
Forensics Handbook

The document is a comprehensive handbook on digital forensics, outlining guidelines for the collection, seizure, and analysis of digital evidence. It covers various topics including the evolution of digital forensics, legal and ethical considerations, types of digital evidence, and specialized areas such as mobile and network forensics. The handbook emphasizes the importance of maintaining a documented chain of custody and adhering to legal regulations throughout the forensic process.


"Digital Forensics: Unravelling the Digital Mysteries"

Collection, Seizure, Acquisition, Production, Role of IO and Performa

Ankush Mishra
Deputy SP
STF/Cyber
Uttarakhand

Disclaimer
• This Handbook has general guidelines, and specific procedures may vary depending on
the jurisdiction and the circumstances of the seizure.
• Always prioritize safety during a seizure. Avoid compromising the scene or causing
damage to the equipment.
• Consult with legal counsel to ensure compliance with all applicable laws.
• Maintain a documented chain of custody for all seized evidence.
• This Handbook is ONLY for learning and understanding, delivered as part of a public service.
Any format or Performa is only meant to help as a standard model format.
• Kindly adhere to the principles laid down in the new criminal laws and seek legal opinion
where in doubt.

Table of Contents
Chapter 1: Introduction to Digital Forensics ..................................................................................... 4
Definition of Digital Forensics ........................................................................................................... 4
Importance and Scope ......................................................................................................................... 4
Evolution of Digital Forensics ............................................................................................................ 5
Legal and Ethical Considerations ....................................................................................................... 6
Chapter 2: Fundamentals of Digital Forensics ................................................................................... 8
Basics of Computer Systems .............................................................................................................. 8
Ingredients of Digital Forensics .......................................................................................................... 9
Data Acquisition Techniques............................................................................................................. 10
Chain of Custody .............................................................................................................................. 10
Steps of Computer Forensics ............................................................................................................ 11
Chapter 3: Digital Evidence Collection ............................................................................................. 12
Types of Digital Evidence ................................................................................................................. 12
Volatile and Non-Volatile Data ......................................................................................................... 13
Locard's Exchange Principle ............................................................................................................. 14
Chapter 4: Forensic Imaging and Hashing ....................................................................................... 15
Introduction to Digital Evidence Acquisition ................................................................................... 15
Types of Digital Forensics ................................................................................................................ 15
Disk Imaging Techniques.................................................................................................................. 16
Creating Forensic Copies .................................................................................................................. 16
Types of Data Acquisition/ Forensic Copy making process ............................................................. 17
Chapter 4: Forensic Tools & Basic Data Acquisition ....................................................................... 19
Write Blockers .................................................................................................................................. 19
Introduction to Hash Value ............................................................................................................... 19
Hash Algorithms (MD5, SHA-1, SHA-256)..................................................................................... 20
Source Drive vs Target Drive ............................................................................................................ 21
SOP for using Write Blockers and Hash Value. ................................................................................ 21
Chapter 6: Network Forensics ........................................................................................................... 24
- Introduction to Network Forensics ................................................................................................. 24
- Network Traffic Capture ................................................................................................................. 25
- SOP of Network Capture & Packet Analysis .................................................................................. 26
Chapter 7: Mobile Device Forensics .................................................................................................. 29
- Introduction to Mobile Forensics.................................................................................................... 29
- Data Acquisition from Mobile Devices .......................................................................................... 30
- Analyzing Mobile Applications ...................................................................................................... 31

Chapter 8: Memory Forensics ........................................................................................................... 32
- Understanding Volatile Memory ..................................................................................................... 32
- Memory Acquisition Techniques .................................................................................................... 35
- Understanding Non-Volatile Memory ............................................................................................ 35
- Extracting Artifacts from Memory Dumps ..................................................................................... 37
Chapter 9: CCTV Forensics ............................................................................................................... 40
- About CCTV Forensics .................................................................................................................. 40
- Types of CCTV ............................................................................................................................... 41
- CCTV recording ways .................................................................................................................... 43
- SOP for CCTV Video Acquisition .................................................................................................. 44
- Precautions...................................................................................................................................... 46
Chapter 10: Browser Forensics .......................................................................................................... 47
What Data Does Browser Forensics Examine? ................................................................................ 47
Browser Forensics Tools: .................................................................................................................. 47
Browser Forensics Techniques:......................................................................................................... 47
Challenges in Browser Forensics: ..................................................................................................... 48
SOP for Step wise Browser Forensics: ............................................................................................. 48
Chapter 11: Seizure of Electronic Evidences .................................................................................... 51
- Seizure of Computer (Power On state) ........................................................................................... 51
- Seizure of Computer (Power Off state) .......................................................................................... 54
- Seizure of Mobile ........................................................................................................................... 56
Chapter 12: Reporting and Presentation .......................................................................................... 59
- Documenting Findings ................................................................................................................... 59
- Seizure Essentials ........................................................................................................................... 59
Annexure A: Network Traffic Capture ............................................................................................. 61
Annexure B: RAM dump with FTK Imager .................................................................................... 64
Annexure C: Non-Volatile Memory capture using FTK Imager .................................................... 66
Annexure D: Volatility Workbench on how to analyse RAM dump.................................................... 70
Annexure E: Browser Forensics (manually) ..................................................................................... 72
Annexure F: 63 BSA certificate by party .......................................................................................... 73
Annexure G: 63 BSA certificate by Expert ....................................................................................... 74
Annexure H: Model Seizure Memo (Digital Evidence) ................................................................... 75
Annexure I: Chain of Custody (Model Format)............................................................................... 77
Annexure J: Forwarding Note to FSL (Model Format) .................................................................. 79

Chapter 1: Introduction to Digital Forensics
Definition of Digital Forensics
Digital forensics is a branch of forensic science that specializes in the recovery, investigation,
analysis, and presentation of digital evidence. It's like detective work for the digital age, where
electronic devices and their contents become the crime scene.

Digital evidence encompasses any electronic information that can be used to prove or disprove
a fact in a legal case. This can include:

• Computer Hard Drives and Solid State Drives: Files, deleted files, system logs,
internet history, and application data.
• Mobile Devices: Similar to computers, mobile devices hold a wealth of data including
call logs, messages, photos, videos, and browsing history.
• Cloud Storage: Cloud-based data like emails, documents, and backups can also be
crucial evidence.
• Embedded Systems: Devices like routers, gaming consoles, and even smart appliances
can store data relevant to investigations.

Importance and Scope

Digital forensics plays a vital role in various areas:

• Cybercrime Investigation: Investigating cyberattacks, data breaches, online fraud,
identity theft, and other digital crimes.
• Corporate Investigations: Examining digital evidence in internal investigations
related to employee misconduct, intellectual property theft, or data breaches.
• Civil Litigation: Recovering digital evidence relevant to civil disputes like intellectual
property infringement or contract breaches.

As technology advances, the scope of digital forensics continues to broaden. Here are some
key areas of growth:

• Cloud Forensics: With the increasing reliance on cloud storage, the ability to
investigate and recover data stored in the cloud is becoming increasingly important.
• Mobile Device Forensics: The vast amount of personal and professional data stored
on smartphones and other mobile devices necessitates specialized forensic techniques
for extracting evidence.
• IoT Forensics: The Internet of Things (IoT) introduces new challenges and
opportunities for digital forensics. As more and more devices become interconnected,
the potential for digital evidence to be spread across numerous devices needs to be
considered.
• Social Media Forensics: Social media platforms can be a valuable source of evidence
in investigations. Digital forensics professionals need the skills to extract and analyze
data from these platforms while adhering to privacy regulations.

• Incident Response: Digital forensics plays a crucial role in incident response
planning and execution. By quickly identifying the source and scope of a cyberattack,
organizations can minimize damage and take appropriate mitigation measures.

Evolution of Digital Forensics

Digital forensics, like the technology it investigates, has undergone a remarkable evolution
over the past few decades. Here's a glimpse into this fascinating journey:

Early Days (1970s-1990s): The Dawn of Digital Investigation

• Focus on Personal Computers: The early days saw digital forensics primarily
focused on recovering data from floppy disks and hard drives used in personal
computers.
• Rudimentary Tools: Investigators relied on basic software utilities and manual
techniques to extract deleted files and analyze data.
• Limited Scope: The primary concern was computer-related crimes like hacking and
data theft.

Rise of the Internet and Network Forensics (1990s-2000s):

• The Internet Revolution: The explosion of the internet introduced new complexities.
Network forensics emerged to analyze network traffic and identify intrusions.
• Data Spread Across Devices: Digital evidence started residing on multiple devices
and locations, requiring new protocols for data collection and chain of custody.
• Standardization Efforts: Recognizing the need for consistency, organizations like
the National Institute of Standards and Technology (NIST) began developing best
practices for digital forensics.

Mobile Revolution and Beyond (2000s-Present):

• Mobile Forensics Takes Center Stage: The proliferation of smartphones and tablets
necessitated specialized techniques for extracting evidence from these devices.
• Cloud Storage on the Rise: The shift towards cloud-based storage presented new
challenges for accessing and analyzing digital evidence stored remotely.
• Evolving Threats: Cybercrime continued to evolve, with new threats like
ransomware attacks and cryptojacking emerging. Digital forensics needed to adapt to
these evolving threats.

Looking Ahead: The Future of Digital Forensics

• Focus on Emerging Technologies: As technologies like Artificial Intelligence (AI)
and the Internet of Things (IoT) become more prevalent, digital forensics will need to
adapt to handle the unique challenges associated with these technologies.
• Advanced Analytics: The use of AI and big data analytics will likely play a more
significant role in identifying patterns, extracting hidden evidence, and automating
forensic processes.

• Continuous Learning: Digital forensic professionals will need to continuously learn
and adapt to new technologies and evolving criminal tactics.

The digital forensics landscape is constantly evolving, driven by advancements in
technology and the ever-changing nature of cybercrime. The field requires professionals
with not only technical expertise but also the ability to think critically and adapt to new
challenges.

Legal and Ethical Considerations

In the digital forensics world, collecting and analyzing evidence is crucial for investigations.
However, it's equally important to ensure these processes comply with legal regulations and
ethical principles. Here's a breakdown of key considerations:

Legal Considerations:

• Search and Seizure Laws: Obtaining digital evidence often requires following
specific search and seizure laws. Warrants may be necessary to access certain devices
or data.
• Chain of Custody: Maintaining a clear chain of custody for digital evidence is
paramount. This ensures its authenticity and admissibility in court. Every step taken
with the evidence needs to be documented.
• Data Privacy Laws: Data privacy regulations like GDPR (General Data Protection
Regulation) and national privacy laws may restrict how investigators collect and
handle personal data. Anonymization or pseudonymization techniques might be
required.
• E-Discovery Rules: In civil litigation, e-discovery rules dictate how electronically
stored information (ESI) is collected, preserved, and produced. These rules govern the
scope of discovery, data deletion practices, and format of production.

Ethical Considerations:

• Objectivity and Impartiality: Digital forensics professionals must remain objective
throughout the investigation. They should avoid bias or manipulating evidence to fit a
predetermined conclusion.
• Data Minimization: Investigators should only collect and analyze the data necessary
for the investigation. Personal information unrelated to the case should not be
accessed or retained.
• Transparency and Documentation: The entire digital forensics process should be
well-documented, including the tools used, procedures followed, and any limitations
encountered. Transparency builds trust in the investigation.
• Respect for User Privacy: Investigators should respect the privacy of individuals
whose data is being examined. Only authorized personnel should access the data, and
it should be secured to prevent unauthorized access.

Maintaining the Balance:

Balancing legal requirements with ethical considerations is crucial. Digital forensics
professionals must:

• Stay informed: Continuously update their knowledge of relevant laws and
regulations.
• Seek legal guidance: Consult with legal counsel if unsure about the legality of
specific investigative techniques.
• Prioritize ethical principles: Uphold ethical principles even when they seem to
conflict with expediency.

Consequences of Non-Compliance:

Failing to adhere to legal and ethical considerations can have serious consequences:

• Suppression of Evidence: Evidence collected illegally or unethically may be deemed
inadmissible in court.
• Legal Action: Investigators may face legal repercussions for violating data privacy
laws or exceeding their authority.
• Loss of Public Trust: Unethical practices can erode public trust in law enforcement
and the justice system.

a) Challenges in Digital Forensics

The dynamic nature of digital evidence presents unique challenges:

• Data Volatility: Certain types of data, like RAM content, can be lost once a device is
powered off.
• Encryption: Encrypted data requires specialized techniques for decryption and
analysis.
• Data Deletion: Deleted data might not be completely erased and can be recovered using
advanced techniques.
• Evolving Technology: Digital forensics professionals need to stay updated with the
latest technologies and trends used by criminals.

Chapter 2: Fundamentals of Digital Forensics
Basics of Computer Systems
In digital forensics, understanding the fundamentals of computer systems is essential for
effectively investigating and analyzing digital evidence. Here's a breakdown of some key areas:

Hardware:

• Storage Devices: A core focus is understanding various storage devices like hard disk
drives (HDDs), solid-state drives (SSDs), and removable media (USB drives, memory
cards). Knowing how data is stored, accessed, and potentially deleted on these devices
is crucial.
• Operating Systems: Familiarity with different operating systems (Windows, macOS,
Linux etc.) is important. Understanding how these systems manage files, directories,
and user accounts helps investigators locate relevant evidence.
• Memory (RAM): Volatile Random Access Memory (RAM) can hold temporary data
that disappears when a computer is powered off. Techniques for acquiring and
analysing RAM content can reveal valuable information about ongoing processes and
recently accessed data.

Software:

• File Systems: Knowledge of different file systems (FAT32, NTFS, ext4 etc.) is
essential. File systems dictate how data is organized on storage devices, impacting data
recovery and analysis.
• Applications: Investigators may need to understand how specific applications (e.g.,
web browsers, email clients, office software) store and manage data. This knowledge
helps locate evidence specific to these applications.
• Digital Forensics Tools: Specialized software tools are used for various tasks in digital
forensics, including data acquisition, analysis, and reporting. Understanding the
capabilities and limitations of these tools is crucial for effective evidence collection.

Network Fundamentals:

• Network Protocols: Basic knowledge of network protocols (TCP/IP) helps
investigators understand how data travels across networks and identify potential
sources of digital evidence.
• Network Forensics: In cases involving cyberattacks or online activity, understanding
network forensics principles can be beneficial for analyzing network traffic and
identifying intrusions.

Additional Considerations:

• Encryption: Modern digital devices and data often utilize encryption. Basic knowledge
of encryption methods and potential workarounds can help access encrypted evidence.
• Data Deletion and Recovery: Understanding how data is deleted from storage devices
and the potential for data recovery is essential. Investigators need to employ techniques
that preserve data and avoid accidental overwriting of evidence.

Benefits of Understanding Computer Systems:

• Effective Evidence Collection: Knowing where to look for evidence and how to
collect it in a forensically sound manner is crucial.
• Data Interpretation: Being able to interpret data extracted from digital devices
requires a strong foundation in computer systems.
• Identifying Anomalies: Understanding how computer systems function normally
allows for easier identification of suspicious activity or potential evidence tampering.

Ingredients of Digital Forensics

• Primary Evidence: Including electronic records under primary evidence allows them
to be presented directly in court without the need for secondary sources, simplifying
the process (Section 57 of the Bharatiya Sakshya Adhiniyam).
• Admissibility and Authenticity: The focus on admissibility and authenticity
highlights the importance of ensuring the digital evidence is relevant to the case and
hasn't been altered or modified in any way (Section 61 of the Bharatiya Sakshya Adhiniyam).
• Hash Values: Section 63 of the Bharatiya Sakshya Adhiniyam mentions hash values as a
way to verify data integrity. A hash value is a unique mathematical fingerprint of the
data. If the hash value of the presented digital evidence matches the hash value
calculated at the time of collection, it strengthens the evidence's authenticity.
• Chain of Custody: Section 193 of the BNSS emphasizes maintaining a chain of
custody to demonstrate that the digital evidence hasn't been tampered with throughout
the collection, analysis, and presentation process.

Data Acquisition Techniques
Manual Extraction
• Description: Manually copying specific files.
• Advantages: May be useful for targeted data retrieval.
• Disadvantages: Time-consuming and error-prone. Not suitable for comprehensive
investigations.

Logical Extraction
• Description: Copying specific files based on criteria.
• Advantages: Faster than physical extraction. Smaller file size.
• Disadvantages: May miss relevant evidence if criteria are not well-defined.

Physical Extraction
• Description: Creating a bit-stream copy of the entire device.
• Advantages: Captures all potential evidence, including deleted data and hidden files.
Preferred for most investigations.
• Disadvantages: Requires more storage space. Can be slower than logical extraction.

Chain of Custody
• Establishes Trustworthiness: A strong chain of custody demonstrates that the
evidence hasn't been tampered with or altered in any way. This is crucial for ensuring
the evidence is reliable and admissible in court.
• Prevents Disputes: A clear chain of custody record helps prevent any doubts or
challenges about the evidence's handling during the investigation.
• Maintains Accountability: It holds everyone involved in handling the evidence
accountable for its proper care and security.

What Information Does the Chain of Custody Document Include?

• Detailed Description of the Evidence: This includes information like the type of
device, make and model, serial number, and any identifying marks.
• Date and Time of Collection: Records the exact time the evidence was seized or
acquired.
• Name of the Individual Collecting the Evidence: Documents who took possession of
the evidence initially.
• Transfer Log: Tracks every time the evidence is transferred between individuals or
locations. This includes the date, time, and reason for transfer, along with the names of
the individuals involved.
• Security Measures Taken: Details any security measures implemented to protect the
evidence, such as encryption or storage in a secure facility.

Maintaining a Strong Chain of Custody:

• Detailed Documentation: Maintain meticulous records of every step involving the
evidence, including collection, transportation, storage, analysis, and return.
• Limited Access: Restrict access to the evidence to authorized personnel only.
• Use of Write-Blockers: Employ write-blocking devices to prevent accidental or
malicious modification of the evidence.
• Secure Storage: Store the evidence in a secure location with appropriate access
controls.
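The following is an added example, not code from the handbook or its author. It ties together the hash-value point made under "Ingredients of Digital Forensics" (a fingerprint computed at collection and re-checked at presentation) with the chain-of-custody record fields listed above: description of the exhibit, date and time of collection, collector, a transfer log and security measures. The exhibit number, names, locations and file contents are constructed placeholders; the record is written in Python with only the standard library.

```python
# Added example (not from the handbook): a minimal chain-of-custody record
# carrying the fields listed above and a SHA-256 fingerprint taken at
# collection, so that a later copy can be checked against it.  Exhibit
# numbers, names, locations and file contents are constructed placeholders.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so that large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ChainOfCustody:
    """One record per exhibit. Entries are only ever appended, never edited."""

    def __init__(self, exhibit_id, description, collected_by, evidence_path):
        self.record = {
            "exhibit_id": exhibit_id,
            "description": description,  # type, make/model, serial no., marks
            "collected_by": collected_by,
            "collected_at": now_utc(),
            "sha256_at_collection": sha256_file(evidence_path),
            "security_measures": [],
            "transfers": [],
        }

    def add_security_measure(self, measure):
        self.record["security_measures"].append(measure)

    def transfer(self, from_person, to_person, reason, location):
        """Log a handover: date/time, both parties, reason and destination."""
        self.record["transfers"].append({
            "at": now_utc(), "from": from_person, "to": to_person,
            "reason": reason, "location": location,
        })

    def verify(self, evidence_path):
        """True only if the copy still matches the fingerprint taken at seizure."""
        return sha256_file(evidence_path) == self.record["sha256_at_collection"]

    def to_json(self):
        return json.dumps(self.record, indent=2)


def run_demo():
    """Constructed scenario: seize a file, log two handovers, then detect a change."""
    with tempfile.TemporaryDirectory() as tmp:
        exhibit = os.path.join(tmp, "exhibit_01.img")
        with open(exhibit, "wb") as f:
            f.write(b"constructed sample evidence image\n" * 64)

        coc = ChainOfCustody(
            exhibit_id="EXH-01 (placeholder)",
            description="USB flash drive, 16 GB, serial SN-PLACEHOLDER",
            collected_by="Investigating Officer (placeholder)",
            evidence_path=exhibit,
        )
        coc.add_security_measure("sealed in tamper-evident bag, kept in evidence room")
        coc.transfer("Investigating Officer", "Evidence room in-charge",
                     "deposit after seizure", "police station evidence room")
        coc.transfer("Evidence room in-charge", "Forensic examiner",
                     "forwarded for examination", "forensic laboratory")
        intact_before = coc.verify(exhibit)

        # Simulate an accidental write: a single changed byte alters the hash.
        with open(exhibit, "r+b") as f:
            f.write(b"X")
        intact_after = coc.verify(exhibit)

        return {
            "intact_before": intact_before,
            "intact_after": intact_after,
            "transfers": len(coc.record["transfers"]),
            "hash_hex_length": len(coc.record["sha256_at_collection"]),
            "json_has_transfers": '"transfers"' in coc.to_json(),
        }


if __name__ == "__main__":
    print(run_demo())
```

The record is append-only on purpose: a custody log that can be edited in place proves nothing. In practice the JSON would be printed and signed alongside the seizure memo, and the hash compared again by whoever receives the exhibit at each transfer.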

Consequences of a Broken Chain of Custody:

• Evidence Inadmissible: If the chain of custody is compromised, the evidence may be
deemed inadmissible in court, potentially weakening the case.
• Loss of Credibility: A broken chain of custody can raise doubts about the
investigation's integrity and damage the credibility of the evidence.

Steps of Computer Forensics

(Figure in the original: the process is shown as six stages.)

• Identification
• Extraction
• Interpretation
• Documentation
• Preservation
• Integrity of Evidence

Chapter 3: Digital Evidence Collection
Types of Digital Evidence
Traditional Digital Evidence:

• Document Files: This includes everything from text documents (like Word files) to
spreadsheets, presentations, and PDFs. Deleted documents can also be recovered
using forensic techniques.
• Emails: Emails and email attachments can be a rich source of evidence, containing
communication history, exchanged files, and timestamps.
• Databases: Databases can hold valuable information about individuals, transactions,
or organizational activities.
• Browser History and Cache: Web browsing history and cached data can reveal a
user's online activity and potentially visited websites.
• Application Data: Data stored by various applications like social media platforms,
messaging apps, or photo editing software can be relevant depending on the
investigation.

Mobile Device Evidence:

• Call Logs and Text Messages: These provide details about communication history,
including phone numbers contacted and message content.
• Photos and Videos: Images and videos captured or stored on mobile devices can be
crucial evidence.
• Location Data: Location data associated with photos, messages, or app usage can
reveal a user's whereabouts.
• App Activity: Information about installed apps, app usage data, and in-app activity
can be forensically extracted.

Other Digital Evidence Sources:

• Cloud Storage: Data stored in cloud storage services like Dropbox or Google Drive
can be accessed and analyzed for relevant evidence.
• Social Media Content: Public or private social media posts, messages, and account
information can be retrieved for investigations.
• Network Logs: Network logs record network activity and can be helpful in
identifying intrusions, unauthorized access attempts, or data transfers.
• Embedded Systems: Digital evidence can even be found on devices like routers,
gaming consoles, or smart appliances.

Additional Considerations:

• Deleted Data: Modern forensics techniques can often recover deleted data from
storage devices, making it crucial to preserve evidence properly.
• Metadata: Metadata, which is data about the data itself (e.g., creation date, file size)
can provide valuable insights for forensic analysis.
• Volatile Data: Data residing in RAM (memory) is temporary and disappears when a
device is powered off. Special techniques are needed to acquire and analyze this
volatile data.

Volatile and Non-Volatile Data

(Figure in the original: semiconductor memory (RAM and ROM) shown under two headings,
1. Non-volatile and 2. Volatile Data.)

Section 63 of the BSA now includes electronic records copied in semiconductor
memory in addition to optical or magnetic media as provided in the IEA.

Locard's Exchange Principle
Locard's Exchange Principle posits that "every contact leaves a trace." This principle is
foundational in forensic science, especially in the context of crime scene investigations.
It suggests that whenever two objects come into contact, there is always a transfer of
material.

The principle is used extensively to collect and analyse physical evidence in various
forms, such as fingerprints, fibres, hair, or traces of materials such as paint or broken
glass, which can link a suspect to a crime scene.

Chapter 4: Forensic Imaging and Hashing
Introduction to Digital Evidence Acquisition
When dealing with digital evidence in the context of forensic investigations, it is crucial
to handle data acquisition processes with the utmost integrity and precision to ensure
the evidence is admissible in court. Digital evidence acquisition involves several key
techniques: copying, imaging, and cloning. Each method serves specific purposes and
is chosen based on the requirements of the forensic examination.
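The following is an added example, not code from the handbook or its author. It shows the difference between the acquisition methods named above in working Python: image_device() makes a bit-stream (imaging) copy of a source, hashing the source and the finished image independently so that a short or corrupted write is caught, while logical_copy() takes only files matching a criterion, which is all a plain copy captures. The "device" is a constructed raw file in a temporary directory; on a real seizure the source would be a device node behind a write blocker, and the function and constant names are this example's own.

```python
# Added example (not from the handbook): a bit-stream imager that hashes the
# source and the image independently, beside a logical copy that takes only
# files matching a criterion.  The "device" and file tree are constructed in a
# temporary directory; on a real seizure the source would be a device node
# behind a write blocker.
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024  # read size; real tools use sector-aligned buffers


def _hash_stream(fileobj, chunk_size):
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def image_device(source, image_path, chunk_size=CHUNK):
    """Sector-style copy of every byte, including slack and unallocated space.

    Returns (source_sha256, image_sha256, bytes_copied).  The image is re-read
    and hashed separately so that a short or corrupted write shows up as a
    mismatch instead of being masked by the source hash.
    """
    src_digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            src_digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    with open(image_path, "rb") as img:
        img_sha256 = _hash_stream(img, chunk_size)
    return src_digest.hexdigest(), img_sha256, copied


def logical_copy(source_dir, dest_dir, keep):
    """Copy only files for which keep(relative_path) is true; return those paths."""
    copied = []
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            if keep(rel):
                target = os.path.join(dest_dir, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)  # copy2 also keeps file timestamps
                copied.append(rel)
    return sorted(copied)


def run_demo():
    """Constructed data: a raw 'device' file and a small file tree."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.raw")
        # size deliberately not a multiple of CHUNK, to exercise the final short read
        payload = bytes(range(256)) * (CHUNK * 3 // 256) + b"partial sector"
        with open(device, "wb") as f:
            f.write(payload)
        src_h, img_h, n = image_device(device, os.path.join(tmp, "device.dd"))

        tree = os.path.join(tmp, "tree")
        for rel, data in [("docs/report.pdf", b"%PDF-"), ("docs/notes.txt", b"note"),
                          ("pics/img.jpg", b"\xff\xd8")]:
            path = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        picked = logical_copy(tree, os.path.join(tmp, "logical"),
                              lambda r: r.endswith((".pdf", ".jpg")))
        return {
            "hashes_match": src_h == img_h,
            "bytes_copied": n,
            "device_size": len(payload),
            "logical_files": picked,
        }


if __name__ == "__main__":
    print(run_demo())
```

The logical copy never sees deleted files or unallocated space, which is exactly the gap the table of extraction techniques in Chapter 2 warns about; the image does, at the cost of storage equal to the whole device. Recording both hashes with the image is what lets the copy stand in for the original later.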

Types of Digital Forensics

There are two types of forensics: Live Forensics and Dead Forensics. The differences are
detailed below.

Definition
• Dead Forensics: Involves analyzing digital devices that are powered off.
• Live Forensics: Involves analysing digital devices that are operational and running.

Data Captured
• Dead Forensics: Entire contents of storage, including deleted and hidden files.
• Live Forensics: Data currently in RAM and transient information that would be lost on
shutdown, in addition to persistent storage.

Tools
• Dead Forensics: Disk imaging tools (e.g., FTK Imager, dd, EnCase).
• Live Forensics: Memory capture tools (e.g., Volatility, FTK Imager for RAM), network
monitoring tools (e.g., Wireshark).

Conditions
• Dead Forensics: Device must be powered off, ensuring no ongoing changes to digital
evidence.
• Live Forensics: Device remains powered on to capture real-time data and active network
connections.

Time Constraints
• Dead Forensics: Not time-sensitive since the device is off; data does not change during
acquisition.
• Live Forensics: Time-sensitive; data must be captured quickly to avoid loss of volatile
data.

Storage Needs
• Dead Forensics: Requires storage space equal to or greater than the original data.
• Live Forensics: Often requires less storage space for the captured data, but may need
more frequent captures.

Advantages
• Dead Forensics: More comprehensive capture of stored data, stable state, less risk of
data corruption.
• Live Forensics: Ability to capture live system state, running processes, and network
connections, which are crucial for analyzing malware and active data breaches.

Challenges
• Dead Forensics: Cannot access data only stored in memory or data that requires the
system to be running.
• Live Forensics: Risk of altering data during the capture process, potentially affecting
the integrity of the evidence.

Typical Use
• Dead Forensics: Most forensic investigations, especially after device seizure.
• Live Forensics: Incident response, real-time cyber breach investigations, where stopping
the system is impractical or would cause loss of critical data.

Disk Imaging Techniques
| Feature/Method | Copying | Imaging | Cloning |
|---|---|---|---|
| Definition | Transferring selected files or folders from one digital device to another. | Creating a sector-by-sector copy of an entire storage device, including all content. | Creating an exact hardware replica of the source storage device. |
| Purpose | Used when only specific data is relevant for the case. | Used for comprehensive analysis of all data on a device. | Used when multiple exact physical copies are needed for analysis or backup. |
| Data Captured | Selected files and folders only. | All files, folders, deleted files, and unallocated spaces. | Entire content of the original device, including system files and hidden partitions. |
| Tools | Basic file copying commands or forensic copying tools that preserve metadata. | Forensic imaging tools like FTK Imager, EnCase, dd. | Disk cloning software like Clonezilla. |
| Time | Relatively quick, depending on the amount of data selected. | Time-consuming, as it involves copying every sector. | Time-consuming, similar to imaging, but also requires an exact hardware match. |
| Storage Needs | Minimal, only for selected data. | High, requires storage space equal to the entire original device. | High, as it needs space for a full physical duplicate. |
| Considerations | Less comprehensive, does not capture potentially hidden or unallocated space data. | Most thorough, captures data in a way that is forensically sound. | Requires identical hardware, which can be costly and resource-intensive. |
| Usage Scenario | When the investigation focuses on specific known data. | When a detailed and untouched snapshot of data is required. | When there is a need to preserve the original device's exact state in multiple locations. |

Creating Forensic Copies


Number of Forensic Copies in Digital Forensics

The number of forensic copies created typically depends on the specific investigation and legal
requirements. However, there's a general principle of creating at least two copies of the
acquired digital evidence. Here's a breakdown of the rationale:

• Preservation: One copy serves as the pristine master copy. This copy should never be
modified, so that the original state of the evidence is preserved.
• Analysis: Additional copies can be used for various analytical purposes. This allows
investigators to explore different avenues or use specialized forensic tools without
risking alterations to the original copy.
• Security and Chain of Custody: Having multiple copies mitigates the risk of data loss
or corruption due to hardware failure, accidental modification, or other unforeseen
circumstances. This helps maintain a strong chain of custody, which is a documented
record tracking the movement and handling of the evidence.

• Legal Requirements: Some jurisdictions may have specific requirements regarding the
number of forensic copies that need to be retained.

Common Practices:

• Two Copies: This is the minimum, ensuring a working copy for analysis and a backup
for preservation.
• Three Copies: This adds an extra layer of security with a working copy, analysis copy,
and long-term archive.
• Four or More Copies: High-profile cases or investigations with strict legal requirements
might require additional copies for distribution (e.g., legal teams, reviewers).

Additional Considerations:

• Storage Requirements: Multiple copies consume storage space, especially for large
devices. Efficient storage solutions and data compression techniques are crucial.
• Version Control: If multiple copies are used for analysis, a clear version control system
is essential to track changes and ensure everyone uses the correct version.
• Chain of Custody: Maintain a meticulous chain of custody record for all copies.

Types of Data Acquisition / Forensic Copy-Making Process

| Feature/Method | Manual Extraction | Logical Extraction | Physical Extraction |
|---|---|---|---|
| Definition | Involves manually selecting and copying files and folders from the digital device. | Extracts data from the logical storage structure of the device, typically via software interfaces. | Creates a bit-by-bit copy of the entire storage medium, including unallocated space and deleted data. |
| Process | Requires human intervention to identify and copy relevant files or data manually. | Software tools extract data through logical interfaces such as operating system APIs or file systems. | Involves directly accessing the physical storage medium, bypassing the operating system, to create an exact replica. |
| Data Captured | Selective data chosen manually by the examiner based on relevance to the investigation. | Data stored in files, directories, and system areas accessible via logical interfaces. | Full contents of the storage medium, including deleted files, file system metadata, and unallocated space. |
| Tools | Typically involves basic file management tools or built-in operating system commands. | Specialized forensic software tools such as FTK Imager, EnCase, or X-Ways Forensics. | Hardware write blockers, forensic imaging tools like dd, or forensic acquisition hardware. |
| Speed | Can be relatively slow, as it depends on the examiner's manual selection process. | Generally faster than manual extraction due to automated tools and processes. | Slower than logical extraction due to the need to copy the entire storage medium. |
| Complexity | Less complex and requires minimal technical expertise, but may be prone to errors or omissions. | Moderately complex, requiring familiarity with forensic software tools and data structures. | More complex and requires advanced technical knowledge of storage devices and forensic principles. |
| Data Integrity | Susceptible to errors or omissions during manual selection, potentially impacting data integrity. | Maintains data integrity by extracting data via software interfaces without altering the original device. | Preserves data integrity by creating an exact replica of the storage medium, ensuring forensic soundness. |
| Use Cases | Suitable for quick analysis of specific files or folders when time and resources are limited. | Commonly used for data extraction from live systems or logical partitions where physical access is not possible. | Essential for comprehensive forensic analysis, especially when examining storage media for deleted or hidden data. |

Chapter 4: Forensic Tools & Basic Data Acquisition
I. Write Blockers
II. Introduction to Hash Value
III. Hash Algorithms (MD5, SHA-1, SHA-256)
IV. Source Drive vs Target Drive
V. SOP for using Write Blockers and Hash Value.

Write Blockers

Hardware Write Blockers: Hardware write blockers are used to stop and block
any modifying command from reaching the storage device. For example, if anyone
attempts to write or modify the evidence hard disk, then the write blocker will
immediately block the attempt.

Hardware write blockers have write-blocking software installed on a controller chip
inside a portable physical device. They are slower and more expensive than software
write blockers. Also, hardware write blockers require a separate connector for each
type of interface, such as SATA, IDE, and USB.

Introduction to Hash Value


In digital forensics, a hash value acts like a unique digital fingerprint for a piece of data. It's a
fixed-size string of characters generated by a mathematical algorithm that takes the original
data as input. Here's a breakdown of how hash values are used in digital forensics:

• Verifying Data Integrity: When a hash value is calculated for a file or an entire storage
device, it creates a unique signature. This signature can be recalculated later to verify
if the data has been altered or tampered with in any way. If the original and recalculated
hash values match, it indicates a high likelihood that the data hasn't been modified.

• Ensuring Chain of Custody: Hash values are often used throughout the chain of
custody process, which documents the movement and handling of digital evidence. By
calculating hash values at each stage (collection, storage, analysis), investigators can
demonstrate that the evidence hasn't been tampered with during the investigation.
• Identifying Duplicate Files: Hash values can help identify duplicate files across
different locations on a storage device or even across multiple devices. This can be
useful for streamlining analysis and reducing storage requirements.
• Detecting Malware: Some malware may attempt to modify existing files on a system.
By comparing the hash values of known clean files with the ones found on the device,
investigators can potentially identify files that have been infected with malware.

Properties of Hashing Algorithms:

• Deterministic: For a given input, the hash function always produces the same output
hash value.
• Collision Resistant: It's highly improbable to generate the same hash value for two
different pieces of data.
• Avalanche Effect: Even a minor change in the original data should result in a
significantly different hash value.

Limitations of Hash Values:

• Hash Collisions: While unlikely, it's theoretically possible for two different files to
generate the same hash value (collision). However, the probability of this happening
with robust algorithms like SHA-256 and SHA-3 is extremely low.
• Verification Only: Hash values only tell you if the data has been altered, not what
changes were made.

Hash Algorithms (MD5, SHA-1, SHA-256)


Common Hashing Algorithms in Forensics:

• MD5: An older algorithm, still used in some legacy systems, but considered less secure
due to potential collisions.
• SHA-1: Another older algorithm, considered less secure than SHA-256 due to
advancements in computing power.
• SHA-256: A widely used and secure hashing algorithm for digital forensics
applications.
• SHA-3: The latest standard from NIST (National Institute of Standards and
Technology), considered the most secure hashing algorithm for current use.
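The properties and uses listed above (determinism, the avalanche effect, integrity verification, duplicate detection and comparison against known-clean hashes) can be exercised directly with Python's standard hashlib. This is an added example, not code from the handbook; the file names, contents and "known-clean" digests are constructed for the demonstration.

```python
# Added example (not from the handbook): the hash properties and uses described
# above, demonstrated with Python's standard hashlib on constructed sample data.
from __future__ import annotations
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256")


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data`. Deterministic: the same input always yields the same digest."""
    return hashlib.new(algorithm, data).hexdigest()


def all_digests(data: bytes) -> dict[str, str]:
    """Digests under every algorithm listed above, as they would be recorded on an evidence form."""
    return {algo: hash_bytes(data, algo) for algo in ALGORITHMS}


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count of differing bits between two hex digests of the same algorithm.
    A tiny change to the input should flip roughly half the digest bits (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify(data: bytes, recorded_digest: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute and compare with the digest recorded at collection time."""
    return hash_bytes(data, algorithm) == recorded_digest


def find_duplicates(files: dict[str, bytes], algorithm: str = "sha256") -> dict[str, list[str]]:
    """Group file names by content digest; only groups with more than one name are returned."""
    groups: dict[str, list[str]] = {}
    for name, content in files.items():
        groups.setdefault(hash_bytes(content, algorithm), []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def changed_files(files: dict[str, bytes], reference: dict[str, str], algorithm: str = "sha256") -> list[str]:
    """Names whose current digest differs from the known-clean digest recorded for that name
    (the comparison the handbook describes for spotting modified files)."""
    return [name for name, content in files.items()
            if name in reference and hash_bytes(content, algorithm) != reference[name]]


if __name__ == "__main__":
    original = b"Constructed sample evidence file contents."
    tampered = b"Constructed sample evidence file contents!"   # one byte changed
    for algo, digest in all_digests(original).items():
        print(f"{algo:9} {digest}")
    h1, h2 = hash_bytes(original), hash_bytes(tampered)
    print("bits differing after a one-byte change:", bit_difference(h1, h2), "of 256")
    print("tampered copy verifies against recorded SHA-256:", verify(tampered, h1))
    sample = {"a.jpg": b"\xff\xd8\xff" + b"x" * 20, "b.jpg": b"\xff\xd8\xff" + b"x" * 20, "c.txt": b"hello"}
    print("duplicates:", find_duplicates(sample))
    clean = {"c.txt": hash_bytes(b"hello"), "d.dll": hash_bytes(b"clean build")}   # constructed reference set
    print("changed vs known-clean:", changed_files({**sample, "d.dll": b"modified build"}, clean))
```

Note that `verify` only reports whether the data differs from the recorded digest, not what changed, which is the "Verification Only" limitation listed above.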

Inclusion of Hash Values:

The mention of SHA-1, SHA-256, and MD5 hash values in the section suggests a new
requirement for secondary evidence certificates related to digital records. These hash values
would likely function as a way to verify the authenticity and integrity of the secondary
evidence. (Section 63 of Bhartiya Sakshya Adhiniyam 2023)

Source Drive vs Target Drive
Source Drive: The seized device from the crime scene is termed the source drive.
It can be any storage device, such as a hard disk drive (HDD), pen drive, SD card,
or floppy disk.
Target Drive: The target drive is the storage drive used to store the image, or true
copy, of the drive seized at the scene of crime. The target drive used to collect the
image should ideally be a new or fresh drive, and is usually twice the capacity of
the source drive.

SOP for using Write Blockers and Hash Value.

1. Materials and Tools Required:


• Write blockers (hardware or software)
• Forensic workstation (Laptop)
• Storage media to serve as TARGET drives (e.g., hard drives, USB drives)
• Forensic imaging software (e.g., FTK Imager, EnCase)
• Hashing software supporting MD5, SHA-1 and SHA-256
2. Procedure:
A. Preparation:
o Ensure that all necessary materials and tools are available and properly
functioning.
o Prepare the forensic workstation by ensuring it is free from any malicious
software and properly configured for forensic analysis.

o Verify the functionality of the write blockers and ensure they are properly
connected to the forensic workstation.
B. Acquisition using Write Blockers:
o Connect the storage device (Source Drive) containing the digital evidence to be
acquired to the write blocker.
o Connect the write blocker to the forensic workstation.
o Power on the write blocker and verify that write operations to the storage device
are blocked.
o Use forensic imaging software to create a forensic image of the storage device
(SOURCE DRIVE).
o Follow the software's instructions to acquire the image, ensuring that all relevant
data is captured.
o Once the acquisition is complete, verify that the write blocker is still functioning
correctly and disconnect the storage device.
C. Hashing and Verification:
o Generate hash values for the acquired forensic image using hashing software (e.g.,
MD5, SHA-1, SHA-256).
o Document the hash values generated for the forensic image, ensuring accuracy
and completeness.
o Compare the generated hash values with reference hash values obtained from the
original storage device before acquisition.
o If the hash values match, it indicates that the forensic image is identical to the
original storage device, verifying its integrity.
o If the hash values do not match, repeat the acquisition process to ensure accurate
preservation of evidence.
D. Documentation and Reporting:
o Document all steps performed during the acquisition process, including hardware
and software used, timestamps, and any deviations from the standard procedure.
o Record the hash values generated for the forensic image and their comparison
with reference hash values.
o Prepare a detailed report summarizing the acquisition process, including the
findings and the integrity verification results.
o Ensure that the documentation is stored securely and is easily accessible for future
reference and legal proceedings.
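Steps B and C of the SOP (acquire the image, hash source and image, compare, document) carried out in Python. This is an added example and not the handbook's or any vendor's tool: a constructed file stands in for the source drive, a chunked copy stands in for the imaging software, the source is opened read-only (on real evidence the hardware write blocker enforces this), and the examiner name is a placeholder. The log entry it returns holds the items step D asks to document.

```python
# Added example (not from the handbook): acquisition and hash verification of a
# constructed "source drive" file, producing a log entry for the case documentation.
from __future__ import annotations
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                      # read and write 1 MiB at a time
HASH_ALGORITHMS = ("md5", "sha256")  # the algorithms the SOP asks to record


def hash_file(path: str, algorithms=HASH_ALGORITHMS) -> dict[str, str]:
    """Compute several digests of a file in a single pass (works for images larger than RAM)."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire_image(source: str, target: str, examiner: str) -> dict:
    """Step B: copy `source` to `target` chunk by chunk, hashing the source as it is read.
    Step C: hash the finished image and compare. Returns the entry for the acquisition log."""
    started = datetime.now(timezone.utc).isoformat()
    src_hashes = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    fd = os.open(source, os.O_RDONLY)            # never opened for writing by this script
    with os.fdopen(fd, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in src_hashes.values():
                h.update(chunk)
            dst.write(chunk)
    source_hash = {name: h.hexdigest() for name, h in src_hashes.items()}
    image_hash = hash_file(target)
    return {
        "examiner": examiner,
        "started": started,
        "finished": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "target": target,
        "bytes": os.path.getsize(target),
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": source_hash == image_hash,   # mismatch means the acquisition must be repeated
    }


def verify_image(target: str, recorded: dict[str, str]) -> bool:
    """Re-hash an image later (e.g., before analysis or in court) against the recorded values."""
    return hash_file(target, tuple(recorded)) == recorded


def demo() -> tuple[bool, bool]:
    """Run the workflow on a constructed 3 MiB 'drive'.
    Returns (verified after acquisition, verified after the image is altered)."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source_drive.bin")
        target = os.path.join(workdir, "evidence_001.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))       # constructed sample, not real evidence
        entry = acquire_image(source, target, examiner="IO name (placeholder)")
        ok_before = entry["verified"] and verify_image(target, entry["image_hash"])
        with open(target, "r+b") as f:                  # simulate accidental modification
            f.seek(10)
            byte = f.read(1)
            f.seek(10)
            f.write(bytes([byte[0] ^ 0xFF]))
        ok_after = verify_image(target, entry["image_hash"])
        return ok_before, ok_after


if __name__ == "__main__":
    print("verified after acquisition, verified after tampering:", demo())
```

The same single-pass hashing is what makes the reference hash "obtained from the original storage device before acquisition" in step C cheap: the source is read once, and the digest of that read is compared with the digest of the image that was written.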

Chapter 5: File Analysis and Carving
- File Signatures and Headers
- File Fragmentation
- File Carving Techniques
- Reassembling Fragmented Files

Chapter 6: Network Forensics
- Introduction to Network Forensics
Network forensics is the specialized field of digital forensics that focuses on the investigation,
monitoring, and analysis of network traffic and network devices to gather evidence for
cybercrime investigations, incident response, and network security monitoring. It involves the
capture, analysis, and interpretation of data traversing a computer network or communication
channels to understand and mitigate security incidents, breaches, or unauthorized activities.
Key Components of Network Forensics:
1. Data Collection and Capture:
• Network forensics begins with the collection and capture of network traffic data
using specialized tools such as network analysers, packet sniffers, and intrusion
detection systems (IDS).
• Data capture may involve capturing packets from various network segments,
including local area networks (LANs), wide area networks (WANs), and the
internet.
2. Packet Analysis:
• Once the network traffic data is captured, it is analyzed at the packet level to
extract relevant information such as source and destination IP addresses, port
numbers, protocols, packet payloads, and timestamps.
• Packet analysis tools and techniques help identify anomalies, suspicious
activities, and security breaches within the network traffic.
3. Protocol Analysis:
• Network forensics involves dissecting and analyzing various network protocols
such as TCP/IP, HTTP, FTP, DNS, SMTP, and others to understand the
communication patterns and behaviors of network devices and applications.
• Understanding protocol interactions and deviations from standard protocols can
provide insights into potential security incidents or malicious activities.
4. Session Reconstruction:
• Network forensics enables the reconstruction of network sessions and
conversations between network hosts, including emails, chat messages, file
transfers, and other communications.
• Session reconstruction helps investigators understand the sequence of events,
identify involved parties, and determine the nature and scope of security
incidents.
5. Forensic Analysis and Attribution:
• Network forensic analysis involves correlating and interpreting evidence
collected from network traffic data to reconstruct the timeline of events, identify
attack vectors, and attribute malicious activities to specific individuals or
entities.
• Forensic analysis techniques include timeline analysis, signature-based
detection, anomaly detection, behavior analysis, and threat intelligence
correlation.
6. Incident Response and Mitigation:
• Network forensics plays a critical role in incident response by providing real-
time visibility into security incidents, breaches, or data exfiltration attempts.
• It enables security teams to quickly detect, contain, and mitigate security threats,
as well as gather evidence for legal proceedings and regulatory compliance.

- Network Traffic Capture


There are several excellent tools available for network traffic capture, each with its own
features, capabilities, and use cases. Here are some of the best tools commonly used for network
traffic capture:
1. Wireshark:
• Wireshark is one of the most popular and widely used network protocol
analyzers.
• It offers comprehensive packet capture and analysis capabilities for
troubleshooting, network monitoring, and forensic investigations.
• Wireshark supports a wide range of protocols and provides detailed packet
inspection, filtering, and decoding features.
• It is available for multiple platforms, including Windows, macOS, and Linux.
2. Tcpdump:
• Tcpdump is a command-line packet analyzer available for Unix-like operating
systems, including Linux and macOS.
• It offers powerful packet capture capabilities and can capture packets in real-
time or from saved capture files.
• Tcpdump supports a wide range of filters and options for capturing specific
types of traffic and analyzing network protocols.
3. tshark (part of Wireshark):
• tshark is the command-line equivalent of Wireshark and is included as part of
the Wireshark package.
• It provides similar packet capture and analysis features as Wireshark but can be
run from the command line, making it suitable for automated tasks and
scripting.

• tshark supports the same set of protocols and filters as Wireshark, making it a
powerful tool for network traffic capture and analysis.
4. Ethereal:
• Ethereal is the predecessor to Wireshark and offers similar packet capture and
analysis capabilities.
• While Wireshark has largely replaced Ethereal, Ethereal may still be preferred
by some users for compatibility with older systems or familiarity with its
interface.
5. Microsoft Network Monitor:
• Microsoft Network Monitor is a network protocol analyzer developed by
Microsoft for Windows operating systems.
• It provides packet capture and analysis capabilities for troubleshooting network
issues, monitoring network traffic, and diagnosing network performance
problems.
• Network Monitor supports various capture and filtering options and integrates
well with other Microsoft products and tools.
6. Nmap:
• Nmap is primarily known as a network scanning tool, but it also offers limited
packet capture capabilities.
• It can capture packets using the -sn (ping scan) or -sP (port scan) options and
provides basic packet inspection features.
• While not as feature-rich as dedicated packet analyzers like Wireshark, Nmap
can be useful for basic network traffic capture and analysis tasks.
Demonstrations of Wireshark (Annexure A)

- SOP of Network Capture & Packet Analysis


1. Prepare the Environment:
• Ensure that you have access to a network environment where the packet capture will
take place.
• Set up the necessary hardware (such as a network tap or switch port mirroring) to
capture network traffic without disrupting normal network operations.
• Install and configure packet capture software such as Wireshark on a dedicated forensic
workstation.
2. Capture Network Traffic:
• Start the packet capture software (e.g., Wireshark) on the forensic workstation.

• Select the network interface from which you want to capture traffic (e.g., Ethernet
adapter, Wi-Fi interface).
• Begin capturing packets by clicking the "Start" or "Capture" button in the packet
capture software.
3. Monitor and Collect Data:
• Allow the packet capture software to run for a specified duration or until you have
captured enough data for analysis.
• Monitor the packet capture in real-time to observe network traffic patterns, anomalies,
and potential security incidents.
4. Stop Packet Capture:
• Once you have captured sufficient data, stop the packet capture by clicking the "Stop"
or "Capture" button in the packet capture software.
5. Filter and Analyze Packets:
• Use filtering options in the packet capture software to focus on specific protocols, IP
addresses, ports, or other criteria relevant to your investigation.
• Analyze captured packets to identify patterns, anomalies, suspicious activities, or
security breaches.
• Examine packet headers and payloads to understand the nature and context of network
communications.
6. Extract Relevant Information:
• Extract relevant information from the packet capture data, such as source and
destination IP addresses, port numbers, protocols, packet payloads, timestamps, and
session data.
• Identify key network events, transactions, or sessions that are pertinent to your
investigation.
7. Reconstruct Network Sessions:
• Reconstruct network sessions and conversations between network hosts by analyzing
packet sequences and flow.
• Piece together fragmented data streams to reconstruct complete transactions, emails,
chat messages, file transfers, or other communications.
8. Interpret Results:
• Interpret the results of packet analysis to draw conclusions about the nature and scope
of security incidents, breaches, or unauthorized activities.
• Correlate findings with other forensic evidence and contextual information to
understand the broader context of the investigation.

9. Document Findings:
• Document your findings, observations, and analysis results in a detailed report.
• Include relevant metadata, timestamps, captured packets, session logs, and any other
supporting evidence.
10. Present Findings:
• Present your findings and analysis results to stakeholders, including incident response
teams, management, legal counsel, and law enforcement if necessary.
• Provide recommendations for remediation, mitigation, or further investigation based on
your analysis.
11. Secure and Store Data:
• Securely store packet capture data and analysis results in a tamper-proof manner to
maintain the integrity and admissibility of evidence.
• Ensure compliance with legal and regulatory requirements for data retention and chain
of custody.
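The packet-analysis and session-reconstruction steps described under "Key Components of Network Forensics" and in steps 5 to 7 of the SOP above, performed on a small capture. This is an added example, not code from the handbook or from Wireshark: it reads the standard pcap file format with only the Python standard library, extracts the per-packet fields the SOP lists (timestamp, source and destination IP addresses, ports, protocol, payload) and groups the packets into bidirectional conversations. The capture itself is constructed in the script (documentation-range addresses, made-up MAC addresses, a DNS query and one HTTP request/response), so it runs offline; a real investigation would load a `.pcap` written by Wireshark or tcpdump instead.

```python
# Added example (not from the handbook): minimal pcap reader plus session reconstruction,
# run over a capture constructed inline. Checksums are not validated.
from __future__ import annotations
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/(TCP or UDP) frame; checksum fields are left at zero."""
    if proto == 6:   # TCP: 20-byte header, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header carrying its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)   # made-up MAC addresses
    return eth + ip + l4 + payload


def build_pcap(packets: list[tuple[float, bytes]]) -> bytes:
    """Assemble a pcap file (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> list[dict]:
    """Packet analysis: one record per IPv4 TCP/UDP packet with timestamp, endpoints,
    protocol name and payload. Non-IPv4 and other protocols are skipped."""
    magic, _, _, _, _, _, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    records, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
        total_len = struct.unpack("!H", frame[16:18])[0]
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:14 + total_len]
        if proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]               # skip TCP header (data offset field)
        elif proto == 17:
            payload = l4[8:]
        else:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        records.append({"ts": sec + usec / 1e6, "src": src, "sport": sport, "dst": dst,
                        "dport": dport, "proto": PROTO_NAMES[proto], "payload": payload})
    return records


def reconstruct_sessions(records: list[dict]) -> dict[tuple, list[tuple[str, bytes]]]:
    """Session reconstruction: group packets into bidirectional conversations keyed by
    (protocol, endpoint A, endpoint B); each value is the time-ordered (sender, payload) list."""
    sessions: dict[tuple, list[tuple[str, bytes]]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        ends = sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])])
        if r["payload"]:
            sessions[(r["proto"], *ends)].append((f"{r['src']}:{r['sport']}", r["payload"]))
    return dict(sessions)


# Constructed capture: a DNS query followed by an HTTP request and its response.
SAMPLE_PCAP = build_pcap([
    (1700000000.000, build_frame("10.0.0.5", "203.0.113.10", 17, 50123, 53,
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01")),
    (1700000000.250, build_frame("10.0.0.5", "198.51.100.7", 6, 51000, 80,
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1700000000.400, build_frame("198.51.100.7", "10.0.0.5", 6, 80, 51000,
        b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")),
])


def summarize(data: bytes) -> list[str]:
    """One line per packet, in the form an examiner would list in a report."""
    return [f"{r['ts']:.6f} {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
            f"{len(r['payload'])} payload bytes" for r in parse_pcap(data)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP):
        print(line)
    for key, exchange in reconstruct_sessions(parse_pcap(SAMPLE_PCAP)).items():
        print(key)
        for sender, payload in exchange:
            print(f"  {sender}: {payload[:40]!r}")
```

Sorting the two endpoints before building the session key is what makes both directions of a TCP conversation land in the same session; Wireshark's "Follow TCP Stream" does the same grouping, and this is the point at which a report would quote the reassembled request and response rather than individual packets.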

Chapter 7: Mobile Device Forensics
- Introduction to Mobile Forensics
Mobile forensics is a branch of digital forensics that focuses on the recovery of digital evidence
or data from mobile devices under forensically sound conditions. The rapid proliferation of
mobile devices and their extensive use in communication, social interaction, banking, and even
remote work scenarios makes them rich sources of personal and sensitive information, which
can be crucial in a variety of legal contexts such as criminal investigations, civil litigation, and
corporate disputes.
Core Aspects of Mobile Forensics
1. Types of Devices:
• Smartphones and Tablets: These are the most common devices and include platforms
like Android, iOS, and occasionally Windows or BlackBerry.
• Other Mobile Devices: Includes smart watches, fitness trackers, and other IoT devices
that can pair with mobile phones.
2. Data Sources:
• Internal Memory: Non-volatile memory where user data and system files are stored.
• External Memory: Such as SD cards which store additional user data.
• SIM Cards: Contains information like the subscriber's identity, contacts, and text
messages.
• Cloud Backups: Data synced with cloud services like Google Drive for Android or
iCloud for iOS.
3. Challenges in Mobile Forensics:
• Device Diversity: Wide variety of devices with different operating systems, hardware
specifications, and security measures.
• Security Features: Encryption, passcodes, biometric locks, and factory reset
protections that can restrict access.
• Software Updates: Frequent updates can alter data storage structures and security
mechanisms.
• Tool Efficacy: Mobile forensic tools must be regularly updated to cope with the latest
devices and security measures.
4. Forensic Process:
• Acquisition: The process of extracting data from the mobile device. Can be physical
(bit-by-bit copy of an entire device), logical (extraction of logical storage files like
documents, call logs, texts, etc.), or file system extraction.
• Examination: Involves using various software tools to analyze and interpret the data
obtained during acquisition.

• Reporting: Documenting the process, findings, and evidence in a manner that is
understandable to those who may not have technical expertise.
Tools Used in Mobile Forensics:
• Cellebrite UFED: Widely used for both logical and physical extraction.
• Oxygen Forensics: Known for advanced data parsing and analysis capabilities.
• MSAB XRY: Extracts data and recovers deleted items from mobile devices.
• Magnet AXIOM: Integrates cloud data extraction along with traditional mobile device
data extraction.
Legal and Ethical Considerations:
Mobile forensic investigations must adhere to legal standards to ensure that evidence is
admissible in court. This includes maintaining the chain of custody, using forensically sound
methods to prevent data modification, and ensuring privacy laws are respected during the
acquisition and analysis of data.
Emerging Trends:
• Cloud Forensics: As more mobile data is backed up online, the ability to acquire data
from the cloud is increasingly important.
• Encryption: As default encryption becomes more prevalent, forensic analysts need
methods to decrypt data legally.
• IoT and Wearables: Expanding the scope of mobile forensics to include other
connected devices that interact with mobile phones.

- Data Acquisition from Mobile Devices

| Method | Description | Advantages | Disadvantages |
|---|---|---|---|
| Physical Acquisition | Bit-by-bit copy of the entire storage. Captures all data including deleted files. | Comprehensive recovery, including hidden and deleted files. | Time-consuming; may not work on encrypted or newer devices. Requires specialized tools. |
| Logical Acquisition | Extracts all data visible to the OS, such as media files, contacts, and messages. | Faster and simpler; no need to bypass security mechanisms. | Does not recover deleted files; limited to data accessible by the OS. |
| File System Acquisition | Extracts all files from the device's file system, including system files and databases. | More detailed than logical acquisition; accesses application data and databases. | Does not usually recover deleted data unless still present and marked as deleted. Requires some device access. |
| Cloud Extraction | Accesses data synced with cloud services linked to the mobile device. | Can be done remotely; accesses data no longer on the device but retained in the cloud. | Reliant on cloud credentials and sync settings; legal and privacy concerns. |
| Chip-off | Physically removes and reads the memory chip. | Useful for damaged or locked devices where other methods fail. | Highly invasive; risks physical damage to the chip/data; requires very specialized equipment. |
| JTAG | Accesses the device through its test access ports to extract data directly from the memory. | Useful for damaged devices; does not require removal of the memory chip. | Invasive; technical and complex; potential for device damage; specialized equipment needed. |

- Analyzing Mobile Applications


1. Place jammers at the scene of crime to jam all network signals.
2. Unlock the device by entering the passcode.
3. Enable flight mode.
4. In case of an Apple device, check the iCloud ID on the device.
5. Go to 'General' and then 'About' to check the device configuration, such as software
version, model name, serial number and IMEI number.
6. Check whether the date and timestamp belong to the current region.
7. Check the storage used by each application for further analysis.
8. Remove the passcode.
9. Connect the device to the PC containing UFED 4 PC.
10. Open UFED 4 PC on the computer.
11. Select the 'Mobile Device' option.
12. Click 'Auto Detect' to automatically detect the model of the mobile device.
13. Check the back panel of the mobile to confirm the exact model number.
14. Select the Advanced Logical method.
15. Select the file system.
16. Select the destination folder where the evidence will be saved and click Next.
17. Click 'Continue'.
18. Select the 'TRUST' option on the mobile device and click 'OK'.
19. Select a random password like 1234 and click 'OK'.
20. Click 'Finish'.

Chapter 8: Memory Forensics
- Understanding Volatile Memory
Capturing a RAM dump, also known as acquiring volatile memory, is a crucial step in digital
forensics investigations. Here's a general stepwise procedure for capturing a RAM dump:

Preparation:

1. Target System Selection: Identify the system where you need to acquire the RAM
dump. Ensure the system is powered on and accessible.
2. Legal Considerations: Be aware of any legal requirements or restrictions regarding
digital evidence acquisition in your jurisdiction.
3. Software Selection: Choose a suitable RAM capture tool. Popular options include:
o FTK Imager (supports various platforms)
o Volatility Framework (open-source command-line tool)
o Belkasoft Live RAM Capturer (Windows and Linux)
o Many operating systems also have built-in memory acquisition tools.
4. Target System Preparation: If possible, minimize activity on the target system to
reduce the amount of data written to RAM during acquisition.

Acquisition Process:

1. Boot the Acquisition Tool: Boot a separate system with the chosen RAM capture
tool or use a bootable version of the tool on the target system (if applicable).
2. Establish Connection: Depending on the tool, establish a connection to the target
system. This might involve using a network connection, physical firewire/USB
connection, or remote access methods.
3. Target Selection: Select the target system's memory for acquisition within the RAM
capture tool.
4. Acquisition Options: Configure any available options within the tool. This might
include specifying a destination for the captured RAM image file and choosing the
capture method (physical or logical).
5. Capture Initiation: Start the RAM capture process using the tool. This might involve
a single click or following specific commands depending on the chosen software.

Post-Acquisition:

1. Verification: Once the capture is complete, the tool might generate a verification
hash (e.g., MD5, SHA-256) for the captured RAM image. This hash can be used later
to verify the integrity of the captured data.
2. Documentation: Document the entire RAM capture process, including the date, time,
tools used, target system details, and any specific options chosen during acquisition.
3. Secure Storage: Store the captured RAM image file securely on a separate system
following established digital forensics chain of custody procedures.

Additional Considerations:

• Live vs. Hibernated/Sleep Mode Acquisition: Techniques for capturing RAM from
a live running system differ from those used for hibernated or sleep mode systems. A
hibernated Windows machine has its memory written to hiberfil.sys on disk; that file (and
pagefile.sys) is recovered from the disk image rather than by a live capture, so do not
wake a hibernated machine just to run a RAM capture tool.
• Memory Volatility: RAM is volatile memory, meaning data is lost when power is
lost. Ensure a quick and efficient acquisition process to minimize data loss.
• System Stability: The RAM capture process might affect system stability on the
target system. Proceed with caution, especially if acquiring from a critical system.

Here's a step-wise procedure for capturing a RAM dump using FTK Imager:

Preparation:

1. Target System Selection: Identify the system where you need to acquire the RAM
dump. Ensure the system is powered on, that a session is logged in or credentials are
available, and that it is accessible.
2. Legal Considerations: Be aware of any legal requirements or restrictions regarding
digital evidence acquisition in your jurisdiction.
3. Software Setup: Obtain FTK Imager, free of charge, from Exterro (formerly
AccessData) at https://www.exterro.com/ and copy the installed program folder to a
USB drive; it runs from there without installation. FTK Imager captures the memory of
the machine it is running on only, so it must be carried to the target, not installed on it.
4. Output Media: Bring an external drive with free space larger than the target's
installed RAM plus its pagefile; the image is written there, never to the target's own disk.

Target System Preparation:

• Do not reboot, log off, lock or close applications on the target, and run nothing else
before the capture; every action overwrites memory that may hold evidence.
Photograph the screen and note the logged-in user and open windows first.

Acquisition Process:

1. Attach Media: Plug the USB drive carrying FTK Imager and the external output drive
into the target system. Note the drive letters Windows assigns to each.
2. Launch FTK Imager: Run FTK Imager.exe from the USB drive as an administrator
(right-click, "Run as administrator"). Without administrative rights the driver that reads
physical memory cannot load and the capture fails.
3. Start the Memory Capture: Click "File" -> "Capture Memory...".
4. Destination Selection: Click "Browse..." and choose a folder on the external output
drive. Keep or change the default filename memdump.mem to something descriptive.
5. Capture Options:
o "Include pagefile": also copies pagefile.sys, where Windows keeps memory pages it
has swapped out. Tick it when the output drive has room; analysis tools can use it
alongside the RAM image.
o "Create AD1 file": wraps the output in an AD1 evidence container. Leave it unticked
when the analysis tool (for example Volatility) expects a raw .mem image.
6. Capture Initiation: Click "Capture Memory". FTK Imager reads physical memory
and shows the progress. Leave the target untouched until it reports completion.
7. Record the Capture Time: Note the time the capture started and finished, and
compare the target's clock with a reference clock so that any offset is on record.

Post-Acquisition:

1. Verification: FTK Imager's memory capture does not produce a verification hash of
its own. Immediately hash the image file (MD5 and SHA-256) with a hashing tool on
the acquisition workstation and record the values; every later copy is checked against
them.
2. Documentation: Document the entire RAM capture process, including:
o Date and time (start and end of the capture, and the target clock's offset)
o FTK Imager version used
o Target system details (hostname, operating system and version, logged-in user,
installed RAM)
o Whether the pagefile was included and whether an AD1 container was created
o Destination path and filename of the captured RAM image, and its hashes
o Drive letters of the tool and output media, and who performed the capture
3. Secure Storage: Store the captured RAM image file securely on a separate system
following established digital forensics chain of custody procedures.

Important Notes:

• This is a general guide, and menu names might vary slightly between FTK Imager
versions. Refer to the official FTK Imager documentation for detailed instructions.
• FTK Imager has no network or agent mode for memory; remote capture of a machine
you cannot reach physically needs an agent-based tool (see the technique table below).
• Running any tool on a live system changes part of its memory and leaves traces on
disk (prefetch entries, registry records of the USB devices). This is unavoidable;
document it rather than attempt to hide it, and make the RAM capture the first live
action taken.
• Capturing RAM from a live system can affect system stability. Proceed with caution,
especially on critical systems.

Annexure B: RAM Dump Collection with FTKImager

- Memory Acquisition Techniques

| Technique | Description | Advantages | Disadvantages |
|---|---|---|---|
| Hardware Acquisition | Uses specialized hardware to capture physical RAM contents. | Most reliable, captures complete image. | Expensive, complex setup, requires physical access. |
| Software Acquisition (Live Response) | Uses software tools to capture memory image. | Faster, less expensive. | May not capture complete image, vulnerable to anti-forensic techniques. |
| Local Acquisition | Software runs directly on target system for RAM capture. | Faster than hardware methods, no network required. | Requires physical access, may not be compatible with all systems. |
| Network Acquisition | Software on a separate system captures memory image remotely. | Convenient for modern systems, no physical access needed. | Relies on network connectivity, potential for delays. |
| Agent-based Acquisition | Pre-installed software agent facilitates remote memory capture. | Convenient for remote systems, allows for scheduled acquisition. | Requires prior agent deployment, potential security risks. |

- Understanding Non-Volatile Memory


Capturing non-volatile memory, which refers to data that persists even after power is lost,
involves creating a forensic image of the storage devices in a computer. Here's a stepwise
procedure for capturing a non-volatile memory image:

Preparation:

1. Target System Selection: Identify the computer from which you need to capture the
non-volatile memory. Ensure it's powered off and accessible.
2. Legal Considerations: Be aware of any legal requirements or restrictions regarding
digital evidence acquisition in your jurisdiction.
3. Tool Selection: Choose a suitable forensic imaging tool. Popular options include:
o FTK Imager (Windows; writes Raw (dd), E01, SMART or AFF images)
o Guymager (open-source, Linux; writes dd, E01 or AFF images)
o dc3dd or dcfldd (open-source command-line imagers with built-in hashing), or plain
dd on Linux when nothing else is available
Autopsy and similar analysis platforms read the finished image; they are not imaging tools.
4. Write-Blocking Device: Use a hardware write blocker between the evidence drive and
the acquisition system. It passes read commands and silently discards writes, so neither
the operating system nor the examiner can modify the original, and its use must be noted
in the acquisition record. Software write-blocking is a fallback, not a substitute.

Imaging Process:

1. Boot the Acquisition System: Boot the system where you have the chosen forensic
imaging tool installed.
2. Connect the Target Drive (if applicable): If the target storage device (HDD/SSD) is
removable, connect it to the acquisition system through the write blocker, using a
SATA/IDE adapter or USB bridge as required. Never plug an evidence drive straight into
a workstation whose operating system may auto-mount it and write to it.
3. Launch the Forensic Imaging Tool: Open the chosen forensic imaging tool on the
acquisition system.
4. Identify Target Drive: Locate and select the target storage device (HDD/SSD) that
represents the non-volatile memory you want to capture. The tool should provide a list
of available drives.
5. Destination Selection: Choose a destination on your acquisition system to save the
captured image file. Use a descriptive filename for the image (e.g.,
target_drive_image.dd).
6. Verification Options: Many tools offer options to verify the integrity of the captured
image after acquisition. Enable these options (e.g., MD5, SHA-256 hash calculation)
to ensure the image is an accurate copy.
7. Imaging Mode: Use the "physical acquisition" mode (if available) to capture a bit-by-
bit copy of the entire storage device. This ensures all data, including potentially hidden
or deleted files, is captured.
8. Imaging Initiation: Click the "Capture" or "Image" button to begin the imaging
process. The tool will display the progress.

Post-Acquisition:

1. Verification: Once the capture is complete, the tool hashes the source device and the
image file with the chosen algorithm(s) (e.g., MD5, SHA-256) and compares them. Matching
hashes show the image is a faithful bit-for-bit copy; record them, since every later working
copy is verified against the same values.
2. Documentation: Document the entire imaging process, including:
o Date and Time
o Forensic imaging tool used
o Target storage device details (model, size, serial number)
o Connection method (direct connection, write-blocking device used)
o Destination path and filename of the captured image file
o Verification hash values
3. Secure Storage: Store the captured image file securely on a separate system following
established digital forensics chain of custody procedures.

Additional Considerations:

• Imaging Internal Drives: Remove the drive and connect it to the acquisition system
through a write blocker where possible. If the drive cannot be removed (soldered storage,
hardware RAID, full-disk encryption tied to the original hardware), boot the target from
forensic live media that does not mount internal drives and image to an external disk, or
perform a live acquisition while the system is still running. Consult the documentation of
your chosen tool for specific instructions.
• Imaging Time: The imaging process can take a significant amount of time depending
on the size of the storage device.
• System Stability: Never start the target's own operating system to image it; booting it
alters timestamps, logs and free space. Forensic live media, or a live acquisition of a
system that is already running, are the acceptable ways to image with the target powered
on, and the latter deserves the same caution as a RAM capture on a critical system.
By following these steps, you can capture a forensic image of the non-volatile memory from a
computer, preserving the contents of the storage device for further digital forensics analysis.
Remember, using write-blocking devices and maintaining a proper chain of custody are crucial
for ensuring the evidential value of the captured image.
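The verification and documentation steps above, for the RAM image earlier and for the disk image here, reduce to one routine: copy the source sector by sector, write zeros for any sector that cannot be read and log its offset, hash the bytes as they are written, then re-hash the finished image against the record whenever it is copied. The Python script below is an added illustration of that routine and is not part of the handbook or of FTK Imager; it does in software what dd with conv=noerror,sync or FTK Imager's verify option does. FlakyDevice is a stand-in invented for the demo so the script runs on a constructed in-memory "drive"; on real media, pass an opened block device (behind a write blocker) as src and an open file on the destination drive as dst.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512  # a real device is read one sector (or a block of sectors) at a time


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for an evidence drive: acts like a file, but raises OSError
    when a read lands on a sector listed in bad_sectors (simulates a media error)."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        sector = self.tell() // SECTOR
        if sector in self.bad_sectors:
            self.seek(self.tell() + (size if size > 0 else SECTOR))  # skip the bad area
            raise OSError("I/O error at sector %d" % sector)
        return super().read(size)


def image_device(src, dst, sector_size=SECTOR):
    """Bit-for-bit copy of src into dst (both file-like, binary mode).
    Unreadable sectors are written as zeros and their numbers recorded, so the image
    keeps the source's exact size and layout. MD5 and SHA-256 are computed over the
    bytes actually written, which is what a later verification must reproduce."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_sectors, written = [], 0
    started = datetime.now(timezone.utc)
    src.seek(0, io.SEEK_END)
    size = src.tell()
    src.seek(0)
    while written < size:
        want = min(sector_size, size - written)
        try:
            chunk = src.read(want)
        except OSError:
            bad_sectors.append(written // sector_size)
            chunk = b"\x00" * want
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        written += len(chunk)
    return {
        "started_utc": started.isoformat(timespec="seconds"),
        "finished_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_written": written,
        "bad_sectors": bad_sectors,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def hash_stream(fileobj, chunk_size=1 << 20):
    """Hash an existing image (or any working copy) in chunks; returns (md5, sha256)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    fileobj.seek(0)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def verify_image(fileobj, record):
    """True only if both hashes of the image still match the acquisition record."""
    return hash_stream(fileobj) == (record["md5"], record["sha256"])


def demo():
    # Constructed 8-sector "drive": sector n is filled with byte value n; sector 5 is
    # unreadable, so the image must contain zeros there and the record must say so.
    data = b"".join(bytes([n]) * SECTOR for n in range(8))
    image = io.BytesIO()
    record = image_device(FlakyDevice(data, bad_sectors=[5]), image)
    # Imaging the same media again must reproduce the same hashes ...
    again = image_device(FlakyDevice(data, bad_sectors=[5]), io.BytesIO())
    # ... and a single changed byte in a copy must be caught by verification.
    tampered = io.BytesIO(image.getvalue()[:-1] + b"\xff")
    return {
        "record": record,
        "image_size": len(image.getvalue()),
        "sector_5_zeroed": image.getvalue()[5 * SECTOR:6 * SECTOR] == b"\x00" * SECTOR,
        "repeatable": again["sha256"] == record["sha256"],
        "verifies": verify_image(image, record),
        "tamper_detected": not verify_image(tampered, record),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record returned by image_device is the acquisition note the procedure asks for (start and end time, size, bad sectors, both hashes); keep it with the image, and run verify_image on every working copy before analysis.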

Creating Image of Hard Disk Using FTK Imager

• Step 1: Connect the source drive (a pen drive in this case) to the forensic workstation
through a write blocker.
• Step 2: Open FTK Imager as an administrator.
• Step 3: In the File menu, select "Create Disk Image...".
• Step 4: Choose the source type from the list offered (Physical Drive, Logical Drive,
Image File, Contents of a Folder, Fernico Device). Physical Drive gives the bit-for-bit
copy that forensic examination needs.
• Step 5: On selecting Physical Drive, all the connected drives will be available in the
dropdown list. Select the source drive (the pen drive in this case) from the list, checking
its size and model against the device in hand, and then click Finish.
• Step 6: Now click on the Add button.
• Step 7: Select the type of image from the list: Raw (dd), SMART, E01 or AFF. E01 is
generally preferred because it embeds the case details and hashes and can be compressed.
• Step 8: Fill in the case details: Case Number, Evidence Number, Unique Description
(for example pen drive size, model and serial number), Examiner name and Notes. Use the
Notes section for any additional information related to the case.
• Step 9: Now click on the Browse button and select the destination drive and folder where
the image will be saved. It is advisable to create the destination folder before starting
the acquisition process, and the destination must be a different drive from the source.
• Step 10: Name the image file without an extension (FTK Imager adds .E01) and set the
Image Fragment Size in MB depending on the size of the source drive (0 for a single file).
• Step 11: Tick the "Verify images after they are created" and "Precalculate Progress
Statistics" checkboxes and hit the Start button to initiate the acquisition.
• Step 12: Image.E01 (or Image.E01, Image.E02, ... when fragmented) will be created in the
destination folder together with a text file of the same name that records the case details,
the MD5 and SHA1 hashes computed during imaging, and the verification result. Keep that
text file with the image.

Annexure C: Non-Volatile/Disc Imaging using FTK Imager

- Extracting Artifacts from Memory Dumps


Step-by-Step Guide to Extracting Artifacts from Memory Dumps
Step 1: Capture the Memory Dump
First, ensure you have a valid and complete memory dump. This can be captured using tools
like FTK Imager, Magnet RAM Capture or WinPmem on Windows, or LiME or AVML on a
Linux system (plain dd of /dev/mem no longer works on current kernels, which restrict that
device). Make sure the memory dump is captured in a forensically sound manner, using
appropriate tools and techniques as previously described in capturing RAM.
Step 2: Choose the Right Tool
Select a tool that can analyze the memory dump and extract artifacts. Common tools include:
• Volatility: A well-known, open-source memory forensics framework that works with
memory dumps from Windows, Linux, and Mac systems. Volatility 3 is the current line;
Volatility 2 (Python 2) is no longer maintained but still has plugins Volatility 3 lacks.
• Rekall: A fork of Volatility with a different set of plugins and slightly different
approaches in analysis; it is no longer developed but still runs on older dumps.
• MemProcFS: Open-source tool that mounts a memory image as a virtual file system so
processes, modules and registry hives can be browsed and carved with ordinary tools.
(Magnet RAM Capture is an acquisition tool only; it does not analyse dumps.)
Step 3: Set Up the Analysis Environment
• 3.1 Environment Isolation: Ensure that the analysis environment is isolated and
secure. This prevents contamination of evidence and potential malware infection.
• 3.2 Tool Installation: Install the forensic analysis tool on your forensic workstation.
Ensure that you have the latest version of the tool and all necessary plugins.
Step 4: Load the Memory Dump
• 4.1 Open the Tool: Launch your chosen memory forensic tool.
• 4.2 Load the Dump: Import the memory dump file into the tool. Depending on the
tool, this might involve pointing it to the location of the dump file or running a specific
command to load the dump.
Step 5: Analyze the Memory Dump
• 5.1 Run Standard Commands/Plugins: Use commands or plugins to extract
information from the dump. Common artifacts and the corresponding Volatility plugins
(Volatility 2 name first, then the Volatility 3 equivalent, run as vol.py -f <dump> <plugin>)
include:
• pslist, pstree (windows.pslist, windows.pstree): To view running processes at the
time of dump capture; compare both, since a process missing from one listing but present
in another is a classic sign of a rootkit.
• netscan (windows.netscan): To list network connections and listening sockets.
• cmdscan, consoles (windows.cmdline for the command line each process was started
with): To extract command history.
• hashdump (windows.hashdump): To extract local account password hashes from the
SAM hive held in memory.
• malfind (windows.malfind): To identify potential malware by scanning for injected or
unbacked executable memory regions.
• 5.2 Document Findings: Record the outputs of each command, taking screenshots if
necessary for reporting purposes.
Step 6: Extract Specific Artifacts
Based on the initial findings, target specific areas for deeper analysis:
• 6.1 Extract Files: Use tools like dumpfiles in Volatility to extract files loaded in
memory.
• 6.2 Retrieve Browser History/Cache: Look for internet artifacts that can be crucial in
understanding user behavior.
• 6.3 Decrypt Credentials: Utilize tools/plugins to decrypt or locate passwords and
encryption keys.
Step 7: Cross-Referencing and Correlation

• 7.1 Correlate Data: Cross-reference extracted data with other sources such as hard
drive analysis, log files, and network traffic captures to build a comprehensive picture.
• 7.2 Anomaly Detection: Look for anomalies or signs of tampering in the memory
artifacts which could indicate sophisticated malware or advanced persistent threats
(APT).
Step 8: Reporting
• 8.1 Detailed Report: Compile a detailed forensic report that documents every step
taken, tools used, findings, and artifacts extracted. This report should be clear enough
for non-technical stakeholders to understand the implications of the findings.
• 8.2 Review and Revise: Review the report for accuracy and completeness. Revise if
necessary to include all relevant technical and procedural details.
Step 9: Secure Storage
• 9.1 Secure Evidence: Ensure all extracted artifacts and the full memory dump are
securely stored in accordance with legal and organizational guidelines. This ensures
evidence integrity for future review or legal proceedings.
Extracting artifacts from memory dumps is a detailed and often complex process, but following
these structured steps will help ensure thorough and accurate analysis in digital forensic
investigations.
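Many of the internet artifacts mentioned in step 6.2 can be found without any operating-system-specific plugin by carving strings straight out of the raw dump, which is what an analyst does as a first triage pass or when Volatility has no symbols for the image. The script below is an added example, not part of the handbook or of Volatility: it carves URLs, IPv4 addresses and e-mail addresses with their byte offsets from both ASCII and UTF-16LE strings (Windows programs keep most strings in the latter form, which a plain `strings` run misses). The memory blob in build_demo_blob() is constructed for the demo; carve_file() applies the same logic to a real .mem file in windows.

```python
import re

# Patterns applied to decoded strings. Kept deliberately simple; tighten them for a
# real case (e.g. restrict URL schemes or hosts to what the case is about).
PATTERNS = {
    "url": re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

# Runs of printable characters, like the Unix `strings` tool: plain ASCII, and UTF-16LE
# (each character followed by a NUL byte), which is how Windows code keeps most strings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def iter_strings(blob):
    """Yield (offset, encoding, text) for every printable run in the raw dump."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def carve(blob):
    """Scan raw memory for URLs, IPv4 addresses and e-mail addresses. Each hit carries
    the byte offset in the dump so it can later be tied to the process that owned the
    page (e.g. with a memory-map plugin)."""
    hits = []
    for offset, encoding, text in iter_strings(blob):
        width = 2 if encoding == "utf-16le" else 1
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append({
                    "kind": kind,
                    "value": m.group(),
                    "offset": offset + m.start() * width,
                    "encoding": encoding,
                })
    hits.sort(key=lambda h: h["offset"])
    return hits


def carve_file(path, window=64 << 20):
    """Carve a real dump in overlapping windows (real images are tens of gigabytes).
    The overlap stops a string straddling a window boundary from being missed."""
    hits, overlap, seen = [], 4096, set()
    with open(path, "rb") as f:
        base = 0
        while True:
            f.seek(base)
            buf = f.read(window + overlap)
            if not buf:
                break
            for h in carve(buf):
                h["offset"] += base
                key = (h["kind"], h["value"], h["offset"])
                if key not in seen:
                    seen.add(key)
                    hits.append(h)
            if len(buf) < window + overlap:
                break
            base += window
    return hits


def build_demo_blob():
    """Constructed stand-in for a memory dump: filler bytes with a few artifacts at
    known offsets, one of them UTF-16LE the way a Windows process would hold it."""
    return b"".join([
        b"\x00" * 64,
        b"GET https://example.org/login?user=alice HTTP/1.1\r\n",      # ASCII URL at 68
        b"\xcc" * 32,
        "C:\\Users\\alice\\Downloads\\invoice.exe".encode("utf-16le"),  # a path, not a hit
        b"\x00\x00",
        "https://evil.example.net/stage2.bin".encode("utf-16le"),     # wide URL at 221
        b"\x00\x00",
        b"\x7fELF" * 8,
        b"peer=203.0.113.7:4444 operator@example.com\x00",             # IPv4 at 330, e-mail at 347
        b"\xff" * 64,
    ])


if __name__ == "__main__":
    for hit in carve(build_demo_blob()):
        print("%-6s %-8s 0x%06x %s" % (hit["kind"], hit["encoding"], hit["offset"], hit["value"]))
```

Treat carved strings as leads, not findings: a URL in memory may come from a cache, an advertisement or an antivirus signature rather than from user activity, so each hit still has to be attributed to a process and corroborated with the plugin output from step 5.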
Annexure D: Volatility Workbench on how to analyse RAM dump

Chapter 9: CCTV Forensics
- About CCTV Forensics
CCTV footage can be a valuable source of evidence in various investigations, from criminal
activity to traffic accidents. However, extracting and analyzing this data requires specific
techniques and procedures to ensure its admissibility in court. Here's a detailed look at CCTV
forensics and data acquisition:

What is CCTV Forensics?

CCTV forensics refers to the process of analyzing video footage captured by Closed-Circuit
Television (CCTV) systems for investigative purposes. It involves techniques to:

• Enhance Image Quality: Improve the clarity and resolution of recorded footage, if
possible.
• Identify Objects and People: Analyze video to identify individuals, vehicles, or
objects of interest.
• Extract Timelines: Establish a timeline of events based on timestamps and video
content.
• Authenticate Footage: Verify the authenticity and integrity of the video recording.
• Data Acquisition: Securely extract relevant video data from CCTV systems.

- Data Acquisition Methods

There are several methods for acquiring CCTV footage, depending on the system setup and
access:

• Direct Download: If physically accessing the recording device is possible, you might
be able to export the video files directly to a USB drive or through a network
connection.
• Export from Software: Many CCTV systems have dedicated software for managing
recordings. You might be able to export relevant footage from this software.
• Network Extraction: For network-based CCTV systems, specialized forensic tools
can be used to capture video data remotely over the network.
• Seizure of the Recorder: Where an export is not possible or the whole recording is
needed, the DVR/NVR (or its hard disk) can be seized and the disk imaged through a
write blocker; the proprietary recording format then needs the vendor's player or a
forensic video tool to read.
Whichever method is used, maintain a documented chain of custody to demonstrate that
the evidence hasn't been tampered with. This includes recording details like the date,
time, location of acquisition, and the personnel involved.

Importance of Data Acquisition Techniques:

• Preserving Evidence: Proper data acquisition techniques ensure the video footage is
captured without modification, preserving its evidential value.
• Chain of Custody: Maintaining a documented chain of custody strengthens the
credibility of the evidence in court.
• Minimizing Data Loss: Using appropriate tools and procedures minimizes the risk of
data loss or corruption during acquisition.

Challenges in CCTV Forensics:

• Video Quality: CCTV footage can be low quality, especially from older systems or
cameras with poor lighting. This can make identification and analysis difficult.
• Data Storage: CCTV systems often overwrite older recordings, making it crucial to
secure relevant footage promptly.
• Tampering: There's a risk of CCTV footage being tampered with before or during
acquisition. Techniques for verifying video authenticity are important.

CCTV Forensics Tools:

Several specialized tools can be used for CCTV forensics analysis, including:

• Video Enhancement Software: These tools can improve image clarity, adjust
brightness and contrast, and potentially sharpen blurry footage.
• Object Recognition Software: This software can automatically detect and track
objects (e.g., vehicles) within video footage, aiding in identification.
• Forensic Video Analysis Software: These tools offer advanced features for
analyzing video timelines, identifying persons of interest, and extracting specific
video segments.

- Types of CCTV
CCTV (Closed-Circuit Television) cameras are a crucial element in both security and
surveillance systems. There are several different types of CCTV cameras, each designed for
specific environments, purposes, and requirements. Here’s an overview of the common types:
1. Dome Camera
• Appearance: Named for its dome-like shape.
• Uses: Common in indoor environments such as retail stores and hotels.
• Advantages: Discreet appearance; some models offer vandal-resistant features; the
dome shape makes it difficult to tell where the camera is pointing, enhancing security.
2. Bullet Camera
• Appearance: Long and cylindrical, resembling a bullet.
• Uses: Ideal for outdoor use, such as monitoring long, narrow areas like streets and
alleys.
• Advantages: High-quality video resolution; often equipped with a casing that protects
against dust, dirt, and other natural elements.
3. C-Mount Camera
• Appearance: Bulkier than other types of CCTV cameras; lenses can be detached and
replaced.
• Uses: Suitable for indoor use, but with special accessories, can be adapted for outdoor
use.

• Advantages: Lens can be changed to fit different distances beyond the typical 35-40
feet range of standard CCTV lenses.
4. PTZ (Pan, Tilt, and Zoom) Camera
• Appearance: Cameras that can pan (move horizontally), tilt (move vertically), and
zoom.
• Uses: Highly versatile, used in situations where a camera operator is present to control
the camera angles.
• Advantages: Ability to remotely control the focus, making it ideal for live monitoring
situations where dynamic observation is required.
5. Day/Night Camera
• Appearance: Capable of operating in both normal and poorly lit environments.
• Uses: Does not require infrared illuminators as it can capture clear video in both
daylight and low-light conditions.
• Advantages: Versatile and ideal for outdoor surveillance where lighting conditions
may vary significantly.
6. Infrared/Night Vision Camera
• Appearance: Equipped with infrared LEDs around the lens to provide "night vision."
• Uses: Perfect for areas with no lighting conditions, as they can capture video in
complete darkness.
• Advantages: Great for 24-hour surveillance needs.
7. Network/IP Camera
• Appearance: Can be either wired or wireless.
• Uses: Suitable for both indoor and outdoor use, transmitting video over an IP network,
often recording to an NVR or directly to network-attached storage or the cloud.
• Advantages: High video quality, remote viewing capabilities, and, with Power over
Ethernet (PoE), no separate power cable to the camera.
8. Wireless Camera
• Appearance: Generally similar to other types but without data cables, making
installation very flexible.
• Uses: Ideal for locations where running cables is impractical.
• Advantages: Less invasive installation, though susceptible to radio interference, and
battery-powered models need regular battery replacement.
9. High-Definition (HD) Camera
• Appearance: Provides higher resolution video images.

• Uses: Ideal for environments requiring detailed images, such as casinos and banks.
• Advantages: Superior image quality with more detail and wider coverage area.

Considerations
When selecting a CCTV camera, consider factors such as the required range, field of view,
lighting conditions, and whether the recordings are for general surveillance or need to capture
detailed images for identifying faces or license plates. Each camera type has its strengths and
is suited to specific applications, making it essential to choose based on the specific needs of
the surveillance area.

- CCTV recording ways


CCTV camera systems record video footage using different types of recording devices, with
the most common being Digital Video Recorders (DVR) and Network Video Recorders
(NVR). Understanding the differences between these technologies is crucial for choosing the
right system for your security needs. Here’s a comparative look at DVR and NVR systems:

| Feature | DVR (Digital Video Recorder) | NVR (Network Video Recorder) |
|---|---|---|
| Technology | Analog | Digital (IP) |
| Connection Type | Coaxial cables | Ethernet cables (CAT5/6) |
| Video Quality | Typically up to 1080p resolution | Supports higher resolutions, including 4K |
| System Setup | Analog video converted to digital at the DVR | IP cameras encode video, which is then streamed to the NVR |
| Camera Compatibility | Primarily analog cameras; hybrid models can support HD analog | IP cameras only |
| Cost | Generally less expensive | More expensive due to advanced features |
| Installation | Complex due to bulky coaxial cables | Simpler with thin Ethernet cables; supports PoE |
| Performance | Suitable for fewer cameras, lower-resolution needs | Ideal for large networks, high-resolution requirements |
| Flexibility and Scalability | Less flexible, suited for existing analog setups | Highly flexible and scalable for modern, extensive systems |

Key Differences
• Cabling: DVR systems use coaxial cables that can transmit data over longer distances
without degradation but are bulkier. NVR systems use Ethernet cables that are easier to
manage and can power cameras through PoE.
• Video Processing: In DVR systems, video processing and encoding happen at the
DVR. In NVR systems, this processing is done at the camera, which sends digital video
to the recorder.
• Flexibility and Scalability: NVR systems are generally more flexible and scalable,
easily integrating with modern technology and capable of handling larger networks of
cameras.
Applications
• DVRs are well-suited for smaller setups or upgrades of existing analog systems without
the need for new wiring.
• NVRs are ideal for new installations requiring high-definition video, extensive camera
networks, and advanced surveillance features.

- SOP for CCTV Video Acquisition


Objective:
To standardize the acquisition of video footage from CCTV systems to ensure the integrity and
admissibility of the video evidence.
Scope:
This procedure applies to all personnel responsible for acquiring CCTV footage during
investigations.
Equipment Needed:
• Authorization forms (if required)
• External storage devices (e.g., USB drives, external hard drives)
• Documentation forms (chain of custody form, evidence log)
Procedure:
1. Authorization:

• Obtain necessary permissions or warrants to access and collect CCTV footage
to ensure compliance with privacy laws and regulations.
2. Preliminary Assessment:
• Determine the location and number of CCTV cameras that may have captured
relevant footage.
• Assess the type of CCTV recording system in use (DVR, NVR, cloud-based,
etc.).
3. Contact Point:
• Identify and contact the person responsible for the CCTV system (e.g., security
manager, IT department).
4. On-site Inspection:
• Visit the site to inspect the CCTV setup and ensure that the system is
operational.
• Verify the time settings and accuracy of the CCTV system.
5. Data Integrity:
• Ensure that the process of copying or transferring footage does not alter the
original data. Use the recorder's own export function rather than copying files
from its file system, and never delete, reconfigure or reformat anything on the recorder.
• If the recorder's hard disk itself is removed and imaged, connect it through a
write blocker. An export made with the recorder's software cannot be write-blocked,
so the integrity of an export rests on hashing it immediately and on the audit trail.
6. Acquiring the Footage:
• Connect a clean, freshly formatted external storage device to the CCTV system.
• Export the required video footage, preferably in the system's native format together
with its player, ensuring no alteration of the data; a converted copy (e.g. MP4 or AVI)
may be added for viewing convenience but is not the best evidence.
• Ensure that any exports include timestamps, camera identifiers and other relevant
metadata.
• Compute a hash (e.g. SHA-256) of every exported file on the spot and record it in
the evidence log.
7. Documentation:
• Document the process, including date and time of acquisition, the personnel
involved, the exact footage extracted, and any difficulties encountered during
the acquisition.
• Fill out a chain of custody form to maintain a record of all individuals who have
handled the footage from the point of collection to its current location.
8. Verification:
• Review the collected footage to ensure completeness and clarity of the video.
• Verify that the footage includes all necessary timeframes as per the investigation
requirement.

9. Secure Storage:
• Store the external storage device containing the footage in a secure location
accessible only to authorized personnel.
• Maintain a log for access to the stored footage.
10. Reporting:
• Prepare a report summarizing the acquisition process, findings, and any issues
or anomalies noted during the acquisition.
11. Review and Approval:
• Have the procedure and collected footage reviewed and approved by the
relevant authority or supervisor to ensure adherence to legal and procedural
standards.
This SOP ensures that all steps are taken to maintain the legal integrity of the evidence and that
the video footage remains a viable piece of evidence for any legal proceedings or investigative
purposes.

- Precautions
• Timely notes should be kept, detailing the course of action taken, to provide an audit
trail.
• Note the make and model of the CCTV system, and the number of cameras.
• Note the basic system settings (e.g. current record settings and display settings), so
that if changes have to be made to facilitate the retrieval, it is then possible to return
the system to its original state. Taking photographs of the system can assist,
particularly if cable connections are changed during retrieval.
• Time check: compare the time displayed by the CCTV system with a reference clock
(a GPS- or network-synchronised time source). Any error between the system time and
real time should be recorded in the audit trail and compensated for when conducting
the retrieval. This will ensure that the correct section of data is copied.
• Determine the time period required in conjunction with the IO.
• Determine which camera views are required, and whether they can be retrieved
separately.
• Replay the data. Check that the requested video exists on the system.
• Check the storage/overwrite time, to determine how long the relevant data will be
retained on the system before it is overwritten.
• Obtain the system password, if necessary.
• The recording should not be stopped during the retrieval process.
• It is preferable to extract the CCTV sequence in its native format in order to maintain
image quality and provide best evidence.
• The IO can seize the entire DVR/NVR (preferable, because the recording is in the
vendor's proprietary format), or can collect the relevant part of the recording from the
owner/operator/technician along with a certificate under Section 65B(4) of the Indian
Evidence Act.
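The time check and the overwrite check above are where most retrieval errors happen: a recorder that is a few minutes out makes the operator export the wrong slice, and the mistake is noticed back at the station after the footage has been overwritten. The following Python script is an added example, not from the handbook: it records the measured offset, turns the real-time period the IO asked for into the period to request from the recorder (with a safety margin), and checks before leaving the site that the exported clips, corrected back to real time, cover that period with no gap. The recorder, times and clips in demo() are constructed; recorder times are treated as naive local times, as they appear on the unit.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def clock_offset(recorder_shows, reference):
    """Offset of the recorder clock, read at the same instant as a reference clock.
    Positive means the recorder runs fast; negative means it runs slow."""
    return recorder_shows - reference


def recorder_window(real_start, real_end, offset, margin=timedelta(minutes=5)):
    """Translate the real-time period the IO wants into the period to ask the recorder
    for, widened by a margin on each side to cover drift and rounding in the display."""
    if real_end <= real_start:
        raise ValueError("end must be after start")
    return real_start + offset - margin, real_end + offset + margin


def real_time_of(recorder_time, offset):
    """Convert a timestamp burnt into exported footage back to real time."""
    return recorder_time - offset


def clips_cover_window(clips, real_start, real_end, offset):
    """clips: (recorder_start, recorder_end) pairs as exported. True when, after
    correcting for the offset, the clips jointly cover the requested real-time window
    with no gap; a gap means a further export is needed before leaving the site."""
    spans = sorted((real_time_of(s, offset), real_time_of(e, offset)) for s, e in clips)
    reached = real_start
    for start, end in spans:
        if start > reached:
            return False
        reached = max(reached, end)
        if reached >= real_end:
            return True
    return False


def audit_entry(recorder_shows, reference, offset):
    """Line for the audit trail recording the time check itself."""
    sign = "+" if offset >= timedelta(0) else "-"
    secs = abs(int(offset.total_seconds()))
    return "Time check: recorder displays %s, reference clock %s, recorder %s%02d:%02d:%02d" % (
        recorder_shows.strftime(FMT), reference.strftime(FMT), sign,
        secs // 3600, secs % 3600 // 60, secs % 60)


def demo():
    # Constructed scenario: at 10:30:00 real time the DVR shows 10:34:30 (4 min 30 s
    # fast), and the IO needs footage of 09:00 to 09:15 real time on the same day.
    reference = datetime(2024, 3, 2, 10, 30, 0)
    shown = datetime(2024, 3, 2, 10, 34, 30)
    offset = clock_offset(shown, reference)
    real_start, real_end = datetime(2024, 3, 2, 9, 0, 0), datetime(2024, 3, 2, 9, 15, 0)
    req_start, req_end = recorder_window(real_start, real_end, offset)
    # Two exports the technician might hand over (recorder time): complete, and with a gap.
    complete = [(datetime(2024, 3, 2, 8, 59, 30), datetime(2024, 3, 2, 9, 10, 0)),
                (datetime(2024, 3, 2, 9, 10, 0), datetime(2024, 3, 2, 9, 24, 30))]
    gapped = [(datetime(2024, 3, 2, 8, 59, 30), datetime(2024, 3, 2, 9, 5, 0)),
              (datetime(2024, 3, 2, 9, 12, 0), datetime(2024, 3, 2, 9, 24, 30))]
    return {
        "offset_seconds": int(offset.total_seconds()),
        "request_from_recorder": (req_start.strftime(FMT), req_end.strftime(FMT)),
        "complete_export_ok": clips_cover_window(complete, real_start, real_end, offset),
        "gapped_export_ok": clips_cover_window(gapped, real_start, real_end, offset),
        "audit": audit_entry(shown, reference, offset),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, ":", value)
```

Note the direction of the correction: with a fast recorder the period to request is later than the real-time period, and every timestamp burnt into the exported footage has to be shifted back by the same offset when the report is written.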

Chapter 10: Browser Forensics
What Data Does Browser Forensics Examine?
Browsers store a variety of data points that can be crucial for forensic analysis. Here are some
key areas:
• Browsing History: This includes a list of websites visited, along with timestamps and
potentially additional details like titles or search queries.
• Cache: Browsers store temporary copies of webpages and resources to improve loading
times. This cache can contain remnants of deleted webpages or data that might not be
readily available in browsing history.
• Cookies: These small data packets store information from websites you visit, like login
credentials, preferences, and browsing activity. Analyzing cookies can reveal user
behavior and potentially identify compromised accounts.
• Downloads: Forensic tools can identify downloaded files, even if they have been
deleted from their original location.
• Autofill Data: Browsers often store information you enter in forms, such as usernames,
addresses and card details, and keep saved passwords in a separate, encrypted store
(e.g. Chrome's Login Data database, decryptable only with the user's operating-system
credentials). This can be helpful in piecing together online activity.
• Bookmarks and Saved Pages: These can provide insights into a user's interests and
browsing habits.

Browser Forensics Tools:


Several specialized tools can aid in browser forensics investigations. Here are some examples:
• FTK Imager: A popular forensic imaging tool that can be used to create a disk image
of a storage device, preserving all browser data for later analysis.
• Autopsy (Open-source): A comprehensive digital forensics platform that includes
browser forensic modules for analyzing browsing history, cache, and other artifacts.
• BrowsingHistoryView (NirSoft, freeware): A simple tool for extracting and analyzing
browsing history data from various browsers, including from profile folders copied out
of an image.
• Hindsight (open-source): A parser for Chrome/Chromium profile artifacts (history,
downloads, cookies, cache) that produces a timeline. Tools of this kind read the profile
files from the image; never install extensions or add-ons into the browser under
examination, as running the browser alters the very artifacts being collected.

Browser Forensics Techniques:


The process of browser forensics involves several steps:
1. Data Acquisition: This might involve creating a forensic image of the storage device
or directly extracting data from the browser.
2. Data Carving: Searching for specific data patterns within the extracted data can
potentially reveal deleted browsing history or hidden files.
3. Analysis and Interpretation: Forensic analysts need to understand the structure of
browser data and interpret the extracted information in the context of the investigation.

4. Reporting: The findings of the browser forensics analysis should be documented in a
clear and concise report for legal proceedings or further investigation.
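As an added illustration of steps 1 to 3 (not code from the handbook or from any of the tools above), the following Python script reads the visits and urls tables of a Chromium/Chrome History database and converts the timestamps, which Chrome stores as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch) rather than Unix time, into UTC; decoding the transition field also tells the examiner whether a URL was typed deliberately or merely followed from another page. The database and the two visits in build_demo_history() are constructed for the demo; on a real case, copy the History file out of the image and open it with open_history_readonly().

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium record times as microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch); treating them as Unix time shifts every visit by 369 years.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types (low byte of visits.transition); the high bits are qualifiers
# such as chain start/end and redirects.
TRANSITION = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
              4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
              7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}


def chrome_time_to_utc(microseconds):
    """0 means 'never'; anything else is an offset from the 1601 epoch."""
    if not microseconds:
        return None
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def open_history_readonly(path):
    """Open a History file copied out of the image without risking a write to it."""
    return sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)


def load_history(conn):
    """One record per visit, oldest first, joining the visits and urls tables the way
    Chrome links them (visits.url is a foreign key to urls.id)."""
    rows = conn.execute(
        "SELECT v.id, u.url, u.title, v.visit_time, v.from_visit, v.transition, u.visit_count "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    history = []
    for visit_id, url, title, visit_time, from_visit, transition, count in rows:
        when = chrome_time_to_utc(visit_time)
        history.append({
            "visit_id": visit_id,
            "url": url,
            "title": title,
            "visited_utc": when.isoformat() if when else None,
            "transition": TRANSITION.get(transition & 0xFF, "unknown"),
            "from_visit": from_visit,   # 0 = no referring visit
            "visit_count": count,
        })
    return history


def build_demo_history():
    """Constructed in-memory database with the subset of Chrome's History schema the
    query needs and two invented visits; a real examination opens the copied file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                           typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t1 = 13000000000000000            # 2012-12-14 23:06:40 UTC
    t2 = t1 + 60 * 1000000            # one minute later
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, "https://example.org/", "Example Domain", 1, 1, t1, 0),
        (2, "https://example.org/files/report.zip", "report.zip", 1, 0, t2, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, t1, 0, 0x30000001),    # core type TYPED, with chain qualifiers set
        (2, 2, t2, 1, 0x10000000),    # core type LINK, referred from visit 1
    ])
    return conn


def demo():
    return load_history(build_demo_history())


if __name__ == "__main__":
    for rec in demo():
        print(rec["visited_utc"], rec["transition"], rec["url"], "<- visit", rec["from_visit"])
```

Firefox's places.sqlite uses the same join (moz_historyvisits to moz_places) but stores microseconds since the Unix epoch, so the conversion function, not the query, is what changes between browsers; getting the epoch wrong is the commonest error in browser timelines.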

Challenges in Browser Forensics:


• Data Volatility: Some browser data, like browsing history in incognito or private
mode, is never written to disk and survives, if at all, only in RAM and the pagefile,
which is one reason to capture memory before powering a system down.
• Data Encryption: Modern browsers might encrypt some data, making it more
challenging to extract and analyze.
• Cloud Storage: Web browsing activity can be synced across devices and stored in
cloud accounts, requiring additional investigation steps.
• User Privacy Concerns: Browser forensics needs to be balanced with user privacy
considerations. Legal authorization and proper procedures are crucial.

SOP for Step wise Browser Forensics:


Personnel Involved:
• Forensic Examiner: The individual qualified to conduct the browser forensics
examination.
• Investigator: The person requesting the browser forensics examination.
• Witness(es): (Optional) Depending on the situation, witnesses might be present
during data acquisition.
Equipment:
• Forensic workstation (with write-blocking capabilities)
• Forensic imaging tool (e.g., FTK Imager)
• Browser forensic tools (e.g., Autopsy, BrowsingHistoryView)
• Write-blocking device (optional)
• Hashing tool to compute MD5 and SHA-256 values (e.g., the verification function of the
imaging tool, certutil -hashfile on Windows, sha256sum on Linux)
Authorization:
• Ensure legal authorization exists to acquire browser data (warrant, consent).
SOP Steps:
1. Preparation:
o Understand the investigation goals and the type of information sought from
browser data.
o Document the make and model of the target device and the browser version
being investigated.
o Verify the availability of forensic tools and ensure the examiner has the
necessary expertise.

2. Data Acquisition:
o Option 1: Disk Imaging (Preferred):
▪ If possible, create a forensic image of the entire storage device using a
write-blocking device to preserve all data, including browser artifacts, the browser's cache
and deleted records in unallocated space.
o Option 2: Direct Extraction (if disk imaging is not feasible):
▪ Use forensic tools to directly extract browser data from the target device. Copy the
complete browser profile folder (e.g., %LOCALAPPDATA%\Google\Chrome\User Data\Default for
Chrome or %APPDATA%\Mozilla\Firefox\Profiles\<profile> for Firefox on Windows) together with
any accompanying -wal and -journal files, without which the SQLite databases may be
incomplete; or use browser-specific extraction tools.
3. Data Handling:
o Calculate a hash value (MD5 and SHA-256) of the acquired data (image or
extracted files) immediately after acquisition and record it in the seizure documentation;
recompute it before and after analysis, and treat any mismatch as a break in integrity.
o Maintain a chain of custody document for the acquired data.
4. Data Analysis:
o Use browser forensic tools to analyse the acquired data. This might involve
examining:
▪ Browsing history (including timestamps, URLs, titles)
▪ Cache files (potentially containing remnants of deleted browsing
activity)
▪ Cookies (user logins, preferences, website tracking data)
▪ Downloads (including deleted downloads)
▪ Autofill data (usernames, passwords, addresses)
▪ Bookmarks and saved pages
o Employ data carving techniques to search for deleted browsing history or
hidden files within the acquired data (if applicable).
5. Filtering and Correlation:
o Filter the extracted data based on the investigation timeframe and relevant
keywords.
o Correlate browser data with other evidence from the investigation (e.g.,
timestamps, downloaded files) to strengthen the findings.
6. Documentation and Reporting:
o Create a comprehensive report documenting the entire process, including:
▪ Date and time of examination
▪ Description of the target device and browser
▪ Data acquisition method (disk imaging or direct extraction)
▪ Tools used for analysis
▪ Findings from the browser data examination
▪ Any limitations or challenges encountered
7. Data Retention and Disposition:
o Follow established organizational policies for retaining and disposing of
forensic data after the investigation is complete.
Important Considerations:
• Data Volatility: Browser data, especially incognito/private-mode activity that is never
written to disk, survives only in RAM and is lost at power-off; capture memory while the
system is still running.
• Data Encryption: Modern browsers encrypt some data (saved passwords and cookies are
protected with the operating system's credential store), so these artifacts can usually only
be decrypted in the context of the user account they came from. Consult with a qualified
examiner if encryption is suspected.
• Cloud Storage: If browsing activity is synced across devices or stored in cloud
accounts, additional investigation of those platforms might be necessary.
• User Privacy: Browser forensics should comply with legal requirements and user
privacy considerations.
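The analysis and filtering steps of the SOP (steps 3 to 5) are carried through below in working code. This is an added example for this handbook, not a tool from the original text or from any vendor: it hashes a Chrome/Chromium-style History database, reads its visits read-only, converts the WebKit timestamps to UTC and filters by timeframe and keyword. The database it reads is constructed inside the script with Chrome's table and column names (only the columns the parser uses), so it runs offline; `load_history()` can be pointed at a copied History file instead.

```python
"""Read a Chrome/Chromium-style History database for the browser-forensics SOP.

Added example for this handbook, not tooling from the original text. The sample
database is constructed below with Chrome's table and column names (only the
columns this parser reads), so the script runs offline on constructed data.
"""
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome records times as microseconds since 1601-01-01 00:00:00 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for timezone-aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    """Convert a WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; used here only to build the sample database."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def sha256_file(path):
    """Hash the artifact before and after analysis; both values must agree."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_history(path):
    """Return one record per visit, joined to its URL and title, oldest first."""
    # Open read-only: the artifact is evidence, and SQLite would otherwise be
    # free to rewrite journal/WAL state on open.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_time, u.url, u.title, u.visit_count "
            "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
        ).fetchall()
    finally:
        con.close()
    return [{"time": webkit_to_utc(t), "url": url, "title": title, "visit_count": n}
            for t, url, title, n in rows]


def filter_history(records, start, end, keywords=()):
    """Keep visits inside [start, end] whose URL or title contains any keyword.
    With no keywords, the timeframe alone is applied."""
    kws = [k.lower() for k in keywords]
    hits = []
    for r in records:
        if not start <= r["time"] <= end:
            continue
        haystack = f'{r["url"]} {r["title"] or ""}'.lower()
        if kws and not any(k in haystack for k in kws):
            continue
        hits.append(r)
    return hits


def build_sample_history(path=None):
    """Constructed test data (not a seized database) in Chrome's schema subset."""
    if path is None:
        tmp = tempfile.NamedTemporaryFile(suffix="History", delete=False)
        tmp.close()
        path = tmp.name
    t0 = utc(2024, 3, 15, 10, 30)
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
    )
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", [
        (1, "https://example.org/login", "Example Login", 2),
        (2, "https://files.example.net/transfer.zip", "transfer.zip", 1),
        (3, "https://news.example.com/", "Example News", 2),
    ])
    con.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, utc_to_webkit(t0)),
        (2, 2, utc_to_webkit(t0 + timedelta(minutes=5))),
        (3, 1, utc_to_webkit(t0 + timedelta(hours=2))),
        (4, 3, utc_to_webkit(t0 + timedelta(hours=1))),
        (5, 3, utc_to_webkit(t0 + timedelta(days=3))),
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    db = build_sample_history()
    print("SHA-256 before analysis:", sha256_file(db))
    for r in filter_history(load_history(db), utc(2024, 3, 15), utc(2024, 3, 16),
                            keywords=["transfer", "login"]):
        print(r["time"].isoformat(), r["url"], r["title"])
    print("SHA-256 after analysis: ", sha256_file(db))
```

The read-only URI is the important detail: opening a seized SQLite file normally lets the library replay or delete journal/WAL files, which changes the hash of the working copy and destroys carving targets. Always work on a hashed copy, and run the hash again when the analysis is finished.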
Annexure E: Manual way of checking browser forensics

Chapter 11: Seizure of Electronic Evidences
- Seizure of Computer (Power On state)
This Standard Operating Procedure (SOP) outlines the process for seizing computers and
related digital devices as evidence during an investigation. It ensures the collection,
preservation, and integrity of digital evidence while maintaining legal requirements and
admissibility in court.
Personnel Involved:
• Seizure Officer: The individual authorized to seize the computer equipment.
• Witnesses: Two or more individuals to witness the seizure process.
Equipment:
• Anti-static bags or Faraday cages (for secure transport)
• Evidence tags or labels
• Chain of Custody documentation
• Custody seals
• Permanent markers
• Digital evidence acquisition tools (if applicable)
Seizure Procedure:
1. Preparation:
o Ensure you have the legal authority to seize the computer (warrant, consent).
o Gather necessary equipment and have witnesses present.
2. Initial Assessment:
o Visual inspection of the Scene of Crime in front of technically qualified
independent witnesses.
o Photograph the Scene of Crime (SoC) and the computer's connection points as evidence.
o Close shot of the monitor, showing whatever is displayed on screen (open applications,
documents, the system clock).
o Long shots and close shots of the SoC from various angles to show all the devices
connected with the computer.
o Long and close shots of the system from different angles identifying all externally
connected devices (cables, USB devices, network connections).
o Collect finger print, if required
3. On field Analysis of crime scene

o Search for any kind of external digital storage media (pen drives, external hard
disks, memory cards, optical media) and note where each item was found.
o Live forensics: while the system is still running, the IO/Cyber Forensic Expert (if
present) should capture a RAM dump (see Annexure B), record system information (date, time
and time zone, logged-in user, running processes, network connections, mounted volumes) and
copy any encrypted files or mounted encrypted volumes that would become inaccessible once
power is removed, with the help of tools and software.
o Remove the power lead from the back of the CPU without shutting down the system (pulling
it from the back of the machine rather than the wall socket means a UPS cannot keep the system
running). Do not use the operating system's shutdown function: shutdown scripts can alter or
wipe data.
o Open the CPU and take a photograph of the inside view showing all components such as the
hard disk, RAM and motherboard.
o Remove the hard disk.
o Photograph the hard disk showing:
▪ Unique serial number
▪ Connector ports
▪ Jumper position
▪ Logic board
o Create three images of the hard disk and of every other seized memory device through a
write blocker (if a Cyber Forensic Expert is available), and calculate the MD5/SHA-256 hash of
each image and of the source device; the values must match (see Annexure C).
▪ 1st image to be sent to the Forensic Lab along with the seizure list and questionnaire,
with permission of the Court, as per regular procedure
▪ 2nd image to be kept with the IO for analysis
▪ 3rd image to be handed over to the accused party
o Prepare the seizure list mentioning all details such as the serial numbers of the external
drives and hard disk and the hash values of the hard disk and other external memory devices.
o The original hard disk and external memory devices, along with the seizure list and
questionnaire, are sent to the Forensic Lab with permission of the Court; the originals and
the seizure list are produced before the Court along with the other original documents at the
time of submission of the Final Report.
4. Seizure:
o Briefly document the computer's make, model, serial number, and any
peripherals attached.
o Tag or label the computer with a unique identifier.
o Power has already been removed in step 3; do not restart the computer for any reason
(booting it would alter timestamps and overwrite unallocated space).
o Disconnect any remaining peripherals, labelling each cable and the port it was connected to.
o Place the computer in an anti-static bag or Faraday cage to shield it from
electromagnetic interference during transport.
o Apply a custody seal over the bag/cage opening to deter tampering.
5. Documentation:
o Complete a chain of custody form, documenting:

▪ Date and time of seizure
▪ Location of seizure
▪ Description of seized equipment (make, model, serial number)
▪ Name of the seizing officer and witnesses
▪ Signatures of all involved parties
6. Transportation and Storage:
o Transport the seized computer to a secure location for forensic examination.
o Maintain chain of custody throughout transportation and storage.
o Store the computer in a climate-controlled environment to prevent damage.
Optional Considerations:
• Data Acquisition: Volatile memory (RAM) can only be acquired while the computer is still
running, so it must be captured before power is removed (step 3). If authorized and the
equipment permits, a bit-stream (image) copy of the storage drive(s) may also be made on-site
through a write blocker; otherwise imaging is done in the laboratory.
• Data Encryption: If the computer is suspected to be encrypted, document any
encryption software or passwords found. Consult with a digital forensics expert for
appropriate handling procedures.
Important Notes:
• This SOP is a general guideline, and specific procedures may vary depending on the
jurisdiction and the circumstances of the seizure.
• Always prioritize safety during a seizure. Avoid compromising the scene or causing
damage to the equipment.
• Consult with legal counsel to ensure compliance with all applicable laws.
• Maintain a documented chain of custody for all seized evidence.
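The hash calculation and seizure-list steps of this SOP, carried through in code. This is an added example for this handbook, not part of the original SOP or of FTK Imager: it recomputes MD5 and SHA-256 over a segmented raw image (raw images are commonly written as evidence01.001, evidence01.002, ... and the acquisition hash covers the segments concatenated in order), compares them with the values recorded in the seizure memo, and shows that a single changed byte is detected. The 'disk' is a constructed byte string; the segment naming scheme and the memo dictionary are assumptions made for the demonstration.

```python
"""Verify a segmented raw (dd) image against the hashes in the seizure memo.

Added example for this handbook, not part of the original SOP or of FTK Imager.
Raw images are commonly written as numbered segments (evidence01.001, .002, ...);
the acquisition hash covers the segments concatenated in order, so that is what
is recomputed here. The 'disk' content below is a constructed byte string.
"""
import hashlib
import os
import tempfile


def hash_bytes(data):
    """MD5 and SHA-256 of an in-memory buffer (stands in for the source device)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def segment_paths(prefix):
    """prefix.001, prefix.002, ... in numeric order, stopping at the first gap."""
    paths, n = [], 1
    while os.path.exists(f"{prefix}.{n:03d}"):
        paths.append(f"{prefix}.{n:03d}")
        n += 1
    return paths


def hash_segmented_image(prefix):
    """MD5 and SHA-256 over all segments concatenated, streamed in 1 MiB chunks."""
    paths = segment_paths(prefix)
    if not paths:
        raise FileNotFoundError(f"no segments found for {prefix}")
    md5, sha = hashlib.md5(), hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                md5.update(chunk)
                sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_against_memo(prefix, memo):
    """memo holds the 'md5' and 'sha256' values written in the seizure list.
    Returns (match, details) so the result can go straight into the report."""
    md5, sha = hash_segmented_image(prefix)
    match = md5 == memo["md5"].lower() and sha == memo["sha256"].lower()
    return match, {"md5": md5, "sha256": sha, "segments": len(segment_paths(prefix))}


def write_segments(prefix, device, segment_size):
    """Constructed stand-in for the imager: split the bytes into .001, .002, ..."""
    count = 0
    for start in range(0, len(device), segment_size):
        count += 1
        with open(f"{prefix}.{count:03d}", "wb") as f:
            f.write(device[start:start + segment_size])
    return count


def roundtrip_matches(device, segment_size):
    """True if hashing the written segments reproduces the hash of the source bytes."""
    prefix = os.path.join(tempfile.mkdtemp(), "img")
    write_segments(prefix, device, segment_size)
    return hash_segmented_image(prefix) == hash_bytes(device)


def demo():
    """Image a constructed 'disk', verify it, tamper with one byte, verify again.
    Returns (verified, verified_after_tampering, segment_count)."""
    device = bytes(range(256)) * 40            # 10240 bytes of constructed content
    memo = dict(zip(("md5", "sha256"), hash_bytes(device)))  # recorded at acquisition
    prefix = os.path.join(tempfile.mkdtemp(), "evidence01")
    write_segments(prefix, device, 4096)       # -> .001, .002, .003
    verified, detail = verify_against_memo(prefix, memo)
    with open(f"{prefix}.002", "r+b") as f:    # flip one byte in the second segment
        f.seek(10)
        original = f.read(1)
        f.seek(10)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered, _ = verify_against_memo(prefix, memo)
    return verified, tampered, detail["segments"]


if __name__ == "__main__":
    print("verified, after tampering, segments:", demo())
```

Record both algorithms in the seizure memo: MD5 alone is no longer considered collision-resistant, but laboratories and older reports still quote it, so carrying MD5 alongside SHA-256 lets the image be matched against either.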

- Seizure of Computer (Power Off state)
This Standard Operating Procedure (SOP) outlines the process for seizing computers and
related digital devices as evidence during an investigation. It ensures the collection,
preservation, and integrity of digital evidence while maintaining legal requirements and
admissibility in court.
Personnel Involved:
• Seizure Officer: The individual authorized to seize the computer equipment.
• Witnesses: Two or more individuals to witness the seizure process.
Equipment:
• Anti-static bags or Faraday cages (for secure transport)
• Evidence tags or labels
• Chain of Custody documentation
• Custody seals

• Permanent markers
• Digital evidence acquisition tools (if applicable)
Seizure Procedure:
1. Preparation:
I. Ensure you have the legal authority to seize the computer (warrant, consent).
II. Gather necessary equipment and have witnesses present.
III. Do not power on the computer under any circumstances; booting it alters timestamps,
logs and unallocated space. Confirm that it is genuinely off (no power or sleep indicator, no
fan or disk noise) without touching the keyboard or mouse, which would wake a sleeping system.
IV. Disconnect the computer from all peripherals (printers, external drives) and the
network, labelling each cable and the port it was connected to.
2. Initial Assessment:
a. Visual inspection of the Scene of Crime in front of technically qualified
independent witnesses.
b. Photograph the Scene of Crime (SoC) and the computer's connection points as evidence.
c. Close shot of the monitor (including the blank or powered-off screen).
d. Long shots and close shots of the SoC from various angles to show all the devices
connected with the computer.
e. Long and close shots of the system from different angles identifying all externally
connected devices.
f. Collect fