Digital Forensics

Digital Forensics is a branch of forensic science which includes the identification, collection, analysis
and reporting any valuable digital information in the digital devices related to the computer crimes, as a
part of the investigation. In simple words, Digital Forensics is the process of identifying, preserving,
analyzing and presenting digital evidences. The first computer crimes were recognized in the 1978
Florida computers act and after this; the field of digital forensics grew pretty fast in the late 1980-90’s. It
includes the area of analysis like storage media, hardware, operating system, network and applications.

It consists of 5 steps at high level:

1. Identification of evidence: It includes of identifying evidences related to the digital crime in

storage media, hardware, operating system, network and/or applications. It is the most important
and basic step.

2. Collection: It includes preserving the digital evidences identified in the first step so that they
don’t degrade to vanish with time. Preserving the digital evidences is very important and crucial.

3. Analysis: It includes analyzing the collected digital evidences of the committed computer crime
in order to trace the criminal and possible path used to breach into the system.

4. Documentation: It includes the proper documentation of the whole digital investigation, digital
evidences, loop holes of the attacked system etc. so that the case can be studied and analyzed in
future also and can be presented in the court in a proper format.

5. Presentation: It includes the presentation of all the digital evidences and documentation in the
court in order to prove the digital crime committed and identify the criminal.
Branches of Digital Forensics:

 Media forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of audio, video and image evidences during the investigation process.

 Cyber forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidences during the investigation of a cyber crime.

 Mobile forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidences during the investigation of a crime committed
through a mobile device like mobile phones, GPS device, tablet, and laptop.

 Software forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidences during the investigation of a crime related to
software only.

Challenges faced by Digital Forensics

Here, are major challenges faced by the Digital Forensic:

 The increase of PC’s and extensive use of internet access

 Easy availability of hacking tools

 Lack of physical evidence makes prosecution difficult.

 The large amount of storage space into Terabytes that makes this investigation job difficult.

 Any technological changes require an upgrade or changes to solutions.

Example Uses of Digital Forensics

In recent time, commercial organizations have used digital forensics in following a type of cases:

 Intellectual Property theft

 Industrial espionage

 Employment disputes

 Fraud investigations

 Inappropriate use of the Internet and email in the workplace

 Forgeries related matters

 Bankruptcy investigations

 Issues concern with the regulatory compliance

Advantages of Digital forensics

 To ensure the integrity of the computer system.

 To produce evidence in the court, which can lead to the punishment of the culprit?

 It helps the companies to capture important information if their computer systems or networks are
compromised.

 Efficiently tracks down cybercriminals from anywhere in the world.

 Helps to protect the organization’s money and valuable time.

 Allows extracting, process, and interpreting the factual evidence, so it proves the cybercriminal
action’s in the court.

Disadvantages of Digital Forensics

 Digital evidence accepted into court. However, it is must be proved that there is no tampering

 Producing electronic records and storing them is an extremely costly affair

 Legal practitioners must have extensive computer knowledge

 Need to produce authentic and convincing evidence

 If the tool used for digital forensic is not according to specified standards, then in the court of
law, the evidence can be disapproved by justice.

 Lack of technical knowledge by the investigating officer might not offer the desired result

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can
be found on a computer hard drive, a mobile phone, among other place s. Digital evidence is commonly
associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However,
digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-
mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the
time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led
investigators to the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at
least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement
agencies are incorporating the collection and analysis of digital evidence, also known as computer
forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train officers
to collect digital evidence and keep up with rapidly evolving technologies such as computer operating
systems.

Email Forensics – Definition and Guideline

Email forensics is dedicated to investigating, extracting, and analyzing emails to collect digital evidence
as findings in order to crack crimes and certain incidents, in a forensically sound manner.
The process of email forensics, it’s conducted across various aspects of emails, which mainly includes

 Email messages

 Email addresses(sender and recipient)

 IP addresses

 Date and time

 User information

 Attachments

 Passwords

 logs (Cloud, server, and local computer)

To deeply and overall investigate the above crucial elements of email, potential clues are going to be
obtained to help push the progress of a criminal investigation.

Hence, knowing how to conduct scientific and effective email forensics has come into account.

But before diving deep into practical email forensics, without a full understanding of the operation and
theory of emails themselves, the forensic work is likely to be stuck.

Email Programs and Protocols

During the process, there are 3 protocols and 3 email programs tightly related and are vital to be known.

 Simple Mail Transfer Protocol (SMTP): it is the standard Protocol used to transmit and send
emails.

 Internet Message Access Protocol (IMAP): it is one of the standard protocols used for receiving
emails.

 POP3 (Post Office Protocol 3): it is one of the standard protocols used to receive mail.

