LECTURE NOTES CYBER SECURITY

MAINTAINED BY MS ANAMTA ABBAS

UNIT 4

UNDERSTANDING COMPUTER FORENSICS

• Computer forensics is a branch of digital forensics that deals with the recovery,
investigation, and analysis of data stored on computers and other electronic devices.
• The primary aim of computer forensics is to uncover evidence related to criminal
activities, data breaches, cybercrimes, or any other illegal activities involving digital
systems.
• This discipline involves various methods and tools used to preserve, collect, and analyze
data to ensure its integrity and legality, often in the context of legal proceedings.

Historical Context

• The concept of computer forensics emerged as technology advanced and its integration
into both personal and professional spheres increased. In the 1980s, as personal
computers became more widespread, crimes involving computers, such as hacking, data
theft, and fraud, began to surface.
• This necessitated a specialized approach to investigating digital crimes, leading to the
development of computer forensics as a distinct field.
• The growth of the internet in the 1990s further expanded the scope of computer-related
crimes, such as identity theft, cyberstalking, and online fraud, making forensics more
vital than ever.

Core Processes in Computer Forensics

1. Identification: The first step in a computer forensic investigation involves identifying

and securing all potential sources of evidence. This includes computers, smartphones,
external hard drives, network logs, cloud storage, and other digital storage devices.
Proper identification ensures that no evidence is overlooked.
2. Preservation: Preserving the integrity of the digital evidence is a critical part of
computer forensics. Forensic investigators must ensure that the data remains unaltered
during the investigation process. This is often done by creating an exact, bit-for-bit copy
of the data, called a forensic image. This ensures that the original data is not
compromised and can be used as reliable evidence in court.
3. Collection: Data collection involves retrieving data from various devices while
maintaining a strict chain of custody. The process must adhere to legal protocols to
ensure the evidence is admissible in court. Investigators typically use specialized forensic
tools to capture data without altering it.
4. Analysis: Once data is collected, forensic experts analyze it to uncover relevant evidence.
This could involve recovering deleted files, examining internet activity logs, analyzing
communication history, or uncovering hidden or encrypted files. The goal of the analysis
is to reconstruct events or actions that can prove or disprove criminal activity.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
5. Presentation: The final stage of computer forensics is presenting the findings in a clear,
understandable manner, often in a court of law. Forensic experts must be able to explain
complex technical details in a way that judges and jurors can understand. The integrity
and accuracy of the presentation are paramount, as the outcome of legal proceedings may
depend on the evidence provided.

Applications of Computer Forensics

Computer forensics has several practical applications in law enforcement, corporate security, and
legal fields:

• Cybercrime Investigations: Law enforcement agencies use computer forensics to

investigate crimes like hacking, identity theft, and fraud.
• Data Breach Response: Companies rely on forensics to understand how a security
breach occurred, recover stolen data, and prevent future incidents.
• Civil Litigation: In legal disputes, computer forensics can uncover important evidence
such as emails, documents, and transaction records that might be relevant to the case.
• Internal Investigations: Organizations use forensics to monitor employee activity,
investigate suspected misconduct, or ensure compliance with data protection regulations.

Challenges in Computer Forensics

• The sheer volume of data that needs to be examined can be overwhelming.

• Additionally, technological advancements like encryption, cloud storage, and
anonymizing tools like VPNs and the dark web can make it difficult to track and analyze
evidence.
• Furthermore, investigators must stay updated with rapidly evolving technology to keep
up with emerging cyber threats.\

Digital Forensics Science: An Overview

• Digital forensics science is the practice of recovering, preserving, and analyzing digital
data from electronic devices to investigate crimes or misconduct involving technology.
• This field is essential in the context of criminal investigations, corporate security
breaches, and legal disputes.
• Digital forensics aims to uncover, preserve, and validate digital evidence that can be
used in court.
• It covers a range of devices, including computers, smartphones, tablets, servers, external
storage, and even cloud-based environments.
• The process involves several key steps: identifying potential sources of evidence,
preserving the integrity of the data, collecting relevant information, analyzing it to
uncover valuable insights, and presenting the findings in a manner that is admissible in
legal proceedings.
• Tools such as forensic software, hardware duplicators, and specialized analytical
techniques are used to retrieve hidden, deleted, or encrypted data.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
• Digital forensics is used in investigations of cybercrimes like hacking, identity theft, and
online fraud, as well as internal investigations within organizations. It's crucial for tracing
digital footprints, reconstructing events, and establishing timelines of activities.

Advantages of Digital Forensics:

1. Effective Crime Solving: Digital forensics helps solve complex crimes involving
technology, providing law enforcement with solid evidence.
2. Data Recovery: It allows the recovery of deleted or hidden data, often providing crucial
evidence in investigations.
3. Protecting Privacy and Security: It aids organizations in detecting and preventing data
breaches or unauthorized access to sensitive information.
4. Legal Admissibility: Digital forensics ensures that data is collected and analyzed in a
legally sound manner, which can be used in court proceedings.
5. Preventive Measures: By identifying vulnerabilities in systems and processes, digital
forensics helps organizations improve their cybersecurity posture.

Difference Between Computer Forensics and Digital Forensics

Computer forensics Digital forensics

Computer forensics is specifically focused Digital forensics encompasses a much wider
on computers (desktops, laptops, and range of devices, including mobile phones,
workstations) and the data stored on them tablets, servers, external drives, cloud storage,
and IoT devices.

Specialization: While computer forensics Digital forensics includes the broader

focuses on retrieving data from computer investigation of any electronic device that may
systems and associated storage media (like contain valuable evidence. This includes
hard drives) recovering data from smartphones, social
media platforms, and cloud storage, as well as
examining network traffic.
Both disciplines use similar tools for data Digital forensics covers a wider range of
recovery and analysis, devices and may involve specialized tools for
mobile phones, cloud services, or network
forensics.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
The Need for Computer Forensics

• The increasing reliance on digital technology in every aspect of modern life—whether

personal, business, or government—has created a strong need for computer forensics.
As more critical data is stored electronically, the potential for digital crimes, fraud,
cyberattacks, and data breaches has risen dramatically.
• This has made computer forensics an essential field for addressing and solving
technology-driven incidents. Here are some of the key reasons why computer forensics is
so necessary today:

1. Rise in Cybercrime

• Cybercrime is on the rise, with criminals exploiting technology to commit fraud, identity
theft, hacking, data breaches, and online scams. As more people and organizations rely
on digital systems, the potential for digital crimes increases. Computer forensics is crucial
in identifying and investigating cybercrimes, such as:

i. Hacking: Unauthorized access to computer systems to steal data, cause damage, or

spread malware.
ii. Phishing: Fraudulent attempts to gain sensitive information through deceptive digital
communication.
iii. Data Theft: The illegal copying or theft of business or personal data for malicious use.

2. Evidence Recovery

• One of the main roles of computer forensics is to recover deleted, hidden, or corrupted
data from digital devices. In many cases, criminals believe that deleting files or wiping
hard drives will erase their tracks. However, skilled forensic experts can recover valuable
evidence that proves criminal activity, such as:

i. Deleted Files: Data that was thought to be erased or hidden but can still be recovered.
ii. Metadata: Information about when and by whom files were created, modified, or
accessed, which can establish a timeline of events.
iii. Encrypted Data: Forensic techniques can sometimes crack or bypass encryption, making
hidden files accessible for analysis.

3. Digital Evidence in Legal Proceedings

• Digital evidence is often pivotal in modern legal cases. With most transactions,
communications, and interactions now taking place in digital spaces, such as emails,
social media, and online banking, computer forensics plays a critical role in gathering and
presenting evidence that is legally admissible in court. This includes:
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
i. Corporate Investigations: Companies may use computer forensics to investigate
employee misconduct, intellectual property theft, or violations of policies.
ii. Criminal Trials: Law enforcement agencies use forensic experts to retrieve evidence
from computers, mobile devices, and servers that can support criminal cases.
iii. Civil Cases: In cases like divorce or intellectual property disputes, digital evidence can
reveal key communications, files, and transactions.

4. Preventing and Responding to Data Breaches

• Data breaches are a significant concern for organizations and individuals alike.
Cybercriminals target databases, cloud storage, and networks to steal sensitive personal
or business information, such as credit card numbers, intellectual property, and client
records. Computer forensics helps:

i. Identify the Source: Forensics experts can trace the source of a data breach, determining
how the intrusion occurred and what vulnerabilities were exploited.
ii. Assess the Damage: Forensics helps in understanding what information was accessed or
stolen, helping businesses and individuals understand the scope of the breach.
iii. Improve Security: By analyzing a breach, computer forensics professionals can
recommend security measures to prevent future incidents.

5. Corporate and Internal Investigations

• Organizations often face internal threats, including fraud, harassment, intellectual

property theft, or violations of company policies. Computer forensics helps investigate
such incidents by:

i. Tracking Digital Footprints: Forensics experts can monitor employee activities on

company systems, identifying any irregular or suspicious behavior.
ii. Investigating Employee Misconduct: Digital evidence such as emails, chat logs, and
file transfers can help organizations uncover misconduct.
iii. Ensuring Compliance: Many industries require organizations to adhere to strict data
protection regulations (e.g., HIPAA, GDPR). Computer forensics ensures that employees
and systems comply with these legal frameworks.

6. Preventing and Solving Financial Fraud

• Financial institutions and businesses are frequently targeted by fraudsters who exploit
digital systems for illicit financial gain. Computer forensics can help track fraudulent
activities like:
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
i. Bank Fraud: Investigating unauthorized transactions, money laundering, or hacking into
financial systems.
ii. Corporate Fraud: Identifying fraudulent activities within companies, such as
embezzlement or accounting fraud.
iii. Credit Card Fraud: Tracing illegal activities involving stolen credit card information or
unauthorized transactions.

7. Combating Terrorism and National Security Threats

• Digital forensics plays a vital role in national security efforts. Terrorist organizations,
criminal syndicates, and extremist groups increasingly use digital means to communicate,
organize, and fund their activities. Computer forensics aids law enforcement agencies and
intelligence organizations by:

i. Tracking Online Communications: Investigating encrypted communications, social

media activity, and dark web interactions.
ii. Uncovering Financial Networks: Tracing illegal money transfers and funding sources
that support terrorist activities.
iii. Preventing Cyberattacks: Identifying vulnerabilities in national infrastructure systems
and preventing cyberattacks that could threaten public safety or national security.

Forensic Analysis of E-Mail

• E-mail forensics involves the investigation and analysis of electronic mail (e-mail)
messages to uncover evidence in criminal cases or civil disputes.
• Given that e-mails are one of the most widely used communication methods in personal,
business, and criminal contexts, they often serve as a rich source of evidence in various
investigations.
• E-mail forensic analysis can help to authenticate or refute claims, uncover hidden
messages, identify the sender/receiver, and establish timelines of communication.

Key Areas of E-Mail Forensics

i. E-Mail Header Analysis

• E-mail headers contain valuable metadata that can be used to trace the origin and
path of a message. These headers are typically hidden from regular users but can
be extracted and analyzed by forensic experts. Key information in an e-mail
header includes:

o Sender’s IP Address: Helps determine the physical location of the sender at the
time the email was sent.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
o Message Routing Path: Shows the servers and networks through which the e-
mail traveled.
o Timestamp: Provides the date and time the e-mail was sent and received, which
can be used to establish timelines.
o Return Path: Identifies the server used to send the message and may help
confirm the legitimacy of the sender.
o Message-ID: A unique identifier for each e-mail, useful for identifying duplicates
or verifying authenticity.

By examining these details, forensic experts can often determine the true origin of the message,
detect forged e-mails, or trace e-mail spoofing attempts.

2. E-Mail Content and Message Integrity

Forensic experts often perform a content analysis of e-mail bodies to assess the
message’s authenticity and uncover any hidden or deleted information. Common
techniques include:
o Analyzing E-Mail Attachments: Attachments may contain malware, hidden
messages, or incriminating files. Experts can extract and analyze these
attachments to understand their content and purpose.
o Detecting Deleted or Hidden Content: Sometimes, messages may be
intentionally altered or deleted by the sender. Forensic tools can retrieve deleted
e-mails from the system’s cache, hard drive, or e-mail servers.
o HTML or Rich Text Analysis: If the e-mail is in HTML format, forensic
analysis may reveal hidden code (e.g., JavaScript, images, or links) embedded in
the message. This can help trace phishing attempts or other malicious activities.

3. Time Analysis and Timeline Construction

E-mail forensic investigators can use timestamps found in headers to establish a timeline
of events. By analyzing the sending and receiving times, the geographic location of the
sender, and other related messages, investigators can build a chronological sequence of
communication that may reveal crucial details about a crime or fraud. This is particularly
useful for:
o Verifying Alibis: For example, if an individual claims they were not near a
location, e-mails sent at certain times can help confirm or challenge their alibi.
o Establishing Intent: In criminal cases, analyzing the timing of e-mails can
provide insights into intent, particularly when messages are exchanged just before
or after a crime.

4. E-Mail Footprints and User Behavior

Forensic analysis can also examine user behavior by tracking e-mail interactions over
time. By looking at a sequence of e-mails, investigators can discern patterns, such as:
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
o Frequency of Communication: High-frequency e-mails exchanged within short
periods may indicate urgent or coordinated efforts (e.g., criminal activity or
fraud).
o Recipient and Sender Relationships: E-mail forensics can uncover hidden
relationships between individuals through analysis of e-mail exchanges over time.
o Content Patterns: For example, repeated use of certain terms, codes, or language
could indicate covert communications in cases like money laundering or
organized crime.

5. E-Mail Authentication and Validity

In many cases, forensic experts must determine whether an e-mail is authentic or forged.
Techniques used to authenticate e-mails include:
o Cryptographic Signatures: Some e-mails may contain cryptographic signatures
(e.g., PGP or S/MIME) to ensure the authenticity of the sender. Forensic experts
can verify these signatures to confirm the integrity of the message.
o Forensic E-Mail Tools: There are various forensic tools (like X1 Social
Discovery, MailXaminer, or EnCase) that can verify the authenticity of an e-mail
by checking for tampering or inconsistencies in its metadata.

6. E-Mail Logs and Server Analysis

Forensic experts often access server logs to track e-mail traffic and identify patterns that
can help pinpoint the sender or receiver. Server logs can provide insight into:
o IP Addresses: Determining the geographical location and network the e-mail
originated from.
o SMTP Logs: These logs provide details on the sending server, including how the
message was routed across multiple servers before being delivered to the
recipient.
o Mail Server Activity: By examining the mail server’s activity logs, forensic
investigators can identify whether the e-mail was received, rejected, or relayed
from different sources.

Common Use Cases for E-Mail Forensics

1. Criminal Investigations
E-mails are often used in criminal cases to establish communication patterns between
suspects. Forensic analysis can uncover critical evidence that might link a suspect to a
crime, such as threatening messages, communications between conspirators, or evidence
of planning illegal activities.
2. Corporate Investigations
In the corporate world, e-mail forensics is commonly used to investigate fraud,
intellectual property theft, harassment, or breaches of company policies. For example,
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
forensic analysis can uncover evidence of data theft or attempts to cover up illicit
activities through deleted or altered e-mails.
3. Civil Litigations
E-mail forensics is used in civil cases to resolve disputes or provide evidence in lawsuits.
For example, e-mails could be used to verify contracts, establish timelines, or prove a
breach of duty.
4. Fraud Investigations
In cases of financial fraud or investment scams, e-mail communications can serve as a
significant source of evidence, revealing key conversations, instructions, or misleading
information exchanged between parties.

