CYBER SECURITY
UNIT - 4
Understanding Computer Forensics
Outline
▪ Introduction to Digital Forensics
▪ Need of Computer Forensics
▪ Cyber Forensics and Digital Evidence
▪ Forensics Analysis of E-mail
▪ Digital Forensics life cycle
▪ Chain of Custody Concept
▪ Network Forensics
▪ Approaching Computer Forensics Investigation
▪ Forensics and Social Networking Sites
Introduction to Computer Forensics
▪ Computer forensics is the application of investigation and analysis
techniques to gather and preserve evidence from a particular computing
device in a way that is suitable for presentation in a court of law.
▪ Computer forensics is essentially data recovery carried out under legal
compliance guidelines, so that the recovered information is admissible
in legal proceedings.
▪ Digital forensics starts with the collection of information in a way that
maintains its integrity. Investigators then analyze the data or system to
determine if it was changed, how it was changed and who made the
changes.
▪ The forensic process is also used as part of data recovery processes to
gather data from a crashed server, failed drive, reformatted operating
system (OS) or other situation where a system has unexpectedly stopped
working.
Computer Forensics
• Computer Forensics is a scientific method of investigation and
analysis in order to gather evidence from digital devices or computer
networks and components which is suitable for presentation in a
court of law or legal body. It involves performing a structured
investigation while maintaining a documented chain of evidence to
find out exactly what happened on a computer and who was
responsible for it.
• Digital forensics technically involves gathering evidence from any
digital device, whereas computer forensics involves gathering
evidence specifically from computing devices, such as computers,
tablets, mobile phones and devices with a CPU.
• Forensic science can be defined as the application of scientific
methods to criminal cases.
Digital Forensics versus Computer Forensics, by aspect:
Definition
  Digital forensics: the broader field, encompassing the investigation of all digital devices and media.
  Computer forensics: a subfield of digital forensics focused specifically on computers and related systems.
Scope
  Digital forensics: includes computers, smartphones, networks, cloud services, IoT devices, and more.
  Computer forensics: primarily deals with desktop computers, laptops, and their associated data.
Focus
  Digital forensics: investigates any device or system that processes digital data.
  Computer forensics: investigates evidence stored on or transmitted via computers.
Examples of Devices
  Digital forensics: smartphones, tablets, IoT devices, cloud storage, networks, USB drives, etc.
  Computer forensics: hard drives, SSDs, memory (RAM), operating systems, and applications on computers.
Applications
  Digital forensics: used in diverse cases, including network breaches, mobile phone investigations, and IoT-related crimes.
  Computer forensics: commonly applied in crimes involving traditional computers, such as fraud, hacking, or data theft.
Tools Used
  Digital forensics: includes mobile forensics tools, network analyzers, and cloud investigation platforms.
  Computer forensics: relies on disk imaging tools, file recovery software, and system analysis tools.
Complexity
  Digital forensics: broader and often more complex due to the variety of devices and technologies.
  Computer forensics: typically narrower in scope but may involve deep analysis of computer systems.
Digital Forensic Science
• Digital forensic science is a branch of forensic science that involves
the recovery, analysis, and examination of digital evidence to
investigate cybercrime and other criminal activities.
• The goal is to extract data from electronic devices and present it in a
way that can be used in court.
• Digital forensics is a branch of forensic science which includes the
identification, collection, analysis and reporting of any valuable digital
information found on digital devices in relation to computer crimes, as
part of the investigation. In simple words, digital forensics is the
process of identifying, preserving, analyzing and presenting digital
evidence. The first computer crimes were recognized in the Florida
Computer Crimes Act of 1978, after which the field of digital forensics
grew rapidly through the late 1980s and 1990s.
Digital Forensic Science
• Its areas of analysis include storage media, hardware, operating
systems, networks and applications. At a high level it consists of
five steps:
• Identification of evidence: identifying evidence related to the
digital crime in storage media, hardware, operating systems, networks
and/or applications. It is the most basic and the most important step.
• Collection: preserving the digital evidence identified in the first
step so that it does not degrade or vanish over time. Preserving the
digital evidence is critical; once lost or altered it cannot be recovered.
• Analysis: analyzing the collected digital evidence of the committed
computer crime in order to trace the criminal and the likely path used to
breach the system.
• Documentation: proper documentation of the whole digital
investigation, the digital evidence, the weaknesses of the attacked
system, etc., so that the case can be studied and analysed in future
and presented in court in a proper format.
• Presentation: presentation of all the digital evidence and
documentation in court in order to prove the digital crime committed and
identify the criminal.
Branches of Digital Forensics:
• Media forensics: the branch of digital forensics which includes the
identification, collection, analysis and presentation of audio, video
and image evidence during the investigation process.
• Cyber forensics: the branch of digital forensics which includes the
identification, collection, analysis and presentation of digital
evidence during the investigation of a cyber crime.
• Mobile forensics: the branch of digital forensics which includes the
identification, collection, analysis and presentation of digital
evidence during the investigation of a crime committed through a
mobile device such as a mobile phone, GPS device, tablet or laptop.
• Software forensics: the branch of digital forensics which includes the
identification, collection, analysis and presentation of digital
evidence during the investigation of a crime related only to software.
Need of Computer Forensics
▪ In the civil and criminal justice system, computer forensics
helps ensure the integrity of digital evidence presented in
court cases.
▪ The main goal of computer forensics is to identify, collect,
preserve, and analyze data in a way that preserves the integrity
of the evidence collected so it can be used effectively in a legal
case.
▪ It helps investigators uncover evidence of malicious activities,
such as malware infections, rootkits, network connections,
encryption keys, passwords, and hidden processes.
Type of Computer Forensics
• Database forensics: the examination of information
contained in databases, both data and related metadata.
• Email forensics: the recovery and analysis of emails and
other information contained in email platforms, such as
schedules and contacts.
• Malware forensics: sifting through code to identify possibly
malicious programs and analyzing their payload. Such programs
may include Trojan horses, ransomware or various viruses.
• Memory forensics: collecting information stored in a
computer's random access memory (RAM) and cache.
• Mobile forensics: the examination of mobile devices to
retrieve and analyze the information they contain,
including contacts, incoming and outgoing text messages,
pictures and video files.
• Network forensics: looking for evidence by monitoring and
capturing network traffic and by examining the logs of devices
such as firewalls and intrusion detection systems.
Cyber Forensics and Digital Evidence
Cyber forensics is the science of collecting, inspecting,
interpreting, reporting, and presenting computer-related
electronic evidence. Evidence can be found on the hard
drive or in deleted files.
• Obtaining a bit-for-bit digital copy (image) of the system under inspection.
• Authenticating and confirming the replica, normally by comparing a
cryptographic hash of the original with that of the copy.
• Determining that the copied data is forensically acceptable, i.e. that
the original was not altered during acquisition.
• Recovering deleted files.
• Finding the necessary data with keyword searches.
• Producing a technical report.
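The first five steps above, as an added example that is not part of the original notes: a Python script that images a source, verifies the copy by hash, carves files out of the raw bytes by header/footer signature (which recovers files whose directory entries are gone, since no file system is consulted), and runs a keyword search that reports offsets and context for the report. The sample media, the signature table and the keywords are all constructed for illustration; on a real case the source would be the block device read through a write blocker, and every later step would run on the verified image only.

```python
import hashlib
import io

CHUNK = 4096

# Signature -> (header, footer, maximum plausible size). Constructed minimal set.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def build_sample_media():
    """Constructed stand-in for a seized drive: filler bytes with a JPEG, a PDF
    and a fragment of a deleted note sitting in unallocated space."""
    filler = bytes(range(256)) * 8
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    note = b"wire 45,000 USD to account 9981-7 before the audit"
    return b"\x00" * 512 + jpeg + filler + pdf + b"\x00" * 128 + note + filler


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of a file-like source (or raw bytes), hashing the source
    as it is read and the written image afterwards. Returns
    (image, source_hash, image_hash); unequal hashes mean the copy is not
    forensically acceptable and acquisition must be repeated."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    reader_hash = hashlib.sha256()
    image = io.BytesIO()
    while chunk := source.read(CHUNK):
        reader_hash.update(chunk)
        image.write(chunk)
    image_bytes = image.getvalue()
    return image_bytes, reader_hash.hexdigest(), sha256(image_bytes)


def carve(image, signatures=SIGNATURES):
    """Header/footer carving straight over the raw bytes of the image."""
    found = []
    for name, (header, footer, max_len) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:                    # header without a footer in range
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": name, "offset": start, "size": end - start,
                          "sha256": sha256(image[start:end])})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def keyword_search(image, keywords, context=12):
    """Case-insensitive byte search with surrounding context, so each hit can
    be quoted in the report together with its offset in the image."""
    lowered = image.lower()
    hits = []
    for kw in keywords:
        needle, pos = kw.lower(), 0
        while (i := lowered.find(needle, pos)) != -1:
            hits.append({"keyword": kw.decode(), "offset": i,
                         "context": image[max(0, i - context): i + len(needle) + context]})
            pos = i + len(needle)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    media = build_sample_media()                      # stands in for the seized device
    image, h_src, h_img = acquire_image(media)
    print("source", h_src, "\nimage ", h_img, "\nverified:", h_src == h_img)
    for f in carve(image):                            # examine the copy, never the original
        print(f"{f['type']:5} @ {f['offset']:>7} size {f['size']:>6} sha256 {f['sha256'][:16]}...")
    for h in keyword_search(image, [b"ACCOUNT", b"audit"]):
        print(f"{h['keyword']:8} @ {h['offset']:>7} {h['context']!r}")
```

Each carved object gets its own hash so it can be listed in the report and later matched against the same object on another system; the `max_len` bound stops a header with no footer from swallowing the rest of the image.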
Forensics Analysis of E-mail
• Email forensics is the study of the source and content of
email as evidence, to identify the actual sender and
recipient of a message along with other information such as
the date/time of transmission and the intention of the sender.
It involves investigating metadata and port scanning, as well as
keyword searching.
Goal to Perform Forensics Analysis of E-mail
• To identify the main criminal
• To collect the necessary evidence
• To present the findings
• To build the case
Challenges in Email Forensics
• Fake emails
• Spoofing (forged From, Return-Path or Received headers)
• Anonymous remailers
Techniques Used in Email Forensic Investigation
• Header Analysis
•Server investigation
•Network Device Investigation
•Sender Mailer Fingerprints
•Software Embedded Identifiers
Header Analysis:
• Metadata in the e-mail message, in the form of control information in
the envelope and headers (including headers in the message body),
contains information about the sender and/or the path along which the
message has traversed. Some of these fields may be spoofed to conceal the
identity of the sender. Header analysis is the detailed examination of
these headers and their correlation with one another, e.g. checking that
the Received chain is consistent and that the visible From address agrees
with the envelope sender and the Message-ID domain.
Server Investigation:
• In this investigation, copies of delivered e-mails and server logs are
examined to identify the source of an e-mail message. E-mails purged from
the clients (sender or receiver), whose recovery is otherwise impossible,
may be requested from the servers (proxy or ISP), since most of them
retain a copy of e-mails for some time after delivery. Further, the logs
maintained by the servers can be studied to trace the address of the
computer responsible for the e-mail transaction. However, servers retain
copies of e-mail and logs only for a limited period, and some may not
cooperate with investigators. Further, the account records held by the
mail provider (such as billing or registration details pertaining to the
owner of a mailbox) can be used to identify the person behind an e-mail
address.
Network Device Investigation:
• In this form of e-mail investigation, the logs maintained by
network devices such as routers, firewalls and switches are used to
investigate the source of an e-mail message. This form of investigation
is complex and is used only when the logs of the servers (proxy or ISP)
are unavailable for some reason, e.g. when the ISP or proxy does not
maintain logs, the ISP does not cooperate, or the chain of evidence was
not maintained.
Sender Mailer Fingerprint:
• The software handling e-mail at the server can be identified from the
Received header fields, and the software handling e-mail at the client
can be ascertained from headers such as "X-Mailer" or its equivalent
(e.g. "User-Agent"). These headers describe the applications, and their
versions, used at the client to send the e-mail. This information about
the sender's client computer helps investigators devise an effective plan
for client-side evidence gathering, and can thus prove very useful. Like
any other header, it can be forged and should be corroborated.
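The header analysis and sender mailer fingerprint techniques above, as an added example that is not part of the original notes: a Python script using only the standard library that walks the Received chain bottom-up to find the originating address and MTA software, reads the client fingerprint from X-Mailer, and correlates the visible From domain against the Return-Path and Message-ID domains. The message, and every host name, address, identifier and timestamp in it, is constructed for illustration; the addresses are from the documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture). Received headers are read
# bottom-up: the last one was added by the first MTA that accepted the message.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer-cheap.example>
Received: from mx2.relay.example (mx2.relay.example [203.0.113.20])
\tby inbox.victim.example (Postfix) with ESMTPS id 4F2A1C0
\tfor <alice@victim.example>; Mon, 03 Mar 2025 10:14:12 +0000
Received: from outbound.mailer-cheap.example (unknown [198.51.100.7])
\tby mx2.relay.example (Postfix) with ESMTP id 8B1D3E
\tfor <alice@victim.example>; Mon, 03 Mar 2025 10:14:10 +0000
Received: from [192.168.1.23] (dsl-pool-77.isp.example [192.0.2.77])
\tby outbound.mailer-cheap.example (Exim 4.96) with ESMTPA id 1tp0X
\tfor <alice@victim.example>; Mon, 03 Mar 2025 10:13:58 +0000
From: "Bank Support" <support@bank.example>
To: alice@victim.example
Subject: Account verification required
Message-ID: <20250303101358.1tp0X@outbound.mailer-cheap.example>
X-Mailer: Microsoft Outlook 16.0
Date: Mon, 03 Mar 2025 10:13:55 +0000

Please confirm your account by replying with your password.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<mta>[^)]*)\))?"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into hop fields (None if it does not parse)."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "")
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "helo": m.group("helo"),                      # name the client claimed
        "ip": ip.group(1) if ip else None,            # address the server actually saw
        "by": m.group("by"),
        "mta": m.group("mta"),                        # server software fingerprint
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_path(raw):
    """Hops in transmission order: origin first, final recipient server last."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def header_findings(raw):
    """Correlate the headers the way an examiner would before trusting any one of them."""
    msg = message_from_string(raw)
    hops = trace_path(raw)

    def domain(addr):
        return addr.rsplit("@", 1)[-1].lower()

    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    msgid_dom = domain((msg.get("Message-ID") or "").strip("<> "))
    times = [h["time"] for h in hops if h["time"]]
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_mta": hops[0]["mta"] if hops else None,
        "client_software": msg.get("X-Mailer") or msg.get("User-Agent"),
        "envelope_mismatch": from_dom != rp_dom,       # visible From vs bounce address
        "message_id_mismatch": from_dom != msgid_dom,  # From vs host that generated the ID
        "timestamps_monotonic": all(a <= b for a, b in zip(times, times[1:])),
        "hops": hops,
    }


if __name__ == "__main__":
    findings = header_findings(RAW_MESSAGE)
    for hop in findings.pop("hops"):
        print(f"{hop['time']}  {hop['ip'] or '?':>15}  {hop['helo']} -> {hop['by']} ({hop['mta']})")
    for key, val in findings.items():
        print(f"{key}: {val}")
```

Only the Received header added by a server you trust is reliable; the sender can prepend fake Received lines below it, so the walk should stop at the first hop that cannot be corroborated with that server's own logs. The ESMTPA keyword in the bottom hop indicates the submission was authenticated, which makes that server's account records (Server Investigation above) the next place to look.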
Software Embedded Identifiers:
• Some information about the creator of the e-mail, attached files or
documents may be included with the message by the e-mail software used
by the sender to compose it. This information may appear in the form of
custom headers or as MIME content in Transport Neutral Encapsulation
Format (TNEF). Examining the e-mail for these details may reveal vital
information about the sender's e-mail preferences and options that can
help with client-side evidence gathering. Such examination can reveal PST
file names, the Windows logon username, the MAC address, etc. of the
client computer used to send the e-mail message.
Email Forensics Tools
• MiTec Mail Viewer
• OST and PST Viewer
• eMailTrackerPro
Digital Forensics life cycle
Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence:
In order to be processed and analyzed, evidence must first be
identified. It is possible for evidence to be overlooked and never
identified at all. A sequence of events in a computer might include
interactions between:
▪ Different files
▪ Files and file systems
▪ Processes and files
▪ Log files
2. Collecting and Recording Digital Evidence:
Digital evidence can be collected from many sources. Obvious sources
include:
▪ Mobile phones
▪ Digital cameras
▪ Hard drives
▪ CDs
▪ USB memory devices
3. Storing and Transporting Digital Evidence:
Sometimes evidence must be transported from place to place, either
physically or over a network. Care must be taken that the evidence is
not changed while in transit. Analysis is generally done on a verified
copy of the real evidence; if there is any dispute over the copy, the
original can be produced in court.
4. Examining/Investigating Digital Evidence:
The forensics specialist should ensure that he or she has proper legal
authority to seize, copy and examine the data. As a general rule, one
should not examine digital information unless one has the legal
authority to do so.
5. Analysis, Interpretation and Attribution:
The digital evidence must be analyzed to determine the type of
information stored on it and to attribute actions to users or systems.
Examples of forensics tools:
Forensic Toolkit (FTK)
EnCase
6. Reporting:
▪ Identity of the reporting agency
▪ Case identifier or submission number
▪ Case investigator
▪ Identity of the submitter
▪ Date of receipt
▪ Date of report
▪ Descriptive list of items submitted for examination
▪ Identity and signature of the examiner
▪ Brief description of the steps taken during examination
▪ Results / conclusions
7. Testifying:
• This phase involves the presentation and cross-examination
of expert witnesses. Expert testimony is generally admissible
only when:
• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and
methods
• The witness has applied the principles and methods reliably to
the facts of the case
Chain of Custody Concept
Chain of custody is a process used to track the movement and
control of an asset through its lifecycle by documenting each
person and organization who handles an asset, the date/time
it was collected or transferred, and the purpose of the
transfer
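One way to make such a custody record tamper-evident, as an added example that is not part of the original notes: each entry records who handed the item to whom, when and why, carries the SHA-256 of the evidence at that moment, and is linked to the previous entry by hash, so a skipped transfer, an edited entry, a custody gap or a changed exhibit all fail verification. The exhibit bytes, names, case number and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of every field except the entry's own hash, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only custody record: each entry names giver, receiver, time and
    purpose, carries the evidence hash at hand-over, and links to the
    previous entry so entries cannot be dropped or reordered unnoticed."""

    def __init__(self, evidence_id, evidence, collected_by, when, purpose="seizure"):
        self.evidence_id = evidence_id
        self.entries = []
        self._append("collected", None, collected_by, purpose, evidence, when)

    def transfer(self, giver, receiver, purpose, evidence, when):
        self._append("transfer", giver, receiver, purpose, evidence, when)

    def _append(self, action, giver, receiver, purpose, evidence, when):
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "from": giver,
            "to": receiver,
            "purpose": purpose,
            "timestamp": when,                 # ISO-8601 string, UTC
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)


def verify_chain(entries, evidence):
    """Return (ok, reason). Checks entry integrity, hash linkage, custodian
    continuity, and that the item now presented still matches every entry."""
    now_hash = sha256_hex(evidence)
    prev_hash, holder = GENESIS, None
    for i, e in enumerate(entries):
        if e["entry_hash"] != entry_digest(e):
            return False, f"entry {i} was altered after it was written"
        if e["prev_entry_hash"] != prev_hash:
            return False, f"entry {i} does not link to entry {i - 1}"
        if e["from"] != holder:
            return False, f"entry {i}: custody gap ({holder!r} never handed to {e['from']!r})"
        if e["evidence_sha256"] != now_hash:
            return False, f"entry {i}: evidence hash differs from the item presented"
        prev_hash, holder = e["entry_hash"], e["to"]
    return True, "chain intact"


def example_results():
    """Constructed scenario: a clean chain, then three ways it can be broken."""
    exhibit = b"constructed stand-in for a drive image"
    log = CustodyLog("EX-2025-0042", exhibit, "Det. Rao", "2025-03-03T09:00:00Z")
    log.transfer("Det. Rao", "Evidence locker", "secure storage", exhibit, "2025-03-03T11:30:00Z")
    log.transfer("Evidence locker", "Examiner Lee", "imaging and analysis", exhibit, "2025-03-04T08:15:00Z")
    rewritten = [dict(e) for e in log.entries]
    rewritten[1]["to"] = "Unknown courier"          # someone edits the paper trail
    skipped = [log.entries[0], log.entries[2]]      # a transfer is left out
    return {
        "intact": verify_chain(log.entries, exhibit),
        "exhibit_modified": verify_chain(log.entries, exhibit + b"\x00"),
        "entry_rewritten": verify_chain(rewritten, exhibit),
        "transfer_skipped": verify_chain(skipped, exhibit),
    }


if __name__ == "__main__":
    for name, (ok, reason) in example_results().items():
        print(f"{name:18} {'OK  ' if ok else 'FAIL'} {reason}")
```

A hash chain kept by one party only proves internal consistency; in practice each custodian also signs or countersigns their entry, and the hash of the final entry is recorded somewhere the custodians cannot rewrite, so that the whole log cannot be regenerated from scratch.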
Analysis of Network Forensics
Network forensics is a science that centers on the
discovery and retrieval of information
surrounding a cybercrime within a networked
environment. Common forensic activities
include the capture, recording and analysis of
events that occurred on a network in order to
establish the source of cyber attacks.
▪ Network forensics makes it possible to capture and reconstruct entire
exchanges, including messages, file transfers, e-mails and web browsing
history, so that the original transaction can be exposed.
Processes Involved in Network Forensics:
Identification: investigators identify and evaluate the incident based
on network indicators.
Safeguarding: investigators preserve and secure the data so that
tampering is prevented.
Accumulation: a detailed report of the crime scene is documented and all
the collected digital evidence is duplicated.
Observation: all the visible data is tracked along with its metadata.
Investigation: a final conclusion is drawn from the collected evidence.
Documentation: all the evidence, reports and conclusions are documented
and presented in court.
Tools used in Network Forensics:
▪Protocol Analyzers
▪Packet Sniffers
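What a protocol analyzer does underneath, as an added example that is not part of the original notes: a minimal pcap reader in Python that decodes Ethernet/IPv4/TCP frames, reassembles payload per direction, and pulls request line, Host and body out of the HTTP requests it finds. The capture is built in memory from constructed frames (a client uploading a file to an outside host, with the request split across two segments); a real capture would come from tcpdump or Wireshark. The reassembly here trusts capture order and ignores sequence numbers, retransmissions and the pcapng format, all of which real tooling must handle.

```python
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _ip_str(b):
    return ".".join(str(o) for o in b)


def tcp_frame(src, sport, dst, dport, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for offline parsing)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # placeholder MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_capture():
    """Constructed pcap (not a real capture): a client POSTs a file to an
    outside host, the request arriving in two segments, then a reply."""
    c, s = ("192.0.2.10", 51234), ("198.51.100.5", 80)
    body = b"name=payroll-q1.xlsx&origin=HR-share"
    req = (b"POST /upload HTTP/1.1\r\nHost: drop.example\r\nContent-Length: "
           + str(len(body)).encode() + b"\r\n\r\n" + body)
    frames = [
        tcp_frame(*c, *s, req[:40]),                  # first segment of the request
        tcp_frame(*s, *c, b""),                       # bare ACK, no payload
        tcp_frame(*c, *s, req[40:]),                  # rest of the request
        tcp_frame(*s, *c, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_741_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from classic little-endian pcap bytes."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet frames is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return the TCP 4-tuple and payload, or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:
        return None
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp)
    return {"src": _ip_str(ip[12:16]), "sport": sport, "dst": _ip_str(ip[16:20]),
            "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}


def reassemble(pcap):
    """Concatenate payload per direction (src, sport, dst, dport) in capture order."""
    streams = {}
    for ts, frame in read_pcap(pcap):
        pkt = decode_tcp(frame)
        if pkt and pkt["payload"]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            s = streams.setdefault(key, {"first_seen": ts, "data": b""})
            s["data"] += pkt["payload"]
    return streams


def find_http_requests(streams):
    """Pull request line, Host and body out of every client->server stream."""
    found = []
    for (src, sport, dst, dport), s in streams.items():
        if not s["data"].startswith((b"GET ", b"POST ", b"PUT ")):
            continue
        head, _, body = s["data"].partition(b"\r\n\r\n")
        lines = head.decode(errors="replace").split("\r\n")
        host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), None)
        found.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}", "at": s["first_seen"],
                      "request": lines[0], "host": host, "body": body})
    return found


if __name__ == "__main__":
    for r in find_http_requests(reassemble(build_sample_capture())):
        print(f"{r['at']:.0f} {r['client']} -> {r['server']} ({r['host']}): {r['request']}  body={r['body']!r}")
```

The split request is the point of the example: neither segment alone contains the file name, so evidence of what left the network only appears after the stream is reassembled, which is why sniffer output has to be processed by a protocol analyzer before it is interpreted.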
Approaching Computer Forensics
Investigation
The phases in a computer forensics investigation are:
▪ Secure the subject system
▪ Take a bit-for-bit copy (image) of the hard drive/disk and verify it
▪ Identify and recover all files, including deleted ones
▪ Access/view/copy hidden, protected and temporary files
▪ Study special areas on the drive (slack space, unallocated space)
▪ Investigate the settings and any data from programs on the system
▪ Consider the system from various perspectives
▪ Create a detailed report containing an assessment of the data and
information collected
Things to be avoided during a forensics investigation:
▪ Changing the date/timestamps of files (work from a write-blocked
device or a verified image, never the original)
▪ Overwriting unallocated space
Things that must not be skipped before a forensics investigation:
▪ Engagement contract
▪ Non-Disclosure Agreement (NDA)
Forensics and Social Networking Sites
A social networking site is defined as a web-based service that allows
individuals to:
▪ Create a public or semi-public profile
▪ Search or navigate through a list of users with whom
they share a common connection
▪ View the connections of other users
The concerns regarding social networking sites are:
• Whether the social networking site violates people's
intellectual property rights
• Whether these sites infringe the privacy of their own users
• Whether these sites promote fraudulent and illegal activities
Security issues associated with social networking sites include:
▪ Corporate espionage
▪ Cross-site scripting
▪ Viruses and worms
▪ Social networking site aggregators
▪ Phishing
▪ Network infiltration leading to data leakage
▪ Identity theft
▪ Cyber bullying
▪ Content-Based Image Retrieval (CBIR)
▪ Spam
▪ Stalking
Challenges in Digital Forensics
• Data Encryption: Encryption can make it difficult to access the data
on a device or network, making it harder for forensic investigators to
collect evidence. This can require specialized decryption tools and
techniques.
• Data Destruction: Criminals may attempt to destroy digital evidence
by wiping or destroying devices. This can require specialized data
recovery techniques.
• Data Storage: The sheer amount of data that can be stored on
modern digital devices can make it difficult for forensic investigators
to locate relevant information. This can require specialized data
carving techniques to extract relevant information.
1. Technological Advancements
• Encryption: Widespread use of encryption makes data retrieval
challenging.
• Cloud Storage: Locating and securing evidence from decentralized
cloud systems.
• IoT Devices: Forensics on IoT devices with proprietary software and
limited storage.
• Artificial Intelligence: Investigating AI systems or ML models used in
crimes.
2. Legal and Jurisdictional Issues
• Jurisdiction Conflicts: Crimes span across regions with varying laws.
• Data Privacy Laws: Regulations (like GDPR) limit access to personal
data.
• Admissibility: Ensuring collected evidence is admissible in court.
3. Handling Big Data
• Volume of Data: Analyzing terabytes of data is time-intensive.
• Data Redundancy: Sifting through duplicate or irrelevant data.
4. Anti-Forensic Techniques
• Data Hiding: Use of steganography and obfuscation techniques.
• Data Destruction: Tools that securely wipe or overwrite data.
• Spoofing: Creating false evidence to mislead investigations.
5. Lack of Standardization
• Tool Reliability: Variability in forensic tools and methodologies.
• Global Standards: Absence of universally accepted forensic
standards.
6. Skilled Workforce
• Shortage of Experts: Demand for trained professionals exceeds
supply.
• Continuous Training: Rapid technological evolution requires ongoing
education.
7. Emerging Technologies
• Quantum Computing: May challenge existing encryption and hashing
methods.
• Blockchain: Complexity in analyzing and tracking blockchain
transactions.
8. Evidence Volatility
• Fragile Digital Evidence: Easy to alter, delete, or corrupt.
• Real-time Data: Challenges in capturing ephemeral data, like live
network traffic.
9. Resource Constraints
• Time Sensitivity: Need for rapid analysis to meet legal or business
timelines.
• Cost: High costs of tools, training, and operations.
10. Ethical Challenges
• Unintentional Breach: Risk of exposing sensitive non-case-related
data.
• Bias in Tools: Automated analysis tools might carry biases affecting
investigations.