Cyber Forensics

Cyber forensics is the practice of collecting, analyzing and reporting on digital data in a way that
is legally admissible. It can be used in the detection and prevention of crime and in any dispute
where evidence is stored digitally. Cyber forensics follows a similar process to other forensic
disciplines, and faces similar issues. Today the broader term used for cyber forensics is digital
forensics, which encompasses several other digital forensic sub-disciplines.

Different types of digital forensics


Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of
these sub-disciplines are:
1. Computer Forensics – the identification, preservation, collection, analysis and reporting
on evidence found on computers, laptops and storage media in support of investigations
and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network activities or
events in order to discover the source of security attacks, intrusions or other problem
incidents, such as worm, virus or malware attacks, abnormal network traffic and security
breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones,
smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic
images to validate their authenticity by recovering the metadata of the image file to
ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and
video recordings. The science is the establishment of authenticity as to whether a recording
is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory forensics – the recovery of evidence from the RAM of a running computer, also
called live acquisition.
In practice, exceptions blur this classification, because how a provider groups its work is
dictated by staff skill sets, contractual requirements, lab space, etc. For example:
• Tablets or smart phones without SIM cards could be considered computers.
• Memory cards (and other removable storage media) are often found in smart phones and
tablets, so they could be considered under mobile forensics or computer forensics.
• Tablets with keyboards could be considered laptops and fit under computer or mobile
forensics.
The science of digital forensics has a seemingly limitless future and as technology advances, the
field will continue to expand as new types of digital data are created by new devices logging
people’s activity. Although digital forensics began outside the mainstream of forensic science, it
is now fully absorbed and recognized as a branch of forensic science.
Types of Digital Evidence
There are different types of digital evidence offering unique types of information. They are
broadly categorized into two groups:
• Evidence from data at rest (obtained from any device that stores digital information).
• Data intercepted while being transmitted (interception of data transmission/
communications).

Sources of Digital Evidence


Internet
Evidence obtained from the internet includes information collected from website
communications, emails, message boards, chat rooms, file sharing networks and intercepted
communications. Message boards and chat rooms contain mountains of information both in real
time as well as in archives. Although sources can often be tracked and identified, the internet
poses further problems: the culprits may be outside the jurisdiction of the courts, and some
websites are designed for user anonymity, making identification of culprits more difficult.
Computers
Computers are a repository of information with evidence obtained using special extraction
methods. Though information may overlap with Internet sources, computers provide many
unique and notable pieces of evidence including time stamps, IP addresses, information about
VPNs and MAC addresses.
Portable Devices
These include information sourced from cell phones, tablets and other handheld devices or
gadgets. Because of the dependency society has on portable devices, these have become the lead
source of digital evidence in many court cases.
Nomenclature, sanctity and relevance of Digital Evidence

As in the case of written or oral evidence, digital evidence can also be classified into three main
categories:

i. Material evidence:

Material evidence is any evidence that speaks for itself without relying on anything else. In
digital terms, this could be a log produced by an audit function in a computer system, the books
of account maintained on a day-to-day basis on the computer, or any inventory management
account maintained on the computer etc., if it can be shown to be free from contamination.

ii. Testimonial evidence:

Testimonial evidence is evidence supplied by a witness. This type of evidence is subject to the
perceived reliability of the witness, but if the witness is considered reliable, testimonial evidence
can be almost as powerful as material evidence. For example, word processor documents written
by a witness could be considered testimonial as long as the author is willing to depose that he
wrote the same.

iii. Hearsay:

Hearsay is any evidence presented by a person who is not a direct witness. Word processor
documents written by someone without direct knowledge of the incident, or documents whose
authors cannot be traced, fall in this category. Except in special circumstances, such evidence is
not admissible in a court of law. Even so, such evidence may constitute material and may be very
relevant in Income-tax proceedings, which are not bound by technical rules of evidence.
Otherwise, it can still provide important leads for further investigation.

Accordingly, merely gathering electronic evidence is not sufficient. Efforts have to be made to
corroborate its contents against other evidence, such as material and oral evidence. Preliminary
and detailed statements of the persons in control of the computers/electronic devices are always
very important.
Cardinal Rule of Digital Forensics
There are basically five cardinal rules to be followed systematically by a cyber forensic examiner:
1. Never Mishandle the Evidence
2. Never work on the Original Evidence
3. Never Trust the Subject’s Operating System
4. Document Everything
5. The results should be repeatable and verifiable by a third party

1. Never Mishandle the Evidence

The first cardinal rule says to preserve the evidence, which means that the evidence should not
be tampered with or contaminated. Secure collection of evidence is important to guarantee the
evidential integrity and security of information. The best approach is to use a disk imaging
tool. Choosing and using the right imaging tool is very important in a cyber forensics
investigation.

1.1 Disk imaging tool top-level requirements

• The tool shall make a bit-stream duplicate or an image of an original disk or partition on
fixed or removable media.
• The tool shall not alter the original disk.
• The tool shall be able to verify the integrity of a disk image file.
• The tool shall log I/O errors.
• The tool should provide good documentation.

1.2 Importance of Imaging: To preserve the original evidence, a forensic copy or image of the
original data is made using specialized software and a write blocker, so that the integrity of the
evidence is not altered. Analysis is then performed on the forensic copy of the evidence. The
original evidence is preserved in safe custody.

1.3 Chain of Custody: To document the evidence (who recovered it and when, who possessed it
and when), a chain-of-evidence form is generated and filled in. It helps the examiner document
what has and has not been done with both the original evidence and the forensic copies of the
evidence.
2. Never Work on the Original Evidence

The second cardinal rule says not to work on the original evidence, as digital evidence is very
fragile in nature. To maintain the integrity of the digital evidence and avoid any unknowing
alteration, preserve the original evidence in its pristine condition.

Pros and cons of using original evidence:

It is easier to work on the original evidence and the cost of doing so is also low. But if it is
analyzed directly, the digital evidence will lose its integrity and authenticity and will not be
admissible in any court.

3. Never Trust the Subject’s Operating System

A computer criminal can modify routine operating system commands to perform destructive
actions. Using the subject’s operating system could easily destroy data with just a few
keystrokes. When the subject computer starts, booting from its hard disk overwrites and changes
evidentiary data. To make sure that data is not altered, we need to monitor the subject’s computer
during the initial bootstrap to identify the correct key for accessing the CMOS setup.

4. Document Everything

To document the evidence, a chain-of-evidence form is created. It serves the following functions:
• Identifies the evidence.
• A copy of the legal authority should be obtained.
• Chain of custody, including an initial count of the evidence to be examined.
• Information regarding the packaging and condition of the evidence upon receipt by the
examiner.
• Lists the dates and times the evidence was handled.
• Documentation should be preserved according to the examiner’s agency policy.

5. The results should be repeatable and verifiable by a third party

The fifth cardinal rule says that the analysis done on the evidence should be fully auditable
by a third party. To establish the integrity of the information, a cryptographic hash value, such
as MD5 or SHA-1, is calculated so that it can be proven to the courts. Chain of custody forms are
created if the evidence is used in court or verified by any third party. The same process can be
conducted and verified by any expert or person.
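The imaging requirements in 1.1 and the hash verification in rule 5, worked through together as an added example that is not part of this text: a minimal bit-stream imager that hashes every byte it writes, logs unreadable blocks instead of aborting, and records each step in a chain-of-custody log that a third party can repeat. MemDisk, record, image_device and verify_image are names assumed here; the in-memory "disk" is constructed for the demo, SHA-256 stands in for the MD5/SHA-1 named above, and a real drive would be read through a hardware write blocker.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK = 4096  # fixed-size reads, as dd does


class MemDisk(io.BytesIO):
    """Constructed in-memory stand-in for a drive; the sector at bad_offset is unreadable."""
    def __init__(self, data=b"", bad_offset=None):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("Input/output error")
        return super().read(n)


def record(log, action, examiner, **fields):
    """Append one chain-of-custody entry (who did what, when, with which hash)."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action,
                "examiner": examiner, **fields})
    return log[-1]


def image_device(src, img, log, examiner):
    """Bit-stream copy src -> img, hashing every byte written. An unreadable block is
    logged and written as zeros so later offsets stay aligned (dd conv=noerror,sync)."""
    digest, errors, offset = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(BLOCK)
        except OSError as exc:
            errors.append({"offset": offset, "error": str(exc)})
            src.seek(offset + BLOCK)
            chunk = b"\x00" * BLOCK
        if not chunk:
            break
        img.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return record(log, "imaged", examiner, bytes=offset,
                  sha256=digest.hexdigest(), io_errors=errors)


def verify_image(img, expected_sha256, log, examiner):
    """Re-hash the image and compare; a third party repeats exactly this step."""
    img.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: img.read(BLOCK), b""):
        digest.update(chunk)
    match = digest.hexdigest() == expected_sha256
    record(log, "verified", examiner, sha256=digest.hexdigest(), match=match)
    return match
```

A verification that fails after the image has been touched is exactly what the log is for: the "verified" entry records the mismatch, the examiner and the time, and the analysis moves back to a fresh copy of the original.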
Collection & Preservation of Digital Evidence

On the scene: As anyone who has dropped a cell phone in a lake or had their computer damaged
in a move or a thunderstorm knows, digitally stored information is very sensitive and easily lost.
There are general best practices, developed by organizations like SWGDE and NIJ, to properly
seize devices and computers. Once the scene has been secured and legal authority to seize the
evidence has been confirmed, devices can be collected. Any passwords, codes or PINs should be
gathered from the individuals involved, if possible, and associated chargers, cables, peripherals,
and manuals should be collected. Thumb drives, cell phones, hard drives and the like are
examined using different tools and techniques, and this is most often done in a specialized
laboratory. First responders need to take special care with digital devices in addition to normal
evidence collection procedures to prevent exposure to things like extreme temperatures, static
electricity and moisture.
Seizing Mobile Devices
• Devices should be turned off immediately and batteries removed, if possible. Turning off the
phone preserves cell tower location information and call logs, and prevents the phone from being
used, which could change the data on the phone. In addition, if the device remains on, remote
destruction commands could be used without the investigator’s knowledge. Some phones have
an automatic timer to turn on the phone for updates, which could compromise data, so battery
removal is optimal.

• If the device cannot be turned off, then it must be isolated from its cell tower by placing it in a
Faraday bag or other blocking material, set to airplane mode, or the Wi-Fi, Bluetooth or other
communications system must be disabled. Digital devices should be placed in antistatic
packaging such as paper bags or envelopes and cardboard boxes. Plastic should be avoided as it
can convey static electricity or allow a buildup of condensation or humidity.

• In emergency or life-threatening situations, information from the phone can be removed and
saved at the scene, but great care must be taken in the documentation of the action and the
preservation of the data.

• When sending digital devices to the laboratory, the investigator must indicate the type of
information being sought, for instance phone numbers and call histories from a cell phone,
emails, documents and messages from a computer, or images on a tablet.

Seizing Stand Alone Computers and Equipment:

To prevent the alteration of digital evidence during collection, first responders should first
document any activity on the computer, components, or devices by taking a photograph and
recording any information on the screen. Responders may move a mouse (without pressing
buttons or moving the wheel) to determine if something is on the screen. If the computer is on,
calling on a computer forensic expert is highly recommended as connections to criminal activity
may be lost by turning off the computer. If a computer is on but is running destructive software
(formatting, deleting, removing or wiping information), power to the computer should be
disconnected immediately to preserve whatever is left on the machine.

Office environments provide a challenging collection situation due to networking, potential loss
of evidence and liabilities to the agency outside of the criminal investigation. For instance, if a
server is turned off during seizure that is providing a service to outside customers, the loss of
service to the customer may be very damaging. In addition, office equipment that could contain
evidence such as copiers, scanners, security cameras, facsimile machines, pagers and caller ID
units should be collected. Computers that are off may be collected into evidence as per usual
agency digital evidence procedures.

How and Where the Analysis is Performed (General Protocol)

Exploiting data in the laboratory: Once the digital evidence has been sent to the laboratory, a
qualified analyst will take the following steps to retrieve and analyze data:

1. Prevent contamination:
It is easy to understand cross contamination in a DNA laboratory or at the crime scene, but
digital evidence has similar issues which must be prevented by the collection officer. Prior to
analyzing digital evidence, an image or work copy of the original storage device is created.
When collecting data from a suspect device, the copy must be stored on another form of media to
keep the original pristine. Analysts must use “clean” storage media to prevent contamination or
the introduction of data from another source. For example, if the analyst was to put a copy of the
suspect device on a CD that already contained information, that information might be analyzed
as though it had been on the suspect device. Although digital storage media such as thumb drives
and data cards are reusable, simply erasing the data and replacing it with new evidence is not
sufficient. The destination storage unit must be new or, if reused, it must be forensically “wiped”
prior to use. This removes all content, known and unknown, from the media.

2. Isolate Wireless Devices:


Cell phones and other wireless devices should be initially examined in an isolation chamber, if
available. This prevents connection to any networks and keeps evidence as pristine as possible.
The Faraday bag can be opened inside the chamber and the device can be exploited, including
phone information, Federal Communications Commission (FCC) information, SIM cards, etc.
The device can be connected to analysis software from within the chamber. If an agency does not
have an isolation chamber, investigators will typically place the device in a Faraday bag and
switch the phone to airplane mode to prevent reception.
3. Install write-blocking software:
To prevent any change to the data on the device or media, the analyst will install a block on the
working copy so that data may be viewed but nothing can be changed or added.

4. Select extraction methods:


Once the working copy is created, the analyst will determine the make and model of the device
and select extraction software designed to most completely “parse the data,” or view its contents.

5. Submit device or original media for traditional evidence examination:


When the data has been removed, the device is sent back into evidence. There may be DNA,
trace, fingerprint, or other evidence that may be obtained from it and the digital analyst can now
work without it.

6. Proceed with investigation:


At this point, the analyst will use the selected software to view data. The analyst will be able to
see all the files on the drive, can see if areas are hidden and may even be able to restore
organization of files allowing hidden areas to be viewed. Deleted files are also visible, as long as
they haven’t been over-written by new data. Partially deleted files can be of value as well.

Files on a computer or other device are not the only evidence that can be gathered. The analyst
may have to work beyond the hardware to find evidence that resides on the Internet including
chat rooms, instant messaging, websites and other networks of participants or information. By
using the system of Internet addresses, email header information, time stamps on messaging and
other encrypted data, the analyst can piece together strings of interactions that provide a picture
of activity.
