COMPUTER FORENSICS

Syllabus

Understanding Computer Forensics: Introduction, Need for Computer Forensics, Cyber Forensics and Digital Forensics Science, Digital Forensics Life Cycle, Chain of Digital Evidence, Forensics Analysis of E-Mail, Approaching a Computer Forensics Investigation, Chain of Custody Concept, Network Forensics,
4.1 INTRODUCTION

... electronic evidence to support legal investigations and proceedings. This evidence can be used to prove or disprove facts, establish timelines and identify individuals involved in digital activities.
2. Digital Evidence Types

Digital evidence encompasses a wide range of data, including files, e-mails, chat logs, system configurations, metadata, network traffic, digital images, videos and more. Both volatile and non-volatile data are crucial for investigations.
3. Forensic Process

The digital forensics process typically involves several stages, including identification and scoping, evidence collection and preservation, analysis, reconstruction, documentation and report presentation. These stages follow established procedures to maintain the integrity and admissibility of evidence.
4. Techniques and Tools

Digital forensic investigators use specialized methods and tools to gather, analyze, and understand digital evidence. These tools help in data recovery, password cracking, disk imaging, metadata analysis and more.
5. Forensic Principles

• Locard's Exchange Principle: It posits that every interaction leaves behind a tangible mark, suggesting that individuals inevitably leave behind cues pertaining to their actions, which can subsequently be subjected to forensic analysis.
• Chain of Custody: Maintaining a documented and secure record of the movement of evidence from its acquisition to its presentation in court, ensuring its integrity, handling and admissibility.
6. Subfields within Digital Forensics

• Computer Forensics: Investigating data on computers and related devices.
• Mobile Device Forensics: Analysing data on mobile devices like smartphones and tablets.
2. ... digital evidence can help identify suspects, establish timelines and provide insights into criminal activities.

3. ... electronic evidence in a legally admissible format during court proceedings in legal cases.

4. Data Breach and Incident Response: In cases of data breaches or security incidents, computer forensics is used to identify the source, extent and impact of the breach. It helps organisations respond effectively and implement measures to prevent future occurrences.

12. Expert Witness Testimony: Computer forensic experts serve as expert witnesses, providing explanations and information to help the judge and jury understand complex technical digital evidence.
4.4 OBJECTIVE AND USES OF COMPUTER FORENSICS

Some essential objectives of using computer forensics are:

• It involves the recovery, analysis, and preservation of computer and related materials in a manner that enables investigative agencies to present them as evidence in a court of law.
• It helps to postulate the motive behind the crime and identity of the main culprit.
• Designing procedures at a suspected crime scene which helps to ensure that digital evidence obtained is not corrupted.
• It helps in data acquisition and duplication, recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.
• Helps to identify the evidence quickly and also allows to estimate the potential impact of the malicious activity on the victim.
• Producing a computer forensic report which offers a complete report on the investigation process.
• Preserving the evidence by following the chain of custody.
Uses of Digital Forensics

In recent times, commercial organisations have used digital forensics in the following types of cases:

• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and e-mail in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance
4.5 COMPUTER FORENSICS SERVICES
4.7 PROCESS OF DIGITAL FORENSICS

The digital forensics process involves a series of steps aimed at ... in a forensically sound manner for investigative or legal purposes. The process typically includes the following key stages:

1. Identification

...

2. Collection and Preservation

Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with. Examiners make a digital copy, also called a forensic image, of the device's storage media and then they lock the original device in a safe or other secure facility to maintain its pristine condition. The investigation is conducted on the digital copy. It gathers all relevant digital evidence from various sources, including computers, servers, mobile devices, network devices, cloud storage and any other potential storage mediums, and collects both volatile and non-volatile data.

After collection the next step is to safely preserve the data and not allow other people to tamper with that data. This step ensures the preservation of evidence by creating a forensically sound copy or image. This involves making an exact replica of the original digital data source without altering the original in any way. Data is isolated, secured and preserved. It includes prohibiting unauthorized personnel from using the digital device so that digital evidence is not tampered with, purposely or mistakenly, and making a copy of the original evidence.
3. Examination and Analysis

It is needed to conduct a detailed examination of the acquired digital evidence using specialised forensic tools and techniques. Analysing the data is useful to uncover potential leads, patterns, anomalies, or traces of malicious activities. Delving deeper into the data to identify, extract and interpret relevant evidence, analysis is needed. After examination, the next step is to analyse the data or information. Here the expert recovers the deleted files and verifies the recovered data and system. This finds the evidence that the criminal tried to erase by deleting secret files. This process might take several iterations to reach the final conclusion. Investigators analyse digital copies of storage media in a sterile environment to gather the information for a case. Various tools are used to assist in this process, including Basis Technology's Autopsy for hard drive investigations and the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a computer to keep it from falling asleep and losing volatile memory data that is lost when the computer goes to sleep or loses power.

4. Documentation

After analysing data a record is created. This record contains all the recovered and available (not deleted) data which helps in recreating the crime scene and reviewing it. In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing, sketching and crime-scene mapping. It involves documenting all steps, methods, findings and conclusions throughout the digital forensic process and maintaining a detailed chain of custody to ensure the admissibility of evidence in court.

5. Presentation
This is the final step in which the analysed data is presented in front of the court to solve cases. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to recover from a compromised system. It is the last step and involves preparing a comprehensive report summarising the findings and analysis and presenting the findings in a clear, concise and understandable manner, suitable for legal or investigative purposes.

Throughout the entire process, it's crucial to adhere to legal and ethical guidelines, maintain the integrity and authenticity of the evidence and respect privacy and confidentiality. The objective is to ensure that the digital forensic process is thorough, accurate and in compliance with applicable laws and regulations.
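As an added example (not the textbook's own code), the following Python sketch ties together the preservation practice of stage 2 and the chain-of-custody record of stage 4: a bit-for-bit image is hashed against the source, and every hand-off is logged with a fresh hash so later tampering is detectable. The device contents, examiner names and record fields are constructed for the example.

```python
# Added example (not the textbook's code): imaging with hash verification
# plus a chain-of-custody log. SAMPLE_DEVICE is a constructed stand-in
# for storage media that would really be read through a write blocker.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample "storage media": header, one file, and slack space.
SAMPLE_DEVICE = b"MBR\x00" * 128 + b"report-final.docx contents" + b"\x00" * 256


def sha256_hex(data: bytes, chunk: int = 4096) -> str:
    """Hash in fixed-size chunks, as imaging tools do for large media."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: when, who, what, and the image hash then."""
    when: str
    handler: str
    action: str
    image_hash: str


@dataclass
class ForensicImage:
    image: bytes
    acquisition_hash: str
    custody: list = field(default_factory=list)

    def log(self, handler: str, action: str) -> None:
        """Every hand-off re-hashes the image so later tampering is visible."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.custody.append(CustodyRecord(stamp, handler, action, sha256_hex(self.image)))

    def verify(self) -> bool:
        """True only while the image matches the hash taken at acquisition."""
        return sha256_hex(self.image) == self.acquisition_hash


def acquire(device: bytes, examiner: str) -> ForensicImage:
    """Bit-for-bit copy of the source; source and copy are hashed separately."""
    source_hash = sha256_hex(device)
    image = bytes(device)  # exact replica; the original is only ever read
    if sha256_hex(image) != source_hash:
        raise RuntimeError("image does not match source media")
    fi = ForensicImage(image, source_hash)
    fi.log(examiner, "acquired image, verified against source")
    return fi
```

A single flipped byte in the image makes `verify()` return False, and the custody log shows the last hand-off at which the hash still matched.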
4.10 DIGITAL FORENSICS LIFE CYCLE

4.10.1 Digital Forensic Life Cycle Phases

Digital forensic life cycle phases are:

1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation and attribution
6. Reporting
Digital forensic life cycle (figure):

1. Identification/preparation: Recognize incident; Tools and techniques; Search warrants; Authorization
2. Search and seizure: Recognize evidence; Collect evidence; Digital evidence documentation
3. Preservation: Secure evidence; Protect the integrity of evidence
4. Examination: Duplicate evidence; Recover data
5. Analysis: Determine significance; Reconstruct fragments of data; Draw conclusions
6. Reporting: Summarize; Translate; Explain conclusions
... is needed so ... packets by ensuring real time ..., which depends on using hash function and ... property. Forensics attribute was proposed as a solution which can help investigators to view data ...

Data privacy challenge: ... forensics attribution, ... it will support verification for each packet signature whereas it enforces ... property. Proposed solution for this issue can support both group signature and BBC short signature.
Fig. 4.6 (b) Challenges in Network Forensics: intelligent network forensics tools; high speed data transmission; data extraction locations; data storage on the network devices; access to IP address; data integrity; data privacy.