
INTRODUCTION TO CYBER SECURITY 22ETC5L

MODULE 5
UNDERSTANDING COMPUTER FORENSICS
5.1 INTRODUCTION
• Cyber forensics is the application of forensic techniques to the investigation of cybercrimes, and it plays a key role in such investigations.
• The terms cyber forensics, digital forensics and computer forensics are used interchangeably in these notes.

5.2 HISTORICAL BACKGROUND OF CYBER FORENSICS


• The application of computers to investigating computer-based crime led to the development of a new field called computer forensics.
• The Florida Computer Crimes Act (1978) was the first computer crime law to address computer fraud and intrusion.
• The focus of computer forensics is to find the digital evidence required to establish whether or not a fraud or crime has been committed.
• Computer forensics is primarily concerned with the systematic "identification", "acquisition", "preservation" and "analysis" of digital evidence, typically after unauthorized access to, or unauthorized use of, a computer has taken place.
• Types of data typically requested for a digital forensics examination by law enforcement agencies include:
  - electronic mail (E-Mail) usage;
  - website history;
  - cell phone usage;
  - file activity history;
  - file creation or deletion;
  - chat history;
  - cellular and Voice over Internet Protocol (VoIP) phone usage;
  - account login/logout records, and more.
• The goal of digital forensics is to determine the "evidential value" of the crime scene and related evidence.
• The role and contributions of digital forensics experts closely parallel those of forensic scientists in other kinds of crime.

Mrs. Savitha J, DEPT OF E&C, SDIT 1



5.3 DIGITAL FORENSICS SCIENCE


• Digital forensics is the application of analytical techniques to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.
• More formally (the DFRWS 2001 definition), digital forensics is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
• The term computer forensics is generally taken to mean the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is magnetically stored or encoded (today this includes flash and other solid-state storage as well).
• Computer forensics is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata derived from digital devices that may contain information of evidentiary value in criminal investigations.

5.3.1 The role of digital forensics is to:

1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events.
4. Connect the attacking and victim computers.
5. Reveal an end-to-end path of events leading to a compromise attempt, whether successful or not.
6. Extract data that may be hidden, deleted or otherwise not directly available.

5.3.2 Typical scenarios are:

1. Employee Internet abuse.
2. Data leak or data breach: unauthorized disclosure of corporate information and data.
3. Industrial espionage: corporate spying activities.
4. Damage assessment after an incident.
5. Criminal fraud and deception cases.
6. Other criminal cases.
7. Copyright violations.


5.3.3 Data that can be examined with forensics tools includes:

1. History files (browser, shell and application histories).
2. Unallocated space: clusters not currently assigned to any file, which often still hold the contents of deleted files.
3. File slack: the unused tail of the last cluster allocated to a file, which may hold remnants of whatever occupied that cluster before.
4. FAT (File Allocation Table) information.
5. Hidden files.
6. Formatted files and file systems on disks (a quick format rewrites the file system metadata but leaves most of the file data in place).
7. Temporary files.
8. Data clusters.

5.4 NEED FOR COMPUTER FORENSICS

1. The convergence of Information and Communication Technology (ICT) advances and the pervasive use of computers worldwide have together brought many advantages to mankind.
2. At the same time, the tremendous capacity of modern computers and computing devices provides avenues for misuse as well as opportunities for committing crime.
3. The media on which the clues related to a cybercrime reside vary from case to case, and storage devices keep getting smaller (and larger in capacity) as electronics advance, which poses many challenges for the forensics investigator.
4. Looking for digital forensic evidence is like looking for a needle in a haystack. Here is one way to illustrate why tool-assisted forensics on suspect media is always needed:
   • Take a regular hard disk of 500 GB. An A4 page holds approximately 4160 bytes (52 lines × 80 characters, assuming 1 byte per character), i.e. roughly 4 KB.
   • An A4 sheet is about 0.004 inches thick.
   • 4 MB of data (1000 times 4 KB) printed on A4 sheets would make a stack 4 inches high.
   • 4 GB (1000 times 4 MB) would make a stack 4000 inches high.
   • The printout of 500 GB would be a stack 500,000 inches (about 8 miles) high!
   • It would be practically impossible to "retrieve" the relevant forensic data from such a heap by hand.
5. Users, businesses and organizations worldwide have to live with a constant threat from hackers who use a variety of techniques and tools to break into computer systems, steal information, change data and cause havoc.


6. The widespread use of computer forensics is the result of two factors: the increasing dependence of law enforcement on digital evidence, and the ubiquity of computers that followed from the microcomputer revolution.

5.5 CHAIN OF CUSTODY:


• Chain of custody is the chronological documentation trail that records the seizure, custody, control, transfer, analysis and disposition of evidence, physical or electronic.
• The basic idea behind the chain of custody is to ensure that the evidence has not been tampered with.
• From the moment the evidence is collected, every transfer from one person to another must be documented, because that documentation is what proves that nobody else could have accessed the evidence.
• The chain of custody is the process of validating how each piece of evidence was gathered, tracked and protected on its way to a court of law.
• Get into the habit of protecting all evidence equally, so that all of it will hold up in court.
• Forensic investigation professionals know that without a chain of custody the evidence is worthless.
• The purpose of the chain of custody is to demonstrate that a piece of evidence is what it is claimed to be.
• In other words, there is reliable information showing that the party offering the evidence can demonstrate that it is in fact what they claim it is, and can further demonstrate its origin and its handling since it was acquired.
• The chain of custody is therefore a chronological written record of every individual who has had custody of the evidence, from its initial acquisition until its final disposition. For digital evidence the record also carries a cryptographic hash (for example SHA-256) of the item, recomputed and compared at every handoff, so that any alteration is detectable.
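As an added example (not part of these notes), a small Python model of a custody log for one digital evidence item. The item IDs, officer names and the "disk image" bytes are all made up for the illustration; what it shows is the mechanism: the item is hashed once at seizure, every later handoff is recorded with who released and who received it, and the log refuses any handoff at which the item's SHA-256 no longer matches the original.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence item; changing a single bit changes it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when_utc: str        # ISO-8601, always UTC (see guideline 4 in 5.6.3)
    action: str          # seized / transferred / analysed / returned ...
    released_by: str
    received_by: str
    sha256: str          # hash verified at this handoff
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    original_sha256: str                      # recorded once, at seizure
    events: list = field(default_factory=list)

    def record(self, action: str, released_by: str, received_by: str,
               current_bytes: bytes, note: str = "") -> int:
        """Append a custody event; refuse the handoff if the item has changed."""
        h = sha256_hex(current_bytes)
        if h != self.original_sha256:
            raise ValueError(f"{self.item_id}: hash mismatch at '{action}': "
                             f"expected {self.original_sha256[:12]}..., got {h[:12]}...")
        self.events.append(CustodyEvent(
            when_utc=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            action=action, released_by=released_by, received_by=received_by,
            sha256=h, note=note))
        return len(self.events)

    def is_unbroken(self) -> bool:
        """The chain holds only if whoever received the item is the one who
        releases it next, and the hash never changed along the way."""
        if not self.events:
            return False
        for prev, nxt in zip(self.events, self.events[1:]):
            if prev.received_by != nxt.released_by or nxt.sha256 != self.original_sha256:
                return False
        return True

    def to_json(self) -> str:
        """Serialised log, suitable for signing and filing with the report."""
        return json.dumps(asdict(self), indent=2)


def seize(item_id: str, description: str, data: bytes, officer: str) -> EvidenceItem:
    """First link in the chain: hash the item and record who took it from the scene."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.record("seized", released_by="scene", received_by=officer, current_bytes=data)
    return item


if __name__ == "__main__":
    image = b"CONSTRUCTED SAMPLE, NOT A REAL DISK IMAGE " * 64   # constructed data
    ev = seize("EX-001", "USB stick (hypothetical item)", image, "Officer A")
    ev.record("transferred", "Officer A", "Examiner B", image, "handed to lab")
    ev.record("analysed", "Examiner B", "Examiner B", image, "worked on a copy")
    print("chain intact:", ev.is_unbroken())
    try:                                   # one flipped byte breaks the chain
        ev.record("returned", "Examiner B", "Officer A", image[:-1] + b"!")
    except ValueError as err:
        print("rejected:", err)
    print(ev.to_json())
```

In a real case the JSON log would itself be signed or kept on paper with signatures, since a log that the examiner can silently rewrite proves nothing; the hash check is what ties each written entry to the physical item.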

5.6 CYBER FORENSICS AND DIGITAL EVIDENCE


Cyber forensics can be divided into two domains:
1. Computer forensics
2. Network forensics
• Many threats arrive through computer networks, so network forensics assumes importance in the context of cybercrime.


• Network forensics is the study of network traffic to search for the truth in civil, criminal and administrative matters, in order to protect users and resources from exploitation, invasion of privacy and any other crime fostered by the continual expansion of network connectivity.
• Open (unsecured) networks are the source of many network-based cyber attacks.
• A survey conducted by a leading IT business revealed that 50% of the Wi-Fi Internet connections in the surveyed city remained unprotected.
• Wireless forensics is a discipline within the network forensics field.
• The goal of wireless forensics is to provide the methodology and tools required to collect and analyze network traffic that can be presented as valid evidence in a court of law.
• The evidence collected may be plain data or, with the broad use of VoIP technologies, especially over wireless, may include voice conversations.
• The wireless forensics process involves capturing all data moving over a Wi-Fi network and analyzing the network events to uncover anomalies, discover the source of security attacks, and investigate breaches on computers and wireless networks to determine whether they are or have been used for illegal or unauthorized activities. On an encrypted network a capture taken from the air yields only frame headers unless the examiner can decrypt the payloads (for WPA2-PSK that requires the passphrase and the captured 4-way handshake), so captures are often taken on the wired side or on the access point itself.
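The "capture, then analyze the events" step above, as an added example that is not part of these notes: a minimal parser for the classic pcap file format (the format tcpdump and Wireshark write), followed by one simple anomaly check, a SYN-only probe of many ports from one host. The capture is constructed inside the block with zeroed checksums and made-up 10.0.0.x addresses; it is not real traffic. The parser handles only Ethernet link-layer captures (link type 1); a raw Wi-Fi capture would carry link type 105 (802.11) or 127 (radiotap) and is rejected.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1       # a Wi-Fi capture would carry 105 (802.11) or 127 (radiotap)
SYN, ACK = 0x02, 0x10       # TCP flag bits


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (constructed test data)."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                       1, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + struct.pack("!H", 0x0800)
    return eth + ipv4 + tcp + payload


def build_pcap(frames, t0=1_700_000_000):
    """Wrap frames in a little-endian pcap file, one second apart starting at t0."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def parse_pcap(blob):
    """Return one dict per TCP/IPv4 packet: UTC timestamp, addresses, ports, flags."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:             # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", blob, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, packets = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, off)
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:
            continue                                  # not TCP, or truncated
        t = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, t)
        packets.append({
            "ts": datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc),
            "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": frame[t + 13]})
    return packets


def find_port_scans(packets, min_ports=5):
    """Flag (src, dst) pairs whose SYN-only packets touched many distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        if p["flags"] & SYN and not p["flags"] & ACK:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: sorted(v) for pair, v in ports.items() if len(v) >= min_ports}


def demo_capture() -> bytes:
    """Constructed capture: 10.0.0.5 probes six ports on 10.0.0.9; 10.0.0.7
    opens one normal connection. Not real traffic."""
    frames = [build_frame("10.0.0.5", "10.0.0.9", 40000 + i, port, SYN)
              for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    frames.append(build_frame("10.0.0.7", "10.0.0.9", 51000, 443, SYN))
    frames.append(build_frame("10.0.0.9", "10.0.0.7", 443, 51000, SYN | ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    pkts = parse_pcap(demo_capture())
    for pair, scanned in find_port_scans(pkts).items():
        print(f"possible port scan {pair[0]} -> {pair[1]}: ports {scanned}")
```

Note that pcap timestamps are whatever clock the capturing host had; the capture host's offset from UTC is recorded separately, exactly as guideline 4 in 5.6.3 requires for the suspect system.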

5.6.1 Computer systems have the following sources of evidence:

1. Logical file system and storage, consisting of:
   • File system: files, volumes, directories and folders, file allocation tables (FAT, as in older versions of Windows), clusters, partitions and sectors.
   • Random access memory (RAM), which holds running processes, keys and network state and is lost at power-off.
   • Physical storage media. Magnetic force microscopy has been proposed as a way to recover data from overwritten areas of magnetic media; in practice no such recovery has been demonstrated on modern high-density drives, which is why a single complete overwrite is accepted (for example by NIST SP 800-88) as adequate sanitization for them. Two regions of the media are of particular forensic interest:
     - Slack space: space allocated to a file but not actually used by it, because of internal fragmentation in the last cluster; it may still contain remnants of earlier data.
     - Unallocated space: clusters not assigned to any file, where the contents of deleted files remain until overwritten.
2. User-created files: address books, audio/video files, calendars, database files, spreadsheets, E-Mails, Internet bookmarks, documents and text files.
3. Computer-created files: backups, cookies, configuration files, history files, log files, swap files, system files, temporary files, etc.
4. Computer networks: evidence at the Application Layer, the Transport Layer, the Network Layer and the Data Link Layer.
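Slack space and unallocated space are easiest to understand on a volume small enough to see whole. The following Python model is an added example, not from these notes: a toy cluster-allocated volume in which deletion only frees allocation-table entries (as FAT and NTFS do), so a later small file inherits the previous occupant's bytes in its slack, and a deleted file whose clusters were never reused can be carved back out of unallocated space by its header and footer signatures. The file names, contents and JPEG-like magic bytes are constructed for the demonstration. The same block illustrates the "recover the contents of a deleted file" step of file system analysis in 5.8.

```python
CLUSTER = 64        # bytes per cluster (toy size; real FAT/NTFS use 512 B to 64 KiB)
NCLUSTERS = 8


class ToyVolume:
    """Minimal cluster-allocated volume. As in FAT and NTFS, deleting a file
    only frees its allocation-table entries; the bytes stay on the media."""

    def __init__(self):
        self.disk = bytearray(CLUSTER * NCLUSTERS)
        self.table = [None] * NCLUSTERS       # cluster index -> owning file or None
        self.files = {}                       # name -> (cluster list, size in bytes)

    def write(self, name: str, data: bytes) -> None:
        need = -(-len(data) // CLUSTER)       # ceiling division
        free = [i for i, owner in enumerate(self.table) if owner is None]
        if len(free) < need:
            raise OSError("volume full")
        clusters = free[:need]
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # cluster tail untouched
            self.table[c] = name
        self.files[name] = (clusters, len(data))

    def delete(self, name: str) -> None:
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.table[c] = None              # data is NOT wiped

    # ---- forensic views of the same bytes -----------------------------------
    def slack(self, name: str) -> bytes:
        """File slack: bytes from end-of-file to the end of the last cluster."""
        clusters, size = self.files[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        """All clusters the allocation table says are free, in disk order."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, owner in enumerate(self.table) if owner is None)

    def carve(self, header: bytes, footer: bytes) -> list:
        """Signature carving: recover deleted objects from unallocated space.
        Works only while the object's clusters are contiguous and in order."""
        blob, found, pos = self.unallocated(), [], 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header))
            if end == -1:
                break
            found.append(blob[start:end + len(footer)])
            pos = end + len(footer)
        return found


def demo() -> ToyVolume:
    """Constructed scenario: two files written and deleted, then a small note
    written into the first freed cluster."""
    vol = ToyVolume()
    minutes = b"%DOC%" + b"Board minutes: merger with ACME approved. " * 3 + b"%END%"
    photo = b"\xff\xd8\xff" + b"JPEG-PAYLOAD" * 8 + b"\xff\xd9"    # JPEG-like magic only
    vol.write("minutes.txt", minutes)          # clusters 0-2
    vol.write("photo.jpg", photo)              # clusters 3-4
    vol.delete("minutes.txt")
    vol.delete("photo.jpg")
    vol.write("note.txt", b"todo: lunch")      # reuses cluster 0, 11 bytes
    return vol


if __name__ == "__main__":
    v = demo()
    print("slack of note.txt:", v.slack("note.txt"))                    # tail of the minutes
    print("carved from free :", v.carve(b"\xff\xd8\xff", b"\xff\xd9"))  # the whole photo
```

Two things the toy makes visible: the 11-byte note carries 53 bytes of someone else's document in its slack, and the photo comes back intact although no directory entry points to it any more. The caveat in `carve` matters on real media: once a deleted file's clusters are fragmented or partially reused, signature carving returns corrupted or truncated objects, and file-system-aware recovery (following the old allocation metadata) is needed instead.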


5.6.2 The Rules of Evidence

According to the Indian Evidence Act, 1872, "evidence" means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; these are called oral evidence.
2. All documents (including electronic records) produced for the inspection of the court; these are called documentary evidence.
• It is only logical that the process used for digital evidence mimics the process used for paper evidence.
• As each step requires the use of tools or knowledge, the process must be documented, reliable and repeatable.
• It may also require examination to determine where a particular piece of evidence is physically located.
Three contexts are involved in identifying a piece of digital evidence:
1. Physical context: the evidence must be definable in its physical form, that is, it resides on a specific piece of media.
2. Logical context: it must be identifiable by its logical position, that is, where it resides relative to the file system.
3. Legal context: the evidence must be placed in the correct context to read its meaning. This may require interpreting the raw bytes under a particular encoding, for example as American Standard Code for Information Interchange (ASCII) text.
Digital evidence originates from a number of sources, such as seized computer hard drives and backup media, real-time E-Mail messages, chat room logs, Internet service provider records, web pages, digital network traffic, local and virtual databases, digital directories, etc.


5.6.3 Guidelines for the evidence collection phase (these follow RFC 3227, Guidelines for Evidence Collection and Archiving):
1. Adhere to your site's security policy and engage the appropriate incident handling and law enforcement personnel.
2. Capture as accurate a picture of the system as possible.
3. Keep detailed notes with dates and times. If possible, generate an automatic transcript. Notes and printouts must be signed and dated.
4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each time stamp provided, indicate whether UTC or local time is used.
5. Be prepared to testify, outlining all actions you took and at what times. Detailed notes will be vital.
6. Minimize changes to the data as you collect it. This is not limited to content changes; avoid updating file or directory access times.
7. When confronted with a choice between collection and analysis, collect first and analyze later.
8. Needless to say, your procedures should be implementable. As with any aspect of an incident response policy, procedures should be tested to ensure feasibility, particularly in a crisis.
9. For each device, adopt a systematic approach that follows the guidelines laid down in your collection procedure.
10. Speed will often be critical; where there are a number of devices requiring examination, it may be appropriate to spread the work among the team and collect the evidence in parallel.
11. Proceed from the volatile to the less volatile. The order of volatility is:
   • registers and cache (most volatile: contents are lost as soon as the power is turned off);
   • routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
   • temporary file systems;
   • disk;
   • remote logging and monitoring data relevant to the system in question;
   • physical configuration and network topology;
   • archival media (least volatile: holds data even after the power is turned off).
12. Make a bit-level copy of the system's media and record a cryptographic hash of both the original and the copy so that they can be shown to match. If you wish to do forensic analysis, make a second bit-level copy from your evidence copy for that purpose, as your analysis will almost certainly alter file access times. Avoid doing forensics on the evidence copy itself.
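Guidelines 4 and 12 together, as an added example that is not part of these notes: a Python acquisition routine that hashes the source, makes a bit-level copy, proves the copy matches, derives a working copy from the evidence copy, and writes an acquisition record carrying the examiner, the UTC time and the suspect clock's offset. Everything is assumed for the demonstration: the "device" is a 6116-byte temporary file standing in for something like /dev/sdb, the case ID and examiner name are made up, and the suspect clock is passed in as a parameter (at a real scene it is read from the machine's BIOS or OS and compared with a trusted UTC source).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; opened read-only so this program never writes to it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bit_level_copy(src: str, dst: str, chunk: int = 1 << 20) -> int:
    """Copy every byte of src to dst, slack and unallocated space included
    (what dd or dc3dd do). Returns the number of bytes copied."""
    total = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            fout.write(block)
            total += len(block)
    return total


def acquire(device: str, evidence_dir: str, case_id: str, examiner: str,
            suspect_clock: datetime) -> dict:
    """Guideline 12 with the hash check: image the device, prove the image
    matches, then derive a working copy and leave the evidence copy alone.
    suspect_clock is the time read from the suspect machine (guideline 4)."""
    evidence_img = os.path.join(evidence_dir, f"{case_id}.evidence.raw")
    working_img = os.path.join(evidence_dir, f"{case_id}.working.raw")
    source_hash = sha256_file(device)
    size = bit_level_copy(device, evidence_img)
    if sha256_file(evidence_img) != source_hash:
        raise RuntimeError("image hash differs from source; acquisition failed")
    os.chmod(evidence_img, 0o444)           # software write-protect the evidence copy
    bit_level_copy(evidence_img, working_img)
    now = datetime.now(timezone.utc)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "device": device,
        "acquired_utc": now.isoformat(timespec="seconds"),
        "suspect_clock_offset_s": round((suspect_clock - now).total_seconds()),
        "size_bytes": size,
        "sha256": source_hash,
        "evidence_copy": evidence_img,
        "working_copy": working_img,
        "working_copy_sha256": sha256_file(working_img),
    }


def demo() -> dict:
    """Constructed run: a 6116-byte file stands in for /dev/sdb, and the
    suspect clock is set 90 s ahead of UTC."""
    tmp = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(tmp, "sdb")
    with open(device, "wb") as f:                 # constructed 'device' contents
        f.write(os.urandom(4096) + b"deleted-file-remnant" + bytes(2000))
    fast_clock = datetime.now(timezone.utc) + timedelta(seconds=90)
    return acquire(device, tmp, "CASE-0001", "Examiner B", fast_clock)


if __name__ == "__main__":
    record = demo()
    for k, v in record.items():
        print(f"{k:>24}: {v}")
```

Opening the device read-only only stops this program from writing to it; the operating system may still mount the volume, replay a journal or update access times on its own. For real media that is why a hardware write blocker (or, at minimum, a read-only mount with access-time updates disabled) sits between the drive and the acquisition host. The hash in the record is the one entered in the chain-of-custody log of 5.5 and quoted in the report of 5.7.2.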


5.7 DIGITAL FORENSIC LIFE CYCLE


• In the FBI's view, digital evidence is present at nearly every crime scene.
• The cardinal rules to remember are that evidence must be:
1. admissible;
2. authentic;
3. complete;
4. reliable;
5. understandable and believable.

5.7.1 THE DIGITAL FORENSIC PROCESS


1. Identification and Preparation
2. Search and Seizure
3. Preservation
4. Examination
5. Analysis and conclusion
6. Reporting


5.7.2 THE PHASES IN COMPUTER FORENSICS/ DIGITAL FORENSICS


The forensics life cycle involves the following phases:
1. Preparation and Identification
2. Collection and Recording
3. Storing and Transporting
4. Examination and Investigating
5. Analysis, Interpretation and Attribution
6. Reporting
7. Testifying

1. Preparation and Identification

• Before evidence can be processed and used, it must first be identified as evidence.

2. Collection and Recording
• Digital evidence may be collected from many sources, including obvious ones such as computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on.
• Non-obvious sources include the settings of digital thermometers, "black boxes" inside automobiles, RFID tags and web pages.

3. Storing and Transporting
• The following specific practices have been adopted for handling digital evidence:
• Image computer media using a write-blocking tool, so that nothing is written to the suspect device.
• Establish and maintain the chain of custody.
• Document everything that has been done.
• Use only tools and methods that have been tested and evaluated to validate their accuracy and reliability.

4. Examination and Investigating
• In an investigation in which the owner of the digital evidence has not consented to having his or her media examined, special care must be taken to ensure that the forensics specialist has the legal authority to seize, copy and examine the data.
• As a general rule, one should not examine digital information unless one has the authority to do so.
• Amateur forensics examiners should keep this in mind before starting any unauthorized investigation.

5. Analysis, Interpretation and Attribution


• Analysis, interpretation and attribution of evidence are the most difficult aspects encountered by most forensic analysts.
• Basically, all digital evidence must be analyzed to determine what type of information is stored on it.
• For this purpose, special tools are used that can display the information in a format useful to investigators.

6. Reporting
• Once the analysis is completed, a report is generated.
• The report may be in written form, oral testimony, or a combination of the two.
• The broad-level elements of the report are:
1. Identity of the reporting agency.
2. Case identifier or submission number.
3. Case investigator.
4. Identity of the submitter.
5. Date of receipt.
6. Date of report.
7. Descriptive list of items submitted for examination, including serial number, make and model.
8. Identity and signature of the examiner.
9. Brief description of the steps taken during examination, such as string searches, graphic image searches and recovery of erased files.
10. Results and conclusions.

7. Testifying
• This phase involves the presentation and cross-examination of expert witnesses.
• Digital forensic evidence is normally introduced by expert witnesses.
• Only expert witnesses can address issues based on scientific, technical or other specialized knowledge.

5.8 DIFFERENT TYPES OF DIGITAL ANALYSIS THAT CAN BE PERFORMED ON THE CAPTURED FORENSICS EVIDENCE

1. Media Analysis:
• The analysis of the data from a storage device.


• This analysis does not consider partitions or other operating system (OS) specific data structures.
• If the storage device uses a fixed-size unit, such as a sector, that unit is what the analysis works with.
2. Media Management Analysis:
• The analysis of the management system used to organize the media.
• This typically involves partitions, and may include volume management or Redundant Array of Independent Disks (RAID) systems that merge data from multiple storage devices into a single logical device.
3. File System Analysis:
• The analysis of the file system data inside a partition or disk.
• This typically involves processing the data to extract the contents of a file or to recover the contents of a deleted file.
4. Application Analysis:
• The analysis of the data inside a file.
• Files are created by users and applications, and the format of the contents is application specific. Two important special cases are:
• OS analysis: an OS is an application too. This analysis examines the configuration files and the output data of the OS to determine what events may have occurred.
• Executable analysis: executables are digital objects that can cause events to occur, and they are frequently examined during intrusion investigations because the investigator needs to determine what events the executable could cause.
5. Network Analysis:
• The analysis of data on the communication network.
6. Image Analysis:
• Digital images are the target of many digital investigations.
• This type of analysis looks for information about where the picture was taken and who or what is in the picture.
• Image analysis also includes examining images for evidence of steganography.
7. Video Analysis:
• Digital video is used in security cameras and in personal video cameras and webcams.
• This type of analysis examines the video to identify objects in it and the location where it was shot.

5.9 PRECAUTIONS TO BE TAKEN WHEN COLLECTING ELECTRONIC EVIDENCE


Special measures must be taken while conducting a forensic investigation if the results are to be used in a court of law. To maintain the integrity of digital evidence, certain rules must be complied with. In general the following principles (the four principles of the UK ACPO Good Practice Guide for Computer-Based Electronic Evidence) are applicable:

1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

2. Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of his or her actions.

3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

IMPORTANT QUESTIONS
1. What is the difference between "digital forensics" and "computer forensics"? Explain.
2. Can a cybercrime investigation be done without involving a forensics expert? Explain with reasons.
3. Explain how the chain of custody concept applies in computer/digital forensics.
4. Explain the role of digital forensics.
5. Explain the best practices in handling digital evidence. Explain what the "rules of evidence" are.
6. What are the phases and activities involved in the life cycle of a digital forensics investigation process?
7. What are the typical elements of a digital forensics investigation report?
8. What are the different types of digital analysis that can be performed on the captured forensic evidence?
9. What are the precautions to be taken while collecting electronic evidence?
10. What is the nature of the evidence collected for network forensics?
