Understa

nd
Computer
Forensics
Computer Security Incident
• A computer security incident is any event that
compromises the confidentiality, integrity, or
availability of information, systems, or networks.

• These incidents can range from minor breaches, such as

unauthorized access to a single computer, to major
events like widespread malware infections, data
breaches, or denial-of-service (DoS) attacks.
Understanding Computer Forensics
• Computer forensics (also known as digital forensics) is a
branch of forensic science that involves the identification,
preservation, analysis, and presentation of electronic
evidence in a legally acceptable manner.

• The primary goal of computer forensics is to investigate digital

devices and media to uncover and preserve evidence that can be
used in a court of law or for internal investigations

• Digital forensics is the process of collecting and analyzing

digital evidence in a way that maintains its integrity and
admissibility in court.
 History of Computer Forensics
Formalization
with dedicated Integration
Originated tools like with
with early EnCase; cybersecurity;
computer creation of automation
crime digital forensic and AI began
investigations. labs. to play a role.

1980 1990 2000 2010

1970s 2020s
s s s s

Law Expanded to Focus on AI,

enforcement include cloud
began network and forensics, and
developing mobile forensic
forensic tools forensics; readiness in
for digital greater organizations.
evidence. investment in
forensic
capabilities.
Objetives of Computer Forensics
Identifying Evidence: Locate and identify relevant digital evidence
Identifying from devices and networks.

Preserving Evidence: Safeguard digital evidence to prevent alteration

Preserving or tampering.

Analyzing Evidence: Examine data to uncover insights and patterns

Analyzing related to the incident.

Presenting Evidence: Prepare findings in a clear format suitable for

Presenting legal proceedings.

Supportin Supporting Legal and Investigative Processes: Provide expert

g technical support during investigations and in court.
 Preventing Future Incidents: Use forensic insights to help prevent
Preventing future security breaches.

Reconstructi Reconstructing Events: Rebuild the sequence of events leading to and

ng following the incident.

Ensuring Compliance: Ensure handling of evidence meets legal and

Ensuring regulatory standards.

Maintaining Confidentiality: Protect sensitive information throughout

Maintaining the forensic process.
 When to use computer forensics:
After a Cyber Attack: Immediately following a breach,
ransomware attack, or other cyber incident to assess damage and
identify culprits.
During Legal Proceedings: When digital evidence is required to
support a legal case, whether criminal, civil, or corporate.
In Internal Investigations: When suspicious activity is detected
within an organization, necessitating an examination of digital
records.
For Compliance Audits: When ensuring that digital evidence
handling meets regulatory or legal standards, especially in highly
regulated industries.
Following Data Loss: When crucial data has been accidentally
deleted, corrupted, or lost due to hardware failure, and recovery is
needed.
Types
Of
Cyber
Crimes
 Cyber Crime Investigation
The investigation of any crime involves the meticulous
collection of clues and forensic evidence with attention to
detail.
Inevitably, at least one electronic device will be found during
the investigation, such as a computer, cell phone, printer, or
fax machine
The electronic device acquired from the crime scene might
contain valuable evidence and play a major role in solving the
case
Therefore, the information contained in the device must be
investigated in a forensically sound manner in order to be
accepted by the court of law
Types of cybercrime investigation cases are as
follows: Adminitrati
Civil Criminal
ve

Processes such as collection of data, analysis,

and presentation differ based on the type of
case
Introduction To
Digital Evidence
• Digital evidence refers to any
information or data that is stored or
transmitted in digital form and can be
used in court to prove or disprove facts
related to a crime.
• This type of evidence is crucial in
modern investigations, particularly in
cybercrime cases, but it can also play a
significant role in other types of criminal,
civil, and administrative investigations.
Types of Digital Evidence

Volatile Non Volatile

Volatile Digital Evidence
Volatile digital evidence refers to data that is stored in
temporary memory and is lost when the system is powered off
or reset.

This type of evidence is typically found in areas of a computer

or device that rely on electrical power to maintain the stored
information.

RAM (Random Access Memory):

Examples of Volatile Digital
CPU Registers and Cache:
Evidence:
System and Network State:
Non-Volatile Digital Evidence
• Non-volatile digital evidence refers to data that
remains intact even when the system is powered off.
• This type of evidence is stored on permanent storage
media and is generally easier to collect and analyze
because it does not disappear with power loss.
• Examples of Non-Volatile Digital Evidence:
• Hard Drives and SSDs:
• Removable Media:
• Mobile Devices:
• Cloud Storage:
Example of cases where digital
evidence may assist.
Cyberstalki
Intellectual
Cybercrime Fraud ng and
Property
Cases Cases Harassmen
Theft
t
Accident
Child Criminal
Civil and
Exploitation Investigatio
Litigation Insurance
and Abuse ns
Claims