Challenges in E-Mail Forensics

• Encryption and Security Measures: Many criminals or malicious actors use encryption,
secure e-mail services, or pseudonymous e-mail addresses to conceal their identity. This
makes it more difficult to perform thorough forensics.
• Data Volume: The sheer volume of e-mail traffic can be overwhelming, especially in
large organizations. Forensic experts must sift through large datasets to identify relevant
information, which can be time-consuming.
• Tampering and Deletion: Criminals may attempt to delete or alter e-mails to cover their
tracks, making it challenging to extract reliable evidence.

Digital Forensics Life Cycle

• The Digital Forensics Life Cycle is a structured process followed by forensic

investigators to identify, collect, preserve, analyze, and present digital evidence.
• This life cycle ensures that evidence is handled in a methodical and legally sound
manner, ensuring its integrity and admissibility in court.
• Each stage of the life cycle is crucial in maintaining the chain of custody and ensuring the
credibility of the evidence. Here’s an overview of the typical stages in the Digital Forensics
Life Cycle.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS

1. Identification

Purpose: The first step is identifying potential sources of digital evidence.

• Scope: This stage involves determining which devices, data sources, and systems could
contain relevant evidence. These can include computers, mobile phones, servers, hard
drives, USB drives, cloud storage, emails, and more.
• Key Activities:
o Identifying devices such as computers, mobile devices, storage devices, and
network logs.
o Recognizing the type of data that might be relevant to the case (e.g., deleted files,
logs, or communications).
o Identifying the digital environment, such as cloud services, databases, or IoT
devices that may contain pertinent evidence.

2. Preservation

Purpose: Ensuring the integrity of digital evidence by preventing contamination or alteration.

• Scope: Digital evidence can be easily altered or deleted if not properly handled. The
preservation stage focuses on maintaining the evidence in its original state.
• Key Activities:
o Create Forensic Images: Make exact, bit-by-bit copies of the digital storage
devices (hard drives, phones, etc.) to prevent altering the original evidence. These
are known as forensic images or disk images.
o Write Blockers: Use write blockers to prevent any modification of the original
storage devices during evidence collection.
o Document Chain of Custody: Record all actions taken on the evidence,
including who accessed it, when, and for what purpose. This documentation is
crucial for ensuring that the evidence is admissible in court.

3. Collection

Purpose: To gather all relevant data from the identified sources.

• Scope: Data collection involves extracting relevant information from digital devices
while ensuring that no data is altered during the process. Forensic investigators use
specialized tools and techniques to ensure that the process is as thorough and non-
invasive as possible.
• Key Activities:
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
o Collection of Data: Extracting data from various devices like computers, mobile
phones, external drives, servers, etc.
o Data Types: This could include files, emails, web browsing history, logs,
metadata, system configurations, and even live data such as running processes or
active network connections.
o Collect Volatile Data: In certain cases, investigators may need to capture volatile
data from live systems, such as RAM (random access memory) or active
processes, before the device is powered off.

4. Examination and Analysis

Purpose: Analyzing the collected data to identify evidence and reconstruct events.

• Scope: This stage is about uncovering hidden, deleted, or obfuscated data and
determining its relevance to the investigation. Data analysis might involve searching for
patterns, recovering deleted files, decrypting data, or analyzing metadata.
• Key Activities:
o Data Recovery: Restoring deleted or corrupted files that could be crucial for the
investigation.
o Data Filtering: Identifying relevant data from large volumes of information,
including documents, emails, files, web activity, logs, and more.
o Analysis Techniques: Using specialized forensic tools (such as EnCase, FTK, or
Autopsy) to analyze data, recover deleted files, and identify suspicious activities.
o Metadata Analysis: Investigators often analyze metadata (such as creation,
modification, and access timestamps) to establish timelines or verify the
authenticity of the evidence.
o Forensic Tool Usage: Utilizing forensic tools and software to analyze large
datasets, recover hidden files, crack passwords, decrypt messages, and more.

5. Interpretation

Purpose: Making sense of the data to draw conclusions that are relevant to the investigation.

• Scope: Once the evidence is analyzed, it needs to be interpreted in the context of the case.
This involves understanding the data, linking it to criminal behavior, and developing a
narrative based on the digital evidence.
• Key Activities:
o Establishing a Timeline: Creating a timeline of events based on the collected
data to understand the sequence of actions or communications.
o Contextualizing Evidence: Correlating the data with other information from the
investigation (e.g., witness statements, physical evidence) to build a clear case.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
o Identifying Links: Tracing relationships between different pieces of evidence to
establish connections (e.g., identifying a suspect’s involvement or intentions
through digital trails).

6. Documentation

Purpose: Recording all findings, methodologies, and processes for future use in legal or
investigative proceedings.

