Module 2: Digital Forensics

Fundamentals
-By
Asst Prof. Rohini M. Sawant
Introduction to Digital Forensics
● Digital forensics is the process of collecting and analyzing digital evidence in a way that maintains its
integrity and admissibility in court.
● Digital forensics is the process of storing, analyzing, retrieving, and preserving electronic data that may be
useful in an investigation. It includes data from hard drives in computers, mobile phones, smart
appliances, vehicle navigation systems, electronic door locks, and other digital devices.
● The process's goal of digital forensics is to collect, analyze, and preserve evidence.
● Digital Forensics is the process of investigating crimes committed using any type of computing device
(such as computers, servers, laptops, cell phones, tablets, digital camera, networking devices, Internet of
Things (IoT) device or any type of data storage device).
● It is used to investigate cybercrimes but can also help with criminal and civil investigations.
● Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing,
analysing, and reporting on data stored electronically.
● The main goal of digital forensics is to extract data from the electronic evidence, process it into actionable
intelligence and present the findings for prosecution. All processes utilize sound forensic techniques to
ensure the findings are admissible in court.
Introduction to Digital Forensics
● It is a branch of cyber security which mainly focus on investigation of cyber crime cases.
● Digital forensics recover and store the collected data securely to analyze and find the evidences
from digital devices.
● Digital forensics can be used in wide range cases which includes cybercrime, criminal
investigation, frauds and etc.
● Digital forensic investigations can bring out very crucial information after cyberattacks which can
be very helpful during the hearing process in the court of law.
● Digital forensics play a significant role in cyber security because it provides powerful tools and
techniques in investigating the cyber crime cases.
● Digital forensics is can be used to recover the deleted, modified, hidden and corrupted data and to
collect the evidence using tools and techniques.
● Digital forensic can help us to track the attackers place by analyzing network traffic and logs and it
also help us to find weakness and loop hole which later we can patch and improve the security.
 Objectives of Digital Forensics
Knowing the primary objectives of using digital forensics is essential for a complete understanding of what
is digital forensics:

● It aids in the recovery, analysis, and preservation of computers and related materials for the
investigating agency to present them as evidence in a court of law
● It aids in determining the motive for the crime and the identity of the primary perpetrator
● Creating procedures at a suspected crime scene to help ensure that the digital evidence obtained is not
tainted
● Data acquisition and duplication: The process of recovering deleted files and partitions from digital
media in order to extract and validate evidence
● Assists you in quickly identifying evidence and estimating the potential impact of malicious activity
on the victim
● Creating a computer forensic report that provides comprehensive information on the investigation
process
● Keeping the evidence safe by adhering to the chain of custody
 Need of Digital Forensics
Digital forensic investigations are essential in numerous scenarios, including corporate and legal contexts.
They help uncover critical evidence in cases of data breaches, intellectual property theft, cyberattacks, and
employee misconduct. For example, forensic experts can recover deleted files, trace unauthorized access,
and identify data exfiltration. Digital forensics is essential for several reasons, particularly in the context of
law enforcement, cybersecurity, and organizational data management. Here are some key needs for digital
forensics:

1. Investigating Cybercrimes: With the rise of digital technologies, cybercrimes (like hacking, data
breaches, identity theft, etc.) have become more common. Digital forensics helps law enforcement
track and analyze criminal activities in digital spaces.
2. Data Recovery: In case of system crashes, accidents, or malicious attacks, digital forensics can be
crucial for recovering important data that may otherwise be lost, such as financial records, emails, and
even deleted files.
3. Legal Evidence: In both criminal and civil cases, digital forensics plays a vital role in providing
verifiable evidence from devices such as computers, smartphones, or servers. The integrity and chain
of custody of the evidence are crucial in court.
 Need of Digital Forensics
4. Incident Response and Cybersecurity: Forensics help in identifying how a cyber attack occurred, what
was affected, and what vulnerabilities were exploited. This is critical for organizations to strengthen their
cybersecurity defenses and prevent future attacks.

5. Compliance and Data Privacy: Many industries require strict compliance with data privacy laws (like
GDPR or HIPAA). Digital forensics helps organizations investigate whether there has been a data breach and
assists in ensuring they meet regulatory requirements.

6. Preventing Future Attacks: By studying the tactics, techniques, and procedures (TTPs) used in previous
cybercrimes, digital forensics helps build stronger defenses against future incidents.

