Digital Forensics Science
Computer Forensics:
❑ Computer Forensics refers to the process of identifying, preserving,
analyzing, and presenting digital evidence that resides in computer
systems to support legal investigations. The goal of computer forensics is
to recover, examine, and trace digital information, such as files, emails,
logs, and other data, to detect criminal activity or data breaches.
❑ Key Features:
Focuses specifically on data and evidence found in computers.
Involves recovering deleted, encrypted, or hidden files.
❑ Digital Forensics is a broader field encompassing the identification,
preservation, analysis, and documentation of digital evidence from a
variety of digital devices, including computers, mobile phones, networks,
and cloud services, to support legal investigations.
❑ Key Features:
Covers all forms of digital data, including mobile forensics, network forensics,
and database forensics.
Involves the collection of digital evidence from various devices and
environments.
� Digital Forensics Science
❑ In general, the role of digital forensic is to:
1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events.
4. Connect attack and victim computers
5. Reveal an end-to-end path of events leading to a compromise attempt,
successful or not
6. Extract data that may be hidden, deleted or otherwise not directly available.
❑ The typical scenarios involved are:
Employee Internet abuse
Data leak / data breach – unauthorized disclosure of corporate information
and data (accidental and intentional)
Industrial espionage (corporate spying activities)
Damage assessment (following an incident)
Criminal fraud and deception case
Criminal cases (many criminals simply store information on computers,
intentionally or unwittingly) and countless others
Copyright violation
� Digital Forensics Science
❑ Using digital forensic techniques, one can:
Corroborate and clarify evidence otherwise discovered
Generate investigative leads for follow-up and verification in other ways
Provide help to verify an intrusion hypothesis
Eliminate incorrect assumptions.
� The Need for Computer Forensics
❑ Computer forensics plays a crucial role in cybersecurity, law
enforcement, and corporate security, as it involves the collection,
preservation, analysis, and presentation of digital evidence in a way that
is legally admissible. The need for computer forensics arises from the
increasing reliance on digital systems, the prevalence of cybercrime, and
the critical importance of securing data and networks.
❑ Here are key reasons why computer forensics is essential:
1. Investigating Cybercrime
Cybercrimes such as hacking, identity theft, fraud, and data breaches are on
the rise. Computer forensics helps investigators track down the origin of these
attacks, determine how the crime was committed, and identify the
perpetrators.
2. Evidence Collection and Legal Compliance
Forensic techniques are used to collect and preserve digital evidence from
computers, mobile devices, and networks in a manner that maintains its
integrity and chain of custody. This ensures the evidence can be presented in
court as part of legal investigations.
3. Incident Response and Breach Analysis
After a security incident or data breach, computer forensics helps
organizations understand the scope and impact of the breach. It identifies the
entry point, the attacker’s methods, and the extent of the damage caused.
� The Need for Computer Forensics
This information is vital for mitigating damage, improving security defenses,
and preventing future attacks.
4. Data Recovery
Computer forensics can be used to recover lost, deleted, or corrupted data,
whether it is due to human error, system failure, or malicious activity such as
ransomware attacks.
It ensures critical data is recovered, helping organizations or individuals avoid
significant data loss and financial damage.
5. Prevention of Future Attacks
Forensic analysis of past incidents helps organizations and law enforcement
understand the weaknesses exploited during attacks. This knowledge
contributes to developing stronger security protocols and improving defenses.
6. Dispute Resolution
In civil cases, computer forensics can provide evidence in disputes involving
contracts, intellectual property theft, workplace misconduct, and other legal
matters.
7. Maintaining Corporate Integrity and Accountability
Computer forensics can be used to investigate insider threats, such as
employees leaking confidential information, conducting fraud, or engaging in
other unethical behavior.
� The Need for Computer Forensics
Chain of custody
❑ Chain of custody refers to the process of documenting and preserving the
integrity of evidence from the moment it is collected until it is presented
in court or used in an investigation. This documentation ensures that the
evidence has not been tampered with, altered, or compromised and that it
is admissible in legal proceedings.
❑ The chain of custody includes details such as:
Who collected the evidence.
Where and when the evidence was collected.
How the evidence was handled, stored, and transferred.
Who had access to the evidence at various stages.
❑ Key Steps in Chain of Custody:
Collection: Evidence is collected in a secure manner, documented, and labeled.
Storage: Evidence is stored securely in a tamper-evident manner to prevent
unauthorized access.
Transfer: When evidence is moved or handled by other individuals (e.g.,
investigators, forensic analysts), each handover is documented.
Preservation: Evidence must be stored in a way that ensures it remains
unaltered, even over long periods.
� The Need for Computer Forensics
❑ Example of Chain of Custody: Let’s consider a case of cybercrime where
a computer hard drive is collected as evidence in a hacking investigation.
1. Evidence Collection: A forensic investigator arrives at the scene and collects
the suspect's hard drive from a computer. They label the hard drive with a
unique identification number and record the time, date, and location where it
was seized.
