Cyber Security Notes Unit 4
Investigators use a variety of techniques and proprietary forensic applications to examine the copy
they've made of a compromised device. They search hidden folders and unallocated disk space for
copies of deleted, encrypted or damaged files.
• Reverse steganography. Steganography is a common tactic used to hide data inside any type
of digital file, message or data stream. Computer forensic experts reverse a steganography
attempt by comparing the hash of the file in question with that of a known-good copy. If a
cybercriminal hides information inside an image or other digital file, it may look the same
before and after to the untrained eye, but the underlying hash, or the string of bytes that
represents the image, will change.
• Stochastic forensics. Here, investigators analyze and reconstruct digital activity without the
use of digital artifacts. Artifacts are unintended alterations of data that occur from digital
processes. Artifacts include clues related to a digital crime, such as changes to file attributes
during data theft. Stochastic forensics is frequently used in data breach investigations where
the attacker is thought to be an insider, who might not leave behind digital artifacts.
• Cross-drive analysis. This technique correlates and cross-references information found on
multiple computer drives to search for, analyze and preserve information relevant to an
investigation. Events that raise suspicion are compared with information on other drives to
look for similarities and provide context. This is also known as anomaly detection.
• Live analysis. With this technique, a computer is analyzed from within the OS while the
computer or device is running, using system tools on the computer. The analysis looks at
volatile data, which is often stored in cache or RAM. Many tools used to extract volatile data
require the computer to be in a forensic lab to maintain the legitimacy of the chain of
evidence.
• Deleted file recovery. This technique involves searching a computer system and memory for
fragments of files that were partially deleted in one place but leave traces elsewhere on the
machine. This is sometimes known as file carving or data carving.
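The deleted-file recovery (file carving) step described above, as an added example that is not part of the original notes: it scans a raw image for the header and footer signatures of JPEG and PNG files and copies out every complete file it finds. The image is constructed inline from filler bytes and minimal sample files (one of them truncated, so the carver also has to report a header whose footer was overwritten); the signature table and the MAX_FILE limit are this example's own choices. Real carvers also have to cope with fragmented files and with files nested inside others (an EXIF thumbnail is itself a JPEG), which this toy does not handle.

```python
"""Toy file carver: recover deleted JPEG and PNG files from unallocated space
in a raw image by scanning for their header and footer signatures."""
import hashlib
import os
import tempfile

# Header/footer byte signatures (real magic numbers for these two formats).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 10 * 1024 * 1024   # stop looking for a footer after 10 MiB (example limit)


def carve(image):
    """Return (kind, offset, data, complete) for every signature hit, sorted
    by offset. A header with no footer within MAX_FILE is reported as a
    partial file (its tail was overwritten); its data runs to MAX_FILE or EOF."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = start + MAX_FILE
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                found.append((kind, start, image[start:limit], False))
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((kind, start, image[start:end], True))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def write_carved(results, outdir):
    """Save each complete carve as <kind>_<offset>.<kind> and return
    {filename: sha256} so the recovered files can be documented and verified."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {}
    for kind, offset, data, complete in results:
        if not complete:
            continue
        name = f"{kind}_{offset:08x}.{kind}"
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


# Constructed minimal files (valid signatures only, not real pictures).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8   # tail overwritten, no footer


def build_sample_image():
    """Constructed stand-in for unallocated space: filler bytes with the samples
    dropped in. The filler is an ascending byte ramp, so it holds no signature."""
    filler = bytes(range(256)) * 4
    return filler + SAMPLE_JPEG + filler + SAMPLE_PNG + filler + TRUNCATED_JPEG + filler


if __name__ == "__main__":
    results = carve(build_sample_image())
    for kind, off, data, ok in results:
        print(f"{kind} at 0x{off:x}: {len(data)} bytes, {'complete' if ok else 'PARTIAL'}")
    print(write_carved(results, tempfile.mkdtemp(prefix="carved_")))
```

The manifest of SHA-256 hashes returned by write_carved is what goes into the examiner's notes: it ties each recovered file to the offset it was carved from and lets anyone re-verify the recovered copies later.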
Forensics Investigation Process:
Cyber forensics is a field that follows certain procedures to find the evidence to reach conclusions
after proper investigation of matters.
• Identification and Preservation:
The first step for cyber forensics experts is to identify what evidence is present, where it is stored,
and in which format it is stored. This means identifying potential sources of evidence and ensuring
they are not tampered with or compromised.
After identifying the data, the next step is to safely preserve it and not allow other people to use the
device, so that no one can tamper with the data. Necessary steps are taken to preserve the integrity of
the evidence, such as creating a forensic image or making a bit-by-bit copy.
• Acquisition:
Acquiring the data from the identified sources, including computer systems, storage media, or
network logs. Using forensically sound techniques to capture and preserve the evidence, ensuring its
admissibility in court.
• Analysis:
After getting the data, the next step is to analyze the data or system. Here the expert recovers the
deleted files and verifies the recovered data and finds the evidence that the criminal tried to erase by
deleting secret files. This process might take several iterations to reach the final conclusion.
Analyzing the acquired data using forensic tools and techniques.
Searching for relevant information, reconstructing events, and uncovering evidence that can support
the investigation.
• Reporting:
Documenting the findings, methodologies, and analysis performed during the investigation. After
the data has been analyzed, a record is created. This record contains all the recovered and available
(not deleted) data, which helps in recreating the crime scene and reviewing it.
Creating a comprehensive report that presents the evidence in a clear, concise, and understandable
manner.
• Presentation:
This is the final step in which the analyzed data is presented in front of the court to solve cases.
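The identification, preservation, acquisition, analysis and reporting steps above, carried through on one constructed evidence file as an added example that is not part of the original notes. It makes a bit-for-bit image of a "device" (a file standing in for a disk), hashes the source while reading it and re-hashes the written image to prove the copy is exact, records every action in a chain-of-custody log, re-verifies the image before analysis, searches it for keywords (reading in overlapping chunks so a hit on a block boundary is not missed), and emits a JSON report. The case number, file names and keywords are placeholders chosen for the example.

```python
"""Walk-through of preservation, acquisition, analysis and reporting on a
constructed 'device' file: bit-for-bit image, hash verification,
chain-of-custody log, keyword search, and a JSON report."""
import datetime
import hashlib
import json
import os
import tempfile

BLOCK = 4096                      # read/write granularity for imaging
CASE_ID = "CASE-0000-EXAMPLE"     # constructed placeholder, not a real case number


def now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def sha256_file(path):
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, custody):
    """Preservation/acquisition: copy `source` bit-for-bit to `image`, hashing
    the source as it is read, then re-hash the written image and compare.
    The source is only ever opened read-only. Returns True if hashes match."""
    src, copied = hashlib.sha256(), 0
    with open(source, "rb") as s, open(image, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            src.update(chunk)
            d.write(chunk)
            copied += len(chunk)
    src_hash, img_hash = src.hexdigest(), sha256_file(image)
    custody.append({"ts": now(), "action": "acquire", "source": source,
                    "image": image, "bytes": copied,
                    "source_sha256": src_hash, "image_sha256": img_hash})
    return src_hash == img_hash


def verify(image, expected_sha256, custody):
    """Re-hash the image before any analysis; a mismatch means the evidence
    was altered (or the wrong file was handed over) since acquisition."""
    ok = sha256_file(image) == expected_sha256
    custody.append({"ts": now(), "action": "verify", "image": image, "ok": ok})
    return ok


def keyword_hits(image, keywords):
    """Analysis: byte offsets of each keyword in the image. Each chunk is
    prefixed with the last (longest keyword - 1) bytes of the previous one so
    a hit straddling a block boundary is still found; a set drops the
    duplicate that the overlap would otherwise produce."""
    overlap = max(len(k) for k in keywords) - 1
    seen, tail, base = set(), b"", 0
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            buf, buf_base = tail + chunk, base - len(tail)
            for kw in keywords:
                i = buf.find(kw)
                while i != -1:
                    seen.add((kw.decode(), buf_base + i))
                    i = buf.find(kw, i + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(chunk)
    return sorted(seen, key=lambda h: (h[1], h[0]))


def report(image_hash, hits, custody):
    """Reporting: what the examiner did and found, in machine-readable form."""
    return {"case": CASE_ID, "generated": now(), "image_sha256": image_hash,
            "findings": [{"keyword": k, "offset": o} for k, o in hits],
            "chain_of_custody": custody}


def tampered_copy_detected(image, image_hash):
    """Failure mode: flip one byte in a copy of the image and confirm that
    verify() rejects it. Returns True when the tampering is detected."""
    data = bytearray(open(image, "rb").read())
    data[0] ^= 0x01
    tampered = image + ".tampered"
    with open(tampered, "wb") as f:
        f.write(data)
    return not verify(tampered, image_hash, [])


def run_example(workdir=None):
    """Constructed evidence: zero-filled 'device' holding two keywords, one of
    them placed across the first block boundary. Returns the report dict."""
    workdir = workdir or tempfile.mkdtemp(prefix="case_")
    source = os.path.join(workdir, "suspect_device.bin")
    image = os.path.join(workdir, "suspect_device.raw")
    data = bytearray(3 * BLOCK)
    data[100:111] = b"invoice.pdf"
    data[BLOCK - 5:BLOCK + 6] = b"secret-plan"     # straddles offset 4096
    with open(source, "wb") as f:
        f.write(data)
    custody = []
    if not acquire(source, image, custody):
        raise RuntimeError("image hash does not match source")
    image_hash = custody[-1]["image_sha256"]
    if not verify(image, image_hash, custody):
        raise RuntimeError("image changed between acquisition and analysis")
    hits = keyword_hits(image, [b"secret-plan", b"invoice.pdf"])
    return report(image_hash, hits, custody)


if __name__ == "__main__":
    rep = run_example()
    print(json.dumps(rep, indent=2))
    print("tamper detected:", tampered_copy_detected(rep["chain_of_custody"][0]["image"],
                                                     rep["image_sha256"]))
```

On a real disk the source would be a block device opened read-only behind a hardware write blocker, and the acquisition and verification hashes would be recorded by hand on the custody form as well as in the log; the structure of the steps is the same.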
How many types of computer forensics are there?
There are multiple types of computer forensics depending on the field in which digital investigation
is needed. The fields are:
• Network forensics: This involves monitoring and analyzing the network traffic to and from
the criminal’s network. The tools used here are network intrusion detection systems and other
automated tools.
• Email forensics: In this type of forensics, the experts check the email of the criminal and
recover deleted email threads to extract crucial information related to the case.
• Malware forensics: This branch of forensics deals with hacking-related crimes. Here, the
forensics expert examines the malware, such as trojans, to identify the hacker behind it.
• Memory forensics: This branch of forensics deals with collecting raw data from memory (cache,
RAM, etc.) and then retrieving information from that data.
• Mobile Phone forensics: This branch of forensics generally deals with mobile phones. They
examine and analyze data from the mobile phone.
• Database forensics: This branch of forensics examines and analyzes the data from databases
and their related metadata.
• Disk forensics: This branch of forensics extracts data from storage media by searching
modified, active, or deleted files.
Advantages
• Cyber forensics ensures the integrity of the computer.
• Through cyber forensics, many people, companies, etc. get to know about such crimes, and can
thus take proper measures to avoid them.
• Cyber forensics finds evidence on digital devices and then presents it in court, which can
lead to the punishment of the culprit.
• It efficiently tracks down the culprit anywhere in the world.
• It helps people and organizations protect their money and time.
• The relevant data can be publicized and used to make the public aware of such crimes.
What are the required set of skills needed to be a cyber forensic expert?
The following skills are required to be a cyber forensic expert:
• As we know, cyber forensics is based on technology, so knowledge of various technologies,
computers, mobile phones, network hacks, security breaches, etc. is required.
• The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
• The expert must be aware of criminal laws, a criminal investigation, etc.
• As we know, over time technology always changes, so the experts must be updated with the
latest technology.
• Cyber forensic experts must be able to analyse the data, derive conclusions from it and make
proper interpretations.
• The communication skill of the expert must be good so that while presenting evidence in front
of the court, everyone understands each detail with clarity.
• The expert must have strong knowledge of basic cyber security.
How to write a computer forensics report?
1. Executive Summary: The Executive Summary section of a computer forensics report template
provides the background conditions that created the need for an investigation.
2. Objectives: The Objectives section is used to outline all tasks that the investigation planned to
complete.
3. Computer Evidence Analyzed: The Computer Evidence Analyzed section is where all gathered
evidence and its interpretation are introduced. It provides detailed information.
4. Relevant Findings: The Relevant Findings section gives a summary of the evidence found that has
probative value, for example when a match is found with forensic material recovered from a crime
scene (a fingerprint, a strand of hair, a shoe print, etc.).
5. Supporting Details: Supporting Details is the section where the in-depth analysis of the relevant
findings is done.
6. Investigative Leads: The Investigative Leads section lists action items that could help to discover
additional information related to the investigation of the case. The investigators perform all
outstanding tasks to find extra information if more time is left.
7. Additional Subsections: Various additional subsections are included in a forensic report.
• Attacker Methodology – This section gives an additional briefing to help the reader understand
the general or exact attacks performed.
• User Applications – In this section we discuss the relevant applications installed on the media
analyzed, because in many cases applications are present on the system.
• Internet Activity – The Internet Activity or Web Browsing History section gives the web surfing
history of the user of the media analyzed.
• Recommendations – This section gives recommendations to posture the client to be better
prepared and trained for the next computer security incident.
What is an ISMS (Information Security Management System)?
1. ISMS stands for ‘Information Security Management System’.
2. An ISMS includes policies, processes and procedures to manage information security risks in a
structured and systematic way.
3. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the
impact of a security breach.
4. An ISMS identifies the organizational assets and provides the following assessment:
• the risks the information assets face;
• the steps taken to protect the information assets;
• a plan of action in case a security breach happens; and
• identification of individuals responsible for each step of the information security process.
ISO 27001:2013:
ISO 27001:2013 is an international standard that sets the requirements for establishing,
implementing, maintaining, and continually improving an Information Security Management System
(ISMS).
ISMS is a framework of policies, procedures, and controls designed to manage an organization's
information security risks.
The standard provides guidance on risk assessment, risk management, incident response, security
controls, and ongoing monitoring and review of the ISMS.
Implementing ISO 27001:2013 helps organizations establish a systematic approach to information
security and demonstrate their commitment to protecting sensitive information.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and
continually improving an information security management system within the context of the
organization. It also includes requirements for the assessment and treatment of information security
risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are
generic and are intended to be applicable to all organizations, regardless of type, size or nature.