7. Internal Investigations: For businesses and organizations, digital forensics can help investigate internal
incidents, such as fraud, employee misconduct, or intellectual property theft, by analyzing the digital
footprints left behind.
 Types of Digital Forensics
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-
disciplines are:

1) Computer Forensics: the identification, preservation, collection, analysis and reporting on evidence found
on computers, laptops and storage media in support of investigations and legal proceedings.

2) Network Forensics: the monitoring, capture, storing and analysis of network activities or events in order
to discover the source of security attacks, intrusions or other problem incidents, i.e. worms, virus or malware
attacks, abnormal network traffic and security breaches.

3) Mobile devices Forensics: the recovery of electronic evidence from mobile phones, smartphones, SIM
cards, PDAs, GPS devices, tablets and game consoles.

4) Digital Image Forensics: the extraction and analysis of digitally acquired photographic images to validate
their authenticity by recovering the metadata of the image file to ascertain its history.
Types of Digital Forensics
5) Digital Video/Audio Forensics: the collection, analysis and evaluation of sound and video recordings.
The science is the establishment of authenticity as to whether a recording is original and whether it has
been tampered with, either maliciously or accidentally.

6) Memory forensics: the recovery of evidence from the RAM of a running computer, also called live
acquisition.

7) Cloud Forensics: Cloud Forensics is actually an application within Digital Forensics which oversees
the crime committed over the cloud and investigates on it.

8) Database Forensics: It is a branch of digital forensics relating to the study and examination of
databases and their related metadata.
Process of Digital Forensics
Process of Digital Forensics
Identification
◻ It is the first step in the forensic process. The identification process mainly includes things
like what evidence is present, where it is stored, and lastly, how it is stored (in which
format).
◻ Electronic storage media can be personal computers, Mobile phones, PDAs, etc.
Preservation
◻ In this phase, data is isolated, secured, and preserved. It includes preventing people from
using the digital device so that digital evidence is not tampered with.

Analysis
◻ In this step, investigation agents reconstruct fragments of data and draw conclusions based
on evidence found. However, it might take numerous iterations of examination to support a
specific crime theory.
Process of Digital Forensics
Documentation
◻ In this process, a record of all the visible data must be created. It helps in recreating
the crime scene and reviewing it. It Involves proper documentation of the crime scene
along with photographing, sketching, and crime-scene mapping.
Presentation
◻ In this last step, the process of summarization and explanation of conclusions is done.
◻ However, it should be written in a layperson’s terms using abstracted terminologies.
All abstracted terminologies should reference the specific details.
Benefits of Digital Forensics
◻ To ensure the integrity of the computer system.
◻ To produce evidence in the court, which can lead to the punishment of the culprit.
◻ It helps the companies to capture important information if their computer systems
or networks are compromised.
◻ Efficiently tracks down cyber criminals from anywhere in the world.
◻ Helps to protect the organization’s money and valuable time.
◻ Allows to extract, process, and interpret the factual evidence, so it proves the
cybercriminal action’s in the court.
 Digital Evidence
Digital evidence refers to any data or information stored or transmitted in digital form that can be used in a legal
context to support or refute claims made in court or during investigations. This evidence is typically stored in electronic
devices such as computers, smartphones, servers, or online platforms and can be in various forms.Types of digital
evidence:

1. Computer Evidence:
○ Files and Documents: Includes text files, spreadsheets, PDFs, images, and other document formats found
on computers or storage devices.
○ System Logs: Records of events or transactions that occur on a computer, including login attempts, file
accesses, or security alerts.
○ Operating System Data: Data about the operating system and its interactions, such as registry entries
(Windows) or system configuration files.
2. Mobile Device Evidence:
○ Text Messages: SMS, MMS, and instant messaging app contents like WhatsApp, Telegram, etc.
○ Call Logs: Records of incoming and outgoing calls, timestamps, and phone numbers.
○ App Data: Data from installed apps, including location history, contacts, calendar entries, and app-specific
records.
○ Multimedia: Photos, videos, or audio files saved on mobile devices.
 Digital Evidence
3. Internet Evidence:

● Emails: Correspondence sent or received via email, including attachments and headers that contain metadata.
● Web Browsing Data: Browsing history, cookies, cache, saved passwords, and online search queries.
● Social Media: Posts, comments, messages, and profiles from platforms like Facebook, Instagram, Twitter, and LinkedIn.
● Cloud Storage: Files and data stored on cloud services like Google Drive, iCloud, or Dropbox, including timestamps and
shared file activity.

4. Network Evidence:

● Network Traffic Logs: Information about data transmissions between devices on a network, including IP addresses, ports,
protocols, and timestamps.
● Access Logs: Details of when and how users connected to a particular server or website.
● Firewall Logs: Records that indicate allowed or denied network traffic, helpful in understanding cyber-attacks or unauthorized
access.

5. Digital Images and Videos:

● Photos and Video Files: Digital pictures or video recordings found on various devices or storage media, which can serve as
evidence in cases like fraud, surveillance, or criminal activity.
● Metadata: Information attached to digital images and videos, such as creation time, camera settings, geolocation, and editing
 Digital Evidence
6. Forensic Data:

● Hard Drive Evidence: Data extracted from hard drives and storage devices, including deleted files that can often be
recovered using forensic techniques.
● File System Data: Analysis of file structures, partitions, and storage locations that can provide insight into how data
was created or modified.

7. Cryptocurrency Evidence:

● Blockchain Data: Transactions, addresses, and wallet information associated with cryptocurrencies such as Bitcoin,
Ethereum, etc., that can provide financial evidence or trace illicit transactions.
● Wallet Information: Digital wallets used to store or transfer cryptocurrencies, including public and private keys.

8. VoIP and Communication Data:

● Voice Over IP (VoIP): Data from calls made through services like Skype or Zoom, including call logs, recordings,
and chat messages.
● Digital Audio Files: Recordings of conversations or meetings that may be considered as evidence in cases of fraud,
threats, or other crimes.
 Rules of Digital Evidence
There are five rules of collecting electronic evidence. These relate to five properties that evidence must have to be useful.

1. Admissible: Admissible is the most basic rule (the evidence must be able to be used) in court or otherwise. Failure to
comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher.
2. Authentic: If you can’t tie the evidence positively with the incident, you can’t use it to prove anything. You must be
able to show that the evidence relates to the incident in a relevant way.The evidence should act positively to an
incident.
3. Complete: It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you
collect evidence that can prove the attacker’s actions, but also evidence that could prove their innocence. For instance,
if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in,
and why you think they didn’t do it. This is called exculpatory evidence, and is an important part of proving a case.
4. Reliable: The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast
doubt on the evidences authenticity and veracity.
5. Believable: The evidence you present should be clearly understandable and believable by a jury. There’s no point
presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them
with a formatted, human-understandable version, you must be able to show the relationship to the original binary,
otherwise there’s no way for the jury to know whether you’ve faked it.
 Chain of Custody
Chain of Custody in digital forensics refers to the documented and unbroken trail of possession, control, and handling of
digital evidence from the moment it is collected to its presentation in court or during an investigation. It ensures that the
evidence has been properly secured, maintained, and documented at all stages to prevent tampering, alteration, or
contamination.

The chain of custody serves two primary purposes:

1. Verification of Authenticity: It confirms that the evidence presented in court is the same as the evidence collected
during the investigation, ensuring its integrity.
2. Prevention of Tampering or Contamination: It provides a clear record that helps demonstrate that the evidence has
been protected from unauthorized access or alterations.

Key Elements of Chain of Custody in Digital Forensics:

3. Collection:
○ The first step is to properly collect digital evidence, such as computers, mobile phones, servers, or external
storage devices, ensuring no alteration or destruction of data occurs during the process. For instance,
investigators often use write-blockers to prevent changes to storage devices while copying data.
○ Seizure of physical devices: When a device is physically seized, it must be labeled with unique identifiers
(e.g., case number, date, time, investigator's details) to ensure that it can be traced back to the original owner.
 Chain of Custody
2. Documentation:

● Every step in the handling and movement of digital evidence must be documented in a chain of custody log. This log
should include:
○ The date and time of collection and each transfer of evidence.
○ The identity of individuals handling the evidence (names, roles, and signatures).
○ A description of the evidence being collected (e.g., device type, serial numbers, or file names).
○ Any actions taken during each stage (e.g., data extraction, imaging, analysis).
● The log ensures that anyone handling the evidence can be traced, and any unauthorized access or changes to the
evidence can be identified.

3. Transfer and Storage:

● Digital evidence should be securely stored to avoid tampering. This can involve using locked storage areas for
physical devices and using encrypted drives or storage for digital copies of the evidence.
● Whenever evidence is transferred between locations (e.g., from a field site to a forensic lab), the chain of custody log
must be updated to reflect the transfer, including the names and roles of those involved.
 Chain of Custody
3. Analysis:

● During the analysis phase, forensic experts must ensure that any analysis or examination does not alter or compromise the
evidence. This includes using techniques that preserve the original data, such as forensic imaging (creating bit-for-bit copies of
digital storage devices).
● Any analysis or processing performed on the evidence must be documented to ensure it can be verified and understood later,
especially in legal contexts.