2. Initial Documentation: The investigator signs a document, stating they
collected the hard drive at the specified location, and places the hard drive in a
secure, tamper-evident evidence bag.
3. Storage: The hard drive is transported to a secure forensics lab, where it is
logged into the evidence database and stored in a locked facility.
4. Transfer for Analysis: When another forensic analyst needs to examine the
hard drive, they sign a chain of custody form acknowledging that they
received the evidence. This document records the time and date of the
transfer.
5. Analysis and Return: After the analysis is complete, the analyst returns the
hard drive to secure storage, signing the form again to indicate the return.
6. Presentation in Court: When the case goes to trial, the prosecution presents
the hard drive as evidence, along with detailed documentation of its chain of
custody to prove that it remained intact and untampered throughout the
investigation.
� Cyberforensics and Digital Evidence
❑ Network forensics is the process of capturing, recording, and analyzing
network traffic to investigate cybercrimes, security incidents, or breaches.
The goal of network forensics is to monitor, track, and uncover any
malicious activity occurring across a network. It involves the examination
of data packets transmitted over a network to gather evidence of
unauthorized access, attacks, or other suspicious behavior.
❑ Applications of Network forensics:
Intrusion Detection: Identifying and investigating unauthorized access to a
network.
Data Breach Investigation: Tracking the source and method of a data breach
or information theft.
Malware Detection: Analyzing traffic patterns to detect the spread of malware
or ransomware across the network.
Compliance and Security Audits: Ensuring network activities comply with
security policies and regulations.
� Cyberforensics and Digital Evidence
❑ As compared to “physical evidence”, “digital evidence” is different in
nature because it has some unique characteristics. Here are the unique
characteristics that set digital evidence apart from physical evidence:
Digital evidences exists in electronic form and cannot be seen or touched
directly. It includes data stored in devices like hard drives, cloud storage, or
transmitted over networks.
Digital evidences are highly susceptible to alteration, deletion, or corruption.
Simple actions like opening a file or restarting a device can modify digital
data.
Digital evidences can be copied exactly without losing quality or originality.
Multiple identical copies of digital evidence can be created and stored.
Digital evidences requires specific hardware, software, or tools to access,
analyze, and interpret (e.g., forensic tools, encryption keys).
Digital evidences can exist in massive quantities, including logs, emails, social
media interactions, and entire databases. The amount of digital evidence can
be overwhelming.
Digital evidences contains hidden metadata, such as timestamps, file origins,
and modification history. This metadata can provide context and trace the
handling of digital files.
Digital evidences are more fragile in terms of legal admissibility because it’s
easier to challenge its authenticity, origin, or integrity without proper
collection methods.
� Cyberforensics and Digital Evidence
The Rules of Evidence
❑ There are number of contexts involved in actually identifying a piece of
digital evidence:
1. Physical Context: It must be definable in its physical form, that is, it
should refer to the actual physical location, medium, or device where the
digital evidence resides.
Example: A file stored on a hard drive or a message retrieved from a
smartphone’s memory.
2. Logical Context: It must be identifiable as to its logical position, that is,
where does it reside relative to the file system.
Example: A document stored in a folder on a computer’s operating system
3. Legal Context: We must place the evidence in the correct context to read
its meaning. Refers to the legal considerations involved in collecting,
preserving, and presenting digital evidence for admissibility in court.
Example: Ensuring that digital evidence is collected with a valid search
warrant and handled in compliance with data protection laws like the Indian
IT Act
❑ The path taken by digital evidence can be conceptually depicted as shown
below:
� Cyberforensics and Digital Evidence
❑ Following are some guidelines for the (digital) evidence collection phase:
Document every step of evidence handling, from the moment it is collected
until it is presented in court.
Include details such as who collected the evidence, where it was found, and
how it was handled during transfer and storage.
Respect privacy laws, data protection regulations, and relevant jurisdictional
requirements to ensure admissibility in court.
Capture hash values (e.g., MD5, SHA-256) of the evidence before and after
collection to confirm its integrity.
� Cyberforensics and Digital Evidence
Create a bit-by-bit forensic image (exact copy) of the storage device or digital
medium before performing any analysis.
Employ trusted and validated forensic tools that are widely accepted in digital
forensics practices (e.g., EnCase, FTK, X-Ways).
Take detailed notes and photographs of the physical and digital scene where
evidence is collected.
Proceed from the volatile to the less volatile. If possible, collect volatile data
(e.g., RAM, running processes, active network connections) before powering
off devices, as it is lost once the system is turned off.
Label digital evidence clearly with identifying information such as date, time,
location, and case number.
Store the evidence in secure, tamper-proof containers or bags to prevent
unauthorized access or damage.
Focus on collecting the most relevant digital evidence first to avoid excessive
data collection that could slow down the investigation.
Identify key data sources based on the nature of the case (e.g., email logs,
browsing history, social media activity).
� Cyberforensics and Digital Evidence
The Rules of Evidence
❑ Digital
❑ Some of these sources are listed below:
The