• Scope: Documentation ensures that all actions taken during the investigation are fully
recorded. This helps establish the credibility of the findings and ensures that they can be
used in court if necessary.
• Key Activities:
o Detailed Reporting: Preparing a detailed forensic report that outlines all the
findings, the methods used in the investigation, and any conclusions drawn.
o Supporting Evidence: Including all supporting evidence such as logs,
screenshots, data prints, and analysis summaries.
o Chain of Custody: Documenting the chain of custody for the evidence to ensure
that the evidence has not been tampered with or altered during the investigation
process.

7. Presentation

Purpose: Presenting findings in a clear, understandable, and legally acceptable manner.

• Scope: The findings from the forensic analysis must be presented in a way that can be
understood by legal authorities, judges, jurors, or other stakeholders. This is often a
critical stage as the outcome of the investigation might lead to legal consequences.
• Key Activities:
o Court Presentation: Forensic investigators may be called to testify in court to
explain the methods used, the findings, and the conclusions drawn. This requires
the expert to present complex technical details in an understandable manner.
o Evidence Presentation: Presenting the evidence (e.g., e-mails, data logs, or
recovered files) in a clear, concise manner to support the investigation’s
conclusions.
o Expert Testimony: Forensic experts may need to testify as an expert witness to
explain the methods used in the investigation, the tools used for analysis, and the
interpretation of the findings.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
8. Final Reporting

Purpose: Providing a final report that documents the entire investigative process and
conclusions.

• Scope: A final, comprehensive report is produced, which serves as the official record of
the investigation. It contains all the details of the steps taken, methodologies used,
findings, and conclusions.
• Key Activities:
o Summary of Findings: A clear summary of the evidence found, how it was
collected, and its relevance to the case.
o Technical and Legal Aspects: A balance between technical explanations and
legal implications, ensuring the findings are accessible and valid for legal
proceedings.

Challenges in the Digital Forensics Life Cycle

• Volume of Data: The sheer amount of data involved can make it challenging to identify
relevant evidence.
• Encryption: Encrypted data may require additional time and resources to analyze,
particularly if passwords or decryption keys are unavailable.
• Data Corruption: Some data may be corrupted or fragmented, complicating the analysis
process.
• Legal and Ethical Considerations: Ensuring that all actions taken are within the
boundaries of the law and ethical guidelines is critical for the admissibility of evidence.

Chain of Custody Concept in Digital Forensics

• The Chain of Custody refers to the detailed and documented process of tracking the
handling and movement of evidence from the moment it is collected until it is presented
in court. In digital forensics, maintaining a proper chain of custody is critical to ensure
that digital evidence—such as hard drives, mobile devices, or files—is not tampered with
or altered during the investigation process.
• When digital evidence is handled improperly, it risks being deemed inadmissible in court.
This is why the chain of custody is one of the most important concepts in digital
forensics, as it preserves the integrity of the evidence and ensures its authenticity.

Key Elements of Chain of Custody

1. Documentation
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
• Every step of the process must be carefully documented. This includes recording
the identity of individuals who handle the evidence, the times at which it was
collected or transferred, and any actions taken with the evidence. Documentation
is typically stored in a chain of custody form or a logbook.

o Key Information:
▪ Date and time of evidence collection
▪ Name and signature of the person who collected the evidence
▪ Description of the evidence (type, serial numbers, etc.)
▪ The condition of the evidence at the time of collection
▪ Locations where the evidence was stored or analyzed
2. Sealing and Labeling
Digital evidence must be properly sealed and labeled to prevent unauthorized access.
This typically involves:
o Sealing: Placing the evidence in tamper-evident bags or containers.
o Labeling: Assigning unique identifiers to the evidence, such as case numbers,
serial numbers, and barcodes, to track it easily.

Proper labeling ensures that the evidence can be identified and traced accurately at every
stage of the investigation.

3. Handling and Storage

Evidence should be handled only by authorized personnel and stored in a secure
environment. For digital evidence, this involves:
o Write Protection: Using write blockers to prevent alteration of data during the
collection and handling of storage devices (e.g., hard drives, USB drives).
o Secure Storage: Storing evidence in a controlled environment where
unauthorized access is restricted (e.g., locked evidence lockers or secured server
rooms).
4. Transfer and Transportation
When evidence needs to be transferred between locations or investigators, it is crucial
that:
o The chain of custody is maintained through signed receipts, documentation, and
secure transport.
o The evidence is always under supervision, preventing any risk of tampering
during transit.
5. Access Control
Only authorized individuals should be allowed to access or handle the evidence. Access
logs are essential to track who interacted with the evidence at each stage. Any time the
evidence is accessed or transferred, this action must be documented.

Why is Chain of Custody Important in Digital Forensics?

