UNIT 4 CS Notes As Per New Syllabus

Computer Forensics is the scientific investigation of digital devices to gather evidence suitable for legal proceedings, encompassing various types such as disk, network, and mobile forensics. The process involves identification, preservation, analysis, documentation, and presentation of evidence, while employing tools and techniques to ensure data integrity. Cyber forensics plays a crucial role in tracing criminal activities and protecting organizations from cyber threats, although it faces challenges such as the need for technical expertise and the risk of evidence tampering.

UNIT 4

Understanding Computer Forensics


Introduction
Computer forensics is the application of scientific investigation and analysis techniques to gather evidence from digital devices, computer networks, and their components in a form that is suitable for presentation in a court of law or other legal body. It involves performing a structured investigation while maintaining a documented chain of custody, so that an examiner can establish exactly what happened on a computer and who was responsible for it.
Types of Computer Forensics
• Disk Forensics: extracting and examining data from the primary or secondary storage of a device, including active, modified, and deleted files.
• Network Forensics: a sub-branch of computer forensics that involves monitoring and analyzing network traffic.
• Database Forensics: the study and examination of databases and their related metadata.
• Malware Forensics: the identification of suspicious code and the study of viruses, worms, etc.
• Email Forensics: the recovery and analysis of emails, including deleted emails, calendars, and contacts.
• Memory Forensics: collecting data from system memory (system registers, cache, RAM) in raw form and then analyzing it for further investigation.
• Mobile Phone Forensics: the examination and analysis of phones and smartphones to retrieve contacts, call logs, incoming and outgoing SMS, and other data stored on them.
Characteristics
• Identification: identifying what evidence is present, where it is stored, and in which format it is stored. The electronic devices involved may be personal computers, mobile phones, PDAs, etc.
• Preservation: the data is isolated, secured, and preserved. Unauthorized personnel are prevented from using the digital device so that the evidence is not tampered with, accidentally or deliberately, and a verified copy of the original evidence is made for analysis.
• Analysis: forensic lab personnel reconstruct fragments of data and draw conclusions based on the evidence.
• Documentation: a record of all the data found is created, which helps in recreating and reviewing the crime scene. All findings of the investigation are documented.
• Presentation: the documented findings are presented in a court of law for further proceedings.

Procedure
The procedure starts with identifying the devices involved and collecting preliminary evidence at the crime scene. A court warrant is then obtained for the seizure of the evidence, and the evidence is seized. It is transported to the forensics lab for further investigation. The documented record of who handled the evidence, when, where, and for what purpose, from seizure through transport, analysis, and presentation, is called the chain of custody. The evidence is then copied (imaged) for analysis and the original is kept safe, because analysis is always performed on the copy and never on the original evidence.
The copy is analyzed for suspicious activity and the findings are documented in a nontechnical tone. The documented findings are then presented in a court of law for further proceedings.
Some Tools used for Investigation:
Tools for Laptop or PC:
• COFEE (Computer Online Forensic Evidence Extractor): a suite of tools for Windows developed by Microsoft.
• The Coroner's Toolkit: a suite of programs for Unix analysis.
• The Sleuth Kit: a library of tools for both Unix and Windows.
Tools for Memory:
• Volatility
• WindowsSCOPE
Tools for Mobile Devices:
• Micro Systemation XRY/XACT
Applications
• Intellectual property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the internet and email in the workplace
• Forgery-related matters
• Bankruptcy investigations
• Regulatory compliance issues
Advantages of Computer Forensics:
• It produces evidence for the court, which can lead to the punishment of the culprit.
• It helps companies gather important information about whether their computer systems or networks have been compromised.
• It efficiently tracks down cyber criminals from anywhere in the world.
• It helps protect the organization's money and valuable time.
• It allows factual evidence to be extracted, processed, and interpreted so that the cybercriminal's actions can be proved in court.
Disadvantages
• Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• Authentic and convincing evidence must be produced.
• If the tool used for digital forensics does not meet the specified standards, the evidence may be ruled inadmissible in a court of law.
• A lack of technical knowledge on the part of the investigating officer may not give the desired result.
Digital Forensics Science
Digital forensics is a branch of forensic science that covers the identification, collection, analysis, and reporting of valuable digital information found on digital devices related to computer crimes, as part of an investigation. In simple words, digital forensics is the process of identifying, preserving, analyzing, and presenting digital evidence. The first computer crimes were recognized in the Florida Computer Crimes Act of 1978, and after this the field of digital forensics grew rapidly during the late 1980s and 1990s. It covers areas of analysis such as storage media, hardware, operating systems, networks, and applications. At a high level it consists of 5 steps:
1. Identification of evidence: identifying evidence related to the digital crime in storage media, hardware, operating system, network and/or applications. It is the most important and basic step.
2. Collection: preserving the digital evidence identified in the first step so that it does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: analyzing the collected digital evidence of the committed computer crime in order to trace the criminal and the possible path used to breach the system.
4. Documentation: properly documenting the whole digital investigation, the digital evidence, the loopholes of the attacked system, etc., so that the case can be studied and analyzed in the future and presented in court in a proper format.
5. Presentation: presenting all the digital evidence and documentation in court in order to prove the digital crime committed and identify the criminal.
Branches of Digital Forensics
• Media Forensics: the branch of digital forensics covering the identification, collection, analysis, and presentation of audio, video, and image evidence during the investigation process.
• Cyber Forensics: the branch of digital forensics covering the identification, collection, analysis, and presentation of digital evidence during the investigation of a cyber crime.
• Mobile Forensics: the branch of digital forensics covering the identification, collection, analysis, and presentation of digital evidence during the investigation of a crime committed through a mobile device such as a mobile phone, GPS device, or tablet.
• Software Forensics: the branch of digital forensics covering the identification, collection, analysis, and presentation of digital evidence during the investigation of a crime related only to software.
Cyber Forensics
Cyber forensics is the process of extracting data as proof of a crime that involves electronic devices, while following proper investigation rules, so that the culprit can be identified by presenting the evidence in court. Cyber forensics is also known as computer forensics. Its main aim is to maintain the thread of evidence and documentation needed to find out who committed the crime digitally. Cyber forensics can do the following:
• Recover deleted files, chat logs, emails, etc.
• Recover deleted SMS messages and call records.
• Retrieve recorded audio of phone conversations, where such recordings exist.
• Determine which user used which system and for how long.
• Identify which user ran which program.
Why is cyber forensics important?
In today's technology-driven generation, the importance of cyber forensics is immense. Technology combined with forensic science paves the way for quicker investigations and accurate results. The following points show the importance of cyber forensics:
• It helps in collecting important digital evidence to trace the criminal.
• Electronic equipment stores massive amounts of data that an ordinary person never sees. For example, in a smart house the devices record spoken commands and the actions they perform, and this data can be crucial to an investigation.
• It also helps innocent people prove their innocence through the evidence collected.
• It is used not only to solve digital crimes but also real-world crimes such as theft, murder, etc.
• Businesses benefit equally from cyber forensics in tracking system breaches and finding the attackers.
The Process Involved in Cyber Forensics
1. Obtaining a forensic (bit-for-bit) copy of the system that is, or is required to be, inspected.
2. Authenticating and verifying the copy, typically by comparing cryptographic hashes of the original and the copy.
3. Recovering deleted files (for example, using the Autopsy tool).
4. Using keyword searches to find the information needed.
5. Producing a technical report.
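The first two steps above, taking a copy and verifying it, come down to hashing and record keeping. The following Python script is an added example (it is not part of these notes) that copies a constructed evidence file, records the SHA-256 of the original before and after copying and of the working copy in a JSON-lines custody log, and later re-verifies the copy. The file names, the log format and the examiner identifier are assumptions for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, working_copy, log_path, examiner):
    """Copy the original evidence, hash it and the copy, and append a custody record.

    The original is hashed before and after the copy so a reviewer can see that
    the acquisition itself did not alter the source. Returns the record written.
    """
    before = sha256_file(original)
    shutil.copyfile(original, working_copy)
    after = sha256_file(original)
    copy_hash = sha256_file(working_copy)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,                      # assumed examiner identifier
        "action": "acquire",
        "original": os.path.basename(original),
        "original_sha256_before": before,
        "original_sha256_after": after,
        "working_copy": os.path.basename(working_copy),
        "working_copy_sha256": copy_hash,
        "verified": before == after == copy_hash,
    }
    with open(log_path, "a") as log:               # one JSON record per line (assumed format)
        log.write(json.dumps(record) + "\n")
    return record


def verify(path, log_path):
    """Re-hash a working copy and compare it with the last custody record for it.

    Returns False if the hash differs or no record exists; either way the copy
    cannot be relied on and the analysis must restart from a fresh image.
    """
    expected = None
    with open(log_path) as log:
        for line in log:
            rec = json.loads(line)
            if rec["working_copy"] == os.path.basename(path):
                expected = rec["working_copy_sha256"]
    return expected is not None and sha256_file(path) == expected


def demo():
    """Run acquire/verify on a constructed 'disk image' in a temporary directory."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "suspect_drive.dd")
    with open(original, "wb") as f:                # constructed sample evidence
        f.write(b"MBR" + os.urandom(4096) + b"deleted invoice.pdf")
    copy = os.path.join(work, "suspect_drive_copy.dd")
    log = os.path.join(work, "custody.jsonl")
    record = acquire(original, copy, log, examiner="examiner-01")
    ok_before = verify(copy, log)
    with open(copy, "r+b") as f:                    # simulate tampering with the copy
        f.write(b"XXX")
    ok_after = verify(copy, log)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

In practice the log would also carry the write-blocker used, the device serial number and the hand-over signatures; the point shown here is that every later step can be checked back against a hash that was recorded at acquisition time.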
How do cyber forensics experts work?
Cyber forensics follows certain procedures to find evidence and reach conclusions after proper investigation of the matter. The procedure that cyber forensics experts follow is:
1. Identification: the first step is to identify what evidence is present, where it is stored, and in which format it is stored.
2. Preservation: after identifying the data, the next step is to safely preserve it and not allow other people to use the device, so that no one can tamper with the data.
3. Analysis: after obtaining the data, the next step is to analyze the data or system. Here the expert recovers deleted files, verifies the recovered data, and finds the evidence that the criminal tried to erase by deleting files. This process may take several iterations to reach a final conclusion.
4. Documentation: after analyzing the data, a record is created. This record contains all the recovered and available (not deleted) data, which helps in recreating and reviewing the crime scene.
5. Presentation: the final step, in which the analyzed data is presented in court to decide the case.
Techniques that cyber forensic investigators use
Cyber forensic investigators use various techniques and tools to examine data. Some of the commonly used techniques are:
• Reverse Steganography: steganography is a method of hiding data inside a digital file such as an image or audio file. Cyber forensic experts reverse the process to extract the hidden data and relate it to the case.
• Stochastic Forensics: experts analyze and reconstruct digital activity that leaves no conventional digital artifacts (for example, an insider copying files they are authorized to read) by studying the statistical patterns such activity leaves in file system metadata, such as access times.
• Cross-drive Analysis: information found on multiple drives is correlated and cross-referenced (for example, identifiers that appear on several drives) to find and preserve information relevant to the investigation.
• Live Analysis: the suspect's computer is analyzed from within the running operating system. It targets the volatile data in RAM, such as running processes, network connections, and encryption keys, which is lost once the machine is powered off.
• Deleted File Recovery: searching storage, including unallocated space, for fragments of a partially deleted file in order to recover it as evidence. When the file system metadata is gone, files can still be carved out by their known header and footer signatures.
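As an added example (not from these notes), the following Python script carves deleted PNG and JPEG files out of a constructed block of "unallocated space" by their header and footer signatures, hashes each carved file so the recovery can be documented, and checks the carved PNG's chunk CRCs to detect a file whose sectors were partly overwritten. The signatures are the real PNG and JPEG magic bytes; the sample image, the filler pattern and the size limit are assumptions for illustration.

```python
import hashlib
import struct
import zlib

# Header/footer signatures used to carve files out of unallocated space once the
# file system's own metadata (directory entry, inode, MFT record) is gone.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan a raw image for header/footer pairs and return the carved files.

    Each result records the type, start offset, size and SHA-256 of the carved
    bytes so the recovery can be documented and reproduced. A header with no
    footer within max_size bytes (partially overwritten file) is skipped.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(tail)
            data = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def png_chunks_ok(data):
    """Verify every chunk CRC of a carved PNG.

    A failing CRC means the carve swept up sectors that were reused by another
    file, so the recovered image cannot be presented as intact evidence.
    """
    pos = 8  # skip the 8-byte signature
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False  # truncated chunk
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if tag == b"IEND":
            return True
    return False  # ran out of data before IEND


def make_png(width=2, height=2):
    """Build a minimal valid RGB PNG in memory (constructed test data).

    IDAT uses a stored zlib block (compress level 0) so the bytes are predictable.
    """
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    raw = b"".join(b"\x00" + b"\x80\x00\x00" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw, 0)) + chunk(b"IEND", b""))


def make_image():
    """Constructed 'unallocated space': deterministic filler around a deleted JPEG and PNG.

    Returns the image plus the two embedded files so a caller can check the carve.
    """
    png = make_png()
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    filler = lambda n: bytes((i * 37) % 251 for i in range(n))  # never contains 0xff
    return filler(512) + jpeg + filler(300) + png + filler(200), jpeg, png


if __name__ == "__main__":
    image, _, _ = make_image()
    for hit in carve(image):
        print(hit["type"], hit["offset"], hit["size"], hit["sha256"][:16])
```

Signature carving recovers contiguous files only; a fragmented file needs the file system journal or metadata-aware tools such as The Sleuth Kit, which is why the CRC check matters before a carved file is reported as evidence.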
Advantages of Cyber Forensics
• It helps establish whether a computer's integrity has been compromised.
• Through cyber forensics, many people and companies learn about such crimes and take proper measures to avoid them.
• It finds evidence on digital devices and presents it in court, which can lead to the punishment of the culprit.
• It efficiently tracks down the culprit anywhere in the world.
• It helps people and organizations protect their money and time.
• The relevant findings can be publicized to make the public aware of such crimes.
What skills are needed to be a cyber forensic expert?
The following skills are required to be a cyber forensic expert:
• Cyber forensics is based on technology, so knowledge of various technologies, computers, mobile phones, network attacks, security breaches, etc. is required.
• The expert should be very attentive while examining large amounts of data to identify proof/evidence.
• The expert must be aware of criminal law and criminal investigation procedures.
• Technology changes constantly, so experts must stay up to date with the latest technology.
• Experts must be able to analyze data, draw conclusions from it, and interpret it properly.
• The expert must have good communication skills so that, when presenting evidence in court, everyone understands each detail with clarity.
• The expert must have strong knowledge of basic cyber security.
Digital Evidence
Digital Evidence Collection in Cybersecurity
In the early 1980s PCs became popular and easily accessible to the general population. This led to increased use of computers in all fields, and criminal activity was no exception. As more computer-related crimes began to surface, such as computer fraud and software cracking, the discipline of computer forensics emerged along with them. Today digital evidence collection is used in the investigation of a wide variety of crimes such as fraud, espionage, cyberstalking, etc. The knowledge and techniques of forensic experts are used to explain the current state of the digital artifacts in the seized evidence, such as computer systems, storage devices (SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as emails, images, documents, chat logs, phone logs, etc.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are:
• Data collection: data is identified and collected for investigation.
• Examination: the collected data is examined carefully.
• Analysis: different tools and techniques are used and the collected evidence is analyzed to reach a conclusion.
• Reporting: all documentation and reports are compiled so that they can be submitted in court.

Types of Collectible Data:
The computer investigators and experts who examine the seized devices have to understand what kinds of potential evidence could be present and what type of evidence they are looking for, so that they can structure their search. Crimes and criminal activities that involve computers span a wide spectrum, from trading illegal goods such as rare and endangered animals, to damaging intellectual property, to personal data theft, etc.
The investigator must pick suitable tools to use during the analysis. Investigators may encounter several problems while investigating a case: files may have been deleted from the computer, damaged, or even encrypted. So the investigator should be familiar with a variety of tools, methods, and software, and with how to prevent the data from being damaged during the recovery process.
There are two types of data that can be collected in a computer forensics investigation:
• Persistent Data: data stored on non-volatile storage such as a local hard drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these devices is preserved even when the computer is turned off.
• Volatile Data: data stored in volatile memory such as registers, cache, and RAM, or data in transit on the network, which is lost once the computer is turned off or loses power. Since volatile data is evanescent, it is crucial that an investigator knows how to capture it reliably, and it should be collected before persistent data (the order of volatility).
Types of Evidence:
Collecting evidence is really important in any investigation to support the claims made in court. Below are some major types of evidence.
• Real Evidence: physical or tangible evidence such as flash drives, hard drives, printed documents, etc.
• Hearsay Evidence: an out-of-court statement offered in court to prove the truth of the matter asserted. Hearsay is generally inadmissible unless it falls under an exception, such as business records.
• Original Evidence: an out-of-court statement made by a person who is not a testifying witness, offered to prove that the statement was made rather than to prove its truth.
• Testimony: a witness takes an oath in a court of law and gives their statement in court.
Whatever its type, the evidence presented should be authentic, accurate, reliable, and admissible, as it can be challenged in court.
Challenges Faced During Digital Evidence Collection:
• Evidence must be handled with the utmost care, as data stored on electronic media can be damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of the collected data.
Recovering information from devices as digital evidence is becoming a fundamental part of investigations for law enforcement and courts all around the world. The methods used to extract information and evidence must be robust, to ensure that all related information and data are recovered and reliable. The methods must also be legally defensible, to ensure that the original evidence and data have not been altered in any way and that no data was deleted from or added to the original evidence.
Email Forensics
Email forensics is exactly what it sounds like: the analysis of emails and their content to determine the legitimacy, source, date, time, actual sender, and recipients of a message in a forensically sound manner. The aim is to provide admissible digital evidence for use in civil or criminal courts.
Role of Email in Investigation
Email plays a very important role in business communication and has emerged as one of the most important applications on the internet. It is a convenient way of sending messages as well as documents, not only from computers but also from other electronic devices such as mobile phones and tablets.
The negative side of email is that criminals may use it to leak important information about their company. Hence the role of email in digital forensics has grown in recent years. In digital forensics, emails are considered crucial evidence, and email header analysis has become important for collecting evidence during the forensic process.
An investigator has the following goals while performing email forensics:
• To identify the main criminal
• To collect the necessary evidence
• To present the findings
• To build the case
Challenges in Email Forensics
Email forensics plays a very important role in investigations, as most communication in the present era relies on email. However, an email forensic investigator may face the following challenges during an investigation:
Fake Emails
The biggest challenge in email forensics is the use of fake emails, created by manipulating or scripting headers. Criminals in this category also use temporary (disposable) email services, which let a user receive email at an address that expires after a certain period of time.
Spoofing
Another challenge in email forensics is spoofing, in which a criminal presents an email as coming from someone else by forging the From header (and often the Return-Path). The From header is written by the sender and proves nothing on its own; however, each mail server that relays the message adds its own Received header recording the IP address it accepted the message from, so the receiving machine's header chain contains both the claimed sender and the real originating IP address.
Anonymous Re-emailing
Here an email server (an anonymous remailer) strips identifying information from the message before forwarding it on. This is another big challenge for email investigations.
Techniques Used in Email Forensic Investigation
Email forensics is the study of the source and content of email as evidence, to identify the actual sender and recipient of a message along with other information such as the date/time of transmission and the intention of the sender. It involves investigating metadata, examining servers and network devices, and keyword searching.
Some of the common techniques used in email forensic investigation are:
• Header Analysis: examining the Received, Return-Path, Message-ID, and similar headers to trace the path a message took and the host it originated from.
• Server Investigation: examining copies of delivered emails and the server logs retained by the mail provider.
• Network Device Investigation: using logs from routers, firewalls, and switches when the mail server logs are unavailable.
• Sender Mailer Fingerprints: identifying the software used to compose and send the message from headers such as X-Mailer or User-Agent.
• Software Embedded Identifiers: information about the sender embedded in the message or its attachments by the creating software, such as document metadata.
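An added example of header analysis, which is not part of these notes: the Python script below parses a constructed spoofed message with the standard email package, walks its Received headers from the earliest hop (bottom) to the latest (top), pulls out the host and IP address each relay recorded, and reports where the claimed From domain disagrees with the Return-Path and with the first hop. A second, genuine message shows the clean case. The sample messages, their host names and the documentation-range IP addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: header claims the bank's domain, but the
# Received: chain (one header per relay, newest on top) shows the message
# entered the mail system at a host that has nothing to do with that domain.
SPOOFED = """\
Return-Path: <bounce@mail-campaign.example.net>
Received: from mx2.victim.example.org (mx2.victim.example.org [203.0.113.20])
\tby inbox.victim.example.org with ESMTP id 7QdA; Mon, 3 Jun 2024 09:12:44 +0000
Received: from mailer7.mail-campaign.example.net (unknown [198.51.100.77])
\tby mx2.victim.example.org with ESMTPS id 7QcZ; Mon, 3 Jun 2024 09:12:41 +0000
Received: from [192.0.2.5] (helo=bank.example.com)
\tby mailer7.mail-campaign.example.net with esmtp; Mon, 3 Jun 2024 09:12:39 +0000
From: "Account Security" <alerts@bank.example.com>
To: victim@victim.example.org
Subject: Action required
Message-ID: <20240603091239.1234@bank.example.com>

Please verify your account.
"""

# Constructed genuine message for comparison: the bounce address and the only
# hop both stay inside the sending domain.
GENUINE = """\
Return-Path: <alerts@bank.example.com>
Received: from mail.bank.example.com (mail.bank.example.com [203.0.113.9])
\tby mx2.victim.example.org with ESMTPS id 8AbC; Mon, 3 Jun 2024 10:00:00 +0000
From: alerts@bank.example.com
To: victim@victim.example.org
Subject: Statement available

Your statement is ready.
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(msg):
    """Return the hops oldest-first as dicts with the host and IP each relay recorded."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        flat = " ".join(str(header).split())                # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group(0))
        hops.append({"host": m.group(1).strip("[]"), "ip": ip.group(1) if ip else None,
                     "info": m.group(2) or ""})
    return hops


def domain_of(addr):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    """Parse a raw message and list the header-level reasons to doubt its From: address."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg.get("Return-Path"))
    hops = received_chain(msg)
    indicators = []
    if return_domain and return_domain != from_domain:
        indicators.append("Return-Path domain %s differs from From domain %s"
                          % (return_domain, from_domain))
    if hops and not hops[0]["host"].endswith(from_domain):
        indicators.append("first hop %s (%s) is outside %s"
                          % (hops[0]["host"], hops[0]["ip"], from_domain))
    return {"from_domain": from_domain, "origin_ip": hops[0]["ip"] if hops else None,
            "hops": hops, "indicators": indicators}


if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        report = analyze(raw)
        print(report["from_domain"], report["origin_ip"], report["indicators"] or "no indicators")
```

Only the Received header added by your own (trusted) server is guaranteed genuine; an attacker can prepend forged Received lines below it. The chain is therefore read top-down from the trusted server, and the first untrusted hop it recorded is the one to pivot to server logs on.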
Extraction of Information from EML files
EML files are emails stored as individual files and are widely used for storing email messages. They are structured text files (RFC 822/MIME format) that are compatible across multiple email clients such as Microsoft Outlook, Outlook Express, and Windows Live Mail.
An EML file stores the email headers, body content, and attachment data as plain text. Binary data is encoded with base64, and text content is typically stored with Quoted-Printable (QP) encoding. A Python script that can be used to extract information from an EML file is given below.
First, import the following Python libraries:
First, import the following Python libraries as shown below −
from __future__ import print_function
from argparse import ArgumentParser, FileType
from email import message_from_file
import os
import quopri
import base64
Of the above libraries, quopri decodes QP-encoded values from EML files and base64 decodes base64-encoded data; the email package can also perform this decoding itself through get_payload(decode=True), driven by each part's Content-Transfer-Encoding header.
Next, let us provide the command-line handler. Note that it accepts only one argument, the path to the EML file. Since this block calls main(), it goes at the end of the finished script, after the function definitions shown next.
if __name__ == '__main__':
    parser = ArgumentParser('Extracting information from EML file')
    parser.add_argument("EML_FILE", help="Path to EML File", type=FileType('r'))
    args = parser.parse_args()
    main(args.EML_FILE)
Now, we need to define the main() function, in which we use message_from_file() from the email library to read the file-like object. The resulting message object, emlfile, gives access to the headers, body content, attachments, and other payload information:
def main(input_file):
    emlfile = message_from_file(input_file)
    for key, value in emlfile.items():      # public header API (_headers is private)
        print("{}: {}".format(key, value))
    print("\nBody\n")
    if emlfile.is_multipart():
        # walk() descends into nested containers (e.g. multipart/alternative inside multipart/mixed)
        for part in emlfile.walk():
            if not part.is_multipart():
                process_payload(part)
    else:
        process_payload(emlfile)
Now, we need to define the process_payload() function, which extracts the body content with get_payload(). Passing decode=True makes the email package undo the Content-Transfer-Encoding (Quoted-Printable or base64) and return raw bytes, which are then decoded with the part's declared charset. We also check the content MIME type so that HTML bodies and attachments are written to files while plain text is printed. Note that an attachment's file name comes from the (untrusted) message, so only its base name is used to avoid writing outside the current directory. Observe the code given below:
def process_payload(payload):
    ctype = payload.get_content_type()
    print(ctype + "\n" + "=" * len(ctype))
    # decode=True undoes the Content-Transfer-Encoding and returns bytes
    body = payload.get_payload(decode=True) or b""
    if ctype.startswith("application") or payload.get_filename():
        # attachment: write the decoded bytes under the declared (sanitised) file name
        name = os.path.basename(payload.get_filename() or "attachment.bin")
        with open(name, "wb") as fh:
            fh.write(body)
        print("Exported: {}\n".format(name))
        return
    charset = payload.get_content_charset() or "utf-8"
    try:
        text = body.decode(charset)
    except (UnicodeDecodeError, LookupError):
        text = body.decode("cp1252", errors="replace")
    if ctype == "text/html":
        # args is the global set in the __main__ block; the HTML body is saved beside the script
        outfile = os.path.basename(args.EML_FILE.name) + ".html"
        with open(outfile, "w", encoding="utf-8") as fh:
            fh.write(text)
        print("Exported: {}\n".format(outfile))
    else:
        print(text)
After executing the above script, we get the header information along with the various payloads on the console.
Analyzing MSG Files using Python
Email messages come in many different formats. MSG is one such format, used by Microsoft Outlook and Exchange. An MSG file is a binary OLE compound file that stores the message headers, the body (plain text, RTF and/or HTML), hyperlinks, and attachments as separate streams.
In this section, we will learn how to extract information from an MSG file using the Outlook API. Note that the following Python script works only on Windows with Outlook installed, because it drives Outlook through COM. For this, we need to install the third-party Python library pywin32 as follows:
pip install pywin32
Now, import the following libraries using the commands shown −
from __future__ import print_function
from argparse import ArgumentParser
import os
import win32com.client
import pywintypes
Now, let us provide the command-line handler. Here it accepts two arguments: the path to the MSG file and the desired output folder. As before, this block goes at the end of the finished script.
if __name__ == '__main__':
    parser = ArgumentParser('Extracting information from MSG file')
    parser.add_argument("MSG_FILE", help="Path to MSG file")
    parser.add_argument("OUTPUT_DIR", help="Path to output folder")
    args = parser.parse_args()
    out_dir = args.OUTPUT_DIR
    if not os.path.exists(out_dir):
        os.makedirs(out_dir)
    main(args.MSG_FILE, out_dir)
Now, we need to define the main() function, in which we use the win32com library to attach to the Outlook API, which in turn gives access to the MAPI namespace. OpenSharedItem() loads the .msg file as an Outlook item.
def main(msg_file, output_dir):
    mapi = win32com.client.Dispatch("Outlook.Application").GetNamespace("MAPI")
    msg = mapi.OpenSharedItem(os.path.abspath(msg_file))
    display_msg_attribs(msg)
    display_msg_recipients(msg)
    extract_msg_body(msg, output_dir)
    extract_attachments(msg, output_dir)
Now, define the different functions used in this script. The code below defines the display_msg_attribs() function, which displays various attributes of a message such as Subject, To, BCC, CC, Size, SenderName, Sent, etc. Attributes that a particular item does not expose print as N/A.
def display_msg_attribs(msg):
    attribs = [
        'Application', 'AutoForwarded', 'BCC', 'CC', 'Class',
        'ConversationID', 'ConversationTopic', 'CreationTime',
        'ExpiryTime', 'Importance', 'InternetCodePage', 'IsMarkedAsTask',
        'LastModificationTime', 'Links', 'ReceivedTime', 'ReminderSet',
        'ReminderTime', 'ReplyRecipientNames', 'Saved', 'Sender',
        'SenderEmailAddress', 'SenderEmailType', 'SenderName', 'Sent',
        'SentOn', 'SentOnBehalfOfName', 'Size', 'Subject',
        'TaskCompletedDate', 'TaskDueDate', 'To', 'UnRead'
    ]
    print("\nMessage Attributes")
    for entry in attribs:
        print("{}: {}".format(entry, getattr(msg, entry, 'N/A')))
Now, define the display_msg_recipients() function, which iterates through the message's recipients (Outlook collections are 1-based, and indexing past the end raises a COM error) and displays each recipient's details.
def display_msg_recipients(msg):
    recipient_attrib = ['Address', 'AutoResponse', 'Name', 'Resolved', 'Sendable']
    i = 1
    while True:
        try:
            recipient = msg.Recipients(i)
        except pywintypes.com_error:
            break
        print("\nRecipient {}".format(i))
        print("=" * 15)
        for entry in recipient_attrib:
            print("{}: {}".format(entry, getattr(recipient, entry, 'N/A')))
        i += 1
Next, we define the extract_msg_body() function, which exports the body content, both HTML and plain text, from the message. The output files are named after the MSG file (args is the global set in the __main__ block).
def extract_msg_body(msg, out_dir):
    html_data = msg.HTMLBody.encode('cp1252', errors='replace')
    outfile = os.path.join(out_dir, os.path.basename(args.MSG_FILE))
    with open(outfile + ".body.html", 'wb') as fh:
        fh.write(html_data)
    print("Exported: {}".format(outfile + ".body.html"))
    body_data = msg.Body.encode('cp1252', errors='replace')
    with open(outfile + ".body.txt", 'wb') as fh:
        fh.write(body_data)
    print("Exported: {}".format(outfile + ".body.txt"))
Next, we define the extract_attachments() function, which exports the attachment data into the desired output directory. It loops over the 1-based Attachments collection until a COM error signals the end, prints each attachment's attributes, and saves the attachment under a subdirectory named after the MSG file. Because the attachment name comes from the message, only its base name is used when building the output path.
def extract_attachments(msg, out_dir):
    attachment_attribs = ['DisplayName', 'FileName', 'PathName', 'Position', 'Size']
    i = 1  # Attachments start at 1
    while True:
        try:
            attachment = msg.Attachments(i)
        except pywintypes.com_error:
            break
        print("\nAttachment {}".format(i))
        print("=" * 15)
        for entry in attachment_attribs:
            print('{}: {}'.format(entry, getattr(attachment, entry, "N/A")))
        outfile = os.path.join(os.path.abspath(out_dir), os.path.split(args.MSG_FILE)[-1])
        if not os.path.exists(outfile):
            os.makedirs(outfile)
        outfile = os.path.join(outfile, os.path.basename(attachment.FileName))
        attachment.SaveAsFile(outfile)
        print("Exported: {}".format(outfile))
        i += 1
After running the above script, we get the attributes of the message and its attachments in the console window, along with several files in the output directory.
Structuring MBOX files from Google Takeout using Python
MBOX files are text files with special formatting that separates the messages stored within them (each message starts with a line beginning "From "). They are often found in association with UNIX systems, Thunderbird, and Google Takeout.
In this section, you will see a Python script for structuring MBOX files obtained from Google Takeout. But before that, we must know how these MBOX files can be generated from a Google or Gmail account.
Acquiring a Google Account Mailbox in MBOX Format
Acquiring a Google account mailbox means taking a backup of the Gmail account. A backup can be taken for various personal or professional reasons, and Google provides a facility (Google Takeout) for backing up Gmail data. To acquire a Google account mailbox in MBOX format, follow the steps given below:
• Open the My Account dashboard.
• Go to the Personal info & privacy section and select the Control your content link.
• You can create a new archive or manage an existing one. Clicking CREATE ARCHIVE presents check boxes for each Google product to include.
• After selecting the products, you can choose the file type and maximum size for the archive, along with the delivery method, from a list.
• Finally, the mail backup is delivered in MBOX format.
Python Code
Now, the MBOX file discussed above can be structured using Python as shown below.
First, import the Python libraries as follows:
from __future__ import print_function
from argparse import ArgumentParser
import mailbox
import os
import time
import csv
from tqdm import tqdm
import base64
All these libraries have been used and explained in the earlier scripts, except the mailbox library, which parses MBOX files, and tqdm, a third-party progress-bar library (pip install tqdm).
Now, provide the command-line handler. Here it accepts two arguments: the path to the MBOX file and the desired output folder. This block goes at the end of the finished script.
if __name__ == '__main__':
    parser = ArgumentParser('Parsing MBOX files')
    parser.add_argument("MBOX", help="Path to mbox file")
    parser.add_argument(
        "OUTPUT_DIR", help="Path to output directory to write report and exported content")
    args = parser.parse_args()
    main(args.MBOX, args.OUTPUT_DIR)
Now, define the main() function and open the file with the mbox class of the mailbox library, which
parses an MBOX file given its path. The factory argument lets us control how each raw message is
decoded −
def main(mbox_file, output_dir):
    print("Reading mbox file")
    mbox = mailbox.mbox(mbox_file, factory=custom_reader)
    print("{} messages to parse".format(len(mbox)))
Now, define the reader method for the mailbox library. It receives a binary stream for one message,
tries to decode it as ASCII and falls back to cp1252, replacing undecodable bytes so that a single
malformed message cannot abort the whole run −
def custom_reader(data_stream):
    data = data_stream.read()
    try:
        content = data.decode("ascii")
    except (UnicodeDecodeError, UnicodeEncodeError):
        content = data.decode("cp1252", errors="replace")
    return mailbox.mboxMessage(content)
Now, back inside main(), create some variables for further processing as follows −
    parsed_data = []
    attachments_dir = os.path.join(output_dir, "attachments")
    if not os.path.exists(attachments_dir):
        os.makedirs(attachments_dir)
    columns = [
        "Date", "From", "To", "Subject", "X-Gmail-Labels", "Return-Path", "Received",
        "Content-Type", "Message-ID", "X-GM-THRID", "num_attachments_exported",
        "export_path"]
Next, use tqdm to show a progress bar while iterating over the messages. The public items() method
gives the headers as (name, value) pairs; columns not present in a message are filled with "N/A" −
    for message in tqdm(mbox):
        msg_data = dict()
        header_data = dict(message.items())
        for hdr in columns:
            msg_data[hdr] = header_data.get(hdr, "N/A")
Now, check whether the message has a payload. If it does, call write_payload() (defined below) to
export any attachments and record how many were written and where −
        if len(message.get_payload()):
            export_path = write_payload(message, attachments_dir)
            msg_data['num_attachments_exported'] = len(export_path)
            msg_data['export_path'] = ", ".join(export_path)
Now, append the data for this message. After the loop has finished, call create_report() to write the
CSV −
        parsed_data.append(msg_data)
    create_report(
        parsed_data, os.path.join(output_dir, "mbox_report.csv"), columns)
def write_payload(msg, out_dir):
    pyld = msg.get_payload()
    export_path = []

    if msg.is_multipart():
        # recurse into each part; nested multiparts are handled the same way
        for entry in pyld:
            export_path += write_payload(entry, out_dir)
    else:
        content_type = msg.get_content_type().lower()
        # export binary media, application data and the few text types that
        # arrive as attachments, plus any part that carries a file name
        exportable = (
            content_type.startswith(("application/", "image/", "video/",
                                     "audio/", "info/"))
            or content_type in ("text/csv", "text/calendar", "text/rtf")
            or "name=" in msg.get('Content-Disposition', "N/A")
            or "name=" in msg.get('Content-Type', "N/A"))
        if exportable:
            # decode=True applies the Content-Transfer-Encoding (base64,
            # quoted-printable, 7bit/8bit) and returns the original bytes;
            # calling base64.b64decode() directly would corrupt parts that
            # were not base64-encoded
            content = msg.get_payload(decode=True)
            export_path.append(export_content(msg, out_dir, content))
    return export_path
The conditions above simply pick out the parts worth exporting. Now, define the method that writes an
exported part to disk. It builds a file name from the part's own name and appends a timestamp so that
two attachments with the same name do not overwrite each other −
def export_content(msg, out_dir, content_data):
    file_name = get_filename(msg)
    file_ext = "FILE"

    if "." in file_name:
        file_ext = file_name.rsplit(".", 1)[-1]

    file_name = "{}_{:.4f}.{}".format(file_name.rsplit(".", 1)[0], time.time(), file_ext)
    file_name = os.path.join(out_dir, file_name)
Now, with the help of the following lines of code, the file is actually written. Text payloads are written
in text mode and decoded payloads (bytes) in binary mode −
    if isinstance(content_data, str):
        with open(file_name, 'w') as handle:
            handle.write(content_data)
    else:
        with open(file_name, 'wb') as handle:
            handle.write(content_data)
    return file_name
Now, define a function that extracts the file name from the message part so that exported files keep
their original names. The final step keeps only alphanumerics, spaces and dots; this is what stops a
crafted attachment name such as ../../etc/passwd from escaping the attachments directory −
def get_filename(msg):
    if 'name=' in msg.get("Content-Disposition", "N/A"):
        fname_data = msg["Content-Disposition"].replace("\r\n", " ")
        fname = [x for x in fname_data.split("; ") if 'name=' in x]
        file_name = fname[0].split("=", 1)[-1]
    elif 'name=' in msg.get("Content-Type", "N/A"):
        fname_data = msg["Content-Type"].replace("\r\n", " ")
        fname = [x for x in fname_data.split("; ") if 'name=' in x]
        file_name = fname[0].split("=", 1)[-1]
    else:
        file_name = "NO_FILENAME"
    # strip quotes, path separators and anything else that is not safe in a
    # file name
    fchars = [x for x in file_name if x.isalnum() or x.isspace() or x == "."]
    return "".join(fchars)
Now, write the CSV file by defining the create_report() function as follows −
def create_report(output_data, output_file, columns):
    with open(output_file, 'w', newline="") as outfile:
        csvfile = csv.DictWriter(outfile, columns)
        csvfile.writeheader()
        csvfile.writerows(output_data)
Once you run the script, you will get the CSV report (mbox_report.csv) and a directory of exported
attachments in the output folder.
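The script above needs a real Takeout export to run. The following block is an added example, not part of the original notes: it constructs a small Takeout-style MBOX file in a temporary directory, parses it with the standard library's mailbox module, and exports every attachment together with its SHA-256 so the export can be verified later. The two messages, their headers and the attachment bytes are constructed sample data, and the function names (build_sample_mbox, parse_mbox, demo) are this example's own.

```python
"""Added example (not from the original notes): build a small Google Takeout-style
MBOX file, parse it with the standard library, and export every attachment with
its SHA-256 digest so the export can be verified later.  Messages, headers and
attachment bytes are constructed sample data."""
import base64
import hashlib
import mailbox
import os
import tempfile

# Constructed attachment content (17 bytes; not taken from any real mailbox).
ATTACHMENT_BYTES = b"id,value\n1,alpha\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_mbox(path):
    """Write a two-message MBOX.  Every message starts with an mbox 'From '
    separator line, and Takeout adds X-Gmail-Labels and X-GM-THRID headers."""
    encoded = base64.b64encode(ATTACHMENT_BYTES).decode("ascii")
    first = (
        "From alice@example.com Mon Jan  6 09:15:00 2025\n"
        "From: Alice <alice@example.com>\n"
        "To: Bob <bob@example.com>\n"
        "Subject: Q4 report\n"
        "Date: Mon, 6 Jan 2025 09:15:00 +0000\n"
        "Message-ID: <msg-1@example.com>\n"
        "X-Gmail-Labels: Inbox,Important\n"
        "X-GM-THRID: 1820000000000000001\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        "Report attached.\n"
        "--b1\n"
        'Content-Type: text/csv; name="report.csv"\n'
        'Content-Disposition: attachment; filename="report.csv"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
    )
    second = (
        "From bob@example.com Mon Jan  6 10:02:00 2025\n"
        "From: Bob <bob@example.com>\n"
        "To: Alice <alice@example.com>\n"
        "Subject: Re: Q4 report\n"
        "Date: Mon, 6 Jan 2025 10:02:00 +0000\n"
        "Message-ID: <msg-2@example.com>\n"
        "X-Gmail-Labels: Sent\n"
        "X-GM-THRID: 1820000000000000001\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        "Thanks, received.\n"
        "\n"
    )
    with open(path, "w", newline="\n") as handle:
        handle.write(first + encoded + "\n--b1--\n\n" + second)


def parse_mbox(mbox_path, out_dir):
    """Return one record per message: the headers an examiner keeps, plus name,
    size and SHA-256 of every exported attachment."""
    records = []
    box = mailbox.mbox(mbox_path)
    for msg in box:
        record = {
            "Subject": msg.get("Subject", "N/A"),
            "From": msg.get("From", "N/A"),
            "X-Gmail-Labels": msg.get("X-Gmail-Labels", "N/A"),
            "X-GM-THRID": msg.get("X-GM-THRID", "N/A"),
            "attachments": [],
        }
        for part in msg.walk():
            if part.is_multipart():
                continue                      # containers carry no data themselves
            name = part.get_filename()        # also handles RFC 2231 encoded names
            if not name:
                continue                      # body text, not an attachment
            # decode=True applies the Content-Transfer-Encoding, so base64 and
            # quoted-printable parts both come back as the original bytes
            data = part.get_payload(decode=True)
            # keep the name from reaching outside out_dir (no slashes, no "..")
            safe = "".join(c for c in name if c.isalnum() or c in "._-").lstrip(".")
            dest = os.path.join(out_dir, safe or "unnamed")
            with open(dest, "wb") as handle:
                handle.write(data)
            record["attachments"].append(
                {"name": safe, "size": len(data), "sha256": sha256_hex(data)})
        records.append(record)
    box.close()
    return records


def demo():
    """Build the sample mailbox in a temporary directory, parse it, return records."""
    work = tempfile.mkdtemp()
    mbox_path = os.path.join(work, "takeout.mbox")
    build_sample_mbox(mbox_path)
    return parse_mbox(mbox_path, work)


if __name__ == "__main__":
    for rec in demo():
        print(rec["Subject"], rec["X-Gmail-Labels"], rec["attachments"])
```

Recording the digest of each exported attachment at export time is what later lets you show that the file produced in court is the one that was in the mailbox; get_filename() in the library also decodes RFC 2231 encoded names, which the hand-written parser in the notes does not.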
Digital Forensic Life Cycle
The digital forensics process consists of 1) identification, 2) preservation, 3) analysis, 4)
documentation and 5) presentation. Digital forensics has several branches: disk forensics, network
forensics, wireless forensics, database forensics, malware forensics, email forensics, memory
forensics, and others.
Chain of Custody
Chain of custody refers to the chronological record of the custody, control, transfer, analysis and
disposition of physical or electronic evidence in a legal case. Each link in the chain is essential: if the
chain is broken, the evidence may be ruled inadmissible. Preserving the chain of custody therefore
means following the correct and consistent procedure at every step, and that is what guarantees the
quality of the evidence.
This section covers:
1. What Chain of Custody entails in Digital Forensics.
2. Importance of maintaining Chain of Custody.
3. Chain of Custody Process.
4. The Chain of Custody Form.
5. Procedure to establish the Chain of Custody
6. How Chain of Custody can be assured?
Let’s get started with each section in detail.
What does the Chain of Custody entail in Digital Forensics?
If you work in cyber security, at some point in your career you will be involved in digital forensics,
and one of the most essential concepts there is the chain of custody.
In digital forensics the chain of custody is also known as the paper trail, the forensic link, or the
chronological documentation of the evidence.
• The chain of custody records the collection of the evidence and the sequence of control, transfer
and analysis.
• It documents each person who handled the evidence, the date and time it was collected or
transferred, and the purpose of the transfer.
• It demonstrates to the court and to the client that the evidence has not been tampered with.
Digital evidence is acquired from a wide range of sources: IoT devices, audio and video recordings,
images, and other data stored on hard drives, flash drives and other physical media.
Importance of maintaining the Chain of Custody
Importance to the examiner:
• It preserves the integrity of the evidence.
• It prevents contamination of the evidence, which would alter its state.
• When you have metadata for a piece of evidence but cannot extract meaningful information from
it, the chain of custody shows where the evidence came from, who created it and what equipment
was used. That lets you generate an exemplar on the same kind of equipment and compare it with
the evidence to confirm its properties.
Importance to the court: if the chain of custody is not preserved, the evidence submitted may be
challenged and ruled inadmissible.
Chain of Custody Process
In order to preserve digital evidence, the chain of custody should span from the first step of
data collection to examination, analysis, reporting, and the time of presentation to the Courts.
This is very important to avoid the possibility of any suggestion that the evidence has been
compromised in any way.
Let’s discuss each stage of the chain of custody in detail:
1. Data Collection: This is where chain of custody process is initiated. It involves
identification, labeling, recording, and the acquisition of data from all the possible
relevant sources that preserve the integrity of the data and evidence collected.
2. Examination: During this process, the chain of custody information is documented
outlining the forensic process undertaken. It is important to capture screenshots
throughout the process to show the tasks that are completed and the evidence
uncovered.
3. Analysis: This stage is the result of the examination stage. In the Analysis stage, legally
justifiable methods and techniques are used to derive useful information to address
questions posed in the particular case.
4. Reporting: This is the documentation phase of the Examination and Analysis stage.
Reporting includes the following:
• A statement regarding the chain of custody.
• An explanation of the tools used.
• A description of the analysis of the various data sources.
• Issues identified.
• Vulnerabilities identified.
• Recommendations for additional forensic measures that can be taken.
The Chain of Custody Form
To prove a chain of custody you need a form that lists how the evidence was handled at every step.
The form should answer the following questions:
• What is the evidence? For digital information this includes the file name and a cryptographic hash
(the notes mention MD5; SHA-256 is preferred today because MD5 collisions are practical to
produce); for hardware it includes the serial number, asset ID, hostname, photographs and a
description.
• How did you get it? For example: bagged and tagged, or pulled from the desktop.
• When was it collected? Date and time.
• Who has handled it?
• Why did that person handle it?
• Where was it stored? The physical location where the item is kept, or details of the storage that
holds the forensic image.
• How was it transported? For example: in a sealed anti-static bag or a secure storage container.
• How was it tracked?
• How was it stored? For example: in a secure storage container.
• Who has access to the evidence? This requires a check-in/check-out process.
The chain of custody form must be kept up to date: every time the evidence is handed off, the form is
updated.
Procedure to establish the Chain of Custody
To assure the authenticity of the chain of custody, a series of steps must be followed. The more
information the forensic expert records about the evidence, the more authentic the resulting chain of
custody is. For electronic devices, ensure the following procedure is followed:
• Preserve the original material.
• Take photographs of the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time and any other information about the receipt of the evidence.
• Load a bit-for-bit clone (forensic image) of the digital evidence onto the forensic workstation; the
original is never examined directly.
• Compute a cryptographic hash of the original and of the clone and compare them to authenticate
the working copy; record both values.
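The following block is an added example, not part of the original notes, covering the last two steps of the procedure above and the questions the chain of custody form has to answer. It hashes an original and its working copy to authenticate the clone, and keeps a chain of custody log in which every entry records what, who, when, why, where and how, plus the hash of the previous entry, so that editing or removing an earlier entry breaks every later link. The evidence bytes, item ID, names and locations are constructed, and the hash-linked log is this example's own design choice rather than something the notes prescribe.

```python
"""Added example (not part of the original notes): verify a bit-for-bit working
copy against the original by SHA-256 and keep a tamper-evident chain-of-custody
log.  Evidence bytes, item IDs, names and locations are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_clone(original_path, clone_path):
    """Return (match, original_hash, clone_hash).  Only a matching clone may be
    used as the working copy."""
    orig = sha256_file(original_path)
    clone = sha256_file(clone_path)
    return orig == clone, orig, clone


class CustodyLog:
    """Append-only chain-of-custody log.  Each entry answers what / who / when /
    why / where / how and carries the SHA-256 of the previous entry."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        return hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, item_id, evidence_hash, handler, action, purpose,
               location, transport, when=None):
        prev = self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "item_id": item_id,              # what: asset ID / serial / file name
            "evidence_sha256": evidence_hash,
            "handler": handler,              # who handled it
            "action": action,                # how it was obtained or transferred
            "purpose": purpose,              # why that person handled it
            "location": location,            # where it is stored
            "transport": transport,          # how it was moved and tracked
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return the index of the first broken link, or -1."""
        expected = self.GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev_hash"] != expected:
                return index
            expected = self._entry_hash(entry)
        return -1


def demo():
    """Acquire a constructed 'image', clone it, verify and log it; then show that
    a modified clone fails verification and an edited log fails verify()."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.img")
    clone = os.path.join(work, "working_copy.img")
    with open(original, "wb") as handle:
        handle.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 4096)
    shutil.copyfile(original, clone)          # stands in for the imaging tool's output

    ok, orig_hash, _ = verify_clone(original, clone)
    log = CustodyLog()
    log.record("ITEM-001", orig_hash, "examiner A", "bagged and tagged at scene",
               "acquisition", "evidence locker 3", "sealed anti-static bag")
    log.record("ITEM-001", orig_hash, "examiner B", "checked out",
               "imaging and hash verification", "forensic lab bench 2",
               "hand carried, signed check-out")

    with open(clone, "ab") as handle:         # simulate an accidental modification
        handle.write(b"\x00")
    tampered_ok, _, _ = verify_clone(original, clone)

    intact = log.verify()
    log.entries[0]["handler"] = "someone else"   # simulate editing the log afterwards
    broken_at = log.verify()
    return {"clone_ok": ok, "tampered_ok": tampered_ok,
            "log_intact": intact, "log_broken_at": broken_at}


if __name__ == "__main__":
    print(demo())
```

In practice the log entries would be written to append-only storage (or printed and signed) as they are made; the hash chain only detects alteration after the fact, it does not prevent it.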
How can the Chain of Custody be assured?
A couple of considerations are involved when dealing with digital evidence and Chain of
Custody. We shall discuss the most common and globally accepted and practiced best practices.
1. Never work with the original evidence: the biggest consideration when dealing with digital
evidence is that the forensic expert makes a full copy of the evidence and performs all analysis
on that copy. This cannot be overlooked: if a working copy is damaged by mistake, or a
comparison has to be made, the untouched original must still exist.
2. Ensure the storage media is sterilised: the examiner's storage device must be forensically clean
(wiped and verified) before evidence is acquired onto it. If the examiner's media were infected
with malware, or carried leftover data from an earlier case, it could contaminate the machine
being examined and the evidence would be compromised.
3. Document anything beyond scope: during the examination, document any information that lies
beyond the scope of the current legal authority and bring it to the attention of the case agent
later. A comprehensive report must contain the following sections:
• Identity of the reporting agency.
• Case identifier.
• Case investigator.
• Identity of the submitter.
• Date of receipt.
• Date of report.
• Descriptive list of items submitted for examination, including serial number, make and
model.
• Identity and signature of the examiner.
• Brief description of the steps taken during the examination, for example string searches,
graphic image searches and recovery of erased files.
• Results.
4. Consider the safety of the personnel at the scene: the crime scene must be fully secured before
and during the search. In some cases the examiner may only be able to do the following while on
site:
• Identify the number and type of computers.
• Interview the system administrator and users.
• Identify and document the types and volume of media, including removable media.
• Determine whether a network is present.
• Document information about the location from which the media was removed.
• Identify off-site storage areas and/or remote computing locations.
• Identify proprietary software.
• Determine the operating system in question.
Digital evidence and the digital chain of custody are the backbone of any action taken by a digital
forensic specialist. This section has examined the seriousness of digital evidence, what the chain of
custody entails, and how even slight tampering with the evidence can change the course of an
investigation.
Network Forensics
The word “forensics” means the use of science and technology to investigate and establish facts in
criminal or civil courts of law: applying scientific knowledge to analyse evidence and present it in
court.
Network forensics is a subcategory of digital forensics that deals with the examination of a network
and the traffic crossing it when the network is suspected of being involved in malicious activity, for
example a network that is spreading malware to steal credentials, or the investigation of a
cyber-attack. As the Internet grew, cybercrime grew with it, and so did the significance of network
forensics, together with the development and adoption of network-based services such as the World
Wide Web and e-mail.
With the help of network forensics, the entire data can be retrieved including messages, file
transfers, e-mails, and, web browsing history, and reconstructed to expose the original
transaction. It is also possible that the payload in the uppermost layer packet might wind up on
the disc, but the envelopes used for delivering it are only captured in network traffic. Hence,
the network protocol data that enclose each dialog is often very valuable.
To identify attacks, investigators must understand the network protocols and applications in use:
web protocols, e-mail protocols, file transfer protocols, and the underlying transport and
network-layer protocols.
Investigators use network forensics to examine traffic captured from networks that are, or are
suspected of being, involved in a cyber-crime or cyber-attack. They then look for data that points to
file manipulation, human communication and similar activity. With network forensics, investigators
can trace the communications involved and establish timelines from the network event logs recorded
by the devices and sensors on the network.
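The following block is an added example, not part of the original notes, of the timeline reconstruction described above: it parses connection-log lines, orders them by time (logs merged from several sensors are rarely in order), flags every connection to a known-bad host, and summarises per internal host when the first contact happened and how much was sent. The log lines, hosts and indicator are constructed, and the pipe-separated line layout is this example's own simplification of what a firewall, proxy or Zeek conn.log would provide.

```python
"""Added example (not part of the original notes): rebuild a timeline from
connection-log lines and flag traffic to a known-bad host.  All log lines,
addresses and the indicator are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: ts | src_ip | dst_ip | dst_port | bytes_out
SAMPLE_LOG = """\
2025-01-06T09:00:05Z|10.0.0.12|93.184.216.34|443|1200
2025-01-06T09:01:10Z|10.0.0.12|203.0.113.77|8443|310
2025-01-06T09:01:12Z|10.0.0.12|203.0.113.77|8443|52
2025-01-06T09:00:40Z|10.0.0.25|93.184.216.34|443|2200
2025-01-06T09:03:00Z|10.0.0.12|203.0.113.77|8443|9500
2025-01-06T09:04:21Z|10.0.0.31|203.0.113.77|8443|280
malformed line that must not crash the parser
"""

# Constructed indicator of compromise: the suspected command-and-control address.
BAD_HOSTS = {"203.0.113.77"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None
    try:
        return {
            "ts": datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": fields[1],
            "dst": fields[2],
            "dport": int(fields[3]),
            "bytes_out": int(fields[4]),
        }
    except ValueError:
        return None


def build_timeline(log_text):
    """Return all parseable events sorted by time; sorting is the first
    normalisation step once logs from several sensors are merged."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def suspicious_hosts(events, bad_hosts):
    """Per internal host that talked to a bad host: time of first contact, number
    of contacts and total bytes sent, which is what scoping the incident needs."""
    summary = defaultdict(lambda: {"first_seen": None, "contacts": 0, "bytes_out": 0})
    for event in events:                      # events are already time-ordered
        if event["dst"] not in bad_hosts:
            continue
        host = summary[event["src"]]
        if host["first_seen"] is None:
            host["first_seen"] = event["ts"]
        host["contacts"] += 1
        host["bytes_out"] += event["bytes_out"]
    return dict(summary)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for event in timeline:
        flag = "  <-- matches IOC" if event["dst"] in BAD_HOSTS else ""
        print(event["ts"].isoformat(), event["src"], "->", event["dst"], event["dport"], flag)
    for host, info in sorted(suspicious_hosts(timeline, BAD_HOSTS).items()):
        print(host, info)
```

The malformed line is deliberately kept in the sample: a parser that stops on the first bad record silently truncates the timeline, so skip-and-count is the safer behaviour. The source address is only as trustworthy as the sensor that recorded it; the spoofing challenge noted below applies to these logs too.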
Processes Involved in Network Forensics:
The processes involved in network forensics are:
• Identification: investigators identify and evaluate the incident based on network indicators.
• Safeguarding: investigators preserve and secure the data so that tampering is prevented.
• Accumulation: a detailed report of the crime scene is documented and all the collected digital
evidence is duplicated.
• Observation: all visible data is tracked along with its metadata.
• Investigation: a final conclusion is drawn from the collected evidence.
• Documentation: all evidence, reports and conclusions are documented and presented in court.
Challenges in Network Forensics:
• The biggest challenge is managing the volume of data generated during the process.
• The inherent lack of attribution in IP addresses: an address identifies a network interface, not a
person.
• Address spoofing, which makes the apparent source of traffic unreliable.
Advantages:
• Network forensics helps identify security threats and vulnerabilities.
• It analyses and monitors network performance demands.
• It helps reduce downtime.
• Network resources can be used better through reporting and planning.
• It supports a detailed search of the network for any trace of evidence left on it.
Disadvantage:
• The main disadvantage of network forensics is that it is difficult to implement, since traffic has to
be captured and retained before the incident is known about.
Approaching a Computer Forensics Investigation
The phases of a computer forensics investigation are:
• Secure the subject system.
• Take a forensic copy (image) of the hard drive/disk.
• Identify and recover all files.
• Access, view and copy hidden, protected and temporary files.
• Study special areas of the drive (slack space, unallocated space, boot sectors).
• Investigate the settings and any data from programs on the system.
• Consider the system from various perspectives.
• Create a detailed report containing an assessment of the data and information collected.
Things to avoid during a forensic investigation:
• Changing the dates/timestamps of files (for example, by opening them on the original media).
• Overwriting unallocated space.
Things that must not be skipped before a forensic investigation:
• Engagement contract.
• Non-Disclosure Agreement (NDA).
Elements addressed before drawing up a forensic investigation engagement contract:
• Authorization.
• Confidentiality.
• Payment.
• Consent and acknowledgement.
• Limitation of liability.
General steps in solving a computer forensics case:
• Prepare for the forensic examination.
• Talk to key people about the case and what you are looking for.
• Assemble the tools to collect the data and identify the target media.
• Collect the data from the target media.
• Use a write-blocking tool while imaging the disk, so that the acquisition itself cannot alter the
source.
• Check e-mail records too while collecting evidence.
• Examine the evidence on the image that was created, not on the original.
• Analyse the evidence.
• Report your findings to your client.
Forensics and Social Networking Sites
Challenges in Digital Forensics
Digital forensics also known as computer forensics, is the application of scientific methods and
techniques to identify, preserve, analyze, and present digital evidence in a manner that is legally
admissible. It is a branch of forensic science that deals specifically with digital devices,
networks, and storage media.
Techniques Used in Digital Forensics
• Acquisition: the process of collecting digital evidence from a device or network, through methods
such as imaging, logging and live acquisition.
• Analysis: the process of examining the acquired evidence to identify relevant information, by
manual or automated means.
• Reporting: the process of documenting the findings of the analysis and presenting them clearly
and concisely. This can include a detailed written report as well as expert testimony in court.
Tools Used in Digital Forensics
• Forensic software: specialised software that analyses and extracts data from digital devices and
networks. Examples include EnCase, FTK and X-Ways Forensics.
• Forensic imaging: making a bit-for-bit copy of a storage device (disk cloning or disk imaging), by
hardware or software means. The image is hashed at acquisition so that later analysis can be
shown to have worked on an unaltered copy.
• Forensic analysis software: used to analyse the data in a forensic image. Examples include The
Sleuth Kit, Autopsy and the open-source The Coroner’s Toolkit (TCT).
Challenges in Digital Forensics
• Data encryption: encryption can make the data on a device or network inaccessible, so that
evidence cannot be collected. Specialised tools and techniques are required; in practice this
usually means obtaining keys or acquiring memory while the system is still running rather than
attacking the cipher.
• Data destruction: criminals may try to destroy digital evidence by wiping or physically destroying
devices. Specialised data recovery techniques are required.
• Data storage: the sheer amount of data on modern devices can make it difficult to locate relevant
information. Specialised data carving techniques, which recover files from unallocated space by
their signatures rather than through the file system, may be required.
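The following block is an added example, not part of the original notes, of the data carving technique mentioned in the last point: it scans a block of unallocated space for file header and footer signatures and cuts out everything between them. The "disk image" is constructed in memory; the JPEG, PNG and PDF signatures are the standard ones, and the size cap and the output naming are this example's own choices.

```python
"""Added example (not part of the original notes): carve files out of
unallocated space by header/footer signatures.  The image is constructed."""
import os
import tempfile

# (type, header, footer, bytes after the footer that still belong to the file)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),   # IEND chunk is followed by a 4-byte CRC
    ("pdf", b"%PDF-", b"%%EOF", 0),
]
MAX_CARVE = 64 * 1024 * 1024   # example's own cap: ignore runaway header/footer pairs


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(type, offset, length)] for every header/footer pair found,
    ordered by offset."""
    found = []
    for kind, header, footer, tail in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0:
                break                              # header without footer: a fragment
            length = end + len(footer) + tail - start
            if length <= max_size:
                found.append((kind, start, length))
            pos = end + len(footer)                # resume after this file
    return sorted(found, key=lambda item: item[1])


def extract(image, carved, out_dir):
    """Write each carved file as <offset>.<type> and return the paths written."""
    paths = []
    for kind, offset, length in carved:
        path = os.path.join(out_dir, "{}.{}".format(offset, kind))
        with open(path, "wb") as handle:
            handle.write(image[offset:offset + length])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed unallocated space: filler, a minimal JPEG, filler, a minimal
    PNG, filler, a minimal PDF, filler.  Fixed bytes keep the offsets stable."""
    filler = b"\x00" * 100 + b"GARBAGE" * 10                  # 170 bytes
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"\x11" * 50 + b"\xff\xd9"   # 62 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND" + b"\xaeB`\x82"        # 56 bytes
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"                              # 34 bytes
    return filler + jpeg + filler + png + filler + pdf + filler


def demo():
    """Carve the constructed image into a temporary directory."""
    image = build_sample_image()
    carved = carve(image)
    return carved, extract(image, carved, tempfile.mkdtemp())


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Two limitations worth knowing before trusting a carver's output: a JPEG with an embedded thumbnail contains a second FFD8/FFD9 pair, so naive footer matching truncates it at the thumbnail's end, and PDFs with incremental updates contain several %%EOF markers, so the first one found is not necessarily the real end. Real tools handle this with format-aware parsing; the signature pass above is the first filter, not the last word.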