4. Reporting and Presentation in Court:

● This is the documentation phase of the Examination and Analysis stage. Reporting includes Statement regarding Chain of
Custody, Explanation of the various tools used, A description of the analysis of various data sources, Issues identified,
Vulnerabilities identified, Recommendation for additional forensics measures that can be taken.
● When digital evidence is presented in court, the chain of custody log serves as proof that the evidence presented is the same as the
evidence collected and has been handled in accordance with established procedures. The forensic expert must testify to the
integrity of the chain of custody and explain how the evidence was preserved and analyzed.

5. Security and Prevention of Unauthorized Access:

● To prevent tampering, all physical and digital evidence must be kept in secure environments where access is restricted to
authorized personnel only.
● Access to evidence should be logged and tracked, and all changes to the evidence should be recorded.
 Anti Forensics
Anti-forensics refers to techniques and methods used to obfuscate, alter, or destroy digital evidence in order to hinder or
prevent forensic investigations. The goal of anti-forensics is to make it difficult, if not impossible, for forensic experts to
recover, analyze, or authenticate data from digital devices. This can be done by both individuals trying to conceal illegal
activity or malicious actors seeking to avoid detection during criminal investigations or cyberattacks.

In digital forensics, anti-forensics can be a significant challenge because it undermines the integrity of the evidence, disrupts
the investigation, and complicates the work of forensic experts.

Key Types of Anti-forensics Techniques:

1. Data Destruction and Erasure:

○ File Deletion: Simply deleting files doesn't remove them completely. However, many users rely on basic file
deletion techniques to hide data. In response, anti-forensics techniques can involve sophisticated deletion
methods to make it much harder to recover deleted files.
○ Data Wiping: This involves the use of software to overwrite the data in sectors of the storage device multiple
times, making data recovery nearly impossible. Examples include tools like DBAN (Darik's Boot and Nuke) and
CCleaner.
○ Physical Destruction: Some perpetrators physically destroy the storage media (e.g., hard drives, SSDs) to
prevent any forensic recovery.
 Anti Forensics
2. Data Obfuscation:

● File System Manipulation: Anti-forensics techniques can manipulate file systems or operating systems to
hide files, folders, or system logs. This may involve altering timestamps, renaming files, or hiding files in
unusual locations.
● Metadata Stripping or Falsification: Metadata (e.g., file creation dates, access times, file paths) can be
altered or removed to hide the trail of digital evidence. This could include changing the file's timestamp or
using tools to modify access logs.
● Using Hidden Partitions: Some attackers create hidden or encrypted partitions on hard drives to store illicit
data in such a way that it is not immediately visible during a standard forensic analysis.

3. Log Tampering:

● Altering System Logs: Anti-forensics can include modifying system logs to erase traces of malicious activity,
such as login attempts, command execution, or network connections. This helps attackers cover their tracks
and avoid detection.
● Disabling Logging: Some attackers disable logging services or delete log files entirely to avoid leaving
behind any traces of their actions.
 Anti Forensics
4. Rootkits and Malware:

● Rootkits: A rootkit is a piece of malicious software designed to hide itself or other malicious processes from detection
by forensic tools or system administrators. Rootkits can be used to hide the presence of files, alter system behavior, or
modify logs to erase evidence of criminal activity.
● Fileless Malware: Some malware does not leave a traditional trace in files or on disk, making it harder to detect. It
operates in system memory and is often used to execute malicious actions without leaving a typical digital footprint.

5. Use of Virtualization and Cloud Technologies:

● Virtual Machines (VMs): Some attackers may use virtual machines to conduct their activities. These virtual machines
can be deleted after use, leaving no physical evidence behind on the host machine.
● Cloud Storage: Cloud services are sometimes used to store data, making it difficult for forensic experts to track down
the source or location of the data. If the cloud provider doesn't cooperate with authorities, the data could be effectively
hidden.

