Unit 4 CS

Unit-4

▪ Introduction
Computer Forensics is a scientific method of investigation and analysis in order to gather
evidence from digital devices or computer networks and components which is suitable for
presentation in a court of law or legal body. It involves performing a structured
investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computer and who was responsible for it.

Types

▪ Disk Forensics: It deals with extracting raw data from the primary or secondary storage
of the device by searching active, modified, or deleted files.
▪ Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring
and analysing the computer network traffic.
▪ Database Forensics: It deals with the study and examination of databases and their
related metadata.
▪ Malware Forensics: It deals with the identification of suspicious code and studying
viruses, worms, etc.
▪ Email Forensics: It deals with emails and their recovery and analysis, including deleted
emails, calendars, and contacts.
▪ Memory Forensics: It deals with collecting data from system memory (system registers,
cache, RAM) in raw form and then analysing it for further investigation.
▪ Mobile Phone Forensics: It mainly deals with the examination and analysis of phones
and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS,
and other data present on the device.

▪ The Digital Forensics Process

The digital forensics process may change from one scenario to another, but it typically
consists of four core steps—collection, examination, analysis, and reporting.

▪ Collection

The collection phase involves acquiring digital evidence, usually by seizing physical assets,
such as computers, hard drives, or phones. It is critical to ensure that data is not lost or
damaged during the collection process.

▪ Examination

The examination phase involves identifying and extracting data. You can split this phase into
several steps—prepare, extract, and identify.

▪ Analysis

The analysis phase involves using collected data to prove or disprove a case built by the
examiners. Here are key questions examiners need to answer for all relevant data items:

▪ Who created the data?
▪ Who edited the data?
▪ How was the data created?
▪ When did these activities occur?

▪ Reporting

The reporting phase involves synthesizing the data and analysis into a format that makes
sense to laypeople. These reports are essential because they help convey the information so
that all stakeholders can understand.

▪ The need for computer forensics

▪ Because of the rise of cybercrimes, a new branch of investigation has been developed
to help law enforcement trace and find proof of illegal activity using computers. This
is computer forensics; because much of its technique involves some form of data
recovery, it is also known as digital forensics.

▪ Computer forensic experts can go through a suspected cybercriminal’s hard drive – be
it on a computer or a mobile device – and find deleted and hidden files that serve as
evidence of illegal activity.

▪ Much of what computer forensics does is related to data recovery. Data recovery
programs used in businesses and personal computers, such as DataNumen Data
Recovery and DataNumen SQL Recovery, are also widely used for law enforcement.

▪ Digital Forensics Process

Processes of Digital Forensics are discussed here in the following:

1. Investigation

The first step in a Digital Forensics process is to start the investigation and seize the
evidence. This involves acquiring digital devices or data that is relevant to the case. This may
involve seizing electronic devices, such as computers or smartphones, or acquiring data from
cloud services.
2. Identification

During this process, the relevant data related to the case is identified and extracted from the
collected evidence. This includes information such as emails, documents, images, and other
types of digital files that are relevant to the case.

3. Collection

The next step is to collect the evidence from the digital device or system. This may involve
using specialized tools and techniques to extract data from the device, such as acquiring a
disk image or copying specific files.

4. Preservation

Preserving the evidence is the next step here. This involves duplicating the digital data and
ensuring that the original data is kept undamaged. This is an important process since it
ensures that the evidence will be accepted in court and can be used to support the findings of
the investigation.

5. Analysis

The evidence collected so far is then analyzed to uncover any related information. This
involves using various Digital Forensics tools to examine the data, such as disk imaging
tools, data recovery tools, and many more.

6. Presentation

The final step of the Digital Forensics process is to prepare a report, document the findings of
the Digital Forensics investigation, and present the evidence in a clear and brief form to the
relevant authorities or stakeholders.

▪ Forensics Analysis of E-mail

Email forensics is the process of examining the content, structure, and metadata of emails to
uncover valuable information for various purposes, including legal investigations,
cybersecurity incidents, and corporate compliance.

Key Elements of Email Forensics

Metadata Analysis:
▪ Header Information: The email header contains crucial metadata, including
sender and recipient addresses, timestamps, routing information, and more. This
information can be crucial in tracking the source of an email or establishing a
timeline.
▪ IP Address Tracking: Examining the IP addresses associated with an email can
help determine the sender's location and trace the email's path through various
servers.

Content Analysis:
▪ Message Content: Analyzing the content of an email is essential for
understanding the message's context, intent, and potential relevance in an
investigation.
▪ Attachments: Email attachments, such as documents or images, can contain
vital clues or evidence.

Email Authentication:
Sender Verification: Email forensics helps verify the authenticity of an email sender.
Techniques like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF)
are used to prevent email spoofing and phishing.
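As an added illustration of the header metadata analysis and sender verification described above (this script is not part of the original notes), the following Python parses a constructed message, rebuilds the relay path from its Received headers in chronological order, and reads the SPF/DKIM verdicts from the Authentication-Results header. All hostnames, IP addresses and identifiers in the sample are made-up documentation values.

```python
"""Email header triage: rebuild the Received chain and read SPF/DKIM results."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not real mail): three hops, SPF pass, DKIM fail.
RAW_EMAIL = b"""Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbox.example.net with ESMTPS id abc123;
\tTue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.org (relay.example.org [198.51.100.22])
\tby mx.example.org with ESMTP id r42;
\tTue, 5 Mar 2024 10:02:05 +0000
Received: from [192.0.2.15] (unknown [192.0.2.15])
\tby relay.example.org with ESMTPA id u9;
\tTue, 5 Mar 2024 10:01:58 +0000
Authentication-Results: inbox.example.net;
\tspf=pass smtp.mailfrom=example.org;
\tdkim=fail header.d=example.org
From: "Accounts" <accounts@example.org>
To: victim@example.net
Subject: Invoice
Date: Tue, 5 Mar 2024 10:01:50 +0000
Message-ID: <abc@example.org>

Please see attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    """Collapse a folded header (continuation lines start with whitespace)."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received(value):
    """Extract from-host, relay IP, by-host and timestamp from one Received header."""
    text = _unfold(value)
    from_m = re.search(r"^from (\S+)", text)
    by_m = re.search(r"\bby (\S+)", text)
    ip_m = IP_RE.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from_host": from_m.group(1) if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by_host": by_m.group(1) if by_m else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def analyze(raw):
    """Return the chronological relay path, authentication results and anomaly flags."""
    msg = email.message_from_bytes(raw)
    # Each relay prepends its own Received line, so header order is newest first.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        auth.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _unfold(header)))
    flags = [f"{m}={r}" for m, r in auth.items() if r != "pass"]
    times = [h["time"] for h in hops if h["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        flags.append("non-monotonic Received timestamps")  # possible forged header
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "hops": hops, "auth": auth, "flags": flags}


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    for hop in report["hops"]:
        print(f"{hop['time']}  {hop['from_host']} [{hop['ip']}] -> {hop['by_host']}")
    print("origin:", report["origin_ip"], "auth:", report["auth"], "flags:", report["flags"])
```

Only the Received line added by the investigator's own receiving server can be trusted; earlier hops can be forged by the sender, which is why the timestamp-order check and the authentication verdicts are reported alongside the path.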

Recovery of Deleted Emails:

In some cases, deleted emails may be critical evidence. Email forensics experts can use
specialized software to recover these messages.

Chain of Custody:
Maintaining a secure chain of custody is crucial when handling email evidence in a legal
context. This ensures that the integrity of the evidence is preserved.

Applications of Email Forensics

Email forensics plays a pivotal role in various domains:

1. Legal Investigations: Email evidence is frequently used in legal cases, including
criminal, civil, and corporate disputes. It can help establish motives, timelines,
and the authenticity of communications.

2. Cybersecurity: In the realm of cybersecurity, email forensics can uncover the
source of a cyberattack, trace malicious actors, and determine the extent of a
security breach.

3. Corporate Compliance: Organizations may use email forensics to ensure
compliance with regulations, investigate internal misconduct, or detect data
leakage.

Mail Forensics Tools

Several tools are available to forensic experts to perform email analysis, such as:

1. 4n6 Email Forensics Wizard: This software supports email analysis from
metadata examination to content scrutiny.

2. MailXaminer: Specialized software designed for email forensics, enabling
investigators to extract and analyze email data efficiently.

3. EnCase Forensic: A comprehensive digital forensic tool that allows examiners
to analyze email content and metadata.

4. Wireshark: A network protocol analyzer that can help with IP tracking and
network-related email forensics tasks.

Challenges in Email Forensics

While email forensics is a powerful investigative tool, it comes with its fair share of
challenges:

1. Encryption: The growing use of end-to-end encryption in email services can
make it challenging to access email content.

2. Privacy Concerns: Balancing the need for email evidence with privacy rights is
a constant challenge in email forensics.

3. Data Preservation: Ensuring the integrity and admissibility of email evidence in
court can be complex.

▪ Digital Forensics Life Cycle

The digital forensics process is shown in the following figure. Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying

1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. A sequence of events
in a computer might include interactions between:

▪ Different files
▪ Files and file systems
▪ Processes and files
▪ Log files

2. Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources. The obvious sources can be:

▪ Mobile phones
▪ Digital cameras
▪ Hard drives
▪ CDs
▪ USB memory devices

3. Storing and Transporting Digital Evidence

Some guidelines for handling of digital evidence:

▪ Image computer media using a write-blocking tool to ensure that no data is added to
the suspect device
▪ Establish and maintain the chain of custody
▪ Document everything that has been done
▪ Only use tools and methods that have been tested and evaluated to validate their
accuracy and reliability

Care should be taken that evidence does not go anywhere without being properly tracked.
Things that can go wrong in storage include:

▪ Decay over time (natural or unnatural)
▪ Environmental changes (direct or indirect)
▪ Fires
▪ Floods
▪ Loss of power to batteries and other media preserving mechanisms

4. Examining/Investigating Digital Evidence

A forensics specialist should ensure that they have proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one
has the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is
called dead analysis.

Many current attacks leave no trace on the computer’s hard drive. The attacker only exploits
the information in the computer’s main memory. Performing forensic investigation on main
memory is called live analysis.

5. Analysis, Interpretation and Attribution

In digital forensics, only a few sequences of events might produce evidence, but the number
of possible sequences is very large. The digital evidence must be analyzed to determine the
type of information stored on it.

Forensic analysis includes the following activities:

▪ Manual review of data on the media
▪ Windows registry inspection
▪ Discovering and cracking passwords
▪ Performing keyword searches related to crime
▪ Extracting emails and images

Types of digital analysis:

▪ Media analysis
▪ Media management analysis
▪ File system analysis
▪ Application analysis
▪ Network analysis
▪ Image analysis
▪ Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. Some of the general elements in the report are:

▪ Identity of the reporting agency
▪ Case identifier or submission number
▪ Case investigator
▪ Identity of the submitter
▪ Date of receipt
▪ Date of report
▪ Descriptive list of items submitted for examination
▪ Identity and signature of the examiner
▪ Brief description of steps taken during examination
▪ Results / conclusions

7. Testifying

This phase involves presentation and cross-examination of expert witnesses. An expert
witness may testify provided that:

▪ Testimony is based on sufficient facts or data
▪ Testimony is the product of reliable principles and methods
▪ Witness has applied principles and methods reliably to the facts of the case

▪ Chain of Custody

Chain of Custody refers to the documented sequence of custody, control, transfer, analysis
and disposition of physical or electronic evidence in legal cases. Each step in the chain is
essential: if the chain is broken, the evidence may be rendered inadmissible.

What the Chain of Custody entails in Digital Cyber Forensics?

One of the concepts that is most essential in Digital Forensics is the Chain of Custody.
The chain of custody in digital cyber forensics is also known as the paper trail or forensic
link, or chronological documentation of the evidence.
▪ Chain of custody indicates the collection, sequence of control, transfer and analysis.
▪ It also documents details of each person who handled the evidence, the date and time it was
collected or transferred, and the purpose of the transfer.
▪ It demonstrates to the courts and to the client that the evidence has not been tampered with.

Importance of maintaining Chain of Custody

Importance to Examiner:
▪ To preserve the integrity of the evidence.
▪ To prevent the evidence from contamination, which can alter the state of the evidence.
▪ You may obtain metadata for a piece of evidence but be unable to extract any
meaningful information from it. In such a case, the chain of custody helps to
show where possible evidence might lie, where it came from, who created it, and the
type of equipment used. This will help you to generate an exemplar and compare it to
the evidence to confirm the evidence properties.

Importance to the Court: If not preserved, the evidence submitted in the court might be
challenged and ruled inadmissible.

Chain of Custody Process

The chain of custody should span from the first step of data collection to examination,
analysis, reporting, and the time of presentation to the Courts.

Let’s discuss each stage of the chain of custody in detail:

1. Data Collection: This is where the chain of custody process is initiated. It involves
identification, labeling, recording, and the acquisition of data from all the possible
relevant sources, in a way that preserves the integrity of the data and evidence collected.
2. Examination: During this process, the chain of custody information is documented,
outlining the forensic process undertaken.
3. Analysis: This stage is the result of the examination stage. In the Analysis stage, legally
justifiable methods and techniques are used to derive useful information to address
questions posed in the particular case.
4. Reporting: This is the documentation phase of the Examination and Analysis stage.
Reporting includes the following:
▪ Statement regarding Chain of Custody.
▪ Explanation of the various tools used.
▪ A description of the analysis of various data sources.
▪ Issues identified.
▪ Vulnerabilities identified.
▪ Recommendation for additional forensics measures that can be taken.

The Chain of Custody Form

In order to prove a chain of custody, you’ll need a form that lists out the details of how the
evidence was handled every step of the way. The form should answer the following
questions:
▪ What is the evidence?: For example, digital information includes the filename and MD5
hash, and hardware information includes serial number, asset ID, hostname, photos and
description.
▪ How did you get it?: For example, bagged, tagged or pulled from the desktop.
▪ When was it collected?: Date, time.
▪ Who has handled it?
▪ Why did that person handle it?
▪ Where was it stored?: This includes information about the physical location in
which the evidence is stored, or about the storage used to hold the forensic image.
▪ How did you transport it?: For example, in a sealed static-free bag or in a secure
storage container.
▪ How was it tracked?
▪ How was it stored?: For example, in a secure storage container.
▪ Who has access to the evidence?: This involves developing a check-in/check-out
process.

Procedure to establish the Chain of Custody

The following procedure is followed according to the chain of custody for electronic
devices:
▪ Save the original material.
▪ Take photos of the physical evidence.
▪ Take screenshots of the digital evidence.
▪ Document date, time, and any other information on the receipt of the evidence.
▪ Load a bit-for-bit clone of the digital evidence content onto the forensic computers.
▪ Perform a hash test analysis to authenticate the working clone.
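As an added example (not from the original notes) of the last two steps above and of the who/what/when/where/why record the chain-of-custody form asks for: this Python hashes a constructed sample image and its clone to authenticate the working copy, then keeps each custody entry chained to the hash of the previous entry so that a later edit or deletion in the log is detectable. The evidence ID, file name, serial number and handler names are placeholders.

```python
"""Authenticate a working clone by hash and keep a tamper-evident custody log."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data, chunk=1 << 20):
    """Hash an image in chunks; real disk images do not fit in memory at once."""
    digest = hashlib.sha256()
    for start in range(0, len(data), chunk):
        digest.update(data[start:start + chunk])
    return digest.hexdigest()


def verify_clone(original, clone):
    """The working clone is authentic only if its hash equals the original's."""
    return sha256_of(original) == sha256_of(clone)


class CustodyLog:
    """Append-only who/what/when/where/why record; each entry stores the hash of
    the previous one (the first stores the acquisition hash), so a later edit
    or deletion of any entry breaks verify_log()."""

    def __init__(self, evidence_id, description, acquisition_hash):
        self.evidence_id = evidence_id          # placeholder case/item id
        self.description = description          # filename, serial, make/model
        self.acquisition_hash = acquisition_hash
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, who, what, where, why, when=None):
        when = when or datetime.now(timezone.utc)
        previous = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = {"evidence_id": self.evidence_id, "who": who, "what": what,
                 "where": where, "why": why, "when": when.isoformat(),
                 "previous": previous}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_log(self):
        """Recompute the chain from the acquisition hash forward."""
        expected = self.acquisition_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["previous"] != expected or self._digest(body) != entry["entry_hash"]:
                return False
            expected = entry["entry_hash"]
        return True


# Constructed sample "images": a 16 KiB pattern, an exact clone, and a one-byte-altered copy.
ORIGINAL = bytes(range(256)) * 64
CLONE = bytes(ORIGINAL)
TAMPERED = ORIGINAL[:-1] + b"\x00"


def build_example_log():
    """Walk one item through seizure, transport and lab check-out."""
    log = CustodyLog("CASE-0000/ITEM-01",
                     {"file": "laptop_ssd.E01", "serial": "SN-PLACEHOLDER"},
                     sha256_of(ORIGINAL))
    t0 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    log.record("Officer A", "seized, imaged via write blocker", "site office", "acquisition", t0)
    log.record("Officer A", "sealed in anti-static bag, transported", "evidence locker",
               "transfer", t0.replace(hour=11))
    log.record("Examiner B", "checked out, hash re-verified", "forensic lab", "analysis",
               t0.replace(hour=14))
    return log


if __name__ == "__main__":
    log = build_example_log()
    print("clone authentic:", verify_clone(ORIGINAL, CLONE), "| tampered copy:", verify_clone(ORIGINAL, TAMPERED))
    print("custody log intact:", log.verify_log())
    log.entries[1]["where"] = "unknown"  # simulate an after-the-fact edit of the record
    print("after editing an entry:", log.verify_log())
```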

How can the Chain of Custody be assured?

1. Never ever work with the Original Evidence
2. Ensuring storage media is sterilized: It is important to ensure that the examiner’s
storage device is forensically clean when acquiring the evidence.
3. Document any extra scope: A comprehensive report must contain the following sections:
▪ Identity of the reporting agency.
▪ Case identifier.
▪ Case investigator.
▪ Identity of the submitter.
▪ Date of receipt.
▪ Date of report.
▪ Descriptive list of items submitted for examination: This includes the serial number,
make, and model.
▪ Identity and signature of the examiner.
▪ Results.
4. Consider the safety of the personnel at the scene:
▪ Identify the number and type of computers.
▪ Interview the system administrator and users.
▪ Identify and document the types and volume of media: This includes removable
media also.
▪ Determine if a network is present.
▪ Document the information about the location from which the media was removed.
▪ Identify offsite storage areas and/or remote computing locations.
▪ Identify proprietary software.
▪ Determine the operating system in question.

▪ Network Forensics

Network forensics is a subcategory of digital forensics that deals with examining a network
and the traffic crossing it when that network is suspected of involvement in malicious
activity, for example a network spreading malware that steals credentials, and with
investigating cyber-attacks.

With the help of network forensics, the entire data can be retrieved, including messages, file
transfers, e-mails, and web browsing history, and reconstructed to expose the original
transaction.

Processes Involved in Network Forensics:

Some processes involved in network forensics are given below:

▪ Identification: In this process, investigators identify and evaluate the incident based on
the network pointers.
▪ Safeguarding: In this process, the investigators preserve and secure the data so that
tampering can be prevented.
▪ Accumulation: In this step, a detailed report of the crime scene is documented and all
the collected pieces of digital evidence are duplicated.
▪ Observation: In this process, all the visible data is tracked along with the metadata.
▪ Investigation: In this process, a final conclusion is drawn from the collected pieces of
evidence.
▪ Documentation: In this process, all the pieces of evidence, reports and conclusions are
documented and presented in court.

Challenges in Network Forensics:

▪ The biggest challenge is to manage the data generated during the process.
▪ Intrinsic anonymity of the IP.
▪ Address Spoofing.

▪ Forensics and Social Networking Sites

Social media usage is constantly growing as people like to connect, share posts, videos, and
photos, and engage with others. However, it's essential to be aware of the potential privacy
risks and to know how to protect users’ personal information. People are becoming more
careful about their privacy, what they share on social media, and what social platforms do
with their social media data. Even with tough privacy laws, sensitive user information could
be at risk.

Common Social Media Privacy Issues

To be compliant with privacy laws, you need to understand the most common privacy issues
found on social media platforms. In addition to compliance, you also need to protect the data
of your customers, retain the trust of customers in your company, and avoid penalties for
breaches of data safety.

These are the most common social media privacy issues:

1. Data mining. Scammers use data mining for identity theft. They do not need much
data for that. Scammers can get email addresses, usernames, phone numbers, and
physical addresses quite easily.
2. Data breach. If a company is hacked, customers’ social media data is one of the first
data to be stolen. People provide a lot of personal information on social media which
could be used for malicious purposes.
3. Third-party data sharing. Many social media platforms are in partnership with
third-party services and share user data with them. While it allows the integration of
different services, it also creates significant privacy risks. Users often grant
permission to share or sell their data to these third parties even without knowing it.
4. Privacy setting loopholes. Social media accounts often are less private than users
think.
5. Location settings. User location paired with personal information can provide
detailed information to a user profile. Scammers can use this comprehensive data to
physically find and target users or collect more digital data.
6. Harassment and cyberbullying. Defrauders can send threatening messages, perform
harassment, or cause emotional trouble even without getting into users’ social media
accounts.
7. Doxxing. Doxxing is a form of cyberbullying and involves sharing harmful content about
persons like revealing a person's address, phone number, or personal photos to cause
harm, embarrassment, or humiliation.
8. Malware and viruses. Malware and viruses can spread through social media
platforms. They can steal sensitive data, infect, or slow down users’ computers.

Types Of Social Media Platforms

A variety of different social media platforms have become popular over the last decade. Here
are some of them:

Personal connection social media platforms

These platforms primarily focus on helping people connect with their family, friends and
acquaintances. They also have businesses, celebrities and other entities that people can
follow. Facebook is the most prominent example of such a platform.

Visual social media platforms

Instagram, TikTok, Snapchat, Pinterest and YouTube are examples of platforms that focus on
image and video sharing. People can post their videos and pictures on these platforms to
share with their acquaintances or the general public. Businesses also use such platforms to
create more engaging marketing content.

Microblogging social media platforms

Twitter and Tumblr are popular microblogging websites that allow people to share short text-
based posts. Such platforms usually have a limit on the length of the post. For example,
Twitter allows a maximum of 280 characters in a single post or tweet.

Content aggregator and review social media platforms

Many platforms allow users to share content from across the internet and help create
communities around interests. Reddit is a popular example of a content aggregator platform.
There are also many dedicated review platforms that contain authentic user experiences and
reviews.

Professional social media platforms

Professional social media websites have a business, employment or networking purpose.
LinkedIn is a popular example of such a platform. The focus on such platforms is to connect
with colleagues, business clients, employers and prospects.

Types of Social Media Crimes

1. Online Threats, Stalking, Cyberbullying

The most commonly reported and seen crimes that occur on social media involve people
making threats, bullying, harassing, and stalking others online. While much of this type of
activity goes unpunished, or isn't taken seriously, victims of these types of crimes frequently
don't know when they can call the police.

2. Hacking and Fraud

Creating fake accounts, or impersonation accounts, to trick people (as opposed to just
remaining anonymous), can be punished as fraud depending on the actions the
fake/impersonation account holder takes.

3. Buying Illegal Things

Connecting over social media to buy drugs, or other regulated, controlled or banned products
is probably illegal.

4. Posting Videos of Criminal Activity

As smartphone and social media technology continue to improve hand in hand, more and
more criminals are posting videos of their crimes on social media.

5. Vacation Robberies

One common practice among burglars is to use social media to discover when a potential
victim is on vacation. If your vacation status updates are publicly viewable, rather than
restricted to friend groups, then potential burglars can easily see when you are going to be
away for an extended period of time.

▪ Privacy Concerns in Digital Forensics

• Centralization of Data: Forensic methods usually see all the digital data on a computer or
device. This tempts investigators to violate user privacy since they may find other interesting
things not originally sought or authorized during their searches.

• Misjudgment of Data: Forensic investigators often have limited understanding of all the
variety of data they encounter and may be overly suspicious of innocent data.

• Unwarranted Reporting of Forensic Findings: Because of the difficulty of judging data,
there is a serious risk that investigators may cause harm by reporting incorrect results.

• Violating Privacy of Third Parties: Investigation of a shared resource such as a server
computer, cloud site, or even a family computer may see data owned by different people. If
only one person is the subject of the investigation, that could violate the privacy of the others.

• Selling of Private Forensic Data: Since private user data has monetary value,
unscrupulous investigators could sell it to the many Internet brokers of user information like
the customers of Google. This could considerably broaden the damage of a privacy violation.

• Criminal Use of Digital Forensics: Internet-of-Things systems like home-monitoring
systems can be exploited with a little digital forensics to tell thieves when people are present
or absent at a location.

▪ Challenges in Computer Forensics

▪ Data Encryption: Encryption can make it difficult to access the data on a device or
network, making it harder for forensic investigators to collect evidence. This can
require specialized decryption tools and techniques.

▪ Data Destruction: Criminals may attempt to destroy digital evidence by wiping or
destroying devices. This can require specialized data recovery techniques.

▪ Data Storage: The sheer amount of data that can be stored on modern digital
devices can make it difficult for forensic investigators to locate relevant
information. This can require specialized data carving techniques to extract relevant
information.