Forensic(CS)

The document provides an overview of computer forensics, detailing its importance in preserving, identifying, and analyzing electronic data for legal evidence. It covers various aspects such as the digital forensics life cycle, types of digital evidence, and the legal admissibility of findings. Additionally, it highlights the challenges faced in the field and the critical role of computer forensics in modern law enforcement and cybersecurity.

UNDERSTANDING COMPUTER FORENSICS

Syllabus

Understanding Computer Forensics: Introduction, Need for Computer Forensics, Cyber Forensics and Digital Forensics Science, Digital Evidence, The Forensics Analysis of E-Mail, Digital Forensics Life Cycle, Chain of Custody Concept, Network Forensics, Approaching a Computer Forensics Investigation, Forensics and Social Networking Sites: The Security/Privacy Threats, Challenges in Computer Forensics.

4.1 INTRODUCTION

Computer forensics is a branch of digital forensic science that involves the preservation, identification, extraction, documentation and interpretation of electronic data to be used as evidence in legal cases. Its main focus lies in the investigation of digital devices and data, aiming to unveil and analyse information pertaining to criminal or unauthorised activities. It involves a systematic investigation of digital storage devices such as hard drives, disks and tapes to gather evidence. Essentially, it encompasses the collection, safeguarding, scrutiny and demonstration of evidence linked to computers. Furthermore, this field is referred to by a variety of terms, including computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis and computer examination. The findings from computer forensics are valuable in criminal investigations, civil disagreements, as well as human resources and employment related matters.

Computer forensics is a specialised branch of forensic science that concentrates on collecting, analysing and safeguarding digital evidence to investigate and prevent cybercrime. It is a specialised domain: specialised tools and methodologies are used to retrieve different kinds of information, like deleted files, internet history and e-mails, from devices like computers, smartphones and other devices. This information can be used to investigate a wide range of crimes, including fraud, theft and cyber attacks. As a result, computer forensics is a critical component in modern law enforcement and cybersecurity, as it helps to identify and prosecute those who use technology to commit crimes. Computer forensics, also known as cyber forensics, primarily involves data recovery while adhering to legal guidelines to ensure the admissibility of the information in legal proceedings. The terms digital forensics and cyber forensics are often used interchangeably with computer forensics. Digital forensics commences with the collection of information in a manner that preserves its integrity. Investigators then proceed to analyse the data to ascertain any alterations, the nature of the changes and the responsible party. The forensic process is also utilised in data recovery procedures; these retrieve data from scenarios such as a crashed server, a failed drive, a reformatted operating system (OS), or any other situation where a system has unexpectedly ceased functioning. It is a process of extracting data as proof for a crime (that involves electronic devices) while following proper investigation rules, so that the culprit can be identified by presenting the evidence to the court. The main aim of cyber forensics is to maintain the thread of evidence and documentation to find out who committed the crime digitally.

Computer forensics can do the following:

• It can recover deleted files, chat logs, e-mails, etc.
• It can also recover deleted SMS messages and phone call records.
• It can recover recorded audio of phone conversations.
• It can determine which user used which system and for how long.
• It can identify which user ran which program.
4.2 DIGITAL FORENSICS SCIENCE

Digital Forensics Science is an interdisciplinary field that involves the identification, preservation, analysis and interpretation of electronic data to investigate and prevent cybercrimes and other digital incidents. It utilises scientific principles and specialised methodologies to acquire, safeguard, scrutinise and present electronic evidence in a legally acceptable manner. This constitutes the comprehensive procedure of identifying, preserving, analysing and presenting digital evidence.
Key aspects and components of digital forensics science are:

1. Objective and Purpose

The primary objective of digital forensics science is to collect, preserve and analyse electronic evidence to support legal investigations and proceedings. This evidence can be used to prove or disprove facts, establish timelines and identify individuals involved in digital activities.

2. Digital Evidence Types

Digital evidence encompasses a wide range of data, including files, e-mails, chat logs, system configurations, metadata, network traffic, digital images, videos and more. Both volatile and non-volatile data are crucial for investigations.

3. Forensic Process

The digital forensics process typically involves several stages, including identification and scoping, evidence collection and preservation, analysis, reconstruction, documentation and report presentation. These stages follow established procedures to maintain the integrity and admissibility of evidence.

4. Techniques and Tools

Digital forensic investigators use specialised methods and tools to gather, analyse and understand digital evidence. These tools help in data recovery, password cracking, disk imaging, metadata analysis and more.

5. Forensic Principles

• Locard's Exchange Principle: It posits that every interaction leaves behind a tangible mark, suggesting that individuals inevitably leave behind cues pertaining to their actions, which can subsequently be subjected to forensic analysis.
• Chain of Custody: Maintaining a documented and secure record of the movement of evidence from its acquisition to its presentation in court, ensuring its proper handling, integrity and admissibility.

6. Subfields within Digital Forensics

• Computer Forensics: Investigating data on computers and related devices.
• Mobile Device Forensics: Analysing data on mobile devices like smartphones and tablets.
• Network Forensics: Network forensics is like carefully looking at network traffic to find security problems and unauthorised access.
• Cloud Forensics: Analysing data stored in cloud environments and cloud-related incidents.

7. Skills and Expertise

Digital forensic professionals require expertise in computer systems, operating systems, file systems, networks, cybersecurity, forensic tools, programming, and legal aspects related to digital evidence.

8. Legal Admissibility

Ensuring that digital evidence is gathered and examined in such a way that it conforms to legal rules and can be used in court includes proper documentation, chain of custody, and compliance with legal and privacy regulations.

9. Challenges and Future Trends

Challenges include rapid technological advancements, encryption, anti-forensic techniques, cloud forensics and the sheer volume and variety of digital devices and data. Future trends include advancements in AI for forensic analysis, blockchain forensics and an increased emphasis on IoT and cloud investigations.

Digital forensics science is an essential discipline in today's digital age, aiding in solving cybercrimes, enhancing cybersecurity, providing crucial evidence for legal proceedings and ensuring the integrity and trustworthiness of digital information. It continues to evolve to meet the challenges posed by advancements in technology and the changing landscape of cyber threats.

4.3 NEED OF COMPUTER FORENSICS

Computer forensics is vital for investigating and solving crimes, ensuring legal admissibility of digital evidence, safeguarding data and intellectual property, responding to security incidents and overall contributing to a safer digital environment for individuals and organisations. Computer forensics is crucial for various reasons, particularly in the modern digital age where a significant amount of information and communication occurs electronically.

Some key reasons why computer forensics is important are:

1. Criminal Investigations: Computer forensics helps law enforcement agencies to investigate and solve crimes involving digital evidence. This can include cybercrimes, fraud, identity theft, hacking and more.

2. Digital Evidence Recovery: It allows for the recovery and preservation of digital evidence that may be crucial in criminal investigations. This evidence can help identify suspects, establish timelines and provide insights into criminal activities.

3. Litigation and Legal Proceedings: Digital evidence is now common in legal cases. Computer forensics helps in discovering, analysing and presenting electronic evidence in a legally admissible format during court proceedings.

4. Data Breach and Incident Response: In cases of data breaches or security incidents, computer forensics is used to identify the source, extent and impact of the breach. It helps organisations respond effectively and implement measures to prevent future occurrences.

5. Intellectual Property Theft: Companies use computer forensics to investigate when valuable information like trade secrets, secret formulas or private business strategies are stolen, either by employees or rival businesses.

6. Employee Misconduct: Employers use computer forensics to look into claims of employee wrongdoing, such as allegations of harassment, unauthorised data access or policy violations within the organisation.

7. Compliance Regulations: Many industries have specific compliance requirements related to data security and privacy. Computer forensics helps ensure compliance with these regulations by assisting in investigations and audits.

8. National Security: Government agencies use computer forensics to investigate cyber threats and attacks, ensuring national security by identifying and apprehending potential threat actors.

9. Risk Management and Prevention: By analysing digital evidence from past incidents, organisations can discover flaws in their systems, security measures and procedures. This helps in improving security and reducing the risk of future incidents.

10. Civil Disputes: Computer forensics is used in civil disputes, such as divorce cases or contract disputes, to uncover digital evidence that can support or refute claims made by the parties involved.

11. Expert Witness Testimony: Computer forensic experts may testify in court as expert witnesses, providing technical explanations and interpretations of complex digital evidence to help the judge and jury understand the information.
4.4 OBJECTIVE AND USES OF COMPUTER FORENSICS

Some essential objectives of using computer forensics are:

• It involves the recovery, analysis and preservation of computer and related materials in a manner that enables investigative agencies to present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and the identity of the main culprit.
• Designing procedures at a suspected crime scene which help to ensure that the digital evidence obtained is not corrupted.
• It helps in data acquisition and duplication, recovering deleted files and deleted partitions from digital media to extract the evidence and validate it.
• It helps to identify the evidence quickly and also allows the potential impact of the malicious activity on the victim to be estimated.
• Producing a computer forensic report which offers a complete report on the investigation process.
• Preserving the evidence by following the chain of custody.

Uses of Digital Forensics

In recent times, commercial organisations have used digital forensics in the following types of cases:

• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and e-mail in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerned with regulatory compliance

4.5 COMPUTER FORENSICS SERVICES

Computer forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:
... disputes and other legal matters where digital evidence from social networks is pertinent. It helps law enforcement, legal professionals and digital forensic experts, and it supports investigations and legal proceedings with critical evidence.
4.7 PROCESS OF DIGITAL FORENSICS

The digital forensics process involves a series of steps aimed at identifying, preserving, analysing and presenting digital evidence in a forensically sound manner for investigative or legal purposes. The process typically includes the following key stages:

1. Identification

It is the first step in the forensic process. The identification process mainly includes things like what evidence is present, where it is stored and lastly, how it is stored (in which format). Electronic storage media can be personal computers, mobile phones, PDAs, etc. This step is responsible for recognising and defining the scope of the investigation based on the incident, crime or issue at hand, and for establishing goals, objectives and the potential involvement of digital devices and data.

2. Collection and Preservation

Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with. Examiners make a digital copy, also called a forensic image, of the device's storage media and then they lock the original device in a safe or other secure facility to maintain its pristine condition. The investigation is conducted on the digital copy. This step gathers all relevant digital evidence from various sources, including computers, servers, mobile devices, network devices, cloud storage and any other potential storage media, and collects both volatile and non-volatile data.

After collection, the next step is to safely preserve the data and not allow other people to use that device, so that no one can tamper with the data. This step ensures the preservation of evidence by creating a forensically sound copy or image. This involves making an exact replica of the original digital data source without altering the original in any way. Data is isolated, secured and preserved. It includes prohibiting unauthorised personnel from using the digital device so that digital evidence is not tampered with, mistakenly or purposely, and making a copy of the original evidence.

3. Examination and Analysis

It is needed to conduct a detailed examination of the acquired digital evidence using specialised forensic tools and techniques. Analysing the data is useful to uncover potential leads, patterns, anomalies or traces of malicious activities. Delving deeper into the data to identify, extract and interpret relevant evidence is needed. After examination, the next step is to analyse the data or information. Here the expert recovers the deleted files and verifies the recovered data and system. This finds the evidence that the criminal tried to erase by deleting secret files. This process might take several iterations to reach the final conclusion. Investigators analyse digital copies of storage media in a sterile environment to gather the information for a case. Various tools are used to assist in this process, including Basis Technology's Autopsy for hard drive investigations and the Wireshark network protocol analyser. A mouse jiggler is useful when examining a computer to keep it from falling asleep and losing volatile memory data, which is lost when the computer goes to sleep or loses power.

4. Documentation

After analysing the data, a record is created. This record contains all the recovered and available (not deleted) data, which helps in recreating the crime scene and reviewing it. In this process, a record of all the visible data must be created. It involves proper documentation of the crime scene along with photographing, sketching and crime-scene mapping. It involves documenting all steps, methods, findings and conclusions throughout the digital forensic process and maintaining a detailed chain of custody to ensure the admissibility of evidence in court.

5. Presentation

This is the final step, in which the analysed data is presented in front of the court to solve cases. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to recover from a compromised system. It is the last step and consists of preparing a comprehensive report summarising the findings and analysis, and presenting the findings in a clear, concise and understandable manner, suitable for legal or investigative purposes.

Throughout the entire process, it is crucial to adhere to legal and ethical guidelines, maintain the integrity and authenticity of the evidence and respect privacy and confidentiality. The objective is to ensure that the digital forensic process is thorough, accurate and in compliance with applicable laws and regulations.
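The examination stage above says the expert "recovers the deleted files", and the analysis stage records what was found. The following Python script is an added example, not code from the textbook, of the simplest form of that recovery: signature-based file carving. It scans a raw image byte stream for the real JPEG (FF D8 FF ... FF D9) and PNG (89 50 4E 47 0D 0A 1A 0A ... IEND plus CRC) magic values, ignoring any file system, so a file whose directory entry was deleted but whose bytes have not been overwritten is still found, and it records offset, size and SHA-256 of each carved object for the documentation stage. The image, the file names and the tiny "files" inside it are constructed for the demonstration; a header with no footer within a size limit is skipped rather than carved into a meaningless blob.

```python
"""Signature-based file carving over a raw image (added example, not from the textbook)."""
import hashlib

# Header and footer magic bytes for the two file types carved here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return every header..footer region in `image`, ordered by offset.

    The search ignores any file system: it works purely on the byte stream,
    which is why a file deleted from the directory but not yet overwritten
    is still recovered. A header whose footer is not within `max_size` bytes
    is treated as a false or truncated hit and skipped.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # no footer in range: keep scanning past this header
                continue
            end += len(footer)
            data = image[start:end]
            found.append({
                "type": ftype,
                "offset": start,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # recorded for the report
                "data": data,
            })
            pos = end                    # carved objects of one type never overlap
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed image: two JPEGs and one PNG separated by 512-byte zero filler.

    The second JPEG stands in for a file whose directory entry was deleted;
    nothing in this image says which files are 'live', and carve() does not care.
    """
    jpg_live = b"\xff\xd8\xff\xe0" + b"JFIF-body-1" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk" + b"IEND\xae\x42\x60\x82"
    jpg_deleted = b"\xff\xd8\xff\xe1" + b"JFIF-body-2-deleted" + b"\xff\xd9"
    filler = b"\x00" * 512
    return filler + jpg_live + filler + png + filler + jpg_deleted + filler


def carve_summary(image):
    """(type, offset, size) for each carved object; the shape of a findings table."""
    return [(r["type"], r["offset"], r["size"]) for r in carve(image)]


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        print(f"{r['type']} at offset {r['offset']:>6} size {r['size']:>4} sha256 {r['sha256'][:16]}...")
```

Real carvers (the textbook names Autopsy, which bundles one) add per-format validation of the carved bytes, since a bare footer search over-carves when a JPEG embeds a thumbnail with its own FF D9; the skeleton above shows the principle the examination stage relies on.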
4.10 DIGITAL FORENSICS LIFE CYCLE

The Digital Forensics Life Cycle is a structured and systematic approach used in digital investigations to ensure that evidence is collected, preserved, analysed and reported in a reliable and defensible manner. It involves a series of well-defined stages that guide investigators through the entire process, from initial preparation to the final reporting.

4.10.1 Digital Forensic Life Cycle Phases

The digital forensic life cycle phases are:

1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation and attribution
6. Reporting

Fig. 4.4. Digital forensic life cycle phases. The figure shows the six phases as a cycle: 1. Identification/preparation (recognise incident; tools and techniques; search warrants; authorisation); 2. Search and seizure (recognise evidence; collect evidence; digital evidence documentation); 3. Preservation (secure evidence; protect the integrity of evidence); 4. Examination (duplicate evidence; recover data); 5. Analysis (determine significance; reconstruct fragments of data; draw conclusions); 6. Reporting (summarise; translate; explain conclusions).

1. Preparing for the Evidence and Identifying the Evidence

Understand the scope of the investigation, identify potential sources of evidence and plan the approach, resources and tools needed for the investigation. In order to be processed and analysed, evidence must first be identified. It might be possible that the evidence may be overlooked and not identified at all. A sequence of events in a computer might include interactions between:

• Different files
• Files and file systems
• Processes and files
• Log files

In the case of a network, the interactions can be between devices in the organisation or across the Internet. If the evidence is never identified as relevant, it may never be collected and processed.
2. Collecting and Recording Digital Evidence

Digital evidence can be sourced from a variety of places. Evidence sources include:

• Cell phones
• Cameras
• Computer hard drives
• Compact discs
• USB storage devices

Handling digital evidence with care is crucial since it can be easily altered. Any alterations render the evidence ineligible for further analysis. To address this, a cryptographic hash can be computed for the evidence file and subsequently used to verify if any modifications were made to the file. At times, valuable evidence may be present in volatile memory, necessitating specialised technical skills to collect volatile data.
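The hash sentence above, together with the collection and preservation stage in section 4.7 (image the media, work on the copy, keep the original pristine), is the whole acquisition discipline in two lines. The following Python script is an added example, not from the textbook, of carrying it out: it streams a source file into a bit-for-bit image, hashes the source while reading and the image after writing, refuses the acquisition if they disagree, and later re-verifies the image against the recorded digest. The "suspect USB" is a constructed file in a temporary directory, and the `os.chmod` call only mimics write protection at the file-permission level; it is an assumption of the demo, not a substitute for a hardware write blocker.

```python
"""Forensic acquisition with hash verification (added example, not from the textbook)."""
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a multi-GB image never has to fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`, returning the acquisition hash.

    The source is hashed as it is read and the written image is hashed again
    afterwards; if the two digests differ the acquisition is rejected, because
    an image that does not match the original proves nothing in court.
    """
    # Software-level guard only (assumption for the demo): a real acquisition
    # goes through a hardware write blocker so the suspect media cannot change.
    os.chmod(source, stat.S_IRUSR)
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    expected = src_hash.hexdigest()
    actual = sha256_file(image_path)
    if actual != expected:
        raise RuntimeError(f"acquisition failed: image {actual} != source {expected}")
    return expected


def verify_image(image_path, acquisition_hash):
    """Re-hash the image (e.g. on receipt after transport) and compare with the recorded value."""
    return sha256_file(image_path) == acquisition_hash


def demo():
    """Acquire a constructed 'suspect USB' file, verify the image, then show that a
    single appended byte is caught. Returns the paths, digest and both verdicts."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_usb.bin")   # constructed evidence, not a real device
    image = os.path.join(work, "suspect_usb.dd")
    with open(source, "wb") as f:
        f.write(b"constructed evidence bytes\n" * 50_000)  # ~1.35 MB, so copying spans two chunks
    digest = acquire_image(source, image)
    ok_before = verify_image(image, digest)
    with open(image, "ab") as f:                      # simulate corruption in transit
        f.write(b"\x00")
    ok_after = verify_image(image, digest)
    return {"source": source, "image": image, "digest": digest,
            "verified_after_acquisition": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    result = demo()
    print(f"acquisition hash: {result['digest']}")
    print(f"image verified:   {result['verified_after_acquisition']}")
    print(f"after tampering:  {result['verified_after_tamper']}")
```

The digest returned by `acquire_image` is the value that goes into the chain-of-custody record; everyone who later receives the image runs `verify_image` before touching it.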
3. Storing and Transporting Digital Evidence

Guidelines for the Handling of Digital Evidence:

• Ensure data integrity by using a write-blocking tool to image computer media, preventing any addition of data to the suspect device.
• Establish and uphold the chain of custody for the evidence.
• Thoroughly document every action taken during the handling of the evidence.
• Exclusively utilise tested and evaluated tools and methods to validate their precision and dependability.
• It is essential to track the movement of evidence accurately to prevent mishandling.
Attimes, evidence needs to be transported, either physically or through anetwork.
It's crucial to ensure that the evidence remains unchanged during transit. Typically,
analysis is performed on a copy of the real evidence. In case of any dispute regarding
the copy, the actual evidence can be presented in court.
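"Establish and uphold the chain of custody" and "document every action" are usually paper forms, but the same record can be kept so that a back-dated edit is detectable. The following Python class is an added example, not from the textbook, of a hash-chained custody ledger: every handover entry commits to the SHA-256 of the entry before it and carries the exhibit's acquisition hash, so editing, deleting or reordering an entry, or swapping the evidence itself, is reported by `verify()`. The exhibit identifier, the people and the hash in the demo are constructed; the ledger stores no secrets and is not a signature scheme, so it proves internal consistency, not who wrote it, which is what the signed paper form still supplies.

```python
"""Hash-chained chain-of-custody ledger (added example, not from the textbook)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(record):
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so hashing is repeatable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only custody record for one exhibit.

    Each entry commits to the hash of the entry before it, so editing,
    deleting or reordering any handover changes the hashes that follow and
    is detected by verify(). The exhibit's own hash is re-recorded at every
    handover, so a change to the evidence itself is also visible in the log.
    """

    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, action, actor, location, evidence_sha256, when=None):
        """Append one handling event and return its entry hash."""
        entry = {
            "seq": len(self.entries),
            "exhibit": self.exhibit_id,
            "action": action,            # e.g. acquired, transferred, received, examined
            "actor": actor,
            "location": location,
            "evidence_sha256": evidence_sha256,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (ok, problems); problems is a list of readable integrity findings."""
        problems = []
        prev = GENESIS
        acquisition_hash = self.entries[0]["evidence_sha256"] if self.entries else None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if _digest(body) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered after recording")
            if e["evidence_sha256"] != acquisition_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e["entry_hash"]
        return (not problems, problems)

    def to_json(self):
        """Serialised ledger, suitable for attaching to the examiner's report."""
        return json.dumps(self.entries, indent=2)


if __name__ == "__main__":
    # Constructed exhibit identifier, people and hash; none are real.
    h = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
    log = CustodyLog("EX-2024-0001")
    log.record("acquired", "examiner A", "lab safe 1", h)
    log.record("transferred", "courier B", "in transit", h)
    log.record("received", "examiner C", "lab 2 evidence room", h)
    print("clean ledger:", log.verify())
    log.entries[1]["actor"] = "someone else"        # back-dated edit of a handover
    print("after tampering:", log.verify())
```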
... timelines based on network event logs recorded by the Network Control Systems (NCS) and derive valuable insights to aid in investigations.
4.12.1 Processes Involved in Network Forensics
Network forensics involves several critical processes to effectively investigate incidents
and analyse network data. Here are the key steps involved:
1. Identification: This step includes recognising and determining that an incident has occurred based on network indicators, and evaluating the incident against those indicators to determine its nature and extent.
2. Preservation: In the second process, the examiner isolates the data to ensure preservation and security, preventing unauthorised access to the digital device and ensuring the integrity of digital evidence. Various software tools, including Autopsy and EnCase, are employed for data preservation, aiding in maintaining the pristine condition of the evidence and protecting it from tampering or alterations. It securely preserves and protects the data to prevent any unauthorised alteration or tampering, ensuring data integrity.
3. Collection: Collection is the process of recording the physical
scene and
duplicating digital evidence using standardised methods and procedures. It
documents a comprehensive report of the crime scene and duplicates all collected
digital pieces of evidence for further analysis.
4. Monitoring and Examination: It keeps track of all visible data and metadata,
meticulously observing network activities to gather relevant information. The
examiner might find many pieces of metadata from data which might be helpful
to bring to court.
5. Investigation and Analysis: Following the identification and preservation of
evidence (data), investigative agents proceed to reconstruct fragments of data.
Through a meticulous analysis of this data, agents draw conclusions based on the
evidence at hand. Notably, Security Information and Event Management (SIEM)
software plays a crucial role in this process. In this process, a final conclusion is
drawn from the collected shreds of evidence.
6. Documentation: Document and organise all pieces of
evidence, reports,
conclusions and findings, preparing them for presentation in court, ensuring a
structured and organised case presentation.
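The six steps above, and the timeline built "based on network event logs" that opens this section, come down to parsing device logs into ordered events and then reasoning over them. The following Python script is an added example, not from the textbook, of that monitoring and analysis step over a constructed set of firewall-style log lines (the line format, hostnames and addresses are assumptions for the demo, not any vendor's real format). It builds a time-sorted timeline, counts rather than silently drops lines that do not parse (so the report can say how much of the log was unusable), and then flags a source that was denied on many distinct ports within a short window, noting the first connection allowed from that source afterwards, which is the kind of conclusion the analysis step draws for the documentation step.

```python
"""Timeline and scan detection over network event logs (added example, not from the textbook)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall-style log lines (not real captures). One line is deliberately
# malformed and one is out of time order, as exports from real devices often are.
SAMPLE_LOG = [
    "2024-03-05T10:00:01Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp",
    "2024-03-05T10:00:03Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp",
    "2024-03-05T10:00:02Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-03-05T10:00:04Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp",
    "2024-03-05T10:00:05Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp",
    "2024-03-05T10:00:06Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-03-05T10:00:07Z fw1 DENY src=198.51.100.4 dst=192.0.2.10 dport=445 proto=tcp",
    "this line was corrupted during export",
    "2024-03-05T10:00:09Z fw1 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-03-05T10:00:10Z fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """One log line -> event dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev


def build_timeline(lines):
    """Parse all lines, count the unparseable ones, and return events sorted by time."""
    events, malformed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            malformed += 1          # never silently dropped: the count goes in the report
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, malformed


def detect_scans(events, min_ports=5, window_s=60):
    """Flag sources denied on >= min_ports distinct ports within window_s seconds,
    and note the first connection that was allowed from that source afterwards."""
    by_src = defaultdict(list)
    for ev in events:               # events are time-sorted, so each per-source list is too
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e["action"] == "DENY"]
        for i, first in enumerate(denies):
            window = [e for e in denies[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            ports = sorted({e["dport"] for e in window})
            if len(ports) < min_ports:
                continue
            last = window[-1]
            follow = next((e for e in evs if e["action"] == "ALLOW" and e["ts"] >= last["ts"]), None)
            findings.append({
                "src": src,
                "ports": ports,
                "start": first["ts"].isoformat(),
                "end": last["ts"].isoformat(),
                "allowed_after_scan": follow["dport"] if follow else None,
            })
            break                   # one finding per source is enough for the timeline
    return findings


if __name__ == "__main__":
    events, bad = build_timeline(SAMPLE_LOG)
    print(f"{len(events)} events, {bad} malformed line(s)")
    for f in detect_scans(events):
        print(f"{f['src']} probed ports {f['ports']} between {f['start']} and {f['end']}; "
              f"first allowed port afterwards: {f['allowed_after_scan']}")
```

The thresholds (`min_ports`, `window_s`) are analyst choices, not facts about the traffic; the report should state them alongside the finding, as it states the malformed-line count, so that the conclusion can be reproduced by the other side.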
4.12.2 Challenges in Network Forensics

Some common challenges are mentioned below:

Fig. 4.6 (a) Challenges in Network Forensics and proposed solutions

• Network speed challenge: specialised ports that capture high-speed data are needed; distributed packet capturing with load balancing among several nodes; specific hardware or an environment prepared for the system.
• Storage capacity challenge: a compressed bitmap index built in real time on a GPU; the index is offloaded to the GPU architecture, which can store up to 185 million records per second.
• Data integrity challenge: systematic analysis using GUI-based monitoring; ensuring the real-time integrity of packets, which depends on using hash functions and a forensics attribute property.
• Data privacy challenge: forensics attribution was proposed as a solution, which can help investigators to view data; it supports verification of each packet signature while enforcing the privacy property. The proposed solution can support both group signatures and BBS short signatures.
• Data extraction location challenge: this refers to another known issue in network forensics, related to the location of the data or evidence. A central log repository was proposed as a solution to deal with this issue, which allows all network traffic to pass through a central device. Another proposed solution depends on targeting primary network devices; this solution may be useful for a single event of interest.

Fig. 4.6 (b) Challenges in Network Forensics: intelligent network forensics tools; high-speed data transmission; data extraction locations; access to IP addresses; data privacy; data integrity; data storage on the network devices.