1. Ensuring Integrity of Evidence

The primary purpose of maintaining a chain of custody is to ensure that the evidence
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
remains untouched and unmodified throughout the investigation process. Any
unauthorized access or alteration of evidence could result in the evidence being declared
inadmissible in court.
2. Legal Admissibility
Digital evidence must be handled and documented correctly to be considered valid in
legal proceedings. If there is a break in the chain of custody, opposing parties may argue
that the evidence was tampered with, leading to questions about its authenticity. The
chain of custody ensures that evidence can be legally presented in court without disputes
over its authenticity.
3. Establishing Accountability
Proper documentation and logging of actions help establish a clear record of who handled
the evidence and what actions were taken. This protects the integrity of the investigation
by holding each individual involved accountable for their actions.
4. Preventing Evidence Tampering
Without a clear chain of custody, there is a risk of evidence being tampered with, lost, or
compromised. This could undermine the investigation and hinder the ability to solve
crimes. The chain of custody provides a safeguard against such tampering.

Steps in Maintaining the Chain of Custody

1. Collection of Evidence
The process starts with the proper identification and collection of the evidence. This
includes documenting:
o What is collected (e.g., a laptop, external hard drive, smartphone).
o Where it was collected (e.g., the scene of the crime, from a suspect's property).
o Who collected it and the date/time of collection.
2. Sealing and Labeling Evidence
Once collected, evidence should be sealed in a tamper-evident container. A unique
identifier, like a barcode or serial number, is assigned to the evidence to track it.
3. Transport and Transfer
Evidence should be transported securely to a storage facility or forensic lab. Every time
evidence is moved, a documented transfer (often in the form of a chain of custody form)
is required, listing:
o Who transferred the evidence.
o Where and why it was transferred.
o Who received the evidence at the destination.
4. Storage
Evidence must be stored in a secure and controlled environment to prevent tampering.
This includes:
o Physical security (locked storage areas).
o Digital security (encrypted storage or secure servers).
5. Analysis
During forensic analysis, the evidence should be protected from alteration. Investigators
use techniques like write-blocking to ensure the original data remains intact.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
6. Presentation in Court
When evidence is presented in court, the entire chain of custody must be demonstrated to
show that the evidence has not been tampered with. Investigators or forensic experts may
be called upon to testify about how they handled the evidence and maintain its integrity.

Breaks in the Chain of Custody

A break or gap in the chain of custody occurs when one of the critical steps is not documented
or executed correctly, such as:

• Evidence is transferred without proper documentation.

• Evidence is handled by unauthorized individuals.
• Evidence is stored improperly, leaving it open to potential tampering.

If the chain of custody is broken, the defense can challenge the validity of the evidence, arguing
that it may have been altered or contaminated. In some cases, this can lead to the exclusion of
evidence in court.

Network Forensics
• Network forensics and computer forensics both play key roles in digital investigations, but they
focus on different aspects of digital evidence collection, analysis, and presentation. Here's an
outline of how to approach a computer forensics investigation with a particular focus on network
forensics:

1. Preparation Phase

a. Understand the Legal and Ethical Considerations

• Authorization: Make sure you have the proper legal authority to conduct the
investigation (e.g., warrants, consent).
• Chain of Custody: Ensure all evidence is collected, handled, and stored according to
legal standards to preserve its integrity.
• Privacy Concerns: Be mindful of privacy rights and data protection laws (GDPR,
HIPAA, etc.).

b. Identify the Scope of the Investigation

• Determine whether the focus is purely network-based (e.g., intrusions, traffic analysis) or
involves systems at rest (e.g., file systems, logs, applications).
• Clarify if the investigation involves internal systems, third-party service providers, or
external hackers.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
2. Network Forensics Investigation

Network forensics involves capturing and analyzing network traffic to uncover digital evidence.
It is often crucial for identifying the source of an attack, understanding how the attack occurred,
and preventing future incidents.

a. Evidence Collection:

• Packet Capturing: Tools like Wireshark or tcpdump allow you to capture live network
traffic.
• Network Logs: Routers, firewalls, IDS/IPS systems, and web servers often log important
network events.
• Intrusion Detection/Prevention Systems (IDS/IPS): These systems might provide
valuable data on abnormal network activity or unauthorized access attempts.
• Server Logs: Logs from DNS, web servers, or application servers could provide crucial
insights into user behavior and access patterns.

b. Data Preservation:

• Ensure that collected data is stored securely, maintaining a clear chain of custody to
avoid any challenges in court.
• Network traffic logs and packet captures should be preserved in their raw form for future
analysis.

c. Initial Analysis:

• Traffic Analysis: Investigate traffic patterns, such as unusual spikes in network activity,
large data transfers, or unauthorized access.
• Protocols: Look for unusual or unexpected protocols in use. If you see SMB traffic on
ports where it’s not supposed to be, it could indicate a data exfiltration attempt.
• Source & Destination Analysis: Identify the origin and target of traffic. Suspicious
traffic might come from known malicious IP addresses or countries.

d. Detailed Analysis:

• Traffic Reconstruction: Reconstruct sessions from captured packets. If the attacker used
tools like Metasploit or RATs (Remote Access Trojans), their commands might be visible
in the traffic.
• Timeline Creation: Use network logs and traffic captures to build a timeline of events
leading up to the incident. This helps identify attack vectors and potentially compromised
accounts or systems.