Corporate
Espionage
 Forensic Readiness

• Forensic readiness refers to an

organization's ability to efficiently
and effectively collect, preserve,
and analyze digital evidence in
response to security incidents,
legal disputes, or regulatory
requirements.
• The concept is crucial in both
preventing and responding to
cybercrime, data breaches, or
other malicious activities.
Benefits of Forensic
Readiness
Quick Response to Incidents:
Enables rapid gathering and analysis of evidence during
a security breach, reducing damage and downtime.
Legal and Regulatory Compliance:
Helps meet legal requirements and supports the
organization in legal cases, avoiding fines and penalties.
Efficient Investigations:
Ensures proper evidence collection and thorough
analysis, leading to quicker resolution and prevention of
future incidents.
Cost Savings:
Reduces costs associated with investigations, legal fees,
and fines by being prepared.
Stronger Security Posture:
Proactive risk management and regular updates to
forensic practices strengthen overall cybersecurity.
Enhanced Reputation:
Builds trust with customers, partners, and
regulators by demonstrating a commitment to
security and transparency.
Operational Efficiency:
Streamlines incident response processes, making
operations more efficient and retaining critical
knowledge.
Competitive Advantage:
Differentiates the organization in the market,
especially in industries where data security is
crucial.
Forensic Readiness and Business
Continuity
Incident Response and Continuity:
• Forensic Readiness: Ensures that an organization is
prepared to collect and analyze digital evidence in the
event of a security breach or other incidents.
• Business Continuity: Focuses on maintaining
essential business operations during and after a
disruption.
• Link: Forensic readiness helps quickly identify the cause
of an incident, allowing for a more efficient response,
which supports business continuity by reducing the
impact and duration of disruptions.
Minimizing Downtime:

•Forensic Readiness: Enables rapid investigation

and resolution of incidents by having the necessary
tools, procedures, and trained personnel in place.

•Business Continuity: Aims to keep critical

functions running or restore them as quickly as
possible after an interruption.

•Link: By swiftly addressing the root cause of an

issue through forensic practices, the organization
can resume normal operations faster, aligning with
business continuity goals.
Legal and Compliance
Considerations:
• Forensic Readiness: Ensures that
digital evidence is handled in
compliance with legal and regulatory
requirements.
• Business Continuity: Involves
planning for compliance with
regulations that may affect how the
business operates during and after an
incident.
• Link: Properly managed forensic
readiness supports compliance, which
is often a key aspect of business
continuity planning, especially in
regulated industries.
Reputation Management:
• Forensic Readiness: Helps the organization respond transparently
and effectively to incidents, preserving its reputation.
• Business Continuity: Ensures that the organization can continue to
meet customer needs and maintain stakeholder confidence during a
disruption.
• Link: By demonstrating control over security incidents through forensic
readiness, the organization can maintain trust and minimize
reputational damage, which is essential for business continuity.
Forensic Readiness
Planning
Assess Capabilities: Evaluate current forensic tools
and identify gaps.
Develop Policy: Create a policy for evidence handling
and align it with legal requirements.
Implement Monitoring: Set up continuous logging and
monitoring systems.
Data Retention: Establish secure data storage and
backup protocols.
Training: Educate staff on evidence handling and
forensic tools.
Integrate with Incident Response: Ensure forensic
readiness is part of the incident response plan.
Regular Reviews: Periodically update the plan and
conduct drills.
Legal Compliance: Ensure adherence to legal
What is a SOC?
• A security operations center (SOC) improves an
organization's threat detection, response and
prevention capabilities by unifying and coordinating all
cybersecurity technologies and operations.
• The SOC also selects, operates and maintains the
organization's cybersecurity technologies and
continually analyzes threat data to find ways to improve
the organization's security posture.
Role of SOC in Computer Forensics

Monitoring and Detection: Initial Evidence

SOC continuously monitors Collection: SOC collects
networks and systems to initial digital evidence, such
detect suspicious activities as logs and network data,
that may require forensic immediately after detecting
investigation. an incident.

Incident Response
Support for Forensic
Coordination: SOC
Investigations: SOC
coordinates the response to
provides data, context, and
security incidents, ensuring
technical support to forensic
that digital evidence is
teams during detailed
preserved for forensic
investigations.
analysis.
Role of SOC in Computer Forensics
Threat Intelligence Integration: SOC uses threat
intelligence to guide forensic efforts by understanding
attacker behavior and potential risks.

Documentation and Reporting: SOC documents the

incident and forensic findings, creating reports for legal or
internal review.

Post-Incident Analysis: SOC participates in post-incident

reviews, using forensic evidence to improve future security
measures.
 Analyzing Evidence: Detailed examination of digital
evidence.

Reconstructing Incidents: Recreating events and

understanding breaches.

Legal Compliance: Ensuring evidence is admissible in

court.

Need For Technical Expertise: Using advanced tools and techniques.

Forensic
Investigator Root Cause Identification: Finding the cause of incidents.

Regulatory Adherence: Meeting data protection standards.

Reporting: Providing detailed findings for legal and internal

use.

Improving Security: Enhancing defenses based on

findings.