1.
Computer Forensics is the science of identifying, preserving, analyzing, and presenting
digital evidence in a legally admissible manner. It plays a crucial role in both criminal and civil
investigations by recovering and validating data from digital devices, such as computers, hard
drives, and networks.
Differences:
Aspect | Computer Forensics | Network Forensics | Data Recovery
Purpose | Recover and analyze data for legal evidence | Trace and analyze network traffic during or after an attack | Retrieve lost or deleted files
Intent | Often to find hidden or deleted data (could be criminal) | Identify attack methods and sources | Accidental or system-based data loss
Example | Finding incriminating emails in a fraud case | Tracing a hacker’s IP through logs | Recovering deleted photos from a corrupted disk
Tools Used | FTK, EnCase | Wireshark, NetFlow analyzers | Recuva, EaseUS
2. How the Investigations Triad collaborates:
1. Vulnerability Assessment & Risk Management: Conduct pre-breach risk analysis. Identify
security gaps (e.g., outdated firewalls). Recommend fixes and simulate future attacks.
2. Network Intrusion Detection & Incident Response: Detect real-time anomalies using
tools like IDS/IPS. Respond by blocking intrusions and isolating affected systems. Gather and
preserve volatile data for evidence.
3. Computer Investigations: Analyze compromised systems to uncover tampered files, user
activity, and malware traces. Collect legally admissible evidence. Support internal disciplinary
actions or external prosecutions.
Example Scenario: A phishing attack exposes payroll records. The triad would: patch email
filters (Risk Mgmt), trace IPs and entry logs (NID), recover deleted scripts and present
evidence (Investigations).
3. Public Investigations vs. Private/Corporate Investigations
Criteria | Public Investigations | Private/Corporate Investigations
Conducted By | Law enforcement agencies (police, FBI) | Private firms, internal security teams
Legal Boundaries | Governed by the Fourth Amendment and criminal law | Governed by company policies and employment law
Evidence Collection | Requires search warrants and follows court protocols | Can access internal systems if policies allow
Outcome | May lead to criminal prosecution | May lead to disciplinary action or civil litigation
Transition | May become civil after trial | May become criminal if crime is uncovered
Example: A public investigation of fraud leads to prosecution. A corporate investigation may
uncover misuse of resources and refer to police if illegal actions are found.
4. Importance of establishing policies, banners, and property distinctions in corporate
forensics.
These elements are critical to managing digital risks:
1. Clear Company Policies: Define acceptable computer/network use. Empower IT/security
to investigate incidents. Ensure consistency and legal defensibility.
2. Warning Banners: Inform users about monitoring. Legally remove the “expectation of
privacy”. Serve as simple, enforceable legal documentation in court.
3. Personal vs. Company Property: Avoids legal ambiguity in accessing devices like personal
phones. Ensures company data remains protected. Avoids evidence contamination or privacy
violations.
Impact: Such policies legitimize actions taken during internal investigations and reduce
liability during legal disputes.
5. “Maintaining professional conduct is critical for a computer forensics investigator.”
Explain.
A forensics investigator’s credibility depends on:
1. Ethics and Morals: Must maintain honesty, integrity, and neutrality. Avoid bias or
premature conclusions.
2. Confidentiality: Share details only with authorized personnel. Protect sensitive information,
especially in corporate or legal settings.
3. Objectivity: Present facts, not opinions. Support or refute claims with evidence.
4. Continuous Learning: Stay updated with tools, OS, laws, and best practices. Maintain logs
of processes and techniques used.
5. Legal Awareness: Must understand privacy rights, evidence handling, and legal constraints.
Maintain chain of custody and avoid search warrant violations.
Example: If an investigator shares case details with a friend or misinterprets a policy, it can
lead to legal dismissal of evidence or reputational harm.
4. Windows Registry Structure & Forensic Use
The Windows Registry is a hierarchical database that stores configuration and user data.
Main parts:
HKEY_LOCAL_MACHINE (HKLM) – System and software settings.
HKEY_CURRENT_USER (HKCU) – Current user's preferences.
HKEY_USERS (HKU) – All user profiles.
Stored as hive files like SYSTEM, SOFTWARE, SAM, SECURITY, and Ntuser.dat.
Forensic Value: Shows USB devices used, installed apps, user activity, network connections,
etc. Helps track user behavior and reconstruct timelines.
5. Windows NT Startup Sequence
The system boot process involves several stages:
Steps:
BIOS → runs POST and checks boot device.
MBR (Master Boot Record) → loads bootloader.
BOOTMGR (or NTLDR) → loads boot configuration (BCD or Boot.ini).
Loads Ntoskrnl.exe, HAL.dll, and registry hives.
Starts Winlogon and user session.
Important Files:
BOOTMGR: Handles OS selection.
BCD: Boot Configuration Database.
Ntoskrnl.exe: Windows kernel.
Registry: Loads system/user configurations.
Understanding this helps in diagnosing boot failures and malware persistence.
Unit 2:
1.Systematic Approach to Investigation:
Initial Assessment: Understand the case type and talk to stakeholders.
Design Strategy: Plan steps and whether evidence is already collected.
Checklist: Break steps down with time estimates.
Resources: List tools, software, and OS knowledge needed.
Evidence Copy: Create bit-stream image of all media.
Risk Assessment: Predict issues (e.g., booby-trapped files).
Mitigation: Prepare backups, handle passwords smartly.
Analysis & Report: Recover and document files, deleted data, emails, etc.
2. Internet Abuse vs. ACP (Attorney-Client Privilege) Investigations
Internet Abuse: Get proxy logs, suspect IP, disk. Analyze browser history vs. logs. Check
for inappropriate downloads. Follow legal privacy rules.
ACP Investigation: Start only with the lawyer's memo. Make two images using different tools. Use
keyword search; avoid written comms. Mark all findings "Privileged". Confidentiality is
critical.
3. Preserving Evidence & Chain of Custody:
Use evidence forms with full details. Store items in antistatic bags. Forensic image must be
created. Lock originals in secure storage. Log every access with signatures and
timestamps. Ensures integrity and admissibility in court.
4. Forensic Workstation Setup
Needs: Win XP/Vista/Linux, ports, forensic tools. Use write-blockers to prevent altering
evidence. Don’t boot evidence disk in Windows—it modifies data. Use DOS or bootable
forensic tools if needed.
5. Analyzing USB Drive with ProDiscover
Load image into project. Browse files, view deleted files. Use keyword search (e.g.,
“George”). Extract files of interest. Create and export report in RTF or TXT.
Unit 3:
FAT vs NTFS:
Feature | FAT | NTFS
Structure | Simple File Allocation Table | Master File Table (MFT) with metadata
File Size | Up to 4 GB (FAT32) | Supports very large files
Security | No permissions or encryption | File-level permissions + EFS
Reliability | No journaling, prone to corruption | Journaling helps recovery
Slack Space | More slack due to large clusters | Less slack, efficient storage
Performance | Slower with large drives | Faster and more stable
Compression | Not supported | Supported
Compatibility | Very high (USBs, memory cards) | Mostly Windows
Use Case | Small, portable storage | Internal drives, secure systems
2. NTFS MFT Structure and Key Files
NTFS (New Technology File System) stores data using the Master File Table (MFT).
Each file and folder has a 1024-byte MFT record that stores metadata (like file name,
location, size, timestamps, permissions).
Key system files in NTFS (File: Description):
$MFT: Main file table holding metadata of all files.
$MFTMirr: Backup of first few MFT records for recovery.
$LogFile: Stores logs of file system operations, used for crash recovery.
$Bitmap: Tracks free and used clusters on the disk.
$Boot: Contains boot code and startup information.
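As an added example (not code from the notes or from any NTFS tool), the following Python parses the fixed header of a 1024-byte MFT record. The record it parses is constructed with struct.pack, so no disk is read; the field offsets are those of the documented NTFS FILE record header. The in-use flag is what separates a live file from a deleted one whose record, and the metadata in it, has not yet been reused, which is why deleted entries can still be recovered from $MFT.

```python
"""Parse the fixed header of an NTFS MFT file record.

Added example, not code from the notes or from any forensic tool: a minimal
parser for the header of a 1024-byte MFT record, run over a record constructed
with struct.pack. Offsets follow the documented NTFS FILE record layout.
"""
import struct

RECORD_SIZE = 1024
# Little-endian header fields, in order: signature, update sequence array
# offset and count, $LogFile sequence number, sequence number, hard-link
# count, first attribute offset, flags, bytes used, bytes allocated,
# base record reference, next attribute id.
HEADER_FMT = "<4sHHQHHHHIIQH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 42 bytes
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def parse_mft_record(record):
    """Return the header fields of one MFT record as a dict; raise on a bad record."""
    if len(record) != RECORD_SIZE:
        raise ValueError(f"expected a {RECORD_SIZE}-byte record, got {len(record)}")
    (sig, usa_offset, usa_count, logfile_seq, seq, links, attr_offset, flags,
     used, allocated, base_ref, next_attr_id) = struct.unpack_from(HEADER_FMT, record, 0)
    if sig != b"FILE":
        # NTFS writes "BAAD" over records it found damaged; anything else is not a record.
        raise ValueError(f"unexpected record signature {sig!r}")
    if used > allocated or allocated > RECORD_SIZE or attr_offset < HEADER_LEN:
        raise ValueError("header sizes are inconsistent")
    return {
        "logfile_sequence_number": logfile_seq,
        "sequence_number": seq,                   # incremented each time the record is reused
        "hard_links": links,
        "first_attribute_offset": attr_offset,
        "in_use": bool(flags & FLAG_IN_USE),      # cleared when the file is deleted
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "bytes_used": used,
        "bytes_allocated": allocated,
        "base_record_number": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits of the reference
        "next_attribute_id": next_attr_id,
    }


def build_sample_record(in_use=True, directory=False, seq=3, links=1, used=416):
    """Construct a synthetic record: valid header, attribute area left zero-filled."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    header = struct.pack(HEADER_FMT, b"FILE", 48, 3, 0x1234, seq, links, 56,
                         flags, used, RECORD_SIZE, 0, 4)
    return header + b"\x00" * (RECORD_SIZE - HEADER_LEN)


if __name__ == "__main__":
    for label, rec in (("live file", build_sample_record()),
                       ("deleted file", build_sample_record(in_use=False, seq=4))):
        print(label, parse_mft_record(rec))
```

A real record continues past the header with a chain of attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA) starting at first_attribute_offset; a full parser walks those to recover names, timestamps and cluster runs.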
3. Challenges with Whole Disk Encryption (WDE)
WDE protects all data on a disk by encrypting it (e.g., BitLocker).
Challenges for forensics: Can't read or analyze encrypted drives without the encryption
key. Access needs password, TPM chip, or recovery key.
Workarounds:
Live acquisition: If the system is powered on and unlocked.
Cold boot attack: Recover keys from RAM immediately after shutdown.
Legal methods: Obtain decryption keys via warrant or cooperation.
Encryption strengthens security but makes forensic analysis harder.
Unit 4:
1. Compare Raw, Proprietary, and AFF (Advanced Forensic Format)
Feature | Raw | Proprietary | AFF (Advanced Forensic Format)
Format Type | Bit-by-bit copy | Tool-specific format (e.g., EnCase .E01) | Open-source, flexible format
Compression | No | Yes | Yes
Metadata | Not embedded, stored separately | Embedded within the image | Embedded with image
Compatibility | High – tool-independent | Limited – depends on the tool | High – supported by most tools
Validation | External hash required | Built-in validation | Built-in validation
Use Case | Simple, fast acquisition | Advanced analysis, commercial tools | Secure sharing across tools and platforms
2. Four Data Acquisition Methods + Use Cases
Method | Description | Best Use Case
Disk-to-Image | Sector-by-sector copy to a file | Criminal case where full forensic duplication is needed
Disk-to-Disk | Full copy from suspect drive to another physical drive | Hardware issues, or when imaging to a file isn’t feasible
Logical | Captures selected files/folders (no deleted/unallocated space) | Corporate cases where only specific data (e.g., emails) is relevant
Sparse | Captures active files + unallocated file fragments | Time-limited cases or when full image isn't needed but deleted data may help
Factors to Consider: Drive size: Sparse for large drives, raw for smaller ones. Time:
Logical is fastest, disk-to-image takes more time. Investigation type: Legal/criminal cases
often require full bit-stream copies.
3. Contingency Planning, Multiple Images, Encryption, HPA, Hashing
Contingency Planning: Essential to prepare for tool crashes, power failures, or drive errors.
Use two different tools or formats as backup (e.g., FTK and ProDiscover).
Why Create Multiple Images? Protects original evidence. Enables separate analysis/court
storage. Reduces chance of data loss during transfer or corruption.
Challenges with Encrypted Drives & HPA
Encrypted Drives: Require passwords or decryption keys. Static acquisition is useless if
system is off.
Solution: Live acquisition, memory imaging, or legal order for keys.
Host Protected Area (HPA): Hidden from OS and imaging tools. Solution: Use BIOS tools
or imaging software that supports HPA detection.
Hashing for Validation: MD5 / SHA-1 / SHA-256: Create digital fingerprints of data. Used
to verify that no changes occurred during acquisition.
Tools: Linux: md5sum, sha1sum. Forensic tools: EnCase, FTK, ProDiscover.
Matching hash = integrity confirmed. Always hash before and after.
4. Acquisition with Linux Live CD, dd & dcfldd
Use of Forensic Live CD: Doesn’t auto-mount drives (avoids modifying evidence). Runs in
memory; OS is not affected. Preloaded with forensic tools like dd, dcfldd.
Process of Acquisition: Boot with Live CD (e.g., Helix, Penguin Sleuth). Attach evidence
disk and destination drive. Use commands like:
    dd if=/dev/sda of=/mnt/image/evidence.dd
    dcfldd if=/dev/sda of=case1.img hash=md5 hashlog=hash.txt
Precautions with if and of: if= (input file): Must be the evidence drive (read-only). of=
(output file): Must be image destination.
Reversing them will destroy the evidence!
Advantages of dcfldd over dd
Feature | dcfldd Advantage
Hashing | Supports MD5, SHA1 during acquisition
Logging | Generates detailed logs (hashlog)
Splitting | Allows split images for easier handling
Verification | Verifies copy post-acquisition (vf=)
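The if=/of= precaution above is worth automating, because a reversed command overwrites the evidence before anyone notices. The following is an added example, not code from the notes and not part of dd or dcfldd: a Python pre-flight check that inspects a planned command line against a device inventory (constructed here; the device paths and roles are hypothetical) and refuses to proceed when the input is not a write-blocked evidence device, when the output is an evidence device (the reversed-arguments mistake), or when dcfldd is about to run without hash= and hashlog=.

```python
"""Pre-flight check for a dd/dcfldd acquisition command line.

Added example, not from the notes and not part of dd or dcfldd: it reads the
if=/of= options of a planned command and refuses to proceed when the input is
not a registered, write-blocked evidence device or when the output would land
on an evidence device. The device inventory is constructed for this example;
a real run would be fed the examiner's own device list.
"""
import os

# Constructed inventory of what is attached to the forensic workstation
# (hypothetical device paths and roles).
DEVICE_INVENTORY = {
    "/dev/sda": {"role": "evidence", "write_blocked": True},
    "/dev/sdb": {"role": "destination", "write_blocked": False},
    "/dev/sdc": {"role": "evidence", "write_blocked": False},  # no write-blocker fitted
}


def parse_dd_args(argv):
    """Split a dd-style argument list into {option: value}; argv[0] is the tool."""
    opts = {}
    for arg in argv[1:]:
        if "=" in arg:
            key, value = arg.split("=", 1)
            opts[key] = value
    return opts


def check_acquisition(argv, inventory=DEVICE_INVENTORY):
    """Return (ok, findings) for a planned dd/dcfldd command."""
    tool = os.path.basename(argv[0])
    opts = parse_dd_args(argv)
    findings = []
    src, dst = opts.get("if"), opts.get("of")
    if src is None or dst is None:
        return False, ["both if= and of= must be given explicitly"]
    if src == dst:
        return False, ["if= and of= name the same path"]

    src_dev = inventory.get(src)
    if src_dev is None or src_dev["role"] != "evidence":
        findings.append(f"input {src} is not a registered evidence device")
    elif not src_dev["write_blocked"]:
        findings.append(f"evidence device {src} is not behind a write-blocker")

    # The output may be an image file or the destination drive, never evidence.
    dst_dev = inventory.get(dst)
    if dst_dev is not None and dst_dev["role"] == "evidence":
        findings.append(f"output {dst} is an evidence device: if= and of= look reversed")

    # dcfldd can record the acquisition hash as it copies; insist that it does.
    if tool == "dcfldd":
        if "hash" not in opts:
            findings.append("dcfldd run without hash=; no acquisition hash will be computed")
        if "hashlog" not in opts:
            findings.append("dcfldd run without hashlog=; the hash would not be recorded")
    return not findings, findings


if __name__ == "__main__":
    import shlex
    for cmd in ("dcfldd if=/dev/sda of=case1.img hash=md5 hashlog=hash.txt",
                "dd of=/dev/sda if=/mnt/image/evidence.dd",
                "dd if=/dev/sdc of=/dev/sdb"):
        ok, notes = check_acquisition(shlex.split(cmd))
        print("OK  " if ok else "STOP", cmd, notes)
```

The inventory is the weak point of such a check: it is only as good as the examiner's record of which device is which, so it belongs in the evidence form filled in when the drives were attached, not in a guess made at the keyboard.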
5. RAID Acquisition & Remote Network Tools
Common RAID Levels & Challenges
RAID Type | Description | Acquisition Challenge
RAID 0 | Striping, no redundancy | Lose 1 disk = lose all data
RAID 1 | Mirroring (duplication) | Twice the space needed, syncing issues
RAID 5 | Striping + parity | Requires all disks + proper config
Tools for RAID Acquisition: EnCase, X-Ways Forensics, R-Studio, RAID Reconstructor
Remote Acquisition Tools
Tool | Key Features
ProDiscover IR | Agent-based, encrypted transfer, stealth mode
EnCase Enterprise | Centralized control, SAFE server
F-Response | Mounts remote drives read-only on local system
Advantages: Access remote systems without physical contact. Saves time, especially in
enterprise environments.
Drawbacks: Network Speed: Slow transfer over busy or low-bandwidth networks.
Security Risks: Data may be intercepted if encryption fails. Permissions: Requires
admin/root access; may be blocked by firewalls.
Unit 4:
1. Roles of E-mail Clients and Servers & Differences:
• E-mail Server stores, sends, and manages e-mail (e.g., Microsoft Exchange).
• E-mail Client (e.g., Outlook) accesses the server to send/receive messages.
3 Key Differences (Intranet vs. Internet Email Systems):
Feature | Intranet E-mail | Internet E-mail
Account Creation | Admin-controlled | User self-registration
Usernames | Standard format (e.g., j.doe@corp) | Flexible (e.g., dragonkiller@gmail)
Tracking Ease | Easy due to naming rules & access | Hard due to varied providers
2. Steps in Examining E-mail Evidence:
• Access victim’s device to retrieve e-mails.
• Preserve e-mails by copying or forwarding them (never modify the original).
• View headers: Outlook → Right-click > Message Options > Copy header text.
Why use a copy?
• Prevents accidental data modification.
• Maintains chain of custody.
• Allows repeated analysis without risk to original.
3. Significance of E-mail Server Logs:
• Logs show sender IP, date/time, recipient, and message status.
• Used to trace message delivery or tampering.
Circular Logging:
• Overwrites old logs (e.g., daily), causing loss of past data.
• May destroy valuable evidence if logs aren't backed up.
Tracking.log (Exchange Server):
• Logs each message movement.
• In verbose mode, includes IPs, timestamps, content info.
4. Use of FINALeMAIL & FTK Tools in E-mail Forensics:
FINALeMAIL:
• Scans drives for deleted e-mails.
• Supports formats like Outlook Express, Eudora.
• Recovers orphaned messages.
FTK (with dtSearch):
• Adds PST/DBX files as evidence.
• Builds searchable index of message content and attachments.
• Allows viewing/exporting specific messages.
Steps in FTK:
1. Start a case → Add .pst file.
2. Use "E-mail Emphasis" → Index messages.
3. Right-click → Export as .html or file format of choice.
5. E-mail Spoofing and Detection:
• Spoofing: Forging sender's address to appear legitimate.
• Detection Method:
o Analyze e-mail headers (e.g., check ESMTP number).
o Compare message routing paths.
o Look for mismatched domains or IPs.
Case Example: In Suni Munshani v. Signal Lake, spoofing was proven by matching header
data like the ESMTP number.
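The header checks listed above (routing path, mismatched domains or IPs) can be scripted. The following is an added example in Python, not code from the notes or from any product: it parses a raw message with the standard-library email package, rebuilds the relay path from the Received headers oldest-first, and flags a first relay, Message-ID or Reply-To that does not belong to the From domain. It also pulls out the ESMTP transaction ids so they can be matched against the relays' own logs, which is the kind of header-to-log comparison the Signal Lake case turned on. Both messages, and every host, address and id in them, are constructed for the example.

```python
"""Header checks for a suspected spoofed e-mail.

Added example, not code from the notes or from any forensic product. The two
messages below are constructed; all hosts, addresses and ids are made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# "from <host> ... by <host>" inside one Received header (values may be folded).
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)
ESMTP_ID_RE = re.compile(r"\bwith\s+\S*SMTP\S*\s+id\s+([\w.-]+)", re.IGNORECASE)

SPOOFED = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.corp.example (Postfix) with ESMTP id 7F3A2C1
    for <staff@corp.example>; Mon, 3 Mar 2025 10:12:44 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with ESMTP id 9B12D0; Mon, 3 Mar 2025 10:12:40 +0000
From: "Payroll" <payroll@corp.example>
Reply-To: payroll-update@example.org
Message-ID: <20250303101240.1a2b@mailer.example.org>
To: staff@corp.example
Subject: Updated direct deposit form

Please open the attached form.
"""

GENUINE = """\
Received: from smtp.corp.example (smtp.corp.example [192.0.2.25])
    by mx.corp.example (Postfix) with ESMTP id 4C9E11; Mon, 3 Mar 2025 09:01:02 +0000
Received: from ws42.corp.example (ws42.corp.example [192.0.2.142])
    by smtp.corp.example with ESMTP id 7D001; Mon, 3 Mar 2025 09:01:00 +0000
From: "Payroll" <payroll@corp.example>
Message-ID: <20250303090100.9f8e@smtp.corp.example>
To: staff@corp.example
Subject: March pay dates

Pay dates for March are unchanged.
"""


def as_message(raw_or_msg):
    return raw_or_msg if isinstance(raw_or_msg, Message) else message_from_string(raw_or_msg)


def domain_of(header_value):
    """Domain part of an address-bearing header (From, Reply-To, Message-ID), lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def relay_path(raw_or_msg):
    """Hops as (from_host, by_host), oldest first (Received headers are stored newest first)."""
    hops = []
    for value in as_message(raw_or_msg).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).strip("[]").lower(), m.group(2).lower()))
    hops.reverse()
    return hops


def esmtp_ids(raw_or_msg):
    """Transaction ids stamped by each relay, oldest first, for cross-checking server logs."""
    ids = []
    for value in as_message(raw_or_msg).get_all("Received", []):
        m = ESMTP_ID_RE.search(value)
        if m:
            ids.append(m.group(1))
    ids.reverse()
    return ids


def in_domain(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoof_indicators(raw):
    """Return a list of findings; an empty list means no mismatch was found."""
    msg = as_message(raw)
    sender = domain_of(msg.get("From"))
    findings = []
    hops = relay_path(msg)
    if hops:
        first_from, first_by = hops[0]
        if not in_domain(first_by, sender):
            findings.append(f"first relay {first_by} (handed the message by {first_from}) "
                            f"is not a {sender} server")
    else:
        findings.append("no Received headers: routing path cannot be verified")
    mid = domain_of(msg.get("Message-ID"))
    if mid and not in_domain(mid, sender):
        findings.append(f"Message-ID domain {mid} does not match From domain {sender}")
    reply = domain_of(msg.get("Reply-To"))
    if reply and not in_domain(reply, sender):
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoof_indicators(raw), "ids:", esmtp_ids(raw))
```

A finding is an indicator, not proof: mail legitimately sent through a third-party mailing service also shows a foreign first relay, so each indicator should be corroborated against the sending server's tracking logs (matching the ids that esmtp_ids returns) before a conclusion is drawn.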
Unit 4:
1. Rules of Evidence in U.S. Courts for Digital Evidence
• Digital evidence is treated like physical evidence.
• Must follow Federal Rules of Evidence (e.g., relevance, authenticity, hearsay
exceptions).
• Hearsay rule exceptions: business records, public records, absence of a record.
• Hashing tools (MD5, SHA-1) are used to verify integrity of digital data.
• Investigators must maintain chain of custody and use proper forensic tools.
• Courts demand reproducibility and authentication of the digital evidence source.
2. Private-Sector vs. Law Enforcement Crime Scenes
Feature | Private-Sector Scene | Law Enforcement Scene
Legal Authority | Based on company policy | Requires search warrant (4th Amendment)
Purpose | Policy enforcement | Criminal investigation
Privacy Concerns | May vary (based on banners/policies) | Must protect rights of suspects
Investigator Role | Often internal staff | Government agents
Evidence Handling | Can turn over to police later | Follows strict legal protocols
Summary: Private-sector cases rely on internal policies; law enforcement must follow
constitutional procedures.
3. Preparing for a Search – 5 Key Considerations
Nature of Case: Public (requires warrant) or private (policy-driven).
System Type: Identify OS, hardware, network setup.
Hazards: HAZMAT, power risks, unstable environments.
Seizure Options: Decide if you can remove system or must image on-site.
Tools Needed: Choose between Initial or Extensive Response Field Kits based on situation.
Proper planning ensures legal compliance, safety, and successful evidence collection.
4. Securing a Crime Scene & Seizing Digital Evidence
• Secure the area using barrier tape and restrict access.
• Assign one person to collect and log evidence.
• If the system is off, don’t power it on. If on, consider an orderly shutdown.
• Use forensic imaging tools; don’t alter data.
• Document everything: photos, sketches, evidence logs.
• Bag and tag items with labels, collector info, and timestamps.
Ensures preservation and admissibility of digital evidence.
5. Digital Hash (e.g., MD5, SHA-1)
• A hash is a fixed-length digital fingerprint of data.
• Used to verify integrity (original = copy if hashes match).
• Common algorithms: MD5, SHA-1, SHA-256.
• Even a 1-bit change alters the hash completely.
• Helps detect tampering or corruption.
• Tools: md5sum, FTK, Autopsy.
Essential for maintaining the reliability and authenticity of evidence.
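The hash-before-and-after rule from Unit 4 (Hashing for Validation, and the hash=, hashlog= and vf= options of dcfldd) and the properties listed in this section can be exercised on a constructed drive. The block below is an added example, not code from the notes or from any forensic tool: it images a bytes object sector by sector while hashing, verifies the image against both the source and the recorded hash log, then flips one bit in the image and shows that verification fails and that roughly half the digest bits change. SHA-1 and SHA-256 are used; MD5, also listed in the notes, can be added to ALGORITHMS where the tooling still expects it.

```python
"""Hash-verified acquisition of a (constructed) evidence drive.

Added example, not code from the notes or from dd/dcfldd: the evidence drive is
a bytes object built here, so everything runs offline. The copy is made sector
by sector while hashes are computed (what dcfldd's hash= and hashlog= record),
the image is then verified against the source (what vf= does), and a single
flipped bit in the image is shown to fail verification.
"""
import hashlib
import io

SECTOR = 512
ALGORITHMS = ("sha1", "sha256")   # the notes also list MD5; add "md5" if your tool needs it


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_stream(stream):
    """Digest the whole stream, reading it in sector-sized chunks."""
    hashers = _new_hashers()
    stream.seek(0)
    while True:
        chunk = stream.read(SECTOR)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image):
    """Sector-by-sector copy from source to image; returns the hash log built while copying."""
    hashers = _new_hashers()
    sectors = 0
    source.seek(0)
    while True:
        chunk = source.read(SECTOR)
        if not chunk:
            break
        image.write(chunk)
        for h in hashers.values():
            h.update(chunk)
        sectors += 1
    log = {name: h.hexdigest() for name, h in hashers.items()}
    log["sectors"] = sectors
    return log


def acquire_bytes(data):
    """Convenience wrapper around acquire() for in-memory data: (image_bytes, hashlog)."""
    image = io.BytesIO()
    log = acquire(io.BytesIO(data), image)
    return image.getvalue(), log


def verify(source, image, hashlog):
    """Post-acquisition check: source, image and the recorded log must all agree."""
    recorded = {name: hashlog[name] for name in ALGORITHMS}
    return hash_stream(source) == hash_stream(image) == recorded


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted (simulates corruption or tampering)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_evidence():
    """Constructed 'drive': seven full sectors of patterned data plus a partial last sector."""
    return bytes(range(256)) * 14 + b"CONSTRUCTED EVIDENCE SAMPLE"


def run_demo():
    """Image the constructed drive, verify, tamper with one bit, verify again."""
    evidence = build_evidence()
    image_bytes, log = acquire_bytes(evidence)
    ok_before = verify(io.BytesIO(evidence), io.BytesIO(image_bytes), log)
    tampered = io.BytesIO(flip_bit(image_bytes, 1000))
    ok_after = verify(io.BytesIO(evidence), tampered, log)
    changed = differing_bits(log["sha256"], hash_stream(tampered)["sha256"])
    return ok_before, ok_after, changed


if __name__ == "__main__":
    before, after, changed = run_demo()
    print("image verifies:", before)
    print("after one flipped bit, image verifies:", after,
          f"({changed} of 256 SHA-256 bits changed)")
```

The recorded log is what goes on the evidence form: re-hashing the original at trial and getting the same digests is the reproducibility the courts ask for, and the check works only if the log was written at acquisition time, not reconstructed later.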
Unit 5:
1. Challenges in Mobile Device Forensics vs. Traditional Forensics
• Device Diversity: Many OSs (Android, iOS, etc.) and models with different file
systems and hardware.
• Rapid Tech Changes: New devices and updates make tools obsolete quickly.
• Volatile Memory: Data in RAM is lost if power is cut.
• Network Isolation: Devices must be blocked from the internet to prevent remote
wiping (use Faraday bags or airplane mode).
These factors make mobile forensics more complex and time-sensitive than traditional
computer forensics.
2. Physical vs. Logical Extraction + Isolation Techniques
• Physical Extraction: Creates a full bit-by-bit copy (even deleted data/unallocated
space). Preferred for deep forensic analysis.
• Logical Extraction: Uses the device's API to collect accessible data (e.g., contacts,
messages); safer but limited.
Isolation Steps:
• Critical First Step: Block all communications to prevent remote access/wiping.
• Tools:
o Airplane Mode: If device is accessible.
o Faraday Bag or RF Shielding Box: Prevents all wireless signals.
Proper isolation protects volatile evidence and prevents tampering.
3. Forensic Significance of SIM Card in GSM Devices
• SIM Card Role: Identifies the user on the GSM network.
• Key Data Stored:
o IMSI (International Mobile Subscriber Identity)
o Network details, limited contacts, SMS
• Acquisition: Use a SIM card reader to extract data.
• Value: Links the device to a subscriber, tracks activity (calls, messages), and helps in
user identification.
SIMs are small but valuable sources of network and user evidence.
4. Cellebrite UFED and XRY – Leading Mobile Forensics Tools
Tool | Key Features
Cellebrite UFED | Supports physical, logical, file system, and cloud extractions. Works with thousands of device types. Offers decoding, app analysis, and reporting.
XRY | Performs both logical and physical acquisitions. Supports many phones and apps. Offers intuitive interface and analysis options.
Both are industry standards and support a wide range of devices and extraction types.
5. Internet of Anything (IoT) – Meaning, Examples & Challenges
• Definition: IoT refers to everyday smart devices that collect and share data via the
internet.
Examples:
1. Smart Home Devices (e.g., Alexa, thermostats)
2. Wearables (e.g., smartwatches)
3. Smart Cars (with GPS, event data recorders)
Forensic Challenges:
• Data Location: Data may be stored on-device, in the cloud, or on paired
smartphones.
• Tech Diversity: No standard formats or interfaces; each device is different.
• Volume: Huge amounts of data from various sensors and logs.
Investigating IoT requires identifying all linked sources and strong network forensic
skills.