3. Computer Forensics Investigation

While network forensics focuses on traffic, computer forensics focuses on the data stored on
devices, such as files, operating system artifacts, logs, and user activity.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
a. Evidence Collection:

• Data Acquisition: Make an exact copy (bit-for-bit) of the device’s hard drives or storage
volumes. Use write-blockers to prevent modifying the original data during acquisition.
• Operating System Artifacts: Focus on system logs, user profiles, registry (Windows), or
plist files (Mac) for traces of activity.
• Files and Metadata: Look for unusual file modifications or hidden files (e.g., files
created by malware, exfiltrated data).

b. File System Examination:

• Deleted Files: Investigate file slack, unallocated space, and deleted files. Data might still
be recoverable from these areas.
• File Analysis: Review document files, email correspondence, or system logs that could
provide insights into the activity that took place.
• Hidden Data: Use steganography tools or search for encrypted files that could indicate
hidden data.

c. Malware Analysis:

• If malware is suspected, examine the behavior of files, processes, or memory to detect

anomalies.
• Tools like Volatility (for memory analysis) or Kali Linux can be used to identify
suspicious binaries or processes that may be linked to malicious activity.

d. Correlation with Network Data:

• Correlate network data with local system logs. For example, if you find unusual traffic on
a network log, check if there are related artifacts in system logs on the corresponding
machine.

4. Analysis Phase

a. Correlation and Hypothesis Formation

• Use both network and system-based evidence to piece together the events. For example,
if there’s evidence of an attacker exploiting a vulnerability, try to match that with
suspicious network traffic or system events.
• Build a timeline based on both network traffic and file modifications on affected systems.

b. Identifying Attack Vectors

• Look for common attack vectors such as phishing, web shell exploitation, or remote
access tools (RATs).
• Analyze whether the attack came from an insider or external source, and track down the
attack’s progression from the initial entry point to the final impact.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
c. Reporting and Documentation

• Create a detailed report documenting your findings, methods used, and the overall
process.
• Include the timeline, affected systems, actions taken during the investigation, and any
recommendations to improve security.

5. Post-Investigation

a. Remediation and Prevention

• Based on your findings, recommend corrective actions. For example, if the attack came
via a phishing email, improving employee training and email filtering would be essential.
• Patch systems or configure network defenses to prevent future incidents.

b. Legal Actions and Evidence Presentation

• If required, prepare evidence for legal proceedings. Ensure the integrity and chain of
custody of the evidence are well-documented.

c. Root Cause Analysis

• Conduct a root cause analysis to understand how and why the attack occurred. Was it a
vulnerability in the system, lack of monitoring, or user negligence?

Tools Commonly Used in Network and Computer Forensics

1. Network Forensics Tools:

o Wireshark: Captures and analyzes network packets.
o tcpdump: Command-line packet analyzer.
o Suricata: IDS/IPS and network security monitoring engine.
o NetFlow/SFlow: Monitors network traffic flow for anomalies.
2. Computer Forensics Tools:
o EnCase: For disk imaging and analysis.
o FTK Imager: For forensic disk imaging and evidence collection.
o Autopsy: Open-source digital forensics tool.
o Volatility: Memory analysis framework.

Forensics and Social Networking Sites:

• Social networking sites (SNS) like Facebook, Twitter, Instagram, LinkedIn, and
others have become integral parts of our daily lives.
• However, they also pose unique security and privacy risks that can complicate
digital forensics investigations.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
• As investigators, understanding these challenges is key to navigating the
complexities involved in collecting and analyzing data from social media
platforms.

1. Security and Privacy Threats in Social Networking Sites

a. Privacy Violations

• Oversharing of Personal Information: Users often overshare personal details on social

media without considering the potential consequences. This can provide cybercriminals
or malicious actors with sensitive information for exploitation.
• Geotagging: Many platforms allow users to share their physical location (e.g., check-ins,
location-based posts). This can inadvertently reveal the user's whereabouts in real time,
aiding physical stalking or targeting for further attacks.
• Misuse of User-Generated Content: Photos, posts, and even private messages can be
misused by malicious actors, who may extract personal information or use them to
blackmail or intimidate the user.

b. Cyber Threats

• Phishing: Social media is a common platform for phishing attacks. Criminals

impersonate legitimate users or institutions to extract login credentials, bank details, or
other sensitive information.
• Malware Distribution: Social media platforms are prime locations for spreading
malicious links, files, and apps that exploit vulnerabilities or trick users into downloading
malware.
• Social Engineering Attacks: Attackers use social engineering techniques on platforms to
manipulate individuals into revealing confidential information, accessing systems, or
performing actions that compromise security.
• Impersonation and Fake Profiles: Attackers often create fake profiles or "catfish" users
to gain trust and extract private information or manipulate others.

c. Data Leaks and Breaches

• Third-Party Apps: Many SNS allow third-party applications that access users' personal
data. These apps may inadvertently or maliciously leak sensitive information.
• Data Breaches: SNS platforms themselves can be the target of large-scale data breaches,
exposing millions of users' private information.
• API Vulnerabilities: Social media platforms may have insecure or poorly configured
APIs, allowing attackers to extract large quantities of data without proper authorization.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
2. Challenges in Computer Forensics on Social Media