6. Anti-Forensics Software:

● Anti-forensics Tools: Some software tools are specifically designed to obstruct digital forensic investigations. These
tools can help users wipe files, encrypt data, and create fake timestamps or metadata to mislead investigators.
Incident Response
● Incident response (IR) refers to the structured approach that organizations take to
handle and manage the aftermath of a security breach, cyberattack, or any type of
malicious activity or data breach. The goal of incident response is to mitigate the
impact, recover systems and data, and prevent future incidents from occurring.
● Incident Response (IR) is a systematic approach to managing and mitigating the
impact of security incidents on an organization's information technology
infrastructure.
● The goal of incident response is to identify, contain, eradicate, recover, and learn
from security incidents in order to minimize damage and reduce the risk of future
incidents.
● It is a critical component of an organization's overall cybersecurity strategy.
 Incident Response
Methodology of Incident Response typically follows a series of stages, often referred to as the "Incident
Response Lifecycle." These stages provide a systematic approach to handling security incidents from
detection to recovery. Here's a detailed look at the methodology:

1. Preparation

● Objective: To establish and maintain an incident response capability.

● This stage includes creating an incident response (IR) policy, forming an incident response team (IRT),
and ensuring that tools and resources are in place for effective response. This also includes employee
training, creating response plans, and setting up monitoring and detection systems.
● Key Actions:
○ Develop and maintain an incident response plan.
○ Implement detection and monitoring tools (e.g., intrusion detection systems).
○ Conduct training and simulation exercises (e.g., tabletop exercises).
○ Ensure proper logging and data collection mechanisms are in place.
 Incident Response
2. Identification

● Objective: To detect and acknowledge the occurrence of an incident.

● In this phase, the organization identifies that an incident has occurred. This can be detected through
monitoring tools, alerts, or reports from users or automated systems. It’s crucial to verify that an event
is indeed an incident and not a false alarm.
● Key Actions:
○ Detect anomalies, suspicious activities, or system failures.
○ Confirm whether it’s a security incident or just a system malfunction.
○ Categorize the type of incident (e.g., malware, data breach, DDoS attack).
○ Escalate the incident to the appropriate response teams.
Incident Response
3. Containment

● Objective: To limit the scope and impact of the incident.

● In this phase, the immediate goal is to contain the incident and prevent it from spreading further, while
minimizing the damage to systems and data. There are typically two types of containment:
○ Short-term containment: Immediate actions to limit the incident’s damage (e.g., disconnecting
affected systems).
○ Long-term containment: Strategic actions to ensure that the incident doesn’t spread while
allowing for a full recovery (e.g., isolating the affected network segment).
● Key Actions:
○ Isolate affected systems from the network.
○ Disable or contain malicious processes.
○ Prevent the attacker from moving laterally within the network.
○ Preserve evidence for forensic analysis.
 Incident Response
4. Eradication

● Objective: To remove the cause and trace of the incident.

● In this stage, the goal is to eliminate the root cause of the incident and remove any malware,
vulnerabilities, or unauthorized access methods. This ensures the attack cannot recur from the same
exploit.
● Key Actions:
○ Identify and eliminate malicious files, scripts, or backdoors.
○ Apply patches and fix security vulnerabilities.
○ Ensure that all remnants of the attack are fully removed.
○ Verify that no further unauthorized access is possible.
Incident Response
5. Recovery

● Objective: To restore and resume normal operations while ensuring that the system is secure.
● The recovery phase focuses on bringing affected systems back online in a secure state. This can involve
restoring systems from backups, rebuilding compromised systems, or applying new security measures
to prevent recurrence.
● Key Actions:
○ Restore systems and data from secure backups.
○ Verify system integrity and security before bringing systems back online.
○ Monitor systems for signs of reinfection or lingering issues.
○ Conduct a full operational test to ensure systems are functioning properly.
Incident Response
6. Lessons Learned

● Objective: To analyze the incident and improve future response strategies.

● After the incident has been fully managed, organizations should conduct a retrospective review. This
allows the response team to evaluate the effectiveness of the response, identify areas for improvement,
and update policies, procedures, and tools.
● Key Actions:
○ Conduct a post-incident review (e.g., after-action report).
○ Identify what went well and areas for improvement in the response.
○ Update incident response plans, detection methods, and employee training.
○ Communicate lessons learned across the organization to improve future readiness.
Roles of CSIRT in handling incident.
● Remediating security incidents.

● Detecting and taking immediate action upon incidents.

● Providing a 360 view and in depth analysis of the past incidents.

● Preventive protocols are set up in the light of these reports that CSRIT provide after the incidents.

● Training to give the appropriate responses for new threats.

● Management of audits.

● Reviewing the security measures of networks and systems to detect vulnerabilities.

● Informing related departments about new technologies, policies and changes in protocols after security incidents.

● Maintaining internal communications and supervising operations during and after significant incidents.

● Creating and (when necessary) updating the incident response plan (IRP).

● Regularly reviewing standard security protocols and if needed, updating them.