Cyber law and ethics

UNIT 2

Cyberspace and the Law & Cyber Forensics: Introduction, Cyber Security Regulations, Roles of
International Law. The INDIAN Cyberspace, National Cyber Security Policy.

Introduction, Historical background of Cyber forensics, Digital Forensics Science, The Need for
Computer Forensics, Cyber Forensics and Digital evidence, Forensics Analysis of Email, Digital
Forensics Lifecycle, Forensics Investigation, Challenges in Computer Forensics, Special Techniques for
Forensics Auditing

Cyber Security Regulations

Cyber security regulations are rules and guidelines established by governments or regulatory bodies to ensure the protection of
sensitive information, infrastructure, and systems from cyber threats. Many kinds of cyber attack are possible, such as viruses,
phishing, Trojan horses, worms, denial of service (DoS) attacks, illegal access, and many others. These regulations aim to safeguard
data privacy, prevent cyber attacks, and promote the resilience of critical systems.

In response to these growing cyber threats, new regulations are being implemented to protect organizations, their data and their
customers.

From the EU's General Data Protection Regulation (GDPR) and HIPAA to the PCI security standards and privacy laws throughout the
world, cyber security regulations have never been as voluminous or complicated. To comply with increasingly complex cyber
security regulations, organizations need powerful tools for monitoring cyber security risk and managing cyber security governance.

Here are some common aspects and examples of cyber security regulations:

1. Data Protection Laws: These regulations focus on safeguarding personal data and may include requirements for data
encryption, secure storage, and notification of data breaches. Examples include the European Union's General Data
Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Industry-specific Regulations: Certain industries, such as finance, healthcare, and energy, have specific cybersecurity
regulations tailored to their unique risks and requirements. For instance, the financial sector may be governed by
regulations like the Payment Card Industry Data Security Standard (PCI DSS), while the healthcare sector may adhere
to the Health Insurance Portability and Accountability Act (HIPAA).
3. Government Standards and Guidelines: Governments often issue cybersecurity standards and guidelines to protect
critical infrastructure and government systems. Examples include the NIST Cybersecurity Framework in the United
States and the Cyber Essentials scheme in the United Kingdom.
4. Mandatory Reporting Requirements: Many regulations require organizations to report cybersecurity incidents or
breaches to relevant authorities or affected individuals within a specified timeframe. Failure to comply may result in
penalties or fines.
5. Compliance Audits and Assessments: Some regulations mandate regular audits or assessments to ensure that
organizations are in compliance with cybersecurity requirements. These audits may be conducted by internal teams or
third-party assessors.
6. Cybersecurity Training and Awareness: Regulations may require organizations to provide cybersecurity training to
employees and raise awareness about common cyber threats and best practices for mitigating risks.
7. Supply Chain Security: With the increasing interconnectedness of supply chains, some regulations now focus on
ensuring the cybersecurity of third-party vendors and suppliers.

Compliance with cybersecurity regulations is essential for organizations to protect themselves from legal liabilities, reputational
damage, and financial losses resulting from cyber incidents. Non-compliance can lead to severe consequences, including fines,
legal action, and loss of customer trust. Therefore, businesses must stay abreast of relevant regulations and implement robust
cybersecurity measures to ensure compliance and mitigate cyber risks.
Role of International Law

Cyber law plays a predominant role in today's technology era, as almost all transactions and communications involve the Internet
or other communication devices. Every action in cyberspace has a corresponding reaction that carries legal and cyber-legal
implications, even if the actor is unaware of them.

International legal regimes relating to Cybercrimes

The cyber law scenario is globally more complicated than that of traditional laws, because a wide range of the activities governed
by these laws are largely technology driven, an area which is changing dynamically and is beyond anyone's control.
The aim of cyber laws, or cyber-related laws, worldwide is to harmonize the existing laws.

The main milestones in making international cyber law are:

1. UNCITRAL Model Law on Electronic Commerce, 1996

The UNCITRAL Model Law on Electronic Commerce, adopted by the United Nations Commission on International Trade Law
(UNCITRAL) in 1996, serves as a template for countries to enact legislation governing electronic commerce. It aims to provide
legal certainty and facilitate electronic transactions by establishing rules regarding the use of electronic communications in
contractual agreements, such as the formation and validity of contracts, the use of electronic signatures, and the exchange of
electronic messages.

Key provisions of the Model Law include:

a) Legal Recognition of Electronic Records and Signatures

b) Provides legality of Electronic Signatures

c) The Model Law addresses the liability of intermediaries

d) Consumer Protection, Privacy and Data Protection.

By providing a harmonized legal framework for electronic commerce, the UNCITRAL Model Law on Electronic Commerce
promotes the growth of international trade and electronic business transactions while ensuring legal certainty and consumer
protection. Many countries have adopted or used the Model Law as a basis for their own legislation on electronic commerce.

2. European Convention on Cybercrime

The European Convention on Cybercrime, also known as the Budapest Convention, is an international treaty aimed at addressing
crimes committed via the Internet and other computer networks. It was drafted by the Council of Europe (COE) along with Canada,
Japan, South Africa and the United States of America, and opened for signature in Budapest, Hungary, in November 2001. The
Convention came into force in July 2004. This convention consists of 4 Chapters and 48 Articles in total.

The Convention covers a wide range of cybercrimes, including offenses related to computer systems, data, and content, such as
illegal access, interception of data, data interference, system interference, and content-related offenses (e.g., child pornography,
racism, and xenophobia).

This convention is a criminal justice multilateral treaty that provides states with:

a) International Cooperation: It promotes international cooperation among signatory states in investigating and prosecuting
cybercrimes. This includes measures for extradition, mutual legal assistance, and the establishment of 24/7 points of contact for
urgent requests.

b) Procedural Law and Jurisdiction: The Convention provides guidelines for harmonizing procedural laws related to
cybercrime investigations and prosecutions, including rules on jurisdiction, search and seizure of electronic evidence, and the
preservation of data.

c) Data Protection and Privacy: It includes provisions aimed at protecting the privacy and personal data of individuals, ensuring
that investigations and prosecutions of cybercrimes comply with international human rights standards.

d) Capacity Building and Technical Assistance: The Convention encourages signatory states to enhance their capacity to
prevent, investigate, and prosecute cybercrimes through training programs, technical assistance, and the exchange of best practices.

3. The Organization for Economic Cooperation and Development (OECD)

The Organization for Economic Cooperation and Development (OECD) is an international organization composed of 38 member
countries, founded in 1961 to promote economic progress and cooperation among nations.

In 1983, a committee was appointed by the OECD to discuss computer and cyber crimes and criminal law reforms.

In December 1999, the OECD officially approved the Guidelines for Consumer Protection in the Context of Electronic
Commerce.

The OECD adopted the Guidelines for the Security of Information Systems and Networks in 2002, to promote security among all
participants in protecting information systems and networks.

4. Global International Efforts by the United Nations

In 1990 the general assembly of the UN adopted the guidelines concerning Computerized Personal data files; it aimed at taking
proper measures to protect the files against both natural and artificial dangers. Various resolutions have been endorsed by the UN
General Assembly with the same motive to improve cyber security awareness internationally, to fight the criminal misuse of
information systems and to prevent cyber crime.

5. Microsoft-drafted model privacy bill

6. Personal Information Protection and Electronic Documents Act (PIPEDA)

7. ECPA (Electronic Commerce Protection Act)

8. Florida Computer Crimes Act

In today's world, technological advancements are directly proportional to the security risks contained in them. Cybercrime is an
international menace which has to be regulated at an international level.

Although a good number of countries in the world have implemented laws to curb cyber attacks, these are not sufficient due to
geographical differences and a morality factor that differs from place to place. What could be legal in one country might not be
acceptable in another. The network connectivity of cyber crime makes it one of the most dangerous and globalized crimes.

There needs to be a universal level of cooperation between countries in addressing these complexities; only then can
technology serve the future at its best, since cyberspace is constantly evolving.
The INDIAN Cyberspace

India's cyberspace landscape is complex and rapidly evolving, reflecting the country's growing digital economy, increasing
internet penetration, and the government's push towards digital initiatives. Here are some key aspects of Indian cyberspace:

1. Digital Economy and Internet Penetration

• Growth in Internet Users: India has one of the largest populations of internet users in the world, with over 700
million users as of 2023. This number is expected to grow as internet accessibility improves in rural areas.
• E-Commerce and Digital Payments: The e-commerce market in India is booming, driven by major players like
Amazon, Flipkart, and local startups. Digital payment platforms like Paytm, Google Pay, and PhonePe are widely used,
supported by the Unified Payments Interface (UPI) system.

2. Cybersecurity

• Cyber Threat Landscape: India faces significant cybersecurity threats, including phishing, ransomware attacks, and
data breaches. The increasing digitization has made critical sectors like finance, healthcare, and infrastructure
vulnerable to cyber-attacks.
• Cybersecurity Frameworks: The National Cyber Security Policy (2013) outlines measures to protect public and
private infrastructure from cyber threats. The policy is under revision to address the evolving threat landscape.
• CERT-In: The Indian Computer Emergency Response Team (CERT-In) is the national agency for cybersecurity
incident response. It monitors cyber threats and issues alerts and advisories.

3. Regulations and Legislation

• Information Technology Act, 2000: The primary law governing cyberspace in India, covering cybercrimes, electronic
commerce, and data protection. Amendments in 2008 introduced stronger penalties for cybercrimes.
• Personal Data Protection Bill: Proposed legislation aiming to protect individuals' data privacy and establish a
framework for data processing by organizations. The bill has undergone several revisions and is expected to be enacted
soon.
National Cyber Security Policy

The National Cyber Security Policy of India was introduced in 2013 by the Ministry of Electronics and Information Technology
(MeitY) Government of India to protect public and private infrastructure from cyber threats and secure the data of individuals
and businesses. With rapid information flow and transactions occurring via cyberspace, a national policy was much needed.

The National Cyber Security Policy aims at:

1. Facilitating the creation of a secure computing environment.
2. Enabling adequate trust and confidence in electronic transactions.
3. Guiding stakeholders' actions for the protection of cyberspace.

Main focus of National Cyber Security Policy 2020

In an attempt to create a 'cyber-secure nation' for businesses and individuals, the Government of India is reportedly set to unveil
its cybersecurity policy in January 2020 to achieve the target of a $5 trillion economy.

The initiatives it has taken towards drafting its cybersecurity strategy are:
Introduction
Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found
in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound
manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital
information.

Historical Background of Cyberforensics


The earliest computer crimes occurred in 1969 and 1970, when student protesters burned computers at various universities. The
Florida Computer Crimes Act (1978) was the first computer law to address computer fraud and intrusion. The focus of computer
forensics is to find digital evidence to establish whether or not a fraud or a crime has been committed.
• Computer forensics is a relatively new discipline in the domain of computer security; it is a rapidly growing discipline
and a fast growing profession as well as business.
• The focus of computer forensics is to find digital evidence; such digital evidence is required to establish
whether or not a fraud or crime has been committed.
• Computer forensics is primarily concerned with the systematic "identification", "acquisition", "preservation" and
"analysis" of digital evidence, typically after an unauthorised access to a computer or unauthorised use of a computer
has taken place.
• The main focus of "computer security", by contrast, is the prevention of unauthorised access to computer systems, as well as
maintaining the "confidentiality", "integrity" and "availability" of computer systems.
• There are two categories of computer crime:
1. Criminal activity that involves using a computer to commit a crime.
2. Criminal activity that has a computer as its target.

Computer forensics deals with proving unauthorized access has taken place while computer security deals with preventing
unauthorized access.
Typical types of data requested for a digital forensics examination by the law enforcement agencies include:

• investigating email
• website history
• cell phone usage
• VoIP usage
• file access history
• file creation or deletion
• chat history
• account login/logout records

Forensics means a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based
upon proof (or high statistical confidence level).

Digital Forensics Science

Digital forensics is the application of analysis techniques to the reliable and unbiased collection, analysis, interpretation and
presentation of digital evidence.
Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve
evidence/information which is magnetically stored or encoded.

In general, role of digital forensics is to:

• Uncover and document evidence and leads
• Confirm the evidence discovered in other ways
• Assist in showing a pattern of events
• Connect attack and victim computers
• Reveal an end-to-end path of events leading to a compromise attempt, successful or not
• Extract data that may be hidden, deleted or otherwise not directly available

Typical scenarios involved are:

• Employee Internet abuse
• Data leak/data breach
• Industrial espionage
• Damage assessment
• Criminal fraud and deception cases
• Criminal cases
• Copyright violation

The following figure shows the types of data you see using forensic tools:
Using digital forensics techniques, one can:

• Confirm and clarify evidence otherwise discovered
• Generate investigative leads for follow-up and verification in other ways
• Provide help to verify an intrusion hypothesis
• Eliminate incorrect assumptions

The Need for Computer Forensics


In this article we will look at what is the need for computer forensics and what are the challenges faced by forensics investigators
while dealing with storage devices.
The advances in ICT and computers provide avenues for misuse as well as opportunities for committing crime.
The widespread use of computer forensics is the result of two factors:

• The increasing dependence of law enforcement on digital evidence
• The ubiquity of computers that followed from the microcomputer revolution

There are many challenges for the forensics investigator because storage devices are available in various shapes and
sizes, as shown in the following figure:
Looking for Digital Forensics Evidence (DFE) is like looking for a needle in the haystack.
Chain of Custody
Chain of Custody means the chronological documentation trail, that indicates seizure, custody, transfer, analysis, and disposition
of evidence. Evidence must be handled in a careful manner to avoid later allegations of tampering or misconduct. The purpose of
the chain of custody is to establish that the alleged evidence is, indeed, related to the crime. Documentation must include:

• Conditions under which the evidence is collected
• Identity of all those who handled the evidence
• Duration of evidence custody
• Security conditions while handling or storing the evidence
• Manner in which evidence is transferred to subsequent custodians
• Signatures of persons involved at each step

Cyberforensics and Digital Evidence


In this article we will look at cyberforensics and digital evidence. We will look at the differences between physical evidence and
digital evidence. Then we will look at the guidelines for collecting digital evidence.
Cyberforensics can be divided into two domains:

• Computer forensics
• Network forensics

Network forensics is the study of network traffic to search for truth in civil, criminal, and administrative matters to protect users
and resources from exploitation, invasion of privacy, and any other crime.

Digital evidence is different from physical evidence because of the following characteristics:

• Digital evidence is much easier to change/manipulate
• Perfect copies can be made without harming the original
• Different information is available at different levels of abstraction

Computer forensics experts know the techniques to retrieve data from files listed in standard directory search, hidden files,
deleted files, deleted E-Mail and passwords, login ids, encrypted files, hidden partitions, etc. Computer systems have the
following:

• Logical file system that consists of:
o File system
o Random Access Memory (RAM)
o Physical storage media
▪ Slack space: space allocated to a file but not actually used, due to internal fragmentation
▪ Unallocated space
• User created files
• Computer created files (backups, cookies, config files, history files, log files, swap files, system files, temp files, etc.)
• Computer networks

The Rules of Evidence


According to Indian Evidence Act 1872, evidence means:

• All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under
inquiry, are called oral evidence.
• All documents that are produced for the inspection of the court are called documentary evidence.

Newly added provisions in the Indian Evidence Act 1872, introduced through the ITA 2000, constitute the body of law applicable to
electronic evidence.
Digital evidence by its very nature is invisible to the eye. Digital evidence must be developed using tools other than the human
eye. Acquisition of digital evidence is both a legal and technical problem. Difficulties associated with gathering digital evidence:

• Determining what piece of digital evidence is required
• Where the evidence is physically located

Different contexts involved in actually identifying a piece of digital evidence:

• Physical context
o It is definable by its physical form, that is, it should reside on a specific piece of media
• Logical context
o It must be identifiable as to its logical position, that is, where it resides relative to the file system
• Legal context
o The evidence must be placed in the correct context to read its meaning
o This may require looking at the evidence as machine language

Guidelines for digital evidence collection phase:

• Follow site’s security policy and engage the appropriate incident handling and law enforcement personnel
• Capture a picture of the system as accurately as possible
• Keep detailed notes with dates and times
• Be prepared to testify outlining all actions you took and at what times
• Minimize changes to the data as you are collecting it
• Remove external avenues for change
• Always choose collection before analysis
• Your procedures should be implementable
• For each device, a systematic approach should be adopted, following the guidelines of the collection procedure. Manage the
work among the team members
• Proceed from most volatile to less volatile areas while collecting evidence:
o Registers, cache
o Routing table, ARP cache, process table, kernel statistics, RAM
o Temporary file systems
o Disk
o Remote logging and monitoring data
o Physical configuration and network topology
o Archival media
• Do a bit-level copy of the media (work on the copy, and avoid conducting forensics on the original evidence)

Forensic Analysis of E-Mail

Introduction to E-Mail System


An E-Mail system is a combination of hardware and software that controls the flow of E-Mail. The two most important components
of an email system are:

• E-Mail server
• E-Mail gateway

E-Mail servers are computers that forward, collect, store, and deliver email to their clients. The general overview of
how an email system works is shown in the following figure:

E-Mail gateways are the connections between email servers. Mail server software is a software which controls the flow of email.
Mail client is the software which is used to send and receive (read) emails.
An email contains two parts:

• Header
• Body

Email Header Forensics Analysis


The email header is very important from the forensics point of view. A full header view of an email provides the entire path of
the email's journey from its source to its destination. The header also includes IP addresses and other useful information. The
header is a sequence of fields (key-value pairs).
Header information varies with the E-mail service provider, the email application and the system configuration.
The header part carries information that is needed for email routing, the subject line and time stamps, whereas the body contains
the actual message/data of an email.
The header of an email can easily be "spoofed" by spammers and other irresponsible network users.
Email header examples

In table 7.1, elements 2, 3 and 4 show the route taken by the message from sending to delivery. Every computer that receives this
message adds a "Received:" field with its complete address and time stamp; this helps in tracking delivery problems.
Element 5 of the mail header is the Message-ID, a unique identifier for this specific message. The Message-ID is logged and can
be traced through the computers on the message route if there is a need to track the mail.
Element 6 of the email header shows where the email was received from, with the IP address of the sender. It also shows the date
and time when the message was sent.
Element 7 shows only the originating IP address of the sender, without date and time. An IP address alone will not allow you to
identify a specific user. If the IP address is a "static" address, you will be able to identify the specific user (most IP
addresses are "dynamically" assigned).
Element 8 indicates the name of the sender; usually it is the domain name we want to trace.
Element 9 shows the name and email address of the primary recipient; the address may be for a mailing list.
Element 10 of the sample mail header lists the names and email addresses of the "courtesy copy" recipients of the message.
The body of the email contains the actual message. Headers can be easily spoofed by spammers. Header protocol analysis is
important for investigating evidence. After getting the source IP address, we find the ISP's details. By contacting the ISP, we can
get further information such as:

• Name
• Address
• Contact number
• Internet facility
• Type of IP address
• Any other relevant information

Email headers are organized bottom-up. This means that the email was handed from the machines at the bottom of the email
header to the ones at the top of it. These machines are referred to as Message Transfer Agents (MTAs). Each of them adds a
"Received" section to the email header. The order of Received sections is like a stack of pancakes, with the one receiving the
email last at the top of the stack.
Refer to the figure below.
There are three Received sections; this means that three MTAs were involved in the delivery of the message, with the one at the
bottom being the one that received the original message from the sender.

How Fake E-Mails can be detected:


RFC 2822:
It is important during investigations that the logs of all servers in the chain are examined as soon as possible. If the server
mentioned in the bottom Received section does not match the server of the email sender, it is a fake email. The Message-ID will
help to find the particular email log entry in an email server.
RFC 2822 defines the Internet message format. According to RFC 2822:

• Each email must have a globally unique identifier
• It defines the syntax of the Message-ID
• The Message-ID can appear in three header fields:
o Message-ID header
o In-Reply-To header
o References header
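As an added illustration of the bottom-up Received chain and the RFC 2822 checks described above (this code is not part of the original notes), the following Python script parses a constructed header, lists the hops in delivery order with the IP address each MTA recorded, validates the Message-ID syntax, and applies the origin-server heuristic; every hostname, IP address and identifier in it is fictitious.

```python
"""Email header forensics: walk the Received: chain bottom-up, check the Message-ID
syntax (RFC 2822 msg-id, simplified) and compare the first MTA with the sender domain.
The header below is constructed for this example; every host, IP and ID is fictitious."""
import re
from email.parser import HeaderParser

# Constructed header, written as an MTA chain leaves it: the last hop at the top,
# the MTA that accepted the message from the sender's machine at the bottom.
SAMPLE_HEADER = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.org with ESMTP id A1B2C3; Tue, 5 Mar 2024 10:03:21 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.7])
\tby mx2.example.net with ESMTP id D4E5F6; Tue, 5 Mar 2024 10:03:19 +0000
Received: from user-pc (unknown [192.0.2.55])
\tby smtp.sender.example with ESMTPA id G7H8I9; Tue, 5 Mar 2024 10:03:17 +0000
Message-ID: <20240305100317.G7H8I9@smtp.sender.example>
From: Alice <alice@sender.example>
To: bob@example.org
Subject: Quarterly report
Date: Tue, 5 Mar 2024 10:03:15 +0000

"""
# Same header with a forged From: line, so the bottom Received: no longer matches the sender.
SPOOFED_HEADER = SAMPLE_HEADER.replace("From: Alice <alice@sender.example>",
                                       "From: CEO <ceo@example.org>")

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 2822 msg-id is "<" id-left "@" id-right ">"; this regex is a simplified form of that grammar.
MESSAGE_ID_RE = re.compile(r"^<[^\s<>@]+@[^\s<>@]+>$")


def parse_headers(raw):
    """Parse only the header block; folded continuation lines are joined for us."""
    return HeaderParser().parsestr(raw)


def received_hops(msg):
    """Hops in delivery order (bottom-up): hops[0] is the MTA that first accepted the
    message, hops[-1] is the final MTA. Each hop records the claimed 'from' host, the
    'by' host that wrote the line, and the bracketed IP seen by that MTA, if any."""
    values = [re.sub(r"\s+", " ", v) for v in msg.get_all("Received", [])]
    hops = []
    for value in reversed(values):
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(value)
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def valid_message_id(msg):
    return bool(MESSAGE_ID_RE.match((msg.get("Message-ID") or "").strip()))


def origin_matches_sender(msg):
    """Heuristic from the notes: the 'by' host of the bottom-most Received: line should
    belong to the sender's domain. A mismatch is a lead to check against the MTA logs
    (via the Message-ID), not proof by itself: mail sent through a third-party provider
    legitimately fails this check."""
    hops = received_hops(msg)
    if not hops:
        return False
    first_mta, domain = hops[0]["by"].lower(), sender_domain(msg)
    return bool(domain) and (first_mta == domain or first_mta.endswith("." + domain))


def analyze(raw):
    msg = parse_headers(raw)
    return {"hops": received_hops(msg), "sender_domain": sender_domain(msg),
            "message_id_ok": valid_message_id(msg),
            "origin_matches_sender": origin_matches_sender(msg)}


if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_HEADER), ("spoofed From:", SPOOFED_HEADER)):
        result = analyze(raw)
        print(f"--- {label} ---")
        for i, hop in enumerate(result["hops"], 1):
            print(f"hop {i}: {hop['from']} -> {hop['by']} (ip {hop['ip']})")
        print("Message-ID valid:", result["message_id_ok"],
              "| origin matches sender:", result["origin_matches_sender"])
```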

Digital Forensics Life Cycle

This section covers the digital forensics life cycle. We will explore the different phases or steps in the digital forensics life cycle.

The digital forensics process is shown in the following figure. Forensic life cycle phases are:

1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying

1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It might be possible that the evidence may be overlooked
and not identified at all. A sequence of events in a computer might include interactions between:

• Different files
• Files and file systems
• Processes and files
• Log files

In case of a network, the interactions can be between devices in the organization or across the globe (Internet). If the evidence is
never identified as relevant, it may never be collected and processed.
2. Collecting and Recording Digital Evidence
Digital evidence can be collected from many sources. The obvious sources can be:

• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices

Non-obvious sources can be:

• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags

Proper care should be taken while handling digital evidence as it can be changed easily. Once changed, the evidence cannot be
analysed further. A cryptographic hash can be calculated for the evidence file and later checked if there were any changes made
to the file or not. Sometimes important evidence might reside in the volatile memory. Gathering volatile data requires special
technical skills.

3. Storing and Transporting Digital Evidence

Some guidelines for handling of digital evidence:

• Image computer-media using a write-blocking tool to ensure that no data is added to the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability

Care should be taken that evidence does not go anywhere without properly being traced. Things that can go wrong in storage
include:

• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving mechanisms

Sometimes evidence must be transported from place to place either physically or through a network. Care should be taken that
the evidence is not changed while in transit. Analysis is generally done on the copy of real evidence. If there is any dispute over
the copy, the real can be produced in court.
4. Examining/Investigating Digital Evidence
A forensics specialist should ensure that he/she has the proper legal authority to seize, copy and examine the data. As a general
rule, one should not examine digital information unless one has the legal authority to do so. A forensic investigation performed on
data at rest (hard disk) is called dead analysis.
Many current attacks leave no trace on the computer's hard drive. The attacker only exploits the information in the computer's
main memory. Performing a forensic investigation on main memory is called live analysis. Sometimes the decryption key might be
available only in RAM. Turning off the system will erase the decryption key.
For the purpose of digital evidence examination, "imaging of electronic media" is necessary. The process of creating an exact
duplicate of the original evidence is called imaging. Using a stand-alone hard drive duplicator or software imaging tools, the
entire hard drive is completely duplicated. Some tools which can create entire hard drive images are:

• dcfldd
• IXimager
• Guymager

The original drive is moved to secure storage to prevent tampering. During imaging, a write protection device or application is
used to ensure that no information is introduced onto the evidentiary media during the forensics process. The imaging process is
verified by using SHA-1 or any other hashing algorithm. At critical points throughout the analysis, the media is verified again,
known as "hashing", to ensure that the evidence is still in its original state.
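The hash-and-verify step just described, together with the chain-of-custody documentation covered earlier, as an added Python example (not code from these notes): it uses SHA-256 in place of SHA-1, a constructed byte string as a stand-in for the disk image, and placeholder case and item identifiers; real images would be opened as files and hashed in the same chunked way.

```python
"""Evidence integrity: hash a forensic image at acquisition, re-hash it at each critical
point, and keep an append-only chain-of-custody log of who handled it and what was seen.
The "image" below is a constructed byte string; case and item IDs are placeholders."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash large images in 64 KiB chunks instead of reading them whole


def hash_stream(stream, algorithm="sha256"):
    """Hash a file-like object chunk by chunk and return the hex digest. The notes
    mention SHA-1; SHA-256 is used here because SHA-1 collisions are practical today."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_image(image, algorithm="sha256"):
    """Accept raw bytes (as in this example) or an open binary file of a real image."""
    if isinstance(image, (bytes, bytearray)):
        image = io.BytesIO(image)
    return hash_stream(image, algorithm)


class ChainOfCustody:
    """Append-only record: who handled the item, when, what they did, and the hash observed."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hash = None
        self.entries = []

    def record(self, handler, action, digest, note=""):
        entry = {
            "case": self.case_id, "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler, "action": action, "sha256": digest, "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquire(self, image, handler, note="imaged behind a hardware write blocker"):
        """First entry: the hash taken right after imaging becomes the reference value."""
        self.acquisition_hash = hash_image(image)
        self.record(handler, "acquired", self.acquisition_hash, note)
        return self.acquisition_hash

    def verify(self, image, handler, note=""):
        """Re-hash at a critical point (transfer, before/after analysis) and log the outcome."""
        digest = hash_image(image)
        ok = digest == self.acquisition_hash
        self.record(handler, "verified" if ok else "VERIFICATION FAILED", digest, note)
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


# Constructed stand-in for a disk image (a real image would be a file opened in "rb" mode).
SAMPLE_IMAGE = (b"\x00" * 512) + b"NTFS    " + bytes(range(256)) * 4


def demo():
    """Acquire, hand over intact, then show that a single flipped bit fails verification."""
    log = ChainOfCustody(case_id="CASE-EXAMPLE-001", item_id="HDD-01")
    log.acquire(SAMPLE_IMAGE, handler="examiner A")
    intact = log.verify(SAMPLE_IMAGE, handler="examiner B", note="received from examiner A")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[700] ^= 0x01  # one flipped bit anywhere in the image changes the digest
    still_intact = log.verify(bytes(tampered), handler="examiner B", note="after analysis")
    return intact, still_intact, log


if __name__ == "__main__":
    intact, still_intact, log = demo()
    print("copy intact on handover:", intact, "| intact after tampering:", still_intact)
    print(log.to_json())
```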
5. Analysis, Interpretation and Attribution
Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by most forensic analysts. In
digital forensics, only a few sequences of events might produce evidence, but the possible number of sequences is very large. The
digital evidence must be analyzed to determine the type of information stored on it. For this purpose, specialty tools are used
that can display information in a format useful to investigators. Examples of forensics tools:

• Forensic Toolkit (FTK)
• EnCase
• Scalpel (a file carving tool; file carving is the process of recovering files from an investigative target, potentially without
knowledge of the file system structure)
• The Sleuth Kit (TSK), a library and collection of Unix and Windows based tools and utilities that allow forensic analysis of
computer systems
• Autopsy

Forensic analysis includes the following activities:

• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to the crime
• Extracting emails and images

Types of digital analysis:

• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form, in written form or both. The report contains all
the details about the evidence gathered in the analysis, interpretation and attribution steps. As a result of the findings in this phase, it should
be possible to confirm or discard the allegations with regard to the particular crime or suspected incident.
There is a substantial amount of scientific literature on methods of presentation and their impact on those who observe those
presentations, covering aspects ranging from the order in which information is presented to the use of graphics and demonstrations. In general,
reporting is a complex and tricky process. Some of the general elements in the report are:

• Identity of the reporting agency;
• Case identifier or submission number;
• Case investigator;
• Identity of the submitter;
• Date of receipt;
• Date of report;
• Descriptive list of items submitted for examination;
• Identity and signature of the examiner;
• Brief description of steps taken during examination;
• Results / conclusions.

7. Testifying

This phase involves the presentation and cross-examination of expert witnesses. A computer forensic expert witness possesses the
expertise to uncover hidden or deleted data, recover information from damaged devices, and identify digital footprints left behind
by users. Their technical proficiency enables them to uncover relevant evidence that will shape the direction of the particular case.
Their role is to provide an unbiased analysis of the electronic evidence and present their findings based on ethical principles.
An expert witness can testify provided that:

• the testimony is based on sufficient facts or data
• the testimony is the product of reliable principles and methods
• the witness has applied the principles and methods reliably to the facts of the case

Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be taken when collecting digital
evidence are:

• No action taken by law enforcement agencies or their agents should change the evidence
• When a person needs to access the original data held on a computer, that person must be competent to do so
• An audit trail or other record of all processes applied to digital evidence should be created and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to

Chain of Custody
A chain of custody is the process of validating how evidence has been gathered, tracked, and protected on the way to the court
of law. Forensic professionals know that if you do not have a chain of custody, the evidence is worthless.
The chain of custody is a chronological written record of those individuals who have had custody of the evidence from its initial
acquisition to its final disposition. A chain of custody begins when evidence is collected and the chain is maintained until it is
disposed of. The chain of custody assumes continuous accountability: at every moment someone is recorded as responsible for the evidence.
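As an added illustration (not part of the notes), a small Python model of a chain of custody record: every hand-over is logged with time, releaser, receiver, purpose and the evidence hash at that moment, and a check reports the breaks in continuous accountability that would make the evidence challengeable. The case number, names, timestamps and hashes are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: datetime      # when the hand-over happened (UTC)
    released_by: str         # who gave up the item ("scene" for the initial collection)
    received_by: str         # who took possession
    purpose: str             # why (collection, storage, analysis, court ...)
    evidence_hash: str       # hash of the evidence image at the hand-over


class ChainOfCustody:
    """Chronological, append-only record of everyone who held an evidence item,
    from initial acquisition to final disposition."""

    def __init__(self, case_id, item_id, collected_by, when, acquisition_hash):
        self.case_id, self.item_id = case_id, item_id
        self.entries = [CustodyEntry(when, "scene", collected_by, "collection", acquisition_hash)]

    def transfer(self, when, released_by, received_by, purpose, evidence_hash):
        self.entries.append(CustodyEntry(when, released_by, received_by, purpose, evidence_hash))

    def problems(self):
        """Breaks in continuous accountability: an unexplained holder, time going
        backwards, or the evidence hash changing while someone held the item."""
        issues = []
        acquisition_hash = self.entries[0].evidence_hash
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur.released_by != prev.received_by:
                issues.append(f"gap: {prev.received_by} held the item but "
                              f"{cur.released_by} released it on {cur.timestamp:%Y-%m-%d %H:%M}")
            if cur.timestamp < prev.timestamp:
                issues.append(f"out-of-order entry on {cur.timestamp:%Y-%m-%d %H:%M}")
            if cur.evidence_hash != acquisition_hash:
                issues.append(f"hash changed while held by {prev.received_by}")
        return issues


def demo_chains():
    """Constructed example: an intact chain and one with a custody gap and an altered image."""
    utc = timezone.utc
    h = hashlib.sha256(b"constructed disk image").hexdigest()
    good = ChainOfCustody("CASE-0001", "HDD-01", "Officer A", datetime(2024, 3, 1, 9, 15, tzinfo=utc), h)
    good.transfer(datetime(2024, 3, 1, 11, 0, tzinfo=utc), "Officer A", "Evidence locker", "secure storage", h)
    good.transfer(datetime(2024, 3, 2, 8, 30, tzinfo=utc), "Evidence locker", "Examiner B", "imaging and analysis", h)

    bad = ChainOfCustody("CASE-0001", "HDD-01", "Officer A", datetime(2024, 3, 1, 9, 15, tzinfo=utc), h)
    # Officer C was never recorded as receiving the item, so nobody accounts for it in between.
    bad.transfer(datetime(2024, 3, 2, 8, 30, tzinfo=utc), "Officer C", "Examiner B", "analysis", h)
    # The image hash no longer matches the acquisition hash: the evidence was altered in custody.
    bad.transfer(datetime(2024, 3, 3, 10, 0, tzinfo=utc), "Examiner B", "Court clerk", "testimony",
                 hashlib.sha256(b"altered image").hexdigest())
    return good.problems(), bad.problems()
```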
Approaching a Computer Forensics Investigation
The phases in approaching a computer forensics investigation are:

• Secure the subject system
• Take a copy (image) of the hard drive/disk
• Identify and recover all files
• Access/view/copy hidden, protected, and temporary files
• Study special areas on the drive
• Investigate the settings and any data from programs on the system
• Consider the system from various perspectives
• Create a detailed report containing an assessment of the data and information collected

Things to be avoided during a forensics investigation:

• Changing date/timestamps of the files
• Overwriting unallocated space

Things that should not be avoided (must be in place) during a forensics investigation:

• Engagement contract
• Non-Disclosure Agreement (NDA)

Typical Elements Addressed in a Forensics Investigation Engagement Contract:

1. Authorization: the customer will be asked to authorize the computer forensics laboratory or its agents to conduct an
evaluation of the data/media/equipment onsite or offsite to determine the nature and scope of the engagement and to
enable the laboratory to provide an estimate of the cost of the forensics investigation.
2. Confidentiality: the computer forensics laboratory concerned is to use any information contained in the data or media
provided to it by the customer only for the purpose of fulfilling the engagement.
3. Payment: the customer agrees to pay the computer forensics laboratory all sums authorized from time to time by the customer.
4. Consent and acknowledgement: any consent required of either party becomes effective only if provided in a
commercially reasonable manner. The customer needs to acknowledge that the efforts of the computer forensics laboratory
to complete the forensic investigation engagement may result in the destruction of or damage to the equipment/data/media.
5. Limitation of liability: the computer forensics laboratory concerned will not consider itself to be liable for any claims
regarding the physical functioning of the equipment/data/media.

General steps in solving a computer forensics case are:

1. Prepare for the forensic examination.
2. Talk to key people about the case and what you are looking for.
3. If you are convinced that the case has a strong foundation, start assembling tools to collect the data and identify the target
media.
4. Collect the data from the target media. You will be creating an exact duplicate image of the device in question. To do
this you need to use an imaging software application like the commercial EnCase or the open source Sleuth Kit/Autopsy.
5. Use a write blocking tool while performing imaging of the disk. This makes sure nothing is added to the device when
you are creating your image.
6. Check email records too while collecting evidence.
7. Examine the collected evidence on the image that is created, and document anything that you find and where you found it.
8. Analyze the evidence you have collected.
9. Report your findings to your client.
Challenges in Computer Forensics
This section discusses the challenges in computer forensics. We will look at the various challenges in network forensics, technical forensics and legal forensics.
Although there are well-developed forensic techniques, cybercrime investigation is not easy. A huge amount of data is available,
and searching for evidence in that enormous amount of data is not easy. Most of the existing tools allow anyone to change the attributes
associated with digital data.
Cybercrime investigators often face the problem of collecting evidence from very large groups of files. They need to use techniques
like link analysis and visualization. To find leads they need to use machine learning techniques (pattern recognition), as well as text mining or
data mining techniques.
Challenges in network forensics

• Networks span multiple time zones and multiple jurisdictions, so it must be ensured that all jurisdictions collaborate.
• Network data will be available offline and online (real-time).
• Real-time data requires the ability to capture and analyze data on the fly.
• The data may involve different protocols, and the data may be huge due to increasing bandwidth.
• A protocol might also involve multiple layers of signal (VoIP, HTTP tunneling).
• Current forensic tools are not able to handle real-time data and huge amounts of data; techniques are required for
rapidly tracing a computer criminal’s network activities.

There needs to be a paradigm shift in network forensics techniques to analyze real-time data and huge amounts of data.
The duration of a forensics investigation may vary: some simple cases might take a few hours, and complex cases may take some years
to solve.
Certain digital information other than the data itself may help in solving the case. Such information might include date and
timestamps of files, folder structure and message transmission tags. Real-time data collection is more complex as it needs to
address the legalities and privileges involved in surveillance.
Technical Challenges
The two challenges faced in a digital forensic investigation are complexity and quantity.
The complexity problem refers to the data collected being at the lowest level or in raw format. Non-technical people will find it
difficult to understand such data. Tools can be used to transform the data from a low-level format into a readable format.
The quantity problem refers to the amount of data that needs to be analyzed. Data reduction techniques can be used to group data
or remove known data. Data reduction techniques include:

• Identifying known network packets using IDS signatures
• Identifying unknown entries during log processing
• Identifying known files using hash databases
• Sorting files by their types
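The known-file and sorting techniques above, as an added Python example (not code from the notes): files recovered from an image are dropped when their hash is in a known-file set (a constructed stand-in for a database such as NIST's NSRL), the remaining files are bucketed by content signature rather than by extension, and files whose extension contradicts their content are flagged for closer examination. All file names, contents and hashes are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed "files" recovered from an image (path -> content).
SAMPLE_FILES = {
    "Windows/notepad.exe": b"MZ\x90\x00stock binary (constructed)",
    "Program Files/app/readme.txt": b"Stock readme shipped with the app (constructed)",
    "Users/alice/report.docx": b"PK\x03\x04quarterly figures",
    "Users/alice/cat.jpg": b"\xff\xd8\xff\xe0JFIF data",
    "Users/alice/todo.txt": b"buy milk\ncall bank\n",
    "Users/alice/notes.txt": b"\xff\xd8\xff\xe0JFIF data hidden behind a .txt name",
    "Users/alice/backup.dat": b"\x00\x01\x02\x7f\x80unknown blob",
}

# Constructed stand-in for a known-file hash set: hashes of files shipped with the
# OS or with applications, which need no examination and can be removed.
KNOWN_FILE_SHA1 = {
    hashlib.sha1(SAMPLE_FILES["Windows/notepad.exe"]).hexdigest(),
    hashlib.sha1(SAMPLE_FILES["Program Files/app/readme.txt"]).hexdigest(),
}

# File signatures ("magic bytes") checked in order; the extension is never trusted.
SIGNATURES = [(b"MZ", "executable"), (b"PK\x03\x04", "zip/office"),
              (b"\xff\xd8\xff", "jpeg"), (b"%PDF", "pdf")]
EXTENSION_TYPES = {"exe": "executable", "docx": "zip/office", "jpg": "jpeg",
                   "pdf": "pdf", "txt": "text"}


def content_type(data):
    """Classify by signature, then by printability; anything else is unknown."""
    for signature, kind in SIGNATURES:
        if data.startswith(signature):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def reduce_files(files, known_hashes):
    """Drop files whose hash is in the known set, bucket the rest by content type,
    and flag files whose extension disagrees with their content.
    Returns (number_removed, buckets, mismatches)."""
    buckets, mismatches, removed = defaultdict(list), [], 0
    for path, data in files.items():
        if hashlib.sha1(data).hexdigest() in known_hashes:
            removed += 1
            continue
        kind = content_type(data)
        buckets[kind].append(path)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in EXTENSION_TYPES and EXTENSION_TYPES[ext] != kind:
            mismatches.append((path, ext, kind))
    return removed, dict(buckets), mismatches


if __name__ == "__main__":
    print(reduce_files(SAMPLE_FILES, KNOWN_FILE_SHA1))
```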

Legal challenges

• Digital evidence can be tampered with easily, sometimes even without any traces. It is common for modern computers to
have multi-gigabyte disks. Seizing and freezing digital evidence can no longer be accomplished just by
burning a CD-ROM. Failure to freeze the evidence prior to opening files has invalidated critical evidence.
• There is also the problem of finding relevant evidence within massive amounts of data, which is a daunting task.
• The real legal challenges involve the artificial limitations imposed by constitutional, statutory and procedural issues.
• There are many types of personnel involved in digital/computer forensics: a) technicians, b) policy makers, and
c) professionals.
• Technicians have the sound knowledge and skills to gather information from digital devices and understand software,
hardware and networks. They must understand the various types of OS and the forensic software and hardware products available
in the market. In addition, professional training is a must to enter this domain.
• Policy makers establish forensics policies that reflect broad considerations. Policy makers' focus is on the big picture, but
they must also be familiar with computing and forensics.
• Professionals are the link between policy and execution; they have extensive technical skills as well as a good
understanding of legal procedures.
• Skills for digital forensics professionals are the following:
1. Identify the relevant electronic devices associated with violations of specific laws;
2. Identify the cause necessary to obtain a search warrant and recognize the limits of the warrant;
3. Locate and recover electronic devices from computer systems using tools;
4. Recognize and maintain the chain of custody;
5. Follow a documented forensics investigation process.
Detection and recovery are at the heart of computer forensics; this is the aspect that matters in the legal presentation of a cybercrime
case in court. The goal of detection and recovery is to recognize the digital objects that may contain information about the incident
and document them. By “forensic acquisition of media” we mean the process of making a bit-for-bit copy or image file of a piece of media;
these image files are frequently used in civil or criminal court proceedings, so completeness and accuracy of the
acquisition process are required. The source of the evidence must remain intact and must not be altered by attackers or by normal processes.
Technical persons involved in digital forensics/computer forensics need basic technical skills such as understanding the various
kinds of file systems, system software, data organization and specific OS.
The legal professionals need to understand the working of the court system, the legislation, laws (for cybercrime), the
investigative process and the evidential value of the electronic artifacts recovered/seized as potential evidence to be presented in
court while putting up the case.
Forensics Auditing
Forensics auditing is also known as forensic accounting. Forensics auditing includes the steps needed to detect and deter fraud.
A forensic auditor makes use of the latest technology to examine financial documents and investigate white-collar crimes like
fraud, identity theft, securities fraud, insider trading, etc.

Forensic accounting is a specialized form of accounting; it uses 1. accounting, 2. auditing and 3. investigative techniques.

Forensic auditors are responsible for detecting fraud, identifying the individuals involved, collecting evidence, presenting the
evidence in criminal proceedings, etc. Forensic auditors can work in both small and large organizations like insurance companies,
banks, courts, government departments or agencies and law firms.

Forensic auditing is a specialized field of accounting that involves investigating financial records to uncover potential fraud or
other financial irregularities. Forensic auditors use a variety of techniques to analyze financial data and identify any discrepancies
or fraudulent activities. Some common forensic auditing techniques include:

1. Data Analysis: Forensic auditors use data analysis tools and techniques to examine large volumes of financial data
for patterns, anomalies, or inconsistencies that may indicate fraudulent activity.
2. Interviews and Interrogations: Forensic auditors may conduct interviews with employees, management, or other
individuals to gather information and evidence related to the audit investigation.
3. Document Examination: Forensic auditors review financial documents such as invoices, receipts, bank statements,
and contracts to identify any discrepancies or irregularities that may indicate fraud.
4. Surveillance: In some cases, forensic auditors may conduct surveillance to observe individuals or activities that are
suspected of being involved in fraudulent activities.
5. Financial Statement Analysis: Forensic auditors analyze financial statements to assess the accuracy and
completeness of the information presented and to identify any potential red flags or inconsistencies.
6. Forensic Technology: Forensic auditors use specialized technology tools and software to aid in the investigation
and analysis of financial data, such as forensic accounting software, data analytics tools, and e-discovery tools.
7. Tracing Assets: Forensic auditors may trace the flow of funds or assets through various accounts and transactions
to identify any fraudulent activities such as money laundering or embezzlement.
8. Expert Witness Testimony: Forensic auditors may provide expert witness testimony in legal proceedings to
explain their findings and opinions related to financial fraud or misconduct.
These are just a few of the techniques that forensic auditors use to investigate financial fraud and misconduct. The specific
techniques used in a forensic audit will vary depending on the nature of the investigation and the specific circumstances of the
case.

Forensic auditors need to collect the evidence, conduct interviews, analyse the collected documents, collect data from
different sources, use data analysis tools, and apply prevention techniques. The four divisions in the process of a forensic audit are as
follows: investigation, observation, analytical analysis and recalculation. Forensic auditors need to communicate with internal
executives and coordinate with the top management. The report produced by the forensic auditors helps to resolve the dispute.

The forensic report after a forensic audit is trustworthy for government authorities, court officials and regulatory bodies. The
techniques differ as per the fraud activity and business model.

Short Answer Questions

1. What are Cyber Security Regulations?
2. What is the aim of the National Cyber Security Policy?
3. What is the difference between computer security and computer forensics?
4. Define Computer forensics and Digital forensics.
5. Explain the importance of the “Chain of custody” concept.
6. What are the “rules of Evidence”?
7. What are the “complexity” and “quantity” problems faced in a digital forensics investigation?
8. Explain the types of Computer Forensics tools.
9. Define Financial Accounting.

Long Answer Questions

1. Explain the Roles of International Law in controlling cybercrimes.
2. What is the National Cyber Security Policy? What are the key aspects of the National Security Policy?
3. Write about the Historical background of Cyber Forensics and Digital Forensics science.
4. What precautions should be taken while collecting electronic evidence?
5. What are the various phases and activities involved in the lifecycle of a forensics investigation process?
6. What are the typical elements of a digital forensics investigation report?
7. What are the different types of digital analysis that can be performed on the captured forensics evidence?
8. What are the things to be avoided and what are the things that cannot be avoided during a cyberforensic/digital forensics
investigation? What are the typical elements addressed in a Forensics Investigation Engagement Contract?
9. Highlight the key steps to be performed in solving a computer forensics case.
10. Explain the Challenges in Computer Forensics.
11. What are the special techniques of Auditing?