 Mail Transfer Agent (MTA): sends and forwards emails through SMTP. E.g. Send mail, postfix.

 Mail User Agent (MUA): mail client used to receive emails, which uses IMAP or POP3 protocol
to communicate with the server. e.g. Outlook, Apple Mail, Gmail.

 Mail Delivery Agent (MDA): saves the mails received by MTA to local, cloud disk or designated
location, meanwhile it usually scans for spam mails and viruses. e.g. Promail, Dropmail.

 Mail Receive Agent (MRA): implements IMAP and POP3 protocol, and interacts with MUA. e.g.
dovecot

Chain of Custody refers to the logical sequence that records the sequence of custody, control, transfer,
analysis and disposition of physical or electronic evidence in legal cases. Each step in the chain is
essential as if broke, the evidence may be rendered inadmissible. Thus we can say that preserving the
chain of custody is about following the correct and consistent procedure and hence ensuring the quality
of evidence.

The chain of custody in digital cyber forensics is also known as the paper trail or forensic link, or
chronological documentation of the evidence.

 Chain of custody indicates the collection, sequence of control, transfer and analysis.

 It also documents details of each person who handled the evidence, date and time it was collected
or transferred, and the purpose of the transfer.

 It demonstrates trust to the courts and to the client that the evidence has not tampered.

Digital evidence is acquired from the myriad of devices like a vast number of IoT devices, audio
evidence, video recordings, images, and other data stored on hard drives, flash drives, and other physical
media.

Importance to Examiner:

 To preserve the integrity of the evidence.

 To prevent the evidence from contamination, which can alter the state of the evidence?

 In case you obtained metadata for a piece of evidence but unable to extract any meaningful
information from the metadata. In such a case, the chain of custody helps to show where possible
evidence might lie, where it came from, who created it, and the type of equipment used. This will
help you to generate an exemplar and compare it to the evidence to confirm the evidence
properties.

Importance to the Court: If not preserved, the evidence submitted in the court might be challenged and
ruled inadmissible.

Chain of Custody Process

In order to preserve digital evidence, the chain of custody should span from the first step of data
collection to examination, analysis, reporting, and the time of presentation to the Courts. This is very
important to avoid the possibility of any suggestion that the evidence has been compromised in any way.

1. Data Collection: This is where chain of custody process is initiated. It involves identification,
labeling, recording, and the acquisition of data from all the possible relevant sources that preserve
the integrity of the data and evidence collected.

2. Examination: During this process, the chain of custody information is documented outlining the
forensic process undertaken. It is important to capture screenshots throughout the process to show
the tasks that are completed and the evidence uncovered.
 3. Analysis: This stage is the result of the examination stage. In the Analysis stage, legally
justifiable methods and techniques are used to derive useful information to address questions
posed in the particular case.

4. Reporting: This is the documentation phase of the Examination and Analysis stage. Reporting
includes the following:

 Statement regarding Chain of Custody.

 Explanation of the various tools used.

 A description of the analysis of various data sources.

 Issues identified.

 Vulnerabilities identified.

 Recommendation for additional forensics measures that can be taken.

Network forensics is a subcategory of digital forensics that essentially deals with the examination of
the network and its traffic going across a network that is suspected to be involved in malicious
activities, and its investigation for example a network that is spreading malware for stealing credentials
or for the purpose analyzing the cyber-attacks. As the internet grew cybercrimes also grew along with it
and so did the significance of network forensics, with the development and acceptance of network-
based services such as the World Wide Web, e-mails, and others.
With the help of network forensics, the entire data can be retrieved including messages, file transfers, e-
mails, and, web browsing history, and reconstructed to expose the original transaction. It is also
possible that the payload in the uppermost layer packet might wind up on the disc, but the envelopes
used for delivering it are only captured in network traffic. Hence, the network protocol data that
enclose each dialog is often very valuable.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
 Identification: In this process, investigators identify and evaluate the incident based on the
network pointers.
 Safeguarding: In this process, the investigators preserve and secure the data so that the
tempering can be prevented.
 Accumulation: In this step, a detailed report of the crime scene is documented and all the
collected digital shreds of evidence are duplicated.
 Observation: In this process, all the visible data is tracked along with the metadata.
 Investigation: In this process, a final conclusion is drawn from the collected shreds of
evidence.
 Documentation: In this process, all the shreds of evidence, reports, conclusions are
documented and presented in court.
Challenges in Network Forensics:
 The biggest challenge is to manage the data generated during the process.
 Intrinsic anonymity of the IP.
 Address Spoofing.
Advantages:
 Network forensics helps in identifying security threats and vulnerabilities.
 It analyzes and monitors network performance demands.
 Network forensics helps in reducing downtime.
 Network resources can be used in a better way by reporting and better planning.
 It helps in a detailed network search for any trace of evidence left on the network.
Disadvantage:
 The only disadvantage of network forensics is that It is difficult to implement.

Approach to forensic investigation

 • Test the design
 Review the decisions you’ve made and the steps you’ve completed. If you
 have already copied the original media, a standard part of testing the design
 involves comparing hash values to ensure that you copied the original media
 correctly.
 • Analyze and recover the digital evidence
 Using the software tools and other resources you’ve gathered, and making
 sure you’ve addressed any risks and obstacles, examine the disk to find digital
 evidence.
 • Investigate the data you recover
 View the information recovered from the disk, including existing files,
 deleted files, e-mail, and Web history, and organizes the files to help find
 information relevant to the case.
 • Complete the case report
 Write a complete report detailing what you did and what you found.
 • Critique the case
 Self-evaluation and peer review are essential parts of professional growth.
 After you complete a case, review it to identify successful decisions and actions
 and determine how you could have improved your performance
 Identification – it recognizes an incident from indicators and determines its type. This component
is important because it impacts other steps but it is not explicit within the field of forensic.
 Preparation – it involves the preparation of tools, techniques, search warrants and monitoring
authorization and management support.
 Approach strategy – formulating procedures and approach to use in order to maximize the
collection of untainted evidence while minimizing the impact to the victim
 Preservation – it involves the isolation, securing and preserving the state of physical and digital
evidence
 Collection – This is to record the physical scene and duplicate digital evidence using standardized
and accepted procedures
 Examination – An in-depth systematic search of evidence relating to the suspected crime. This
focuses on identifying and locating potential evidence.
 Analysis – This determines importance and probative value to the case of the examined product
Presentation - Summary and explanation of conclusion
 Returning Evidence – Physical and digital property returned to proper owner
 • Test the design
 Review the decisions you’ve made and the steps you’ve completed. If you
 have already copied the original media, a standard part of testing the design
 involves comparing hash values to ensure that you copied the original media
 correctly.
 • Analyze and recover the digital evidence
 Using the software tools and other resources you’ve gathered, and making
 sure you’ve addressed any risks and obstacles, examine the disk to find digital
 evidence.
  • Investigate the data you recover
 View the information recovered from the disk, including existing files,
 deleted files, e-mail, and Web history, and organizes the files to help find
 information relevant to the case.
 • Complete the case report
 Write a complete report detailing what you did and what you found.
 • Critique the case
 Self-evaluation and peer review are essential parts of professional growth.
 After you complete a case, review it to identify successful decisions and actions
your performa

Social media networks have become an integral part of our daily lives, offering platforms for
communication, networking, and sharing information. With the vast amount of data generated and shared
on these platforms, the field of forensic analysis has extended into the realm of social media. Digital
forensics in social media, often referred to as "social media forensics," involves the systematic
investigation and analysis of digital information from social media platforms to gather evidence for
various purposes, including legal investigations, cyber security, and reputation management.

Key aspects of forensic analysis in social media networks include:

1. Legal Investigations: Social media content is increasingly being used as evidence in legal proceedings.
Forensic experts can examine posts, messages, images, and other digital artifacts to establish the
authenticity and veracity of digital evidence. This can be crucial in cases involving cyber bullying,
harassment, defamation, or criminal activity.

2. Cyber security: Social media is a prime target for cyber attacks and data breaches. Forensic analysts
play a vital role in investigating security incidents, identifying the source of the breach, and assessing the
impact. This helps organizations take necessary measures to protect their data and prevent future
breaches.

3. Incident Response: Social media forensics is essential for incident response in cases of online threats,
data leaks, or unauthorized access. By analyzing the digital footprints left on social media platforms,
investigators can track the activities of threat actors and formulate a response strategy.

4. Brand and Reputation Management: Companies and individuals often require social media forensics to
monitor their online reputation and handle issues such as fake accounts, defamatory content, or
unauthorized use of intellectual property. Forensic experts can trace the source of such content and help in
taking appropriate action.

5. Digital Evidence Preservation: The preservation and documentation of digital evidence from social
media are critical to ensure its admissibility in legal proceedings. Experts use specialized tools and
techniques to capture, store, and maintain the integrity of digital evidence.

6. Metadata Analysis: Metadata associated with social media posts, such as timestamps, geolocation data,
and user activity, can provide valuable insights during forensic analysis. This information helps in
establishing timelines and the context of digital artifacts.
Challenges in social media forensics include the dynamic nature of social platforms, privacy concerns, the
prevalence of fake accounts and manipulated content, and the need for cooperation with social media
companies to access certain data.