Cyber Forensics
2.6.1. Definition
Computer forensics, also called forensic computing or cyber forensics, is the youngest branch of forensic science. It applies thoroughly peer-reviewed techniques and procedures and well-tested tools to the preservation, identification, extraction, interpretation and documentation of computer evidence. There are various definitions; a few are:
"Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence" (Judd Robbins).
"Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable" (Rodney McKemmish, 1999).
The study of evidence from attacks on computer systems in order to learn what has occurred,
how to prevent it from recurring, and the extent of the damage (McGraw-Hill Dictionary of
Scientific & Technical Terms).
2.6.2. Classification of Cyber Forensics
The branch of cyber forensics can be classified into various sub-branches. Some of these sub-branches are:
Disk forensics deals with extracting data and information from storage media by searching active and deleted files, as well as unallocated and slack space.
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of
computer network traffic for the purposes of information gathering, legal evidence or intrusion
detection. Unlike other areas of digital forensics, network investigations deal with volatile and
dynamic information. Network traffic is transmitted and then lost, so network forensics is often a
pro-active investigation.
Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is
to provide the methodology and tools required to collect and analyze wireless network traffic
data. The data collected can correspond to plain data or, with the broad usage of Voice-over-IP
(VoIP) technologies, especially over wireless, can include voice conversations.
Database Forensics is a branch of digital forensic science relating to the forensic study of
databases and their related metadata. A forensic examination of a database may relate to the
timestamps that apply to the row (update time) in a relational table being inspected and tested for
validity in order to verify the actions of a database user.
Malware forensics deals with investigating and analyzing malicious code to identify malware such as viruses, Trojans, worms and keyloggers, and to study their payloads.
Mobile device forensics deals with examining and analyzing mobile devices such as mobile phones and pagers to retrieve the address book, call logs (missed, dialed, received), paired-device history, incoming and outgoing SMS/MMS, videos, photos, audio, etc.
GPS forensics, also known as SatNav forensics, is a relatively new discipline within the fast-paced world of mobile device forensics. It is used for examining and analyzing GPS devices to retrieve track logs, track points, waypoints, routes and stored locations (home, office, etc.).
E-mail forensics deals with the recovery and analysis of e-mails, including deleted e-mails, calendars and contacts.
Memory Forensics deals with collecting data from system memory (e.g., system registers, cache,
RAM) in raw form and carving the data from the raw dump.
What Cyber Forensics Can Reveal?
According to Judd Robbins, the expectations from cyber forensics are that it:
Protects the subject computer system during the forensic examination from any possible
alteration, damage, data corruption, or virus introduction;
Discovers all files on the subject system. This includes existing normal files, deleted yet
remaining files, hidden files, password-protected files, and encrypted files;
Recovers all (or as much as possible) of discovered deleted files;
Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files
used by both the application programs and the operating system;
Accesses (if possible and if legally appropriate) the contents of protected or encrypted files;
Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk;
Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data; and
Provides expert consultation and/or testimony, as required.
The cyber forensics process encompasses five key elements:
The identification and acquisition of digital evidence: knowing what evidence is present, where it is stored and how it is stored is vital in determining which processes are to be employed to facilitate its recovery. In addition, the cyber forensic examiner must be able to identify the type of information stored in a device and the format in which it is stored, so that the appropriate technology can be used to extract it. After the evidence is identified, the cyber forensic examiner/investigator should image (clone) the hard disk or other storage media.
The preservation of digital evidence is a critical element in the forensic process. Any examination of the electronically stored data should be carried out in the least intrusive manner. Any alteration to data that is of evidentiary value must be accounted for and justified.
The analysis of digital evidence (the extraction, processing and interpretation of digital data) is generally regarded as the main element of cyber forensics. Extraction produces raw binary data, which must be processed to make it human-readable.
Reporting the findings means presenting them in a simple, lucid manner so that any person can understand them. The report should be in simple terms, giving a description of the items, the process adopted for analysis and the chain of custody, hard and soft copies of the findings, a glossary of terms, etc.
The presentation of digital evidence involves deposing in a court of law regarding the findings and the credibility of the processes employed during analysis.
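The acquisition and preservation elements above, as an added example that is not from the source text: the device is imaged block by block while the stream is hashed, the digests go into an acquisition record, and the image is re-hashed later to prove it is unchanged. The device contents, the record fields and the 4 KiB block size are constructed for the demo.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity for the copy; chosen for the demo


def acquire_image(source, dest, block_size=BLOCK_SIZE):
    """Copy `source` to `dest` block by block, hashing exactly the bytes written,
    and return an acquisition record for the chain-of-custody file."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: source.read(block_size), b""):
        dest.write(block)
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify_image(image, record, block_size=BLOCK_SIZE):
    """Re-hash a stored image and report whether it still matches the record."""
    sha256 = hashlib.sha256()
    for block in iter(lambda: image.read(block_size), b""):
        sha256.update(block)
    return sha256.hexdigest() == record["sha256"]


# Constructed stand-in for a 12 KiB device: a sector-sized header, a short
# text fragment and zero-filled unallocated space.
NOTE = b"invoice.txt: pay ACME 4500"
FAKE_DEVICE = b"BOOT" + b"\x00" * 508 + NOTE + b"\x00" * (12288 - 512 - len(NOTE))


def demo():
    """Acquire the constructed device, verify the image, then show that one
    unaccounted-for write of three bytes is caught by re-verification."""
    image = io.BytesIO()
    record = acquire_image(io.BytesIO(FAKE_DEVICE), image)
    clean = verify_image(io.BytesIO(image.getvalue()), record)
    altered = image.getvalue()[:600] + b"XYZ" + image.getvalue()[603:]
    tampered = verify_image(io.BytesIO(altered), record)
    return record, clean, tampered
```

On a real device the source would be a block device opened read-only (ideally behind a hardware write blocker), and the record would be signed and stored with the image.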
2.6.4. What can the IO expect from Cyber Forensic Analysis?
Data Recovery: includes recovering and analyzing deleted files that have not been
overwritten, as well as carving out portions of files and text from unallocated and slack space.
String and Keyword Searching: involves looking at known and unknown files, as well as
unallocated and slack space, to identify readable text within a binary file or to find a file that
contains a specific string.
Volatile Evidence Analysis: gives the analyst the ability to see what state the system is currently in by peering into connections, processes and cache tables.
Timeline Analysis: is the process whereby a timeline of events is created and analyzed based
on the modified, accessed and changed times associated with all files that were imaged.
System File Analysis: reveals unauthorized changes to system binaries.
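Two of the items above, data recovery by carving and keyword searching, as an added example that is not part of the source text: it carves contiguous JPEG and PNG files out of a raw dump by header/trailer signature and searches the same dump for printable ASCII and UTF-16LE strings containing a keyword. The dump, the file bodies and the keyword are constructed for the demo.

```python
import re

# (header, trailer) signatures for two common file types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(dump, signatures=SIGNATURES, max_len=16 * 1024 * 1024):
    """Return a sorted list of (offset, kind, data) for every contiguous
    header..trailer span in the raw dump; fragmented files are not recovered."""
    found = []
    for kind, (head, tail) in signatures.items():
        start = dump.find(head)
        while start != -1:
            end = dump.find(tail, start + len(head), start + max_len)
            if end == -1:  # header with no trailer in range: skip this header
                start = dump.find(head, start + 1)
                continue
            end += len(tail)
            found.append((start, kind, dump[start:end]))
            start = dump.find(head, end)
    return sorted(found)

def keyword_search(dump, keywords, min_run=4):
    """Extract printable ASCII and UTF-16LE runs and return (offset, encoding,
    text) for each run that contains any keyword, case-insensitively."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_run,
        "utf-16le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_run,
    }
    hits = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, dump):
            text = m.group().decode(enc)
            if any(k.lower() in text.lower() for k in keywords):
                hits.append((m.start(), enc, text))
    return sorted(hits)

# Constructed raw dump: a deleted JPEG and PNG in unallocated space separated
# by slack bytes, plus one ASCII note and one UTF-16LE note naming a company.
DUMP = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0JFIF-constructed-body\xff\xd9"
    + b"\x00" * 32 + b"memo: wire to ACME Ltd\x00" + b"\x00" * 16
    + b"\x89PNG\r\n\x1a\nIHDR-constructed-bodyIEND\xaeB`\x82"
    + "Acme Ltd invoice".encode("utf-16le") + b"\x00" * 48
)
```

The UTF-16LE pattern matters on Windows images, where much user text is stored that way and a plain ASCII string search would miss it.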