and then, from the power
options in the bottom left corner, click ‘Restart’.
Step 2: From the boot screen, click the “Troubleshoot” option.
Step 3: Now, click “Advanced options” followed by “Command Prompt”.
Step 4: Now, type the following command:
sfc /scannow /offbootdir=C: /offwindir=D:\Windows
(C: is the boot partition and D:\Windows the offline Windows directory; drive letters
in the recovery environment can differ from those seen in a running Windows, so
check them before running the command.)
Step 5: Press Enter and the scan will start.
7 Reset your Windows 10
If none of the above options works out in removing or repairing corrupted files on
your PC, your last resort is to reset Windows 10. Remember that this process removes
previously installed apps and files, so be sure to back up any files that are important
to you.
To initiate this process you will require Windows 10 installation media, so make sure
you create some on a bootable USB flash drive. If the reset process does not work out,
you can repeat it, but this time choose to remove everything. This means you select
the drive where only Windows files are installed and choose the ‘Just remove my
files’ option.
Here are the steps to reset Windows 10:

Step 1: Restart your PC.
Step 2: Open the Troubleshoot option and select Reset this PC.
Step 3: You will now be shown two options:
 Keep my files: This reinstalls Windows 10 while preserving your personal files
and settings. (You can use this option to simply clean the drive.)
 Remove everything: This option removes both your personal files and settings.


Step 4: Now, choose your username when asked and enter the password. (You might
also be asked to insert the Windows 10 installation media, so be sure to do so.)
Step 5: Now choose the version of Windows you wish to reinstall and click the
Restart button.
Step 6: Simply follow the instructions displayed on the screen to complete the process.
8 The Best Corrupted Files Recovery Software - Recoverit
Wondershare Recoverit is an effective and safe file recovery software. With
Recoverit File Recovery, you can easily recover corrupted files from a USB hard
drive or other storage devices in Windows.

Download (free) and install Recoverit Data Recovery on your computer; the Windows
version recovers corrupted files in a few simple steps. If your corrupted files are
stored on a USB hard drive, connect it to the computer. Follow the tutorial below to
restore corrupted files from USB.
Step 1. Select your USB Hard Drive
Make sure your USB hard drive is connected to the computer and detected. Select the
USB drive in the list and click the "Start" button to proceed.


Step 2. Scan the USB Hard Drive

Recoverit Corrupted File Recovery will start a first scan of your USB hard drive. You
can preview some recoverable files after the scan. If you cannot find your files, scan
again with the "All-around Recovery" mode. It scans the USB hard drive more deeply
and finds more files, but it takes more time.


Step 3. Preview and Recover Corrupted Files

After the scan, you can check all recoverable files in the scan results and preview
specific files such as images (JPEG, JPG, GIF, PNG). Select the files you want and
click the "Recover" button to get them back.


Please note that you must choose a save location different from the device you are
recovering data from, to avoid overwriting data, which may cause further data loss.


Step 3 (continuing the DISM tool procedure above): The repair process will begin now.
Wait until it is done and restart the PC.
5 Use the CHKDSK command
The next thing that can help you recover corrupted files is the chkdsk command.
Follow these steps to resolve corrupted files using chkdsk:
Step 1: Open the Command Prompt as administrator, as we did previously.
Step 2: Now, enter the following command:
chkdsk e: /f /r /x

 “e:” represents the drive letter of the partition you wish to repair.
 /f fixes any known or found errors.
 /r locates bad sectors and recovers readable information.
 /x forces the volume you are about to check to dismount before the utility scan
begins.

Note that /f and /r write repairs to the volume; on a drive that is itself evidence, run
such repairs against a forensic image rather than the original disk.
Step 4: In case any possibly corrupted files are found in your system, it is advisable
to run the System File Checker tool to repair missing or corrupted system files after
chkdsk completes.


1.5 Disk Imaging:


Disk imaging is a form of hard drive backup that places all of a hard drive’s data
into a compressed file. That file can be stored on other devices, in a file system, or in
the cloud. Disk imaging allows individuals and businesses to recover all data that was
on a computer when the image was made.

Disk imaging bypasses the configuration stage of setting up a computer. Because
it saves every detail of the previous hard drive, including the current operating system,
applications, and documents, computer users do not have to reset every aspect of the
new computer. This makes disk images a helpful tool for businesses that want to quickly
set up new computers with the same software and programs.

Installing a disk image on a hard drive typically requires a specific platform for
copying images onto disks.

Disk Imaging for Data Backup and Recovery

Imaging allows a computer user to return to a previous version of the hard drive,
including all applications and files stored on it at that time. If the current hard drive is
compromised by malware or a virus, users can restore it from a previously made disk image.

Storing multiple disk images in different locations, both physical and virtual, provides
better protection for the computer data. If a disk image is stored in a file system, such
as NAS, and that is destroyed, the image on a local desktop or in Amazon’s cloud
service will still be available.

Enterprises that need to store multiple hard copies of computer data can store
disk images in different locations for additional data protection.


Difference between Disk Imaging and Disk Cloning

Imaging is not the same as disk cloning. Many disk backup software programs
have options for both disk cloning and disk imaging, but the two are different.

While a disk image is a compressed file that holds all data from a hard drive, a
disk clone is another disk that is identical to the original. Data from the original hard
drive is copied directly to the next disk. This means that disk clones can only be made
one at a time.

Once disk cloning is complete, the newly created drive can be installed on a computer
immediately, and that computer will have the same patches, operating system,
applications, and files as the original drive. The clone can also be saved in storage for
future use, should a new computer need that hard drive or the original fail. Though the
cloned drive will only have the data that was on the original when it was cloned, it’s
still a good backup solution for saving computer data.

Cloning a disk takes less time than creating an image. The entire cloned disk is now a
copy of the original hard drive. In contrast, disk images take longer to process, but
multiple images can rest on a storage device, such as a USB flash drive.

Because disk images are compressed files, they take up less storage space than an entire
computer’s worth of uncompressed data would. This makes them particularly useful for
storage and backup.

Disk cloning is a useful technology for quickly creating a new hard drive that can then
be stored or installed.
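The imaging and cloning operations described above, as an added example that is not part of the original notes: a Python script that images a constructed "disk" file into a compressed container, clones it byte for byte, restores the image, and verifies every copy against the SHA-256 of the source. The disk contents, file names and chunk size are constructed for the example.

```python
import gzip
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read the source in 1 MiB chunks so a large device never sits fully in memory


def sha256_of_file(path):
    """Hash a file in chunks; used to confirm an image or clone matches its source."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def create_image(source, image_path):
    """Disk image: every byte of the source written into one compressed container file.

    Returns the SHA-256 of the source so the image can later be verified against it.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, gzip.open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            img.write(block)
    return h.hexdigest()


def restore_image(image_path, target):
    """Unpack the image into an uncompressed byte-for-byte copy and return the copy's hash."""
    h = hashlib.sha256()
    with gzip.open(image_path, "rb") as img, open(target, "wb") as dst:
        for block in iter(lambda: img.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def clone_disk(source, target):
    """Disk clone: direct, uncompressed copy from one 'disk' to another (one at a time)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(target, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def demo():
    """Build a constructed 'disk' (a file, not a real device), image it, clone it, and compare."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "disk.bin")
        # Constructed sample content: a fake boot record, a text area and zeroed unused space.
        with open(disk, "wb") as f:
            f.write(b"BOOT" * 128)
            f.write(b"Evidence document: invoice 2023\n" * 200)
            f.write(b"\x00" * (256 * 1024))
        image = os.path.join(d, "disk.img.gz")
        clone = os.path.join(d, "clone.bin")
        restored = os.path.join(d, "restored.bin")

        source_hash = create_image(disk, image)
        clone_hash = clone_disk(disk, clone)
        restored_hash = restore_image(image, restored)

        return {
            "source_hash": source_hash,
            # A clone is identical to the original: same bytes, same size.
            "clone_matches": clone_hash == source_hash == sha256_of_file(clone),
            # An image must restore to exactly the source bytes, or it is useless as a backup.
            "restored_matches": restored_hash == source_hash,
            "disk_size": os.path.getsize(disk),
            "image_size": os.path.getsize(image),   # compressed container, much smaller
            "clone_size": os.path.getsize(clone),   # uncompressed, equal to the disk
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Recording the source hash at imaging time, as create_image does, is what later lets an examiner show the image has not changed.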


Disk Imaging Software

Disk imaging platforms often include other features for hard drives, such as backup and
recovery. We list four software options for disk imaging for both personal users and
businesses.

Acronis True Image

Acronis True Image doubles as a disk cloning and backup solution. True Image allows
users to schedule full and incremental backups. Acronis also offers antivirus and anti-
malware checking; the software runs scans that specifically look for malware in files
that would ordinarily be targeted. True Image is available for both Windows and Mac.

Clonezilla

Clonezilla offers both imaging and cloning. It’s a free and open source disk solution
that supports multiple file system formats. The server versions of the software can be
used for massive deployment, cloning many computers at one time. Clonezilla also
offers the option to encrypt disk images to protect the files stored within the image.

Macrium Reflect

Macrium Reflect triples as a backup, imaging, and cloning solution for Windows. It
offers a 30-day trial period and versions for personal users and businesses. It’s
commercially licensed and allows both incremental and scheduled backups. Reflect
offers ransomware protection as well.

Symantec Ghost Solution Suite

Symantec, owned by Broadcom, includes disk imaging in its Ghost Solution Suite,
which also focuses on deployment across different computing systems. The Ghost
Solution Suite is also a migration tool, allowing users to migrate to different operating
systems. It supports Windows operating systems and servers and Microsoft SQL Server
databases.

1.6 Data Encryption and Data Compression

Data compression and data encryption are two important methods of protecting
and managing data. While both of these processes can help protect your data, they
work in different ways. In this article, we’ll discuss the key differences between data
encryption and data compression, and explain how each can help you protect your
data.

What is Data Encryption?


Data encryption is a process that scrambles data in such a way that it can only
be read by someone who has been given the key to decrypt it. It’s used to protect data
from unauthorized access and is commonly used when sending information over a
network or storing it on a computer. It’s also used to protect data stored in cloud
services. Data encryption works by using a mathematical algorithm to convert the data
into a code that can only be unlocked with a specific key. This key is usually a
password, but it can also be a physical device, such as a USB device.

What is Data Compression?


Data compression is a process that reduces the size of files, making them easier
to store and transfer. It works by removing redundant information from the file, or by
using algorithms to reduce the number of bytes needed to store the data. Data
compression is used to save space on hard drives, reduce download times, and make
files easier to email. It can also be used to reduce the amount of data sent over the
internet, making it faster and more efficient.


Data Encryption Vs Data Compression

Factor: Security
Data Encryption: Data encryption provides a high level of security as it ensures that
only authorized users can access the data and it is kept secure from unauthorized
access or manipulation.
Data Compression: Data compression does not provide a high level of security as it
does not provide any encryption of the data.

Factor: Algorithm
Data Encryption: Data Encryption uses an encryption algorithm to transform the data
into a secure form.
Data Compression: Data Compression uses a compression algorithm to reduce the size
of the data.

Factor: Key
Data Encryption: Data Encryption uses an encryption key to generate a secure form of
the data.
Data Compression: Data Compression does not use any key to compress the data.

Factor: Speed
Data Encryption: Data Encryption is relatively slow as it requires a lot of computing
power to encrypt the data.
Data Compression: Data Compression is relatively fast as it does not require a lot of
computing power to compress the data.

Factor: Cost
Data Encryption: Data Encryption is relatively expensive as it requires specialized
hardware and software to encrypt the data.
Data Compression: Data Compression is relatively inexpensive as it does not require
any specialized hardware or software to compress the data.

Factor: Reversibility
Data Encryption: Data Encryption is reversible as the data can be decrypted using the
same encryption key.
Data Compression: Data Compression is not reversible as the data cannot be
decompressed without losing some of the original data.

Factor: Accessibility
Data Encryption: Data Encryption ensures that only authorized users can access the
data.
Data Compression: Data Compression does not ensure that only authorized users can
access the data.

Factor: Format
Data Encryption: Data Encryption does not alter the format of the data.
Data Compression: Data Compression alters the format of the data in order to reduce
its size.

Factor: Integrity
Data Encryption: Data Encryption ensures the integrity of the data as it is kept secure
from unauthorized access or manipulation.
Data Compression: Data Compression does not ensure the integrity of the data as it is
not encrypted.

Factor: Encoding
Data Encryption: Data Encryption uses an encrypted code to transform the data into a
secure form.
Data Compression: Data Compression uses an encoded code to reduce the size of the
data.
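An added example (not from the original notes) that exercises the factors compared above on one constructed input: gzip stands in for the compression algorithm, and a demonstration-only XOR stream cipher with a SHAKE-256 keystream stands in for an encryption algorithm (the passphrase, nonce and sample log lines are constructed). It also shows one point the table leaves out: because ciphertext has no redundancy left, data is compressed before it is encrypted, never after.

```python
import gzip
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 looks random (ciphertext), lower means redundancy."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration-only stream cipher: XOR the data with a SHAKE-256 keystream derived
    from key and nonce. Constructed for this example (no authentication, and a nonce must
    never be reused with the same key); real systems use a vetted AEAD such as AES-GCM."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream undoes the encryption; a different key yields garbage.
    return stream_encrypt(key, nonce, ciphertext)


def compare(plaintext: bytes, key: bytes, wrong_key: bytes, nonce: bytes = b"demo-nonce-01") -> dict:
    """Apply compression and encryption to the same input and report the table's factors."""
    compressed = gzip.compress(plaintext)
    encrypted = stream_encrypt(key, nonce, plaintext)
    # Order matters in practice: ciphertext has no redundancy left for a compressor to remove,
    # so compress first, then encrypt.
    compress_then_encrypt = stream_encrypt(key, nonce, compressed)
    encrypt_then_compress = gzip.compress(encrypted)
    return {
        "plain_size": len(plaintext),
        "compressed_size": len(compressed),            # compression: smaller output
        "encrypted_size": len(encrypted),              # encryption: same length, new content
        "compress_then_encrypt_size": len(compress_then_encrypt),
        "encrypt_then_compress_size": len(encrypt_then_compress),
        "plain_entropy": round(shannon_entropy(plaintext), 2),
        "encrypted_entropy": round(shannon_entropy(encrypted), 2),
        # Compression needs no key: anyone holding the file can unpack it (gzip is lossless).
        "decompress_without_key": gzip.decompress(compressed) == plaintext,
        # Encryption is reversible only with the right key.
        "decrypt_right_key": stream_decrypt(key, nonce, encrypted) == plaintext,
        "decrypt_wrong_key": stream_decrypt(wrong_key, nonce, encrypted) == plaintext,
    }


# Constructed sample input: a repetitive log extract, typical of data that compresses well.
SAMPLE = b"2023-05-01 10:00:01 login ok user=alice src=10.0.0.5\n" * 100
KEY = hashlib.sha256(b"example passphrase").digest()        # demo key from a constructed passphrase
WRONG_KEY = hashlib.sha256(b"another passphrase").digest()

if __name__ == "__main__":
    for factor, value in compare(SAMPLE, KEY, WRONG_KEY).items():
        print(f"{factor:28} {value}")
```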


1.7 Search Techniques in Cyber Forensics

Computer forensic examinations use computer-generated data as their vital
source. The goal of any given computer forensic examination is to find facts, and
through these facts to recreate the truth of an event. Automated search techniques are
used to find out whether objects of a given type, such as hacking tools or pictures of a
specific kind, are present in the information that has been collected.
There are two types of automated search techniques: Manual Browsing and
Automated Browsing.

Figure – Types of automated search techniques in cyber forensics

What is Manual Browsing ?

In Manual Browsing, the forensic analyst browses the information that has been
gathered and selects objects of the preferred type. The tool used for this browsing is a
type of Watcher: it takes a data object, e.g., a file, decodes that file and gives the result
back in human-readable format. Manual Browsing is slow and time consuming because
of the massive amount of data that has to be gathered in a lot of investigations.

What are Automated Searches ?

The word Automated comes from the Greek word automatos, meaning “acting of
itself.” Something that is automated can do what it is meant to do without a
person to help run it. An automated search procedure provides direct access to the
automated files of another party, where the response to the search procedure is fully
automated.
The types of automated searches are: Keyword Search, Regular Expression Search,
Approximate Matching Search, Custom Searches, and Search of Modifications.

1. Keyword Search –
The cyber forensic keyword search is a feature used to find evidence in a large
amount of electronic data. During a cyber crime investigation, a forensic e-mail
search is performed on the basis of keywords that you enter in the computer forensics
tool. A keyword search consists of specific keywords. It is a widely used, easy
technique that speeds up manual browsing. The output of a keyword search is the list
of data objects found. However, there are two problems with keyword search: false
positives and false negatives.
 (i) False Positive:
Keyword searches give only an approximation of the required type of data objects,
so their output can contain false positives: objects that do not belong to the
particular type even though they contain the specified keywords. A forensic analyst
has to browse the keyword search results manually to discard false positives.
 (ii) False Negative:
False negatives are objects of the particular type that are missed by the search. If
the search utility fails to correctly interpret a data object, the result is a false
negative. Encryption, compression, or the inability of the search utility to interpret
new data formats can be the reason for this.
2. Regular Expression Search –
A regular expression (regex) is a powerful way to search text-based files for data
with an identifiable pattern. This search gives a more expressive language for
describing the object of interest than keywords; it is an extension of keyword search.
Regular expressions are also used to specify searches for e-mail addresses and files
of a precise type. The EnCase tool is used to perform regular expression searches.
Not all types of data can be sufficiently described using regex, and regular
expression search also results in false positives and false negatives.
3. Approximate Matching Search –
An expansion of regular expression search is approximate matching search. It uses
an approximate matching algorithm that allows character mismatches while searching
for a keyword. It detects misspelled words, but the permitted mismatches also raise a
lot of false positives. The agrep utility is used for approximate matches.
4. Custom Searches –
Because regular expressions have limited expressiveness, programs are written for
more complex searches, such as the FILTER_1 tool from New Technologies Inc.,
which uses a heuristic procedure to find full names of people in the gathered data.
This too suffers from false positives and false negatives.
5. Search of Modifications –
This is used to find data objects that have been modified since a specified instant in
the past. Data objects that are modified infrequently, such as operating system
utilities, are checked by comparing their current hash with their expected hash. A
library of expected hashes is built before the search.
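The search types above, as an added example that is not part of the original notes: keyword, regular expression, approximate matching (agrep-style character mismatches) and search of modifications (hash comparison against a prebuilt library), each run over a small constructed evidence set. The file names, contents and expected-hash library are constructed, and the example deliberately includes one false positive and one compression-caused false negative of the kind the text describes.

```python
import gzip
import hashlib
import re

# Constructed sample evidence (name -> bytes), standing in for objects gathered from an image.
EVIDENCE = {
    "mail/draft.txt": b"Meeting with J. Smith about the invoice. Reply to j.smith@example.com",
    "notes/todo.txt": b"Fix the keybord shortcuts and order a new Keyboard",
    "notes/finance.txt": b"Wire the payment to finance@example.org before Friday",
    "backup/old.gz": gzip.compress(b"invoice archive: transfer of funds, keyword inside"),
    "bin/ls": b"\x7fELF-constructed-system-utility-v1",
    "bin/netstat": b"\x7fELF-constructed-system-utility-v2 (patched)",
}


def keyword_search(objects, keywords):
    """Keyword search: names of objects whose raw bytes contain any keyword (case-insensitive)."""
    needles = [k.lower().encode() for k in keywords]
    return sorted(name for name, data in objects.items()
                  if any(n in data.lower() for n in needles))


def regex_search(objects, pattern):
    """Regular expression search, e.g. for e-mail addresses; returns name -> matched strings."""
    rx = re.compile(pattern)
    hits = {}
    for name, data in objects.items():
        found = rx.findall(data.decode("latin-1"))
        if found:
            hits[name] = found
    return hits


def approximate_search(objects, keyword, max_mismatches):
    """agrep-style approximate matching: slide the keyword over each object and accept
    windows with at most max_mismatches differing characters (Hamming distance)."""
    kw = keyword.lower().encode()
    hits = {}
    for name, data in objects.items():
        text = data.lower()
        for i in range(len(text) - len(kw) + 1):
            window = text[i:i + len(kw)]
            if sum(1 for a, b in zip(window, kw) if a != b) <= max_mismatches:
                hits.setdefault(name, []).append(window.decode("latin-1"))
    return hits


def search_modifications(objects, expected_hashes):
    """Search of modifications: compare each object's current SHA-256 with the library of
    expected hashes built beforehand; anything that differs or is unknown is reported."""
    changed = {}
    for name, data in objects.items():
        current = hashlib.sha256(data).hexdigest()
        if expected_hashes.get(name) != current:
            changed[name] = current
    return changed


def demo():
    """Run each search over the constructed evidence and return the results."""
    # Library of expected hashes built before the search; netstat is recorded as the unpatched build.
    library = {
        "bin/ls": hashlib.sha256(b"\x7fELF-constructed-system-utility-v1").hexdigest(),
        "bin/netstat": hashlib.sha256(b"\x7fELF-constructed-system-utility-v2").hexdigest(),
    }
    system_utilities = {n: d for n, d in EVIDENCE.items() if n.startswith("bin/")}
    return {
        # "invoice" hits draft.txt but misses the copy inside old.gz (false negative: compressed);
        # "key" hits todo.txt via "Keyboard" (false positive: not the object type wanted).
        "keyword": keyword_search(EVIDENCE, ["invoice", "key"]),
        "emails": regex_search(EVIDENCE, r"[\w.+-]+@[\w-]+\.[\w.]+"),
        # One mismatch allowed, so the misspelling "keybord" is found.
        "approx": approximate_search(EVIDENCE, "keyword", max_mismatches=1),
        "modified": search_modifications(system_utilities, library),
        # Decoding the archive first turns the false negative into a hit.
        "after_decompress": keyword_search(
            {"backup/old.gz": gzip.decompress(EVIDENCE["backup/old.gz"])}, ["invoice"]),
    }


if __name__ == "__main__":
    for kind, result in demo().items():
        print(f"{kind:17} {result}")
```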


1.7 Top Digital Forensics Tools


These 16 products are important forensic software tools commonly used in the market.

1. Paraben Corporation

Paraben Corporation entered the cybersecurity marketplace in 1999, focused on
digital forensics, risk assessment, and security solutions. Today, in a world with billions
of devices, Paraben covers forensic investigations involving email, computers,
smartphones, and Internet of Things (IoT) devices.

Key Differentiators

 The Paraben E3 Forensic Platform streamlines data from multiple sources.

 E3:Universal covers all devices, E3:DS is for mobile forensics, E3:P2C is for
computer forensics, and E3:EMAIL for email.

 There are hash databases for filtering; viewers for files, hex, text, RTF, and emails;
and automated embedded data detection (OLE).

 Paraben provides remote access with collection from machines and cloud storage.

 Paraben offers IoT support for brands like Xbox and Amazon Echo and cloud
support for Google, Dropbox, and Slack.

 Users have the ability to work with multiple data sources together for analysis; can
collect from a wide range of sources including computers, smartphones, IoT, and
cloud to sort the data into logical categories; recover information; and search in
multiple languages.

 Capabilities provided at a single price point with components such as cloud for
computers and mobile are included.

 Monthly pricing is available for access to training courses with a software license
included.

2. The Sleuth Kit And Autopsy

The Sleuth Kit (TSK) and Autopsy are popular open-source digital investigation tools.
Sleuth Kit enables administrators to analyze file system data via a library of command-
line tools for investigating disk images. Autopsy is its graphical user interface (GUI)
and a digital forensics platform used in public and private computer system
investigations to boost TSK’s abilities.

Key Differentiators

 TSK offers well-regarded and reviewed disk and data capture tools.

 Capabilities include timeline analysis, hash filtering, file and folder flagging, and
multimedia extraction.

 Autopsy allows users to efficiently analyze hard drives and smartphones.


 Its plug-in architecture allows users to find add-on modules or develop custom
modules in Java or Python.

 Sleuth Kit is a collection of command-line tools and a C library to analyze disk
images and recover files.

 Commercial training, support, and custom development is available from Basis
Technology.

 The core functionality of TSK is to analyze volume and file system data.

 The library can be incorporated into larger digital forensics tools, and the command-
line tools can be directly used to find evidence.

 TSK is used by law enforcement, military, and corporate examiners to investigate
what happened on a computer.

 TSK can be used to recover photos from a camera’s memory card.

3. OpenText

Founded in 1991 in Waterloo, Ontario, OpenText offers enterprise content
management, networking, automation, discovery, security, and analytics services.
OpenText EnCase solutions include Endpoint Security (endpoint detection and
response, or EDR), Endpoint Investigator (DFIR), Forensic, Mobile Investigator, and
Advanced Detection. These solutions help with recovering evidence from multiple
device types and hard drives, automating the preparation of evidence, deep and triage
analysis, and evidence collection and preservation.

Key Differentiators


 EnCase Forensic is court-proven in finding, decrypting, collecting, and preserving
forensic data from a variety of devices, while ensuring evidence integrity and
integrating with investigation workflows.

 EnCase can acquire evidence from a variety of sources and dig deep into each source
to uncover potentially relevant information.

 Predefined or customized conditions and filters can quickly locate evidence.

 Evidence processing, integrated workflows, and flexible reporting are all features
offered by EnCase.

 EnCase works across computers, laptops, and mobile devices to determine whether
further investigation is warranted.

 The platform ranks evidence by importance.

 Real-time evaluation of evidence is provided.

4. Magnet Forensics

Noticing that digital forensic tools used by law enforcement were insufficient, Canadian
police officer Jad Saliba founded Magnet Forensics in 2011. The company offers digital
forensic investigative tools to public and private organizations. Products include
Magnet Axiom Cyber for incident response, Magnet Automate Enterprise, and Magnet
Ignite for triage.

Key Differentiators

 Magnet Forensics now has more than 4,000 customers in over 100 countries.


 Magnet supports every digital evidence source, not just Linux and Windows OS.

 Magnet Axiom Cyber incident response is used to perform remote acquisitions and
recover and analyze evidence from computers, the cloud, and mobile devices.

 Magnet Automate Enterprise is an automation solution used to simultaneously
collect and process evidence from multiple endpoints in the wake of a security
incident.

 Magnet Ignite performs fast, remote scans and initial analysis of endpoints as a triage
action.

 Magnet Forensics performs remote acquisitions of Mac, Windows, and Linux
endpoints, even when they aren’t connected to company networks.

 Data can be recovered from apps such as Microsoft Office 365 and Slack as well as
storage services like Amazon Web Services and Microsoft Azure.

 All evidence is brought into one location where security teams can analyze it.

 Evidence can simultaneously be recovered and processed from multiple endpoints.

 SIEM (security information and event management) and EDR tools are integrated
into workflows and a digital investigation can automatically be triggered when a
threat is detected.

5. CAINE


The Computer-Aided Investigative Environment (CAINE) is an Italian open-source
Ubuntu- and Linux-based distribution for digital forensic purposes. CAINE integrates
with existing Windows, Linux, and Unix systems security tools.

Key Differentiators

 CAINE provides automatic extraction of timelines from RAM (random access
memory).

 It is an interoperable environment that supports the digital investigator during the
four phases of the digital investigation.

 All block devices are blocked in read-only mode.

 CAINE can be used with a GUI named Unblock, which is present on CAINE’s
desktop.

 CAINE assures that all disks are protected against accidental writing operations.

 If the user needs to write a disk, it can be unlocked.

6. Kroll Computer Forensics

Kroll’s computer forensics tools and experts ensure that no digital evidence is
overlooked and assist at any stage of an investigation or litigation, regardless of the
number or location of data sources.

Key Differentiators


 Physical and digital evidence is examined to uncover what did or did not happen,
using a combination of computer forensic expertise and traditional investigative
techniques.

 Defensible methodologies and solutions are available to identify and preserve
electronic data.

 Regardless of the volume and complexity of collection needs, Kroll gathers data for
electronic investigation and forensic analysis or forensic discovery.

 Whether data was deleted or manipulated on purpose or by accident, Kroll analyzes
the digital clues left behind to uncover critical information.

 Experts are available on call to serve as an expert witness or special master.

7. SANS SIFT

SIFT Workstation is a collection of free and open-source incident response and forensic
tools to perform digital forensic examinations. Offering an array of free and open-source
DFIR solutions, the SIFT Workstation provides various options for deployment
including virtual machine (VM), native installation on Ubuntu, or installation on
Windows via a Linux subsystem.

Key Differentiators

 Developed by the SANS Institute in 2007, SIFT works on 64-bit OS, automatically
updates the software with the latest forensic tools and techniques, and is a memory
optimizer.

 SIFT Workstation is continually updated and has over 125,000 downloads.

 SIFT Workstation is used as part of SANS Institute training on incident response,
network forensics, and cyber threat intelligence.

 It can analyze file systems, network evidence, memory images, and more.

 Support is available for NTFS, ISO9660 CD, HFS, and FAT.

 SIFT Workstation has been upgraded to improve memory utilization.

 There is cross compatibility between Linux and Windows systems.

8. Exterro

Hailing from Portland, Oregon, Exterro launched in 2004 and specializes in workflow-
driven software and governance, risk, and compliance (GRC) solutions. While all of
our picks inherently support organizations’ needs to maintain compliance, Exterro is
especially valuable for assisting in-house legal teams, streamlining compliance
processes, and controlling risks.

Exterro offers products across e-discovery, privacy, risk management, and digital
forensics. Known for its forensics-focused products dubbed FTK, its capabilities
include Mac and mobile data investigations, remote agent endpoint collection, scalable
DPE (data processing environment), and automated workflows.

Key Differentiators

 Exterro’s operations are SOC 2 Type 2 certified and FedRAMP authorized.

 Products are split into FTK Imager, FTK Lab, FTK Central, FTK Enterprise, and
FTK Connect (previously known as API-specific solutions).

 The overall Exterro FTK Forensic Toolkit has been used in digital forensics for over
30 years for repeatable, reliable investigations.

• All FTK solutions feature fast data processing, including for mobile data extractions.

• Exterro provides remote endpoint investigation, triage, collection, and remediation.

• Unlimited DPE scalability is available to meet heavy demand.

• Exterro requires minimal training.

• Exterro is a web-based, collaborative platform to centralize forensic evidence.

• Automation is available for workflow tasks and orchestration with SIEM and SOAR (security orchestration, automation, and response) platforms.

• Examiners can perform a rapid risk assessment of a suspected compromised endpoint — even if it is disconnected from the VPN network — by previewing the live contents of an off-network endpoint before performing a time-consuming collection.

• Integration with cybersecurity platforms, such as Palo Alto Cortex XSOAR, allows users to capture and preserve endpoint data immediately upon detection of a possible threat.

• No API (application programming interface) or Python scripting is required.

9. Volatility

Volatility is a command-line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open-source, and runs in Windows. This forensics framework for incident response and malware analysis is written in Python and supports Microsoft Windows, Mac OS X, and Linux.


Key Differentiators

• There is no need to install a Python script interpreter.

• Memory forensics technology enables investigators to analyze runtime states using RAM data.

• Knowledge of operating system (OS) internals, malicious code, and anomalies is used to enhance its tools.

• Embedded API can be used for lookups of PTE (page table entry) flags.

• Volatility has support for kernel address space layout randomization (KASLR).

• There is an automated execution of a failure command after multiple failed starts.

• In 2020, the Volatility Foundation released a complete rewrite of the framework known as Volatility 3 to address technical and performance challenges associated with the original code base released in 2007.

10. X-Ways

X-Ways Forensics is a work environment for computer forensic examiners. Known for not being resource-hungry, yet speedy, it is based on the WinHex hex and disk editor and offers additional disk and data capture software, cloning, imaging, and other tools.

Key Differentiators

• X-Ways is portable and runs off of a USB stick on any given Windows system without installation if desired.

• X-Ways downloads and installs within seconds.

• Computer forensic examiners are enabled to share data and collaborate with investigators that use X-Ways Investigator.

• X-Ways runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11, 32-bit/64-bit, and standard/PE/FE.

• Automatic detection of lost or deleted partitions is made.

• Read partitioning is available for file system structures inside .dd image files.

• X-Ways provides analysis of remote computers.

• X-Ways can access disk and RAID configurations and detect NTFS (New Technology File System) and ADS (alternate data streams).

• There are templates to view and edit binary data.

• X-Ways offers built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2.

• Native support is available for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, and UDF.

11. Cellebrite

Started in 1999 in Israel, Cellebrite specializes in mobile device forensics for law
enforcement and enterprises that need to collect, review, analyze, or manage device
data. The Digital Intelligence Investigative Platform helps unify the investigative life
cycle and preserve digital evidence.

Key Differentiators

• Cellebrite Universal Forensic Extraction Device (UFED) can extract physical and logical data.

• Recovery methods include exclusive bootloaders, automatic EDL (emergency download) capability, and smart ADB (Android Debug Bridge).


• Cellebrite can provide analysis on Windows and Mac.

• Users can find internet history, downloads, recent searches, top sites, locations, media, messages, recycle bin, USB connections, and more.

• AI-assisted picture and video categorization, filtering, and support for whole disk encryption are available features.

• Cellebrite shows the timeline of an event and reveals the real story behind each case.

• Cellebrite is designed to scale and sift through large datasets.

• Cellebrite creates customized, court-ready reports.

• The platform exports findings easily.

12. ProDiscover

ProDiscover launched in 2001 to help public and private organizations solve digital
crimes. As of 2021, the India-based provider works in over 70 countries with more than
400 clients, including the NIST, NASA, and Wells Fargo. ProDiscover Forensics
captures evidence from computer systems for use in forensic investigation to collect,
preserve, filter, and analyze evidence.

Key Differentiators

• ProDiscover offers three products that prioritize computer forensics, incident response, electronic discovery, and corporate policy compliance investigations.

• ProDiscover locates data on a computer disk, and also protects evidence and creates reports.

• EXIF data can be extracted from JPEG files.

• Copies of suspicious disks can be made.



• Support is available for VMware to run captured images.

• ProDiscover supports Windows, Mac, and Linux file systems.

• Evidentiary reports can be prepared and presented in court.

• ProDiscover previews and images disks.

• Memory forensics is available.

• ProDiscover offers text search with multilingual capabilities.

• ProDiscover includes cloud, social media, Web, and email investigation.

13. Wireshark

First developed in 1998, Wireshark does forensic investigation and analysis of network
packets and conducts testing and troubleshooting of networks. This includes inspection
of hundreds of protocols in a three-pane packet browser that encapsulates data
structures.

Key Differentiators

• Wireshark is multi-platform compatible, running on Windows, Linux, macOS, Solaris, FreeBSD, and NetBSD.

• Network analysis is available with VoIP (voice over Internet Protocol) analysis.

• Wireshark can capture files compressed with gzip and export outputs to XML, CSV, or plain text.

• Users can see what’s happening on a network.



• Live capture and offline analysis are available.

• Captured network data can be browsed via a GUI, or via the teletypewriter (TTY)-mode TShark utility.

• Wireshark can read and write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, and WildPackets EtherPeek/TokenPeek/AiroPeek.

• Decryption support is available, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.

14. Xplico

Created in 2007, Xplico is a network forensics analysis tool that restructures data via a
packet sniffer. It specializes in port independent protocol identification (PIPI) to
reconstruct application data to identify its protocols. Available as a free and open-source
tool, Xplico’s primary objective is to extract application data from an internet traffic
capture.

Key Differentiators

• Xplico supports HTTP, IMAP, POP, SMTP, IPv6, and more.

• Xplico creates XML files that identify the flows and pcap (input file) contained in each data structure reassembled.


• Multithreading is possible.

• There are no data entry limits.

• Xplico can execute reverse DNS (Domain Name System) lookups from DNS packets.

• Xplico provides output data and information in an SQLite database or MySQL database and/or files.

• All data reassembled by Xplico has an associated XML file that uniquely identifies it.

• Real-time elaboration is supported.

• TCP (Transmission Control Protocol) reassembly with ACK (acknowledgement) verification is available for any packet, or with soft ACK verification.

• Reverse DNS lookups use the DNS packets contained in the input files, not an external DNS server.

15. LogRhythm

LogRhythm is best known for SIEM, threat intelligence, and UEBA (user and entity
behavior analytics). Started in 2003 out of Boulder, Colorado, it now includes network
forensics via a feature known as NetMon that is part of a larger suite but also available
as a stand-alone solution.

Key Differentiators

• LogRhythm aggregates packet capture and derived metadata, preserves the log data, and uses network forensic sensors to fill in the gaps.

• LogRhythm measures mean time to respond (MTTR).

• Dashboards are able to identify threats.


• LogRhythm offers application recognition of over 3,000 applications and metadata for visibility into network sessions.

• Script-based deep packet analytics (DPA) is available for real-time detection.

• LogRhythm provides session-based full packet capture.

• LogRhythm offers Layer 4–7 analysis with application ID.

• SmartCapture selective packet capture is available.

• Automation actions can obtain sessions through packet capture and future case analysis.

16. Global Digital Forensic

Global Digital Forensics has been involved in computer forensic analysis and litigation
support for over two decades. It offers a range of forensic services covering all digital
devices. Founded in 1992, GDF also provides e-discovery services, penetration testing,
and breach response services.

Key Differentiators

• Global Digital Forensics has its own labs as well as a global network of responders, allowing it to perform forensic analysis for virtually anything in any environment.

• GDF provides expert computer witness testimony in cases.


• Features include investigative tools for computers, email, mobile devices, social networks, and disk drives.

• Data retrieval and recovery services are available.

• GDF provides forensic readiness assessments.

• GPS and smartphone tracking, internet history analysis, image recovery and authentication, and chip-off analysis are available.

• GDF offers recovery of data from all devices, from mainframes to smartphones.

• Users can find evidence in log files and video.

1.8 DIGITAL FORENSICS FRAMEWORK AND MODELS:

1.8.1 FRAMEWORK:

Investigation process

All models agree on the importance of some phases, as we will see later. Most of the proposed frameworks accept some common starting points and give an abstract frame that forensic researchers and practitioners apply and use to develop new research horizons that meet continually evolving requirements.

Computer forensic investigative process

Back in 1984, Pollitt proposed the first methodology to deal with digital evidence in a way that remains scientifically reliable and legally acceptable. The proposed model was discussed in the Proceedings of the National Information Security Conference and consists of four main phases, as shown in the following diagram:


Figure 1 Computer Forensic Investigative Process

The first phase is Acquisition, where evidence is acquired with approval from the authorities and in an acceptable manner. It is followed by the Identification step, in which all evidence is transformed from digital format into a human-understandable format. The Evaluation phase comprises the tasks that determine the accuracy of the gathered evidence and whether it can indeed be considered relevant to the case being investigated. The final step is Admission, where all extracted evidence is presented.

1.8.2 DFRWS investigative model

The research roadmap from the Digital Forensic Research Workshop (DFRWS) proposed in 2001 a general-purpose digital forensic framework composed of six main phases:

Figure 2 DFRWS Investigative Model

This model was the foundation for further enhancements, since it was very consistent and standardized. Its phases are: Identification, Preservation, Collection, Examination, Analysis and Presentation (with a pseudo additional step: Decision). Each phase consists of some candidate techniques or methods. The first is Identification and comprises event or crime detection, signature resolving, anomaly detection, system monitoring, audit analysis, etc.


This is followed by the Preservation step, in which proper case management is set up, imaging technologies are used, and all measures are taken to ensure an accurate and acceptable chain of custody; preservation is a guarded principle across all forensic phases. Collection comes directly after, in which relevant data is collected based on approved methods, software, and hardware; in this step we also make use of different recovery techniques and lossless compression.

Following this step are two interesting and very crucial phases, Examination and Analysis, whereby evidence traceability and pattern matching are guaranteed; hidden data must then be discovered and extracted, and at this point data mining and timeline analysis are performed.

The last phase of this model is Presentation. Tasks related to this step are documentation, clarification, mission impact statement, recommendations and countermeasures, and expert testimony.
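The Preservation, Collection and Examination phases above all depend on being able to prove that what is examined is exactly what was acquired. The following Python, added here as an illustration and not part of the original notes or any of the tools listed, shows one way to implement that: hash the image at acquisition, keep a hash-chained chain-of-custody log, and refuse to examine a working copy whose hash no longer matches. The case id, item id, examiner names and the sample image bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real case would read the image file).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    case_id: str
    item_id: str
    acquisition_sha256: str            # fixed at Preservation; never updated afterwards
    custody_log: list = field(default_factory=list)

    def record(self, phase: str, examiner: str, action: str) -> None:
        """Append a custody entry that commits to the previous entry (tamper-evident log)."""
        prev = ""
        if self.custody_log:
            prev = sha256_hex(json.dumps(self.custody_log[-1], sort_keys=True).encode())
        self.custody_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "phase": phase, "examiner": examiner, "action": action, "prev": prev,
        })

    def log_is_consistent(self) -> bool:
        """Recompute every 'prev' link; an edited or deleted entry breaks the chain."""
        expected = ""
        for entry in self.custody_log:
            if entry["prev"] != expected:
                return False
            expected = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        return True


def acquire(case_id: str, item_id: str, source: bytes, examiner: str):
    """Preservation/Collection: bit-for-bit copy, hashed before anything else touches it."""
    working_copy = bytes(source)
    item = EvidenceItem(case_id, item_id, sha256_hex(working_copy))
    item.record("Preservation", examiner, "acquired image, sha256=" + item.acquisition_sha256)
    return item, working_copy


def verify_before_examination(item: EvidenceItem, working_copy: bytes, examiner: str) -> bool:
    """Examination gate: the copy about to be analysed must still match the acquisition hash."""
    ok = sha256_hex(working_copy) == item.acquisition_sha256
    item.record("Examination", examiner, "integrity check " + ("passed" if ok else "FAILED"))
    return ok


if __name__ == "__main__":
    item, copy = acquire("CASE-0001", "HDD-01", SAMPLE_IMAGE, "examiner A")   # constructed ids
    print("clean copy verified:", verify_before_examination(item, copy, "examiner B"))
    altered = copy[:600] + b"X" + copy[601:]      # one byte changed while in custody
    print("altered copy verified:", verify_before_examination(item, altered, "examiner B"))
    print("custody log consistent:", item.log_is_consistent())
```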

1.8.3 Abstract digital forensics model (ADFM)

As seen, the DFRWS Investigative Model was meant to be a generic “technology-independent” model. In 2002 Mark Reith, Clint Carr, and Gregg Gunsch, inspired by DFRWS, presented the Abstract Digital Forensic Model, an enhanced model composed of nine phases:


Figure 3 Abstract Digital Forensics Model (ADFM)

In this model, the Identification phase assumes that the incident type is well recognized and determined; this is an important step since all upcoming steps depend on it. It is followed by the Preparation step, the first newly introduced step, where tools, techniques, search warrants, monitoring authorization and management support are prepared. This step is followed by the second introduced step, Approach Strategy, which is meant to maximize the collection of evidence while minimizing the impact on the victim by formulating different approaches and procedures to follow. In the following phase, Preservation, all acquired data must be isolated and secured to keep it in its actual state.

All acquired digital evidence is duplicated, and the physical scene is recorded, based on standardized procedures; these tasks are performed under the Collection phase.

The next phase is Examination, whereby an in-depth systemic analysis is conducted to search the evidence relating to the current case. The probative value of the examined evidence is determined in the Analysis phase.

The following step is Presentation, where a summary of the process is developed; then comes the third introduced step, Returning Evidence, which closes the investigation process by returning physical and digital evidence to the proper owner.

The most important value added by this model (in contrast with the DFRWS Investigative Model) consists of comprehensive pre- and post-investigation procedures.

1.8.4 Integrated digital investigation process (IDIP)

The model was first proposed by Carrier and Spafford in 2003. The goal was to “integrate” all available models and investigative procedures, and the effort was made to map the digital investigative process to the physical investigative one. The model itself is quite big, since it is organized into five groups consisting of 17 phases.


Figure 4 The five groups of phases in the IDIP model

The model starts with the Readiness phase, which ensures that we are fully able to support the investigation (including the operations readiness phase, in which we provide all training and equipment for investigators, and the infrastructure readiness phase, which ensures that the needed data exists).

This is followed by the Deployment phase, where we provide mechanisms for an incident to be detected and confirmed; this phase consists of the detection and notification, then confirmation and authorization phases. Immediately after comes the Physical Crime Scene Investigation phase, where we collect and analyze physical evidence; this is meant to reproduce the actions that took place during the incident, and the phase consists of six phases as shown below:

After this comes the Digital Crime Scene Investigation phase. This model considers each digital device as a separate crime scene, and this phase ensures the collection of all electronic evidence; just like the previous one, this phase contains six ‘identical’ phases:


Both phases include Preservation, Survey for Physical/Digital Evidence, Document Evidence and Scene, Search for Physical/Digital Evidence, Physical/Digital Crime Scene Reconstruction and Presentation of Physical/Digital Scene Theory. The last phase of the model is the Review phase, in which the whole process is reviewed to find points of improvement and to identify new procedures or new training requirements.
