UNIT-4 Cybersecurity Complete Notes

Uploaded by vanshsri003

Dr. Kaushal Kishor

Unit-4
UNDERSTANDING COMPUTER FORENSICS

Computer Forensics: It is a scientific method of investigation and analysis in order to gather evidence from digital devices or computer networks and components which is suitable for presentation in a court of law or legal body. It involves performing a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Types of Computer Forensics:

1. Disk Forensics: It deals with extracting raw data from the primary or secondary storage of the device by searching active, modified, or deleted files.
2. Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring and analysing the computer network traffic.
3. Database Forensics: It deals with the study and examination of databases and their related metadata.
4. Malware Forensics: It deals with the identification of suspicious code and studying viruses, worms, etc.
5. Email Forensics: It deals with emails and their recovery and analysis, including deleted emails, calendars, and contacts.
6. Memory Forensics: Deals with collecting data from system memory (system registers, cache, RAM) in raw form and then analysing it for further investigation.
7. Mobile Phone Forensics: It mainly deals with the examination and analysis of phones and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, etc., and other data present in it.

Characteristics:
1. Identification: Identifying what evidence is present, where it is stored, and how it is stored (in which format). Electronic devices can be personal computers, mobile phones, PDAs, etc.
2. Preservation: Data is isolated, secured, and preserved. It includes prohibiting unauthorised personnel from using the digital device so that digital evidence, mistakenly or purposely, is not tampered with, and making a copy of the original evidence.
3. Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions based on evidence.
4. Documentation: A record of all the visible data is created. It helps in recreating and reviewing the crime scene. All the findings from the investigations are documented.
5. Presentation: All the documented findings are produced in a court of law for further investigations.

Application:
● Intellectual Property theft
● Industrial espionage
● Employment disputes
● Fraud investigations
● Misuse of the Internet and email in the workplace
● Forgery-related matters
● Bankruptcy investigations
● Issues concerning regulatory compliance

Advantages of Computer Forensics:
● To produce evidence in the court, which can lead to the punishment of the culprit.
● It helps companies gather important information when their computer systems or networks have potentially been compromised.
● Efficiently tracks down cyber criminals from anywhere in the world.
● Helps to protect the organisation's money and valuable time.
● Allows investigators to extract, process, and interpret the factual evidence, so that it proves the cybercriminal's actions in court.

Disadvantages of Computer Forensics:
● Before the digital evidence is accepted into court it must be proved that it has not been tampered with.
● Producing and keeping electronic records safe is expensive.
● Legal practitioners must have extensive computer knowledge.
● Need to produce authentic and convincing evidence.
● If the tool used for digital forensics is not according to specified standards, then the evidence can be rejected in a court of law.
● A lack of technical knowledge by the investigating officer might not offer the desired result.

Digital Forensic Science:

● Digital Forensics is a branch of forensic science which includes the identification, collection, analysis and reporting of any valuable digital information in the digital devices related to computer crimes, as a part of the investigation.
● In simple words, Digital Forensics is the process of identifying, preserving, analysing and presenting digital evidence.
● The first computer crimes were recognised in the 1978 Florida Computer Crimes Act, and after this the field of digital forensics grew rapidly in the late 1980s and 1990s.
● It includes areas of analysis like storage media, hardware, operating system, network and applications.

It consists of 5 steps at a high level:

1. Identification of evidence: It includes identifying evidence related to the digital crime in storage media, hardware, operating system, network and/or applications. It is the most important and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: It includes analysing the collected digital evidence of the committed computer crime in order to trace the criminal and the possible path used to breach into the system.
4. Documentation: It includes the proper documentation of the whole digital investigation, digital evidence, loopholes of the attacked system etc. so that the case can be studied and analysed in future and can be presented in the court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in the court in order to prove the digital crime committed and identify the criminal.

Branches of Digital Forensics:

● Media forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of audio, video and image evidence during the investigation process.
● Cyber forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a cyber crime.
● Mobile forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a crime committed through a mobile device like a mobile phone, GPS device, tablet or laptop.
● Software forensics: It is the branch of digital forensics which includes identification, collection, analysis and presentation of digital evidence during the investigation of a crime related to software only.

The Need for Computer Forensics:

1. Rising Cyber Crime Rates: With the increasing prevalence of cybercrimes, including hacking, data breaches, and online fraud, there is a growing need for computer forensics to investigate and respond to digital incidents.
2. Digital Evidence in Legal Proceedings: As digital evidence becomes integral to legal proceedings, computer forensics plays a crucial role in collecting, analysing, and presenting this evidence in a forensically sound and legally admissible manner.
3. Protection of Sensitive Information: Organisations and individuals need computer forensics to safeguard sensitive information from unauthorised access, ensuring the confidentiality and integrity of digital data.
4. Corporate Security: In the corporate world, computer forensics is essential for responding to incidents such as data breaches, insider threats, and intellectual property theft, helping organisations maintain a secure digital environment.
5. Incident Response and Mitigation: Computer forensics aids in incident response by providing methodologies and tools to quickly identify and mitigate cybersecurity incidents, minimising potential damage.
6. Legal Compliance: Compliance with legal standards and regulations requires organisations to conduct thorough investigations using computer forensics when dealing with digital incidents or potential data breaches.
7. Recovery of Lost or Deleted Data: Computer forensics helps in the recovery of lost or deleted data, which can be critical in both criminal investigations and corporate settings.
8. Prevention and Deterrence: The knowledge that computer forensics can uncover and trace digital activities serves as a deterrent, discouraging potential cybercriminals and contributing to overall cybersecurity awareness.
9. Employee Misconduct Investigations: In cases of employee misconduct or policy violations, computer forensics assists organisations in investigating and documenting digital evidence related to such incidents.
10. Identification of Security Weaknesses: Computer forensics helps identify security weaknesses and vulnerabilities in digital systems, enabling organisations to implement effective security measures and protocols.
11. International Collaboration: With the global nature of cyber crimes, computer forensics facilitates international collaboration among law enforcement agencies and cybersecurity professionals to combat digital threats.
12. Criminal Investigations: In criminal investigations, computer forensics is indispensable for examining electronic evidence, reconstructing digital timelines, and identifying individuals involved in cybercrimes.
13. Support for Law Enforcement: Law enforcement agencies rely on computer forensics to gather evidence in cybercrime cases, track digital footprints, and prosecute individuals engaged in illegal online activities.
14. Continuous Technological Advancements: The ever-evolving landscape of technology and cyber threats necessitates ongoing advancements in computer forensics tools and techniques to stay ahead of sophisticated cybercriminal tactics.

Cyber Forensics: Cyber forensics is a process of extracting data as proof for a crime (that involves electronic devices) while following proper investigation rules to nab the culprit by presenting the evidence to the court. Cyber forensics is also known as computer forensics. The main aim of cyber forensics is to maintain the thread of evidence and documentation to find out who committed the crime digitally. Cyber forensics can do the following:
● It can recover deleted files, chat logs, emails, etc.
● It can also get deleted SMS and phone calls.
● It can get recorded audio of phone conversations.
● It can determine which user used which system and for how much time.
● It can identify which user ran which program.

What is Digital Evidence?

● The term "Digital Evidence" means the information that is transmitted and stored in binary form that can be found in hard disks, mobile phones etc.
● It can be used for prosecution of various crimes but it is generally associated with E-Crimes.
● Digital evidence is described as information and data kept on, received from, or transferred by an electronic device that is useful to an investigation.
● When electronic devices are taken into custody and secured for inspection, this evidence can be obtained.

Properties of digital evidence:
1. Similar to fingerprints or DNA evidence, it is latent (hidden).
2. Swift and simple jurisdictional border crossing.
3. Can be easily changed, damaged, or destroyed.
4. Potentially time-sensitive.

Process involved in Digital Evidence Collection: The main processes involved in digital evidence collection are given below:

● Data collection: In this process data is identified and collected for investigation.
● Examination: In the second step the collected data is examined carefully.
● Analysis: In this process, different tools and techniques are used and the collected evidence is analysed to reach some conclusion.
● Reporting: In this final step all the documentation and reports are compiled so that they can be submitted in court.

Forensic Analysis of E-Mail:
● Email forensics involves the systematic examination and analysis of email data to gather evidence for investigative or legal purposes.
● It plays a crucial role in cybercrime investigations, corporate incidents, and legal proceedings.

1. Collection of Email Evidence:
● Metadata Extraction: Collect metadata, including sender and recipient details, timestamps, and email server information.
● Email Headers: Examine email headers for routing information and details about the email's journey.
● Attachments and Content: Extract and analyse email attachments and content for potential evidence.

2. Preservation of Email Evidence:
● Original Email Preservation: Preserve original email content, headers, and metadata to maintain authenticity.
● Chain of Custody: Document and maintain a secure chain of custody to track the handling of email evidence.

3. Email Analysis Techniques:
● Keyword Search: Conduct keyword searches to identify relevant information within email content.
● Link Analysis: Analyse relationships between email senders, recipients, and other entities to uncover patterns or connections.
● Timeline Reconstruction: Reconstruct timelines of email exchanges to understand the sequence of events.
● Content Analysis: Analyse the content of emails for contextual clues, threats, or indications of malicious activity.

4. Authentication and Verification:
● Email Source Verification: Verify the authenticity of emails by examining the source, SPF/DKIM signatures, and sender information.
● Sender Authentication: Validate the identity of the sender through forensic analysis to prevent email spoofing.

5. Investigation of Email Attachments:
● Malware Analysis: Conduct analysis on email attachments to identify and characterise potential malware.
● File Metadata Examination: Examine metadata of attached files for additional insights into their origin and history.

6. Email Header Examination:
● IP Address Analysis: Analyse IP addresses in email headers to trace the geographic location or identify potential malicious activities.
● Email Routing Analysis: Examine email routing paths to understand the journey of the email through different servers.

7. Recovering Deleted Emails: Employ forensic techniques to recover deleted emails, including examining email server logs and backup systems.

8. Legal Admissibility: Ensure that the methods used in email forensics adhere to legal standards, making the evidence admissible in court.

9. Reporting: Generate comprehensive reports documenting the findings of the email forensics analysis, including key evidence, methodologies used, and conclusions drawn.
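The metadata extraction (step 1), SPF/DKIM verification (step 4) and header examination (step 6) above are usually done together on the raw headers. The following is an added example, not code from the notes: it parses a constructed message (reserved documentation hostnames and addresses), puts the Received hops back into chronological order, reads the Authentication-Results header, and applies a few review rules of the example's own (SPF/DKIM outcome, missing reverse DNS, chain continuity, timestamps running backwards). Only the standard library is used.

```python
"""Extract routing and authentication metadata from an email's headers and
rebuild the message's journey hop by hop.  Added illustration, not code from the
notes; the message is a constructed sample using reserved documentation names
and addresses, and the 'findings' rules are this example's own."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample.  Each relay prepends its own Received header, so the
# top one is the last hop and the bottom one is where the message entered.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    by inbox.example.net with ESMTPS id abc123;
    Tue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.net with ESMTPS id def456;
    Tue, 5 Mar 2024 10:02:05 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
    by relay.example.org with ESMTP id ghi789;
    Tue, 5 Mar 2024 10:01:58 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none
From: "Accounts" <accounts@example.com>
To: victim@example.net
Subject: Invoice attached
Date: Tue, 5 Mar 2024 10:01:50 +0000
Message-ID: <20240305100150.1@example.com>

Please see the attached invoice.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def parse_received(msg):
    """Return the hops in chronological order (origin first)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()      # unfold the header
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                                   # unparsable hop: keep going
        hops.append({"helo": m["helo"], "from_rdns": m["rdns"], "from_ip": m["ip"],
                     "by": m["by"], "time": parsedate_to_datetime(m["date"].strip())})
    hops.reverse()                                     # headers were prepended
    return hops


def parse_auth_results(msg):
    """Pick spf=/dkim=/dmarc= outcomes out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def analyse(raw):
    msg = message_from_string(raw)
    hops = parse_received(msg)
    auth = parse_auth_results(msg)
    findings = []
    if auth.get("spf") == "fail":
        findings.append("SPF failed: sending host not authorised for the envelope-from domain")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature: headers and body not bound to the claimed sender")
    if hops and hops[0]["from_rdns"] == "unknown":
        findings.append(f"originating host {hops[0]['from_ip']} has no reverse DNS")
    for earlier, later in zip(hops, hops[1:]):
        if later["helo"] != earlier["by"]:             # each hop's 'from' should be the previous 'by'
            findings.append(f"break in Received chain: {earlier['by']} -> {later['helo']}")
        if later["time"] < earlier["time"]:
            findings.append("Received timestamps go backwards (clock skew or forged header)")
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "message_id": msg.get("Message-ID"),
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "hops": hops,
        "auth": auth,
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds() if hops else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(RAW_EMAIL)
    for hop in report["hops"]:
        print(hop["time"].isoformat(), hop["from_ip"], "->", hop["by"])
    print(report["auth"], report["findings"], sep="\n")
```

The `Received` chain is only as trustworthy as the relays that wrote it: everything below the first header added by your own mail server could have been inserted by the sender, which is why the chain-continuity and timestamp checks are applied and why the origin IP is recorded as a lead rather than a conclusion.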

Digital Forensics Life Cycle:

● The digital forensics life cycle consists of a series of systematic steps and processes aimed at identifying, collecting, analysing, and preserving digital evidence in a forensically sound manner.
● This life cycle is followed in the investigation of cybercrimes, incidents, or any digital-related legal matters.

Here are the key stages of the digital forensics life cycle:

1. Identification of evidence: It includes identifying evidence related to the digital crime in storage media, hardware, operating system, network and/or applications. It is the most important and basic step.
2. Collection: It includes preserving the digital evidence identified in the first step so that it does not degrade or vanish with time. Preserving the digital evidence is very important and crucial.
3. Analysis: It includes analysing the collected digital evidence of the committed computer crime in order to trace the criminal and the possible path used to breach into the system.
4. Documentation: It includes the proper documentation of the whole digital investigation, digital evidence, loopholes of the attacked system etc. so that the case can be studied and analysed in future and can be presented in the court in a proper format.
5. Presentation: It includes the presentation of all the digital evidence and documentation in the court in order to prove the digital crime committed and identify the criminal.

Chain of Custody Concept in Digital Forensics:

The chain of custody in digital cyber forensics is also known as the paper trail or forensic link: the chronological documentation of the evidence.
● Chain of custody indicates the collection, sequence of control, transfer and analysis.
● It also documents details of each person who handled the evidence, the date and time it was collected or transferred, and the purpose of the transfer.
● It demonstrates trust to the courts and to the client that the evidence has not been tampered with.

Chain of Custody Process:

In order to preserve digital evidence, the chain of custody should span from the first step of data collection to examination, analysis, reporting, and the time of presentation to the Courts. This is very important to avoid the possibility of any suggestion that the evidence has been compromised in any way.

● Data Collection: This is where the chain of custody process is initiated. It involves identification, labelling, recording, and the acquisition of data from all the possible relevant sources in a way that preserves the integrity of the data and evidence collected.
● Examination: During this process, the chain of custody information is documented, outlining the forensic process undertaken. It is important to capture screenshots throughout the process to show the tasks that are completed and the evidence uncovered.
● Analysis: This stage is the result of the examination stage. In the Analysis stage, legally justifiable methods and techniques are used to derive useful information to address questions posed in the particular case.
● Reporting: This is the documentation phase of the Examination and Analysis stage. Reporting includes the following:
a. Statement regarding Chain of Custody.
b. Explanation of the various tools used.
c. A description of the analysis of various data sources.
d. Issues identified.
e. Vulnerabilities identified.
f. Recommendation for additional forensics measures that can be taken.

Network Forensics:
● Network forensics is a subcategory of digital forensics that essentially deals with the examination of a network and the traffic going across it when that network is suspected of being involved in malicious activities, for example a network that is spreading malware for stealing credentials, and with the investigation and analysis of cyber-attacks.
● As the internet grew, cybercrimes also grew along with it, and so did the significance of network forensics, with the development and acceptance of network-based services such as the World Wide Web, e-mails, and others.
● With the help of network forensics, the entire data can be retrieved, including messages, file transfers, e-mails, and web browsing history, and reconstructed to expose the original transaction.
● It is also possible that the payload in the uppermost-layer packet might wind up on the disk, but the envelopes used for delivering it are only captured in network traffic.
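The reconstruction step described above (retrieving the data carried by the traffic and reassembling it to expose the original transaction) is, at the TCP level, a matter of putting captured segments back in sequence-number order, discarding retransmitted bytes and noting where the sensor missed a segment. The following is an added example, not code from the notes: the capture is a constructed HTTP request/response between reserved documentation addresses, recorded out of order and with one retransmission.

```python
"""Reassemble an application-layer exchange from captured TCP segments.
Added illustration, not code from the notes: the capture below is a constructed
HTTP request/response recorded out of order, with one retransmitted segment,
using reserved documentation addresses."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed capture: segments in the order the sensor saw them (not in order).
CAPTURE = [
    Segment("203.0.113.5:51000", "192.0.2.10:80", 1000, b"GET /login HTTP/1.1\r\n"),
    Segment("192.0.2.10:80", "203.0.113.5:51000", 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.5:51000", "192.0.2.10:80", 1039, b"Cookie: session=abc123\r\n\r\n"),
    Segment("203.0.113.5:51000", "192.0.2.10:80", 1021, b"Host: 192.0.2.10\r\n"),
    Segment("203.0.113.5:51000", "192.0.2.10:80", 1021, b"Host: 192.0.2.10\r\n"),  # retransmission
    Segment("192.0.2.10:80", "203.0.113.5:51000", 5017, b"Content-Length: 2\r\n\r\nok"),
]


def reassemble(segments):
    """Group segments by direction, order them by sequence number, drop
    retransmitted bytes and record any holes left by segments the sensor missed.
    Returns {(src, dst): {"data": bytes, "gaps": [(missing_from, missing_to), ...]}}."""
    by_direction = defaultdict(list)
    for seg in segments:
        by_direction[(seg.src, seg.dst)].append(seg)

    streams = {}
    for direction, segs in by_direction.items():
        segs.sort(key=lambda s: s.seq)
        data = bytearray()
        gaps = []
        expected = segs[0].seq          # next sequence number not yet stored
        for seg in segs:
            end = seg.seq + len(seg.payload)
            if end <= expected:
                continue                # full duplicate: every byte already stored
            if seg.seq > expected:
                gaps.append((expected, seg.seq))
                data.extend(b"\x00" * (seg.seq - expected))   # placeholder for lost bytes
                expected = seg.seq
            data.extend(seg.payload[expected - seg.seq:])     # skip any overlapping prefix
            expected = end
        streams[direction] = {"data": bytes(data), "gaps": gaps}
    return streams


def transaction_text(streams):
    """Render each direction as text for the report, noting lost byte ranges."""
    lines = []
    for (src, dst), stream in streams.items():
        lines.append(f"{src} -> {dst} ({len(stream['data'])} bytes, {len(stream['gaps'])} gap(s))")
        lines.append(stream["data"].decode("ascii", errors="replace"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(transaction_text(reassemble(CAPTURE)))
```

The placeholder bytes are kept so that offsets in the reassembled stream still line up with sequence numbers; the gap list is what goes into the report, because a hole in the capture limits what can be claimed about the exchange.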

Processes Involved in Network Forensics:

● Identification: In this process, investigators identify and evaluate the incident based on the network pointers.
● Safeguarding: In this process, the investigators preserve and secure the data so that tampering can be prevented.
● Accumulation: In this step, a detailed report of the crime scene is documented and all the collected digital shreds of evidence are duplicated.
● Observation: In this process, all the visible data is tracked along with the metadata.
● Investigation: In this process, a final conclusion is drawn from the collected shreds of evidence.
● Documentation: In this process, all the shreds of evidence, reports and conclusions are documented and presented in court.

Challenges in Network Forensics:
● The biggest challenge is to manage the data generated during the process.
● Intrinsic anonymity of the IP.
● Address Spoofing.

Advantages:
● Network forensics helps in identifying security threats and vulnerabilities.
● It analyses and monitors network performance demands.
● Network forensics helps in reducing downtime.
● Network resources can be used in a better way by reporting and better planning.
● It helps in a detailed network search for any trace of evidence left on the network.

Disadvantage:
● The only disadvantage of network forensics is that it is difficult to implement.

Approaching a computer forensics investigation: The phases in a computer forensics investigation are:
● Secure the subject system
● Take a copy of the hard drive/disk
● Identify and recover all files
● Access/view/copy hidden, protected, and temp files
● Study special areas on the drive
● Investigate the settings and any data from programs on the system
● Consider the system from various perspectives
● Create a detailed report containing an assessment of the data and information collected

Things to be avoided during a forensics investigation:
● Changing date/timestamps of the files
● Overwriting unallocated space

Things that should not be avoided during a forensics investigation:
● Engagement contract
● Non-Disclosure Agreement (NDA)

Elements addressed before drawing up a forensics investigation engagement contract:
● Authorization
● Confidentiality
● Payment
● Consent and acknowledgement
● Limitation of liability

General steps in solving a computer forensics case are:
● Prepare for the forensic examination
● Talk to key people about the case and what you are looking for
● Start assembling tools to collect the data and identify the target media
● Collect the data from the target media
● Use a write-blocking tool while performing imaging of the disk
● Check email records too while collecting evidence
● Examine the collected evidence on the image that is created
● Analyse the evidence
● Report your findings to your client
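The imaging steps above (copy the disk behind a write blocker, then examine the image rather than the original) and the chain-of-custody section earlier both rest on the same mechanism: hash the media before and after acquisition, and log every hash and hand-over so the image can be re-verified at any later point. The following is an added example, not code from the notes: the "media" is a constructed file in a temporary directory, the JSON-lines custody record is this example's own format, and the read-only permission bit merely stands in for a hardware write blocker, which no software setting replaces.

```python
"""Image a piece of media into a working copy, verify the copy by hash, and
keep a chain-of-custody log that can be re-checked later.  Added illustration,
not code from the notes: the 'media' is a constructed file in a temporary
directory, the JSON-lines custody record is this example's own format, and the
read-only permission bit only stands in for a hardware write blocker."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record(log, examiner, action, item, item_hash, **details):
    """Append one custody entry: who, when, what was done, and the item's hash at that moment."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item": item, "sha256": item_hash, **details}
    with open(log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire(source, image, log, examiner):
    """Hash the source, copy it, hash the copy, and log the acquisition.
    Returns (verified, image_hash); analysis must only ever touch the image."""
    source_hash = sha256_of(source)
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)                 # keep the image read-only; work on further copies
    image_hash = sha256_of(image)
    verified = source_hash == image_hash
    record(log, examiner, "acquisition", image, image_hash,
           source=source, source_sha256=source_hash, verified=verified)
    return verified, image_hash


def verify_custody(log, image):
    """Re-hash the image now and compare with every hash ever logged for it."""
    current = sha256_of(image)
    with open(log, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    logged = [e["sha256"] for e in entries if e["item"] == image]
    return bool(logged) and all(h == current for h in logged), current


def demo():
    """Acquisition, a logged transfer, a custody check, then a simulated alteration."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_media.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)          # constructed 1 MiB "device"
        image = os.path.join(workdir, "case001_disk.dd")
        log = os.path.join(workdir, "custody.jsonl")

        verified, _ = acquire(source, image, log, examiner="A. Examiner")
        record(log, "B. Examiner", "transfer", image, sha256_of(image), purpose="analysis")
        intact, _ = verify_custody(log, image)

        os.chmod(image, 0o644)                          # simulate an unlogged modification
        with open(image, "r+b") as f:
            f.write(b"X")
        still_intact, _ = verify_custody(log, image)
        return verified, intact, still_intact


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The last check is the one that matters in court: a single changed byte makes every previously logged hash disagree with the image, so the log either proves continuity or pinpoints the interval in which the evidence stopped matching its record.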


The Security/Privacy Threats:

● Security and privacy threats in the digital landscape are diverse and evolving.
● Understanding these threats is crucial for individuals, organisations, and policymakers to implement effective measures for protection.
Here are some key security and privacy threats:
1. Malware: Malicious software designed to harm or exploit computer systems.
● Threat Impact: Data theft, system damage, unauthorised access, and financial losses.
● Examples: Viruses, Trojans, ransomware, spyware.

2. Phishing: Deceptive attempts to obtain sensitive information, often through fraudulent emails or websites.
● Threat Impact: Identity theft, unauthorised access to accounts, financial fraud.
● Examples: Email phishing, spear phishing, vishing (voice phishing).

3. Data Breaches: Unauthorised access to and exposure of sensitive data.
● Threat Impact: Compromised personal information, financial losses, reputational damage.
● Examples: Hacking incidents, insider threats, accidental data leaks.

4. Social Engineering: Manipulating individuals to divulge confidential information or perform actions.
● Threat Impact: Unauthorised access, data breaches, identity theft.
● Examples: Impersonation, pretexting, baiting.

5. IoT Vulnerabilities: Security weaknesses in Internet of Things (IoT) devices.
● Threat Impact: Unauthorised access, device manipulation, data exposure.
● Examples: Insecure smart devices, lack of encryption in IoT communication.

6. Insider Threats: Threats originating from individuals within an organisation with access to sensitive information.
● Threat Impact: Data breaches, intellectual property theft, sabotage.
● Examples: Malicious employees, negligent behaviour, unintentional mistakes.

7. Ransomware: Malware that encrypts data, demanding payment for its release.
● Threat Impact: Data loss, financial losses, operational disruptions.
● Examples: WannaCry, NotPetya, Ryuk.

8. Identity Theft: Unauthorised use of someone's personal information for fraudulent purposes.
● Threat Impact: Financial fraud, damage to personal reputation.
● Examples: Stolen credentials, synthetic identity theft.

9. Artificial Intelligence (AI) Threats: Misuse of AI for malicious purposes or exploitation of AI vulnerabilities.
● Threat Impact: Deepfake creation, AI-powered cyberattacks.
● Examples: AI-driven phishing, adversarial attacks on machine learning models.

10. Eavesdropping: Unauthorised interception of communications.
● Threat Impact: Privacy invasion, data leakage, industrial espionage.
● Examples: Wiretapping, packet sniffing.

11. Cloud Security Concerns: Risks associated with storing and accessing data in cloud environments.
● Threat Impact: Data breaches, unauthorised access.
● Examples: Insecure APIs, misconfigured cloud settings.

12. Lack of Encryption: Failure to secure data with encryption, making it vulnerable to unauthorised access.
● Threat Impact: Data exposure, privacy violations.
● Examples: Unencrypted communication channels, unsecured storage.

13. Data Mining and Profiling: Unauthorised collection and analysis of personal data for profiling purposes.
● Threat Impact: Invasion of privacy, targeted advertising.
● Examples: Unethical data harvesting, profiling without consent.

14. Legislative and Regulatory Compliance: Failure to comply with data protection and privacy regulations.
● Threat Impact: Legal consequences, fines, reputational damage.
● Examples: GDPR violations, non-compliance with local privacy laws.

Challenges in Digital Forensics

1. Data Encryption: Encryption can make it difficult to access the data on a device or network, making it harder for forensic investigators to collect evidence. This can require specialised decryption tools and techniques.
2. Data Destruction: Criminals may attempt to destroy digital evidence by wiping or destroying devices. This can require specialised data recovery techniques.
3. Data Storage: The sheer amount of data that can be stored on modern digital devices can make it difficult for forensic investigators to locate relevant information. This can require specialised data carving techniques to extract relevant information.
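Data carving, mentioned in challenge 3 above, recovers files from a raw image without any file-system metadata by scanning for known header and footer byte signatures. The following is an added example, not code from the notes: the "image" is a constructed byte buffer in which a JPEG-shaped stub (header and footer only, not a decodable picture), a real 1x1 PNG built from scratch, and a JPEG header with no footer sit in zero filler, as deleted files do in unallocated space. The PNG chunk-CRC check shows how a carved candidate is validated before it is reported, since signature matches alone produce false positives.

```python
"""Signature-based file carving from a raw image.  Added illustration, not code
from the notes: the 'image' is a constructed byte buffer in which a JPEG-shaped
stub and a real 1x1 PNG sit in filler with no file-system entry pointing at
them, as happens after deletion."""
import hashlib
import struct
import zlib

# (header, footer) byte signatures; the PNG footer is the fixed IEND chunk + its CRC
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png():
    """A valid 1x1 red RGB PNG built from scratch (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


TINY_PNG = tiny_png()
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xff\xd9"  # stub, not decodable
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x02" * 20                                    # header but no footer
PNG_OFFSET = 512 + len(FAKE_JPEG) + 300
IMAGE = b"\x00" * 512 + FAKE_JPEG + b"\x00" * 300 + TINY_PNG + b"\x00" * 256 + TRUNCATED_JPEG


def carve(image):
    """Scan for every known header and cut from it to the next matching footer.
    A header with no footer yields an incomplete candidate running to end of image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            begin = image.find(header, pos)
            if begin < 0:
                break
            end = image.find(footer, begin + len(header))
            complete = end >= 0
            end = end + len(footer) if complete else len(image)
            data = image[begin:end]
            found.append({"type": kind, "offset": begin, "length": len(data), "complete": complete,
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def png_chunks_valid(data):
    """Walk the PNG chunks and check every CRC; a carved candidate that fails
    is a false positive or a damaged file, not evidence of an intact image."""
    pos = len(SIGNATURES["png"][0])
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False                                   # chunk runs past the carved data
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


if __name__ == "__main__":
    for f in carve(IMAGE):
        valid = png_chunks_valid(f["data"]) if f["type"] == "png" else None
        print(f["type"], f["offset"], f["length"], "complete" if f["complete"] else "truncated", f["sha256"][:16], valid)
```

Every carved candidate is hashed at the moment it is cut from the image, so it can be referenced in the report and re-verified later; real carving tools add per-format validation (as the PNG CRC walk does here) and handle fragmented files, which a plain header-to-footer cut cannot.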