Unit II Cyber Security

Cyber forensics, also known as computer forensics, involves extracting digital evidence from electronic devices to investigate crimes and present findings in court. The process includes data recovery, analysis, and documentation, with various branches such as network, email, and mobile forensics. The field has evolved significantly since the 1970s, adapting to new technologies and challenges in digital evidence collection and analysis.

Uploaded by uhimanshu877

UNIT – II

Cyber Forensics
Cyber forensics is the process of extracting data as proof of a crime that involves electronic devices, while following proper investigation rules, so that the culprit can be caught by presenting the evidence to the court.

Cyber forensics is also known as computer forensics. The main aim of cyber forensics is to maintain the thread of evidence and documentation in order to find out who committed the crime digitally.

Cyber forensics can do the following:
• It can recover deleted files, chat logs, emails, etc.
• It can also recover deleted SMS messages and phone call records.
• It can recover audio recordings of phone conversations.
• It can determine which user used which system and for how long.
• It can identify which user ran which program.
The Process Involved in Cyber Forensics:
• Obtaining a digital copy of the system that is being, or is required to be, inspected.
• Authenticating and verifying the reproduction.
• Recovering deleted files (using the Autopsy tool).
• Using keywords to find the information you need.
• Establishing a technical report.
Types of computer forensics
There are multiple types of computer forensics, depending on the field in which digital investigation is needed. The fields are:
• Network forensics: This involves monitoring and analyzing the network traffic to and from the criminal's network. The tools used here are network intrusion detection systems and other automated tools.
• Email forensics: In this type of forensics, the experts check the email of the criminal and recover deleted email threads to extract crucial information related to the case.
• Malware forensics: This branch of forensics deals with hacking-related crimes. Here, the forensics expert examines the malware and Trojans to identify the hacker behind them.
• Memory forensics: This branch of forensics deals with collecting data from memory (such as cache, RAM, etc.) in raw form and then retrieving information from that data.
• Mobile phone forensics: This branch of forensics deals with mobile phones. Examiners extract and analyze data from the mobile phone.
• Database forensics: This branch of forensics examines and analyzes the data from databases and their related metadata.
• Disk forensics: This branch of forensics extracts data from storage media by searching for modified, active, or deleted files.
CHARACTERISTICS-
Identification: Identifying what evidence is present, where it is stored, and how it is stored (in which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
Preservation: Data is isolated, secured, and preserved. This includes prohibiting unauthorized personnel from using the digital device, so that the digital evidence is not tampered with, mistakenly or purposely, and making a copy of the original evidence.
Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on the evidence.
Documentation: A record of all the visible data is created. It helps in recreating and reviewing the crime scene. All the findings from the investigation are documented.
Presentation: All the documented findings are produced in a court of law for further investigation.
Process Involved in Cyber Forensics-
Historical background of Cyber forensics-
The history of cyber forensics, also known as digital forensics, began in the 1970s and 1980s with the rise of personal computers. The field has evolved rapidly since then with the rise of smartphones, the internet, and cloud platforms.

1970s – Emergence of Digital Data: The earliest forms of digital forensics can be traced back to the 1970s, when digital data started becoming more prevalent. Computers were primarily mainframes and minicomputers at this time.
1980s – Growth of Personal Computers: With the rise of personal computers in the 1980s, there was an increased need for methods to investigate computer-related crimes. Early digital forensics efforts focused on analyzing computer systems to recover evidence.
1990s – Establishment of Techniques: The 1990s saw the establishment of foundational techniques and tools for digital forensics. Law enforcement agencies and cybersecurity experts began developing protocols and methodologies for investigating digital crimes.
Late 1990s – Internet and Cybercrimes: As the internet became more accessible and widespread, cybercrimes emerged as a major concern. Digital forensics had to adapt to the challenges posed by crimes committed online, such as hacking, identity theft, and online fraud.
Early 2000s – Formalization and Standardization: The early 2000s brought about greater formalization and standardization of digital forensics processes. Organizations like the International Association of Computer Investigative Specialists (IACIS) and the National Institute of Standards and Technology (NIST) started providing guidelines and best practices for digital investigations.
Mid 2000s – Mobile Devices and Digital Media: The increase in mobile devices and digital media storage expanded the scope of digital forensics. Analysts had to develop techniques for extracting evidence from a variety of devices, including cell phones, USB drives, and memory cards.
Late 2000s – Cloud Computing and Virtualization: The advent of cloud computing and virtualization presented new challenges for digital forensics. Investigators had to adapt to the decentralized nature of data storage and the complexities of virtual environments.
2010s – Big Data and Advanced Techniques: The explosion of big data and the use of advanced technologies like machine learning and artificial intelligence started influencing digital forensics. These technologies allowed for more efficient analysis of large volumes of data to uncover patterns and insights.
Present and Beyond – Evolving Landscape: Digital forensics continues to evolve as technology advances. The increasing use of encryption, the Internet of Things (IoT), blockchain, and other emerging technologies presents both new opportunities and challenges for digital investigators.
Digital Forensics Science-
Digital forensics is used to investigate cyber crime using data recovered from computer systems, smartphones, and drives found at the crime scene.
Forensic science is the use of science to address legal issues, where law and science are closely connected, and the value of scientific evidence depends on its admissibility in a court of law.
Digital forensics tools are used to extract, identify and analyze evidence in cyber crime cases. There are many digital forensic tools that a forensic examiner can use; some of the best known and most widely used are listed below:
• Autopsy
• FTK Imager (Forensic Toolkit)
• EnCase
• Wireshark
• Email Forensic
• Disk Manager
• Cyber Triage
• Bulk Extractor
Types of Digital Forensics
Computer Forensics: Computer forensics is a field in which investigation techniques are applied to a computer device to extract evidence.
Mobile Device Forensics: Mobile forensics is the collection and extraction of digital evidence from a mobile device.
Network Forensics: Network forensics is used to analyze and monitor network traffic and the data packets transferred over a network.
Email Forensics: Email forensics is a forensic technique used to track cyber crimes committed through suspicious mail, phishing mails and other techniques.
Challenges Faced by Digital Forensics
• Encryption techniques and security features that protect data can prevent forensic analysts from accessing it.
• The large amount of data creates a problem in storing and analyzing it, and filtering the relevant information out of such a large amount of data is difficult.
• Technology is changing day by day, with new features, operating systems and applications; this makes analysis challenging because of old tools, and requires continuous updating of tools.
• Data privacy laws can restrict access to data, which makes it challenging to find all the evidence.
Need for Computer Forensics in Today's Digital Age
The relationship between computer forensics and cybersecurity is paramount in the ever-connected digital landscape-
Digital Evidence Integrity: In legal and criminal justice systems, computer forensics ensures the integrity of digital evidence presented in court cases.
Solving Cybercrimes: As technology becomes ubiquitous in our lives, digital evidence becomes critical in resolving crimes, not just in the digital domain but also in the physical world.
Business Security: Organizations rely on multilayered security strategies encompassing data management, governance, and network security to secure proprietary information.
Cyber Forensics and Digital evidence-
Today digital evidence collection is used in the investigation of a wide variety of crimes such as fraud, espionage, cyber stalking, etc.
The knowledge of forensic experts and their techniques are used to explain the contemporaneous state of the digital artifacts from the seized evidence, such as computer systems, storage devices (like SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as emails, images, documents, chat logs, phone logs, etc.
Process Involved in Digital Evidence Collection
Data collection: In this process, data is identified and collected for investigation.
Examination: In the second step, the collected data is examined carefully.
Analysis: In this process, different tools and techniques are used and the collected evidence is analyzed to reach a conclusion.
Reporting: In this final step, all the documentation and reports are compiled so that they can be submitted in court.
Email Forensics:
Email forensics is the process of examining the content, structure, and metadata of emails to uncover valuable information for various purposes, including legal investigations, cybersecurity incidents, and corporate compliance. It involves a combination of technical expertise, legal knowledge, and meticulous attention to detail.
Key Elements of Email Forensics
Metadata Analysis:
Header Information: The email header contains crucial metadata, including sender and recipient addresses, timestamps, routing information, and more. This information can be crucial in tracking the source of an email or establishing a timeline.
IP Address Tracking: Examining the IP addresses associated with an email can help determine the sender's location and trace the email's path through various servers.
Content Analysis:
Message Content: Analyzing the content of an email is essential for understanding the message's context, intent, and potential relevance in an investigation.
Attachments: Email attachments, such as documents or images, can contain vital clues or evidence.
Email Authentication:
Sender Verification: Email forensics helps verify the authenticity of an email sender. Techniques like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are used to prevent email spoofing and phishing.
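The header analysis, IP tracking and sender verification described above, as an added example that is not part of these notes: it parses the Received chain bottom-up to recover the route and origin IP, reads the receiving server's SPF/DKIM/DMARC verdicts from Authentication-Results, and flags a From/Return-Path domain mismatch. The message is constructed (RFC 5737 documentation IPs, example.* domains); the function names are this example's own.

```python
"""Added example (not part of the lecture notes): reconstructing an email's
routing path and authentication verdicts from its headers.

RAW_MESSAGE is constructed; it uses RFC 5737 documentation IP ranges and
example.* domains, so nothing in it refers to a real host or sender."""
import email
import re
from email.utils import parseaddr

# Each relay prepends its own Received header, so the top one is the last hop.
RAW_MESSAGE = """\
Return-Path: <billing@example.net>
Received: from mx2.example.com ([198.51.100.25])
\tby mail.example.com with ESMTP; Tue, 05 Mar 2024 10:15:44 +0000
Received: from relay.example.org ([203.0.113.7])
\tby mx2.example.com with ESMTP; Tue, 05 Mar 2024 10:15:41 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.org with SMTP; Tue, 05 Mar 2024 10:15:39 +0000
Authentication-Results: mail.example.com; spf=fail smtp.mailfrom=example.net;
\tdkim=none; dmarc=fail header.from=example.com
From: "Accounts Payable" <accounts@example.com>
To: victim@example.com
Subject: Updated bank details
Message-ID: <20240305101539.abc123@relay.example.org>

Please wire this month's payment to the new account below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def hop_path(raw: str) -> list[str]:
    """Sender IPs in transmission order (origin first), read from the
    Received headers bottom-up."""
    msg = email.message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(received)
        if match:
            hops.append(match.group(1))
    return hops


def auth_results(raw: str) -> dict[str, str]:
    """SPF/DKIM/DMARC verdicts recorded by the receiving server."""
    header = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(AUTH_RE.findall(header))


def sender_mismatch(raw: str) -> bool:
    """True when the visible From domain differs from the envelope
    (Return-Path) domain, a common indicator of a spoofed sender."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return from_domain.lower() != envelope_domain.lower()


def triage(raw: str) -> dict:
    """One record an examiner can drop into a report."""
    hops, auth = hop_path(raw), auth_results(raw)
    return {
        "origin_ip": hops[0] if hops else None,
        "hops": hops,
        "auth": auth,
        "from_envelope_mismatch": sender_mismatch(raw),
        "suspicious": sender_mismatch(raw)
        or auth.get("spf") == "fail"
        or auth.get("dmarc") == "fail",
    }
```

Received headers can be forged by the originating system, so only the hops added by servers you trust (here, the receiving side's own) carry evidentiary weight.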
Recovery of Deleted Emails:
In some cases, deleted emails may be critical evidence. Email forensics experts can use specialized software to recover these messages.
Chain of Custody:
A chain of custody is the process of validating how evidence has been gathered, tracked, and protected on the way to the court of law. Forensic professionals know that if you do not have a chain of custody, the evidence is worthless.
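The two preservation steps the notes keep returning to, authenticating the forensic copy and keeping a chain of custody, as an added example that is not from these notes: the copy is accepted only if its SHA-256 matches the original's, and every handover is logged with the hash at that moment so a later change shows up as a break in the chain. The device contents, exhibit id and handler names are constructed.

```python
"""Added example (not from the lecture notes): verifying a forensic image
against the original and keeping a chain-of-custody log for it.

ORIGINAL_DEVICE is a constructed in-memory stand-in for a seized device;
EXHIBIT-01 and the handler names are made up."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the raw contents of a seized storage device.
ORIGINAL_DEVICE = b"BOOTSECTOR" + bytes(range(256)) * 4 + b"invoice.xlsx chat.log"


def acquire_image(device: bytes) -> bytes:
    """Take a bit-for-bit copy. In practice acquisition runs through a write
    blocker; here the copy is a new bytes object, so the source is untouched."""
    return bytes(device)


def sha256_hex(data: bytes) -> str:
    """Hash the evidence in chunks, as one would for a multi-gigabyte image."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), 4096):
        digest.update(view[start:start + 4096])
    return digest.hexdigest()


def verify_image(device: bytes, image: bytes) -> bool:
    """Authenticate the reproduction: the copy may be analysed only if its
    hash equals the hash of the original taken at acquisition time."""
    return sha256_hex(device) == sha256_hex(image)


class CustodyLog:
    """Append-only record of who handled an exhibit, when, and what its hash
    was at that moment, so any later alteration can be detected."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries: list[dict] = []

    def record(self, handler: str, action: str, data: bytes) -> dict:
        entry = {
            "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": sha256_hex(data),
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """The chain holds only if every recorded hash is identical: a
        differing hash means the evidence changed between two handovers."""
        return bool(self.entries) and len({e["sha256"] for e in self.entries}) == 1


def demo() -> dict:
    """Walk the exhibit from seizure to analysis and try one tampered copy."""
    log = CustodyLog("EXHIBIT-01")
    log.record("examiner A", "seized device", ORIGINAL_DEVICE)
    image = acquire_image(ORIGINAL_DEVICE)
    log.record("examiner A", "acquired forensic image", image)
    log.record("examiner B", "received image for analysis", image)
    tampered = bytearray(image)
    tampered[10] ^= 0x01  # a single flipped byte in a working copy
    return {
        "image_verified": verify_image(ORIGINAL_DEVICE, image),
        "tamper_detected": not verify_image(ORIGINAL_DEVICE, bytes(tampered)),
        "chain_unbroken": log.unbroken(),
    }
```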
Applications of Email Forensics
Email forensics plays a pivotal role in various domains:
Legal Investigations: Email evidence is frequently used in legal cases, including criminal, civil, and corporate disputes. It can help establish motives, timelines, and the authenticity of communications.
Cybersecurity: In the realm of cybersecurity, email forensics can uncover the source of a cyberattack, trace malicious actors, and determine the extent of a security breach.
Corporate Compliance: Organizations may use email forensics to ensure compliance with regulations, investigate internal misconduct, or detect data leakage.
Digital forensics life cycle-
Digital forensics is a crucial field in today’s technology-driven
world, where cybercrime and digital evidence are becoming
increasingly prevalent. The digital forensics lifecycle is a structured
approach to investigating and analyzing digital evidence, ensuring
integrity and reliability throughout the process.

Identification
The first step in the digital forensics lifecycle is identification. This
stage involves recognizing and determining potential sources of
digital evidence. During this phase, forensic investigators identify
devices, data, and relevant information that might be pertinent to the
investigation. Common sources include computers, mobile devices,
servers, cloud storage, and network logs.
Preservation
Once potential evidence is identified, the next step is preservation.
This involves securing and preserving the integrity of the digital
evidence to prevent tampering, alteration, or destruction. Chain of
custody protocols are established to maintain a detailed log of who
handled the evidence and when.

Collection
The collection phase involves the systematic gathering of digital
evidence from identified sources. This step requires careful handling
to ensure that data is collected in a forensically sound manner
without altering the original evidence.
Examination
During the examination phase, forensic experts scrutinize the
collected evidence to identify relevant information. This involves
using specialized tools and techniques to recover deleted files,
analyze metadata, and uncover hidden data.

Analysis
The analysis phase is where the extracted and examined data is
interpreted to draw meaningful conclusions. This involves
correlating findings with the context of the investigation, identifying
patterns, and reconstructing events.
Presentation
In the presentation phase, the findings are compiled into a clear,
concise, and understandable format for stakeholders, such as law
enforcement, legal professionals, or corporate management. This
may include written reports, visualizations, and expert testimony.

Documentation and Reporting
Throughout the digital forensics lifecycle, meticulous documentation is crucial. This final phase involves compiling all records, logs, and findings into comprehensive documentation that supports the investigation's integrity.
Forensics Investigation -
Computer forensics relates to retrieving, examining, and interpreting digital data and is frequently employed to identify proof in legal disputes, criminal prosecutions, or internal inquiries.
In many situations, electronic data can offer crucial evidence and hints that help identify cybercrime, data theft, crypto crimes, security lapses, hacking incidents, etc. Investigating complicated data problems is made easier with the help of computer or digital forensics.
Phases of Computer Forensics Investigation -
Computer Forensics Investigation Phase 1: Identification
A computer forensics investigation procedure starts with identifying the resources and devices that hold data that will be the subject of the inquiry. Investigational data may be found on personal devices like tablets and mobile phones, or any equipment used by users, such as PCs or laptops.
After that, these devices or gadgets are seized and sealed off to prevent any potential for manipulation of data. If the data is stored on a server, network, or cloud, the organization or investigator must guarantee that access to it is restricted to the investigating team only.
Computer Forensics Investigation Phase 2: Extraction of
Data and Preservation
A computer forensics expert or forensics analyst then
employs forensics techniques to retrieve any data that may
be relevant to the inquiry once the devices involved in it
have been confiscated and secured in a safe and secure
location.
They then keep the material securely. During this phase, a
digital replica, or "Forensics Image" of the pertinent data,
may be created. The original data and equipment are stored
in a secure place, and this created copy of data is utilized
for analysis and review. This keeps the original data
unaltered even if the inquiry is hampered.
Computer Forensics Investigation Phase 3: Analysis
After identifying and isolating the devices in inquiry, as well as copying and securely storing the data, digital forensic investigators employ a range of methodologies to retrieve relevant data and scrutinize it, seeking out clues or proof that suggests misconduct.
This frequently entails seeking to recover and inspect erased, corrupted, or encrypted files through the use of techniques like:
Reverse Steganography: It is a technique that is mainly used for extracting hidden info by looking at the hash or character string behind an image or other piece of data.
Data Carving or Deleted File Recovery: It is a process of identifying and retrieving erased or deleted files by looking for any fragments that the deleted files could have left behind.
Live Analysis: It is a technique by which the volatile data that is kept in RAM or cache is located, analyzed, and extracted using system tools while the operating system is running, or live. To effectively preserve the chain of evidence, live analyses are mainly conducted or examined in a forensic lab.
Keyword Searches: It is a process of investigation that makes use of keywords to find and examine data relevant to the inquiry, including data that has been erased.
Cross-drive Analysis (CDA): Cross-drive analysis is also used in the process of investigation analysis; it is a feature extraction technique that enables investigators to examine data from many sources at once.
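Data carving as described above, as an added example that is not from these notes: with no file system metadata to go on, the scanner checks each sector start for a known header magic and searches forward for the matching footer, reporting a header without a footer as a truncated file rather than dropping it. The disk image, the blobs inside it and the function names are constructed for this example.

```python
"""Added example (not from the lecture notes): header/footer file carving
over a raw image, the basic technique behind deleted-file recovery.

The image is constructed in memory: file blobs dropped at sector boundaries
into zero filler, with no file system metadata pointing at them."""

SECTOR = 512

# (file type, header magic, footer magic, maximum size to search forward)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
]


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: a PNG-like blob at sector 2, a JPEG-like blob
    at sector 5 and a JPEG header with no footer at sector 7 (truncated file).
    Payload bytes are arbitrary and contain none of the magic values."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(40))
           + b"IEND\xaeB`\x82")
    jpeg = b"\xff\xd8\xff\xe0" + bytes(range(200, 255)) * 3 + b"\xff\xd9"
    image = bytearray(8 * SECTOR)
    image[2 * SECTOR:2 * SECTOR + len(png)] = png
    image[5 * SECTOR:5 * SECTOR + len(jpeg)] = jpeg
    image[7 * SECTOR:7 * SECTOR + 4] = b"\xff\xd8\xff\xe1"
    return bytes(image)


def carve(image: bytes, signatures=SIGNATURES, sector: int = SECTOR) -> list[dict]:
    """Check every sector start for a known header, then search forward for
    the matching footer within the size limit. A header with no footer is
    reported as incomplete rather than silently dropped."""
    hits = []
    for offset in range(0, len(image), sector):
        for ftype, header, footer, max_size in signatures:
            if not image.startswith(header, offset):
                continue
            limit = min(len(image), offset + max_size)
            end = image.find(footer, offset + len(header), limit)
            if end == -1:
                hits.append({"type": ftype, "offset": offset,
                             "length": None, "complete": False})
            else:
                hits.append({"type": ftype, "offset": offset,
                             "length": end + len(footer) - offset,
                             "complete": True})
    return hits


def extract(image: bytes, hit: dict) -> bytes:
    """Return the carved bytes so they can be hashed and written to a file."""
    if not hit["complete"]:
        raise ValueError("cannot extract an incomplete carve")
    return image[hit["offset"]:hit["offset"] + hit["length"]]
```

Fragmented files, whose sectors are not contiguous, defeat this simple header-to-footer carve; tools such as Bulk Extractor and Autopsy apply format-aware validation on top of it.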
Computer Forensics Investigation Phase 4: Documentation
After the analysis phase is completed, the investigation's results are accurately documented in a manner that facilitates visualizing the complete inquiry process and its conclusions.
A chronology of the actions that caused misconduct, such as data breaches, data leaks, financial crime, cyber espionage, or network breaches, may be created with the use of proper documentation.
Computer Forensics Investigation Phase 5: Presentation
Once all the above phases are complete, the results or
findings are submitted to the committee or court that will
decide how to proceed with a lawsuit or internal complaint.
Investigators using computer forensics can serve as expert
witnesses, providing a summary and presentation of the
evidence that they gathered and sharing their
conclusions.
Challenges in Digital Forensics
Digital forensics, also known as computer forensics, is the application of scientific methods and techniques to identify, preserve, analyze, and present digital evidence in a manner that is legally admissible. It is a branch of forensic science that deals specifically with digital devices, networks, and storage media -
Data Encryption: Encryption can make it difficult to access the data on a device or network, making it harder for forensic investigators to collect evidence. This can require specialized decryption tools and techniques.
Data Destruction: Criminals may attempt to destroy digital evidence by wiping or destroying devices. This can require specialized data recovery techniques.
Data Storage: The sheer amount of data that can be stored on modern digital devices can make it difficult for forensic investigators to locate relevant information. This can require specialized data carving techniques to extract relevant information.
Digital forensics is a rapidly evolving field that requires a combination of technical knowledge, an understanding of legal principles, and investigative skills to be successful.
Special Techniques for Forensics Auditing
Forensic auditing is a form of accounting that checks a company's different financial records in detail to identify any signs of fraud being committed. Forensic audit firms also provide deep analysis of the financial books, which can be submitted to a court of law.
Forensic auditors are considered detectives in the business and economic fields. These professionals check every transaction to identify illegal or fraudulent activity in the industry.
Computer Assisted Audit Techniques (CAATs)
CAATs are computer programs that auditors use as part of the audit procedures to process data from a client's information system that is relevant to the audit, without involving the client.
Data Analytics
Data analytics is the study of comprehensive data sets to find patterns and irregularities for further investigation and research, and to provide audit evidence. This tool is mainly used to analyze data from the entire population.
Data Mining Techniques
Assisted examination techniques, known as data mining, are used to automatically comb enormous amounts of data for new, obscure, or unexpected information systems or patterns.
Generalized Audit Software (GAS)
A class of CAATs known as generalized audit software enables auditors to perform data extraction, querying, manipulation, summarization, and analytical tasks. In database auditing, GAS supports and enables auditors to analyze the entity's data quickly, flexibly, independently, and interactively.
Other Methods
When conducting the forensic audit, the auditors may consider additional methodologies in addition to those mentioned above, like typical software tools, ratio analysis, digital forensic techniques, trend analysis, and more.
Conducting a forensic audit
A forensic audit is carried out in a manner that is very similar to conventional audits. It involves the same steps of planning, gathering audit evidence, and preparing a report, plus the potential for a court appearance.
• Planning and fact-finding investigations
At this point, the forensic auditor and the entire team will organize their investigation to accomplish the main goals of the forensic audit, which include identifying the amount of fraud, pinpointing the time frame in which it took place, learning how the crime was covered up, and other things that are required during an investigation.
Gathering information
The required documents and other evidence should not be
damaged or altered intentionally or unintentionally during
the forensic audit because they are helpful to the clients in
the event of litigation. The audit findings should have
produced adequate proof of the fraud.

Reporting
After carrying out all necessary steps during the forensic
audit, the customer will receive a written report on the
fraud with all necessary in-depth information on the audit,
enabling users to move forward with filing a legal
complaint.
