Module 4 (Cyber Security)

The document provides an overview of computer forensics, detailing its importance in gathering and preserving digital evidence for legal cases. It discusses the processes involved in digital forensics, including collection, examination, analysis, and reporting, as well as various challenges faced in the field such as technical, legal, and resource-related issues. Additionally, it highlights the significance of email forensics and the tools used for forensic analysis of digital evidence.

Uploaded by psharnu0

Module IV

UNDERSTANDING COMPUTER FORENSICS

INTRODUCTION: CYBER FORENSICS


CYBER FORENSICS:
Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence.
Forensic examiners typically analyze data from personal computers, laptops, personal digital
assistants, cell phones, servers, tapes, and any other type of media. This process can involve
anything from breaking encryption, to executing search warrants with a law enforcement
team, to recovering and analyzing files from hard drives that will be critical evidence in the
most serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and highly
specialized process. The results of forensic examinations are compiled and included in
reports. In many cases, examiners testify to their findings, where their skills and abilities are
put to ultimate scrutiny.

DIGITAL FORENSICS:

Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used in a court of law. It is the science of
finding evidence on digital media such as a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital-related cases.

Digital Forensics helps the forensic team to analyze, inspect, identify, and preserve the
digital evidence residing on various types of electronic devices.

Digital forensic science is a branch of forensic science that focuses on the recovery and
investigation of material found in digital devices related to cybercrime.
THE NEED FOR COMPUTER FORENSICS
Computer forensics is also important because it can save your organization money. From a
technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and
analyze data in a way that preserves the integrity of the evidence collected so it can be used
effectively in a legal case.
CYBER FORENSICS AND DIGITAL EVIDENCE:

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, among other places. Digital
evidence is commonly associated with electronic crime, or e-crime, such as child
pornography or credit card fraud. However, digital evidence is now used to prosecute all
types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might
contain critical evidence regarding their intent, their whereabouts at the time of a crime and
their relationship with other suspects. In 2005, for example, a floppy disk led investigators to
the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at
least 10 victims.

CYBER SECURITY Page 1

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law
enforcement agencies are incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law enforcement agencies are
challenged by the need to train officers to collect digital evidence and keep up with rapidly
evolving technologies such as computer operating systems.

FORENSICS ANALYSIS OF EMAIL:


E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the
actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail
transaction, the intent of the sender, etc. This study involves investigation of metadata, keyword
searching, port scanning, etc. for authorship attribution and identification of e-mail scams.

Various approaches that are used for e-mail forensics are:

 Header Analysis – Metadata in the e-mail message in the form of control
information, i.e. the envelope and headers (including headers in the message body), contains
information about the sender and/or the path along which the message has traversed.
Some of these may be spoofed to conceal the identity of the sender. A detailed
analysis of these headers and their correlation is performed in header analysis.

 Bait Tactics – In a bait-tactic investigation, an e-mail containing an HTML <img src> tag whose
image source is hosted on a computer monitored by the investigators is sent to the sender of the
e-mail under investigation, using their real (genuine) e-mail address. When the e-mail
is opened, a log entry containing the IP address of the recipient (the sender of the e-mail
under investigation) is recorded on the HTTP server hosting the image, and thus the sender
is tracked. However, if the recipient (the sender of the e-mail under investigation) is using
a proxy server, then the IP address of the proxy server is recorded. The log on the proxy
server can be used to track the sender of the e-mail under investigation. If the proxy
server’s log is unavailable for some reason, then investigators may send the tactic
e-mail containing a) an embedded Java applet that runs on the receiver’s computer or b) an
HTML page with an ActiveX object, both aiming to extract the IP address of the receiver’s
computer and e-mail it to the investigators.

 Server Investigation – In this investigation, copies of delivered e-mails and server
logs are investigated to identify the source of an e-mail message. E-mails purged from the
clients (senders or receivers), whose recovery is otherwise impossible, may be requested from
servers (proxy or ISP), as most of them store a copy of all e-mails after their
delivery. Further, logs maintained by servers can be studied to trace the address of
the computer responsible for making the e-mail transaction. However, servers store
copies of e-mail and server logs only for limited periods, and some may not
co-operate with the investigators. Further, SMTP servers which store data such as credit
card numbers and other data pertaining to the owner of a mailbox can be used to identify
the person behind an e-mail address.

 Network Device Investigation – In this form of e-mail investigation, logs maintained
by network devices such as routers, firewalls and switches are used to investigate
the source of an e-mail message. This form of investigation is complex and is used
only when the logs of servers (proxy or ISP) are unavailable for some reason, e.g.
when the ISP or proxy does not maintain a log, when the ISP does not co-operate, or when the
chain of evidence has not been maintained.

 Software Embedded Identifiers – Some information about the creator of the e-mail,
attached files or documents may be included with the message by the e-mail software
used by the sender for composing the e-mail. This information may be included in the
form of custom headers or in the form of MIME content as a Transport Neutral
Encapsulation Format (TNEF). Investigating the e-mail for these details may reveal
some vital information about the sender’s e-mail preferences and options that could
help client-side evidence gathering. The investigation can reveal PST file names, the
Windows logon username, the MAC address, etc. of the client computer used to send the e-mail message.

 Sender Mailer Fingerprints – The software handling e-mail at the server can be
identified from the Received header field, and the software handling e-mail at the
client can be ascertained from a different set of headers such as “X-Mailer” or
equivalent. These headers describe the applications and their versions used at
the clients to send e-mail. This information about the sender’s client computer
can be used to help investigators devise an effective plan and thus prove to be very
useful.
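The header analysis and sender mailer fingerprinting described above, carried out in code as an added example that is not part of the original module: the script parses a constructed message (every host name, address and IP in it is a documentation/test value I made up), walks the Received chain from the recipient's own MTA back toward the origin, flags the point where the chain stops being continuous (the signature of a forged or missing hop), picks the earliest hop that is still corroborated as the likely origin, and pulls out the X-Mailer fingerprint and a From/Return-Path domain mismatch. Only the Python standard library `email` package is used; the function names are my own.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture). The bottom-most Received
# header is one the sender forged so the mail appears to come from bank.test;
# the genuine origin is the hop recorded by relay.example-invoices.test.
RAW_EMAIL = b"""Return-Path: <billing@example-invoices.test>
Received: from mx2.recipient.test (mx2.recipient.test [203.0.113.9])
\tby mail.recipient.test with ESMTP id 7fA1;
\tMon, 3 Jun 2024 10:15:42 +0000
Received: from relay.example-invoices.test (relay.example-invoices.test [198.51.100.7])
\tby mx2.recipient.test with ESMTPS id 9cD2;
\tMon, 3 Jun 2024 10:15:40 +0000
Received: from laptop-17 (unknown [192.0.2.55])
\tby relay.example-invoices.test with ESMTPA id 4bB3;
\tMon, 3 Jun 2024 10:15:31 +0000
Received: from smtp.bank.test (smtp.bank.test [192.0.2.10])
\tby mail.bank.test with ESMTP id 1aA0;
\tMon, 3 Jun 2024 10:15:29 +0000
From: "Accounts" <accounts@bank.test>
To: victim@recipient.test
Subject: Invoice overdue
Date: Mon, 3 Jun 2024 10:15:28 +0000
Message-ID: <20240603101528.4bB3@relay.example-invoices.test>
X-Mailer: MassMailer 2.3

Please see the attached invoice.
"""

# "from <host> (<helo / reverse-dns [ip]>) by <host>" is the usual Received shape.
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """Return the Received hops in delivery order (earliest hop first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())           # collapse header folding
        m = HOP_RE.search(text)
        ip = IP_RE.search(m.group("info") or "") if m else None
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m.group("frm").lower() if m else None,
            "by": m.group("by").lower() if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def find_chain_breaks(hops):
    """Each hop's 'by' host should be the next hop's 'from' host, and clocks should
    move forward; anything else points at a forged, rewritten or missing hop."""
    breaks = []
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] != later["from"]:
            breaks.append(("host", earlier["by"], later["from"]))
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            breaks.append(("clock", earlier["by"], later["from"]))
    return breaks


def likely_origin(hops):
    """Walk back from the recipient's own MTA while the chain stays continuous;
    the earliest hop still linked to it is the best-supported origin."""
    i = len(hops) - 1
    while i > 0 and hops[i]["from"] == hops[i - 1]["by"]:
        i -= 1
    return hops[i]


def analyze_message(raw_bytes):
    """Summarise what the headers say about where the message really came from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hops = parse_hops(msg)
    origin = likely_origin(hops)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    return {
        "hop_count": len(hops),
        "chain_breaks": find_chain_breaks(hops),
        "origin_host": origin["from"],
        "origin_ip": origin["ip"],
        "envelope_mismatch": from_domain != envelope_domain,   # From: vs Return-Path
        "x_mailer": str(msg.get("X-Mailer", "")),              # client fingerprint
        "message_id": str(msg.get("Message-ID", "")),
    }


if __name__ == "__main__":
    for key, value in analyze_message(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Running it on the sample reports one host break between `mail.bank.test` and `laptop-17`, so the forged bottom header is discarded and the origin is attributed to 192.0.2.55 as recorded by the first trustworthy relay. Only the hops added by servers you control, or by relays whose logs you can obtain, are verifiable; everything below the first break is the sender's claim, which is why the server and network-device investigations above exist as corroborating sources.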

EMAIL FORENSICS TOOLS

Erasing or deleting an email doesn’t necessarily mean that it is gone forever. Often emails
can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to
traditional detective work. It is used for retrieving information from mailbox files.

 MiTec Mail Viewer – This is a viewer for Outlook Express, Windows
Mail/Windows Live Mail, Mozilla Thunderbird message databases, and single EML
files. It displays a list of contained messages with all needed properties, like an
ordinary e-mail client. Messages can be viewed in detailed view, including
attachments and an HTML preview. It has powerful searching and filtering capability
and also allows extracting the e-mail addresses from all e-mails in an opened folder to a list with
one click. Selected messages can be saved to EML files with or without their
attachments. Attachments can be extracted from selected messages by one command.

 OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you
view OST and PST files easily without connecting to an MS Exchange server. These
tools allow the user to scan OST and PST files and display the data saved in them,
including e-mail messages, contacts, calendars, notes, etc., in a proper folder structure.

 eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the
IP address of the machine that sent the message so that the sender can be tracked
down. It can trace multiple e-mails at the same time and easily keep track of them.
The geographical location of an IP address is key information for determining the
threat level or validity of an e-mail message.

 EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource
Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in
India. It develops cyber forensic tools based on the requirements of law enforcement
agencies.

DIGITAL FORENSICS LIFECYCLE:

Collection: The first step in the forensic process is to identify potential sources of data and
acquire data from them.
Examination: After data has been collected, the next phase is to examine the data, which
involves assessing and extracting the relevant pieces of information from the collected data.
This phase may also involve bypassing or mitigating OS or application features that obscure
data and code, such as data compression, encryption, and access control mechanisms.
Analysis: Once the relevant information has been extracted, the analyst should study and
analyze the data to draw conclusions from it. The foundation of forensics is using a
methodical approach to reach appropriate conclusions based on the available data or
determine that no conclusion can yet be drawn.
Reporting: The process of preparing and presenting the information resulting from the
analysis phase. Many factors affect reporting, including the following:
a. Alternative Explanations: When the information regarding an event is incomplete, it
may not be possible to arrive at a definitive explanation of what happened. When an
event has two or more plausible explanations, each should be given due consideration
in the reporting process. Analysts should use a methodical approach to attempt to
prove or disprove each possible explanation that is proposed.

b. Audience Consideration: Knowing the audience to which the data or information
will be shown is important.

c. Actionable Information: Reporting also includes identifying actionable information
gained from data that may allow an analyst to collect new sources of information.
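The lifecycle above, and the integrity goal stated under "The Need for Computer Forensics", carried out in code as an added example that is not part of the module: collection copies a source file into an evidence store and records MD5/SHA-256 hashes together with a chain-of-custody manifest; a preservation check re-hashes the image; examination carves e-mail addresses and URLs out of the raw bytes, including ones sitting in "deleted" regions between NUL padding; and reporting pairs the findings with the hash a reader needs to re-verify the image independently. A final helper alters the image by one byte to show the integrity check failing. The sample bytes, file names and manifest layout are my own constructions.

```python
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample "evidence": raw bytes standing in for an exported mailbox
# fragment. Nothing here is a real image or real case data.
SAMPLE_EVIDENCE = (
    b"\x00\x00From: alice@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: meet at 19:00\r\n\x00\x00https://drop.example.test/x\x00\x00"
    b"\xff\xfe deleted fragment: carol@example.test \x00"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks so large images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def collect(source, dest_dir, examiner):
    """Collection: copy the source into the evidence store, hash both sides,
    and write a manifest that starts the chain of custody."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    image = dest_dir / (Path(source).name + ".img")
    shutil.copyfile(source, image)
    src_hashes, img_hashes = hash_file(source), hash_file(image)
    if src_hashes != img_hashes:
        raise RuntimeError("acquired copy does not match the source")
    manifest = {
        "source": str(source),
        "image": str(image),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "hashes": img_hashes,
        "custody": [{"action": "acquired", "by": examiner}],
    }
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest):
    """Preservation check: the image must still hash to what the manifest recorded."""
    return hash_file(manifest["image"]) == manifest["hashes"]


def examine(manifest):
    """Examination: pull recoverable artefacts (addresses, URLs) out of the raw bytes,
    including ones sitting in 'deleted' regions between NUL padding."""
    data = Path(manifest["image"]).read_bytes()
    return {
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(data)}),
        "urls": sorted({m.decode() for m in URL_RE.findall(data)}),
    }


def report(manifest, findings):
    """Reporting: pair the findings with the integrity status and the hash a reader
    would need to re-verify the image independently."""
    return {
        "image": manifest["image"],
        "sha256": manifest["hashes"]["sha256"],
        "integrity_ok": verify(manifest),
        "findings": findings,
    }


def run_lifecycle(evidence_bytes=SAMPLE_EVIDENCE, examiner="examiner-01"):
    """Collection -> verification -> examination -> reporting on constructed evidence."""
    work = Path(tempfile.mkdtemp(prefix="forensics-demo-"))
    source = work / "suspect_export.bin"
    source.write_bytes(evidence_bytes)
    manifest = collect(source, work / "evidence", examiner)
    return {"manifest": manifest, "report": report(manifest, examine(manifest))}


def verify_after_modification(manifest):
    """Append a single byte to the image; verify() must now report tampering."""
    with open(manifest["image"], "ab") as fh:
        fh.write(b"\x00")
    return verify(manifest)


if __name__ == "__main__":
    out = run_lifecycle()
    print(json.dumps(out["report"], indent=2))
    print("still intact after modification?", verify_after_modification(out["manifest"]))
```

The point of hashing at acquisition and again before every later phase is that the report can be challenged on integrity grounds, the problem the Legal Challenges section below returns to: a recorded hash that still matches lets anyone repeat the check, while a mismatch, as the last helper shows, is caught before conclusions are drawn from altered data. In real acquisitions the copy is taken through a write blocker and the manifest is stored separately from the image.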
FORENSICS INVESTIGATION:
Forensics is the application of scientific methods to solve a crime. Forensic investigation is the
gathering and analysis of all crime-related physical evidence in order to come to a conclusion
about a suspect. Investigators will look at blood, fluids, fingerprints, residue, hard drives,
computers, or other technology to establish how a crime took place. This is a general
definition, though, since there are a number of different types of forensics.
TYPES OF FORENSICS INVESTIGATION
 Forensic Accounting / Auditing
 Computer or Cyber Forensics
 Crime Scene Forensics
 Forensic Archaeology
 Forensic Dentistry
 Forensic Entomology
 Forensic Graphology
 Forensic Pathology
 Forensic Psychology
 Forensic Science
 Forensic Toxicology

CHALLENGES IN COMPUTER FORENSICS


Digital forensics has been defined as the use of scientifically derived and proven methods
towards the identification, collection, preservation, validation, analysis, interpretation, and
presentation of digital evidence derived from digital sources to facilitate the reconstruction
of events found to be criminal. But these digital forensics investigation methods face some
major challenges at the time of practical implementation. Fahdi, Clark, and Furnell categorize
digital forensic challenges under three major heads:

 Technical challenges
 Legal challenges
 Resource Challenges

TECHNICAL CHALLENGES

As technology develops, crimes and criminals develop with it. Digital forensic
experts use forensic tools for collecting shreds of evidence against criminals, and criminals
use such tools for hiding, altering or removing the traces of their crime. In digital forensics this
practice is called anti-forensics, which is considered a major challenge in the digital
forensics world.

Anti-forensics techniques are categorized into the following types:

S. No. Type – Description

1 Encryption – It is legitimately used for ensuring the privacy of information by keeping it
hidden from an unauthorized user/person. Unfortunately, it can also be used by criminals to
hide their crimes.

2 Data hiding in storage space – Criminals usually hide chunks of data inside the storage
medium in invisible form by using system commands and programs.

3 Covert Channel – A covert channel is a communication protocol which allows an attacker to
bypass intrusion detection techniques and hide data over the network. The attacker uses it
for hiding the connection between himself and the compromised system.

Other Technical challenges are:

 Operating in the cloud
 Time to archive data
 Skill gap
 Steganography
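Encrypted data and compressed payloads hidden in unused storage share one measurable telltale that helps an examiner decide where to look first: a nearly flat byte distribution. The following is an added example, not from the module, that profiles a constructed disk-image fragment block by block using Shannon entropy and merges the high-entropy blocks into regions to inspect; the block size, the 7.5 bits/byte threshold and the sample image are my own choices, and the technique only flags opaque data, it does not say what that data is.

```python
import math
from collections import Counter

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5   # bits/byte; text sits around 4-5, encrypted or compressed data near 8


def shannon_entropy(data):
    """Shannon entropy in bits per byte of the given block (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_blocks(image, block_size=BLOCK_SIZE):
    """Entropy profile of an image: one (index, offset, entropy) tuple per block."""
    offsets = range(0, len(image), block_size)
    return [(i, off, shannon_entropy(image[off:off + block_size])) for i, off in enumerate(offsets)]


def high_entropy_regions(image, block_size=BLOCK_SIZE, threshold=HIGH_ENTROPY):
    """Merge adjacent high-entropy blocks into (offset, length) regions worth a closer look."""
    regions = []
    for _, off, ent in scan_blocks(image, block_size):
        if ent < threshold:
            continue
        length = min(block_size, len(image) - off)       # last block may be short
        if regions and regions[-1][0] + regions[-1][1] == off:
            regions[-1] = (regions[-1][0], regions[-1][1] + length)
        else:
            regions.append((off, length))
    return regions


# Constructed image: unallocated zeros, a plain-text block, two opaque blocks with a
# uniform byte distribution (what ciphertext or compressed data looks like), more zeros.
ZERO_BLOCK = b"\x00" * BLOCK_SIZE
TEXT_BLOCK = (b"Meeting notes: the shipment leaves on Tuesday, confirm with the driver. " * 80)[:BLOCK_SIZE]
OPAQUE_BLOCK = bytes(range(256)) * (BLOCK_SIZE // 256)
SAMPLE_IMAGE = ZERO_BLOCK + TEXT_BLOCK + OPAQUE_BLOCK + OPAQUE_BLOCK + ZERO_BLOCK

if __name__ == "__main__":
    for i, off, ent in scan_blocks(SAMPLE_IMAGE):
        print(f"block {i} @ {off:#08x}: {ent:.2f} bits/byte")
    print("regions to inspect:", high_entropy_regions(SAMPLE_IMAGE))
```

On the sample the two opaque blocks at offset 8192 merge into one 8 KiB region while the zero and text blocks fall well below the threshold. Legitimate compressed files (archives, JPEGs, video) score just as high, so the region list is a triage queue for the examination phase, to be checked against file-system allocation and known file signatures, not evidence of wrongdoing by itself.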

LEGAL CHALLENGES

The presentation of digital evidence is more difficult than its collection, because there are
many instances where the legal framework takes a soft approach and does not recognize
every aspect of cyber forensics. In the Jagdeo Singh v. The State and Ors. case, the Hon’ble High
Court of Delhi held that “while dealing with the admissibility of an intercepted telephone call
in a CD and CDR which was without a certificate under Sec. 65B of the Indian Evidence Act,
1872 the court observed that the secondary electronic evidence without certificate u/s. 65B of
Indian Evidence Act, 1872 is not admissible and cannot be looked into by the court for any
purpose whatsoever.” This happens in most cases because the cyber police lack the
necessary qualification and ability to identify a possible source of evidence and prove it.
Besides, most of the time electronic evidence is challenged in court on grounds of integrity. In
the absence of proper guidelines, and without a proper explanation of how the electronic evidence was
collected and acquired, the evidence gets dismissed.

Legal Challenges

S.No. Type – Description

1 Absence of guidelines and standards – In India, there are no proper guidelines for the
collection and acquisition of digital evidence. The investigating agencies and forensic
laboratories are working on guidelines of their own. Due to this, the potential of digital
evidence has been destroyed.

2 Limitation of the Indian Evidence Act, 1872 – The Indian Evidence Act, 1872 has a limited
approach; it has not been able to evolve with the times and address the fact that e-evidence is
more susceptible to tampering, alteration, transposition, etc. The Act is silent on the method
of collection of e-evidence; it only focuses on the presentation of electronic evidence in the
court, accompanied by a certificate as per subsection 4 of Sec. 65B[12]. This means that no
matter what procedure is followed, it must be proved with the help of a certificate.

Other Legal Challenges

 Privacy Issues
 Admissibility in Courts
 Preservation of electronic evidence
 Power for gathering digital evidence
 Analyzing a running computer

Resource Challenges

As the rate of crime increases, the amount of data increases, and the burden of analyzing such
huge volumes of data on a digital forensic expert is also increasing. Digital evidence is more
sensitive than physical evidence, as it can easily disappear. To make the
investigation process fast and useful, forensic experts use various tools to check the
authenticity of the data, but dealing with these tools is also a challenge in itself.

Types of Resource Challenges are:

 Change in technology

Due to rapid changes in technology such as operating systems, application software and hardware,
reading digital evidence is becoming more difficult, because new software versions do not
support older versions and the software development companies do not provide any
backward compatibility, which also has legal consequences.

 Volume and replication

The confidentiality, availability, and integrity of electronic documents are easily
manipulated. The combination of wide-area networks and the internet forms a big network
that allows data to flow beyond physical boundaries. Such ease of communication
and availability of electronic documents increases the volume of data, which also creates
difficulty in the identification of original and relevant data.