The integration of social networking sites into everyday life has created complex challenges for
computer forensics investigations. Here are some of the most significant obstacles faced by
forensic investigators when dealing with data from SNS:

a. Data Volatility and Transience

• Temporary Data: Many SNS platforms make extensive use of temporary data storage or
cache, which can be deleted automatically or expire after a certain time. For instance,
Facebook and Instagram may delete messages or posts after a short duration, making it
difficult to retrieve relevant data for an investigation.
• User-Controlled Data Deletion: Users have the ability to delete posts, messages, or
entire accounts, which can hinder the investigation. Some platforms also automatically
delete content after a certain period of time or when accounts are deactivated.
• Ephemeral Content: Features like Snapchat’s disappearing messages and Instagram’s
Stories make it harder to track down evidence, as the content disappears after a set
period.

b. Data Encryption

• End-to-End Encryption: Some social networking services (like WhatsApp) offer end-
to-end encryption, which prevents anyone—including service providers—from accessing
the content of communications. While this is excellent for privacy, it makes it much more
difficult for investigators to access message contents unless they have access to the user’s
device or account credentials.
• Encrypted Media: Photos and videos shared on social media may be encrypted in such a
way that investigators need specialized tools to extract and analyze the content properly.

c. Large Volumes of Data

• Massive Data Sets: Social media platforms generate huge amounts of data daily, from
messages, images, videos, and posts to comments and likes. This flood of information
can make it difficult to identify relevant evidence or trace specific events in the midst of
irrelevant noise.
• Dynamic Content: Social networks are continuously changing, with new posts, updates,
and comments appearing all the time. Forensic investigators must work fast to capture
relevant data before it is removed or altered.

d. Legal and Jurisdictional Issues

• Cross-Border Data: Many SNS platforms store user data on servers located in multiple
countries, which creates jurisdictional issues. Different countries have different privacy
and data protection laws (e.g., GDPR in the EU), and these laws can complicate the
process of obtaining data from SNS companies.
• Platform Cooperation: Social media companies may not always be forthcoming with
data, especially in jurisdictions where they do not have legal obligations to comply. They
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
may be unwilling to cooperate unless a court order or subpoena is provided, which can
delay investigations.
• Privacy Laws: Legal considerations around privacy (e.g., GDPR, CCPA) can restrict
access to user data. Investigators need to be aware of the legal implications of accessing
and using personal data from SNS platforms.

e. Platform-Specific Challenges

• API Restrictions: Some platforms have strict API (Application Programming Interface)
access policies that limit the amount and type of data that can be retrieved. For example,
many platforms only provide historical data through API requests for a short time
window.
• Content Alteration: Many social media platforms allow users to edit or delete their
posts, making it hard for investigators to determine the original content. Even deleted
content might still be available in cached versions or through third-party services like
Google.
• Metadata and Context: Social media platforms often strip or fail to provide important
metadata when content is shared or reposted, making it difficult to verify authenticity and
understand the context of the content.

f. Authentication and Verification

• False Identities: Social media users can create fake profiles or impersonate others. This
creates problems for investigators trying to authenticate the identity of a user or link a
particular post or message to a specific individual.
• Shared Devices: Multiple individuals may use the same device to access social media
platforms, which makes it difficult to determine who performed a particular action or
posted a specific piece of content.
• Spoofed or Manipulated Content: Photos, videos, and text can be altered, manipulated,
or spoofed to deceive investigators or hide the truth. For example, images might be
edited, or someone could change the metadata on a piece of content to mislead
investigators.

3. Approaches to Overcome These Challenges

a. Collaboration with Social Media Providers

• Subpoenas and Legal Orders: In many cases, investigators can obtain data directly
from social media providers through subpoenas or court orders. Providers like Facebook,
Twitter, and Google have legal processes to request data, and forensic investigators
should be familiar with how to use these tools to obtain evidence.
• Collaboration with Digital Forensic Firms: Sometimes, third-party firms specialize in
data extraction and forensic analysis from social media platforms. These companies have
experience navigating the complexities of accessing and analyzing data from SNS.
 LECTURE NOTES CYBER SECURITY
MAINTAINED BY MS ANAMTA ABBAS
b. Use of Specialized Forensic Tools

• Tools like X1 Social Discovery, Cellebrite, and Oxygen Forensics are designed to
extract, preserve, and analyze data from mobile devices and social media platforms,
overcoming many of the limitations of platform-specific restrictions.
• Social Media Analysis Tools: Investigators can use specialized tools that focus on social
media forensics, such as Maltego for data mining and link analysis, or Social Media
Investigations tools to search public profiles and trace connections between individuals.

c. Data Collection and Preservation

• Timely Capture: To avoid losing data, investigators should capture and preserve
evidence as quickly as possible. Using browser-based tools, browser extensions, or
dedicated forensic tools, investigators can archive entire social media pages, profiles, and
conversations.
• Preservation of Metadata: Tools like FTK Imager or EnCase can be used to preserve
the original metadata of social media content, which can be critical for verifying
authenticity.

d. Legal Training and Awareness

• Given the rapidly evolving landscape of social media platforms, forensic professionals
need to stay informed about the latest privacy and data protection laws (e.g., GDPR,
CCPA). Understanding these laws will help investigators navigate the complexities of
data access while ensuring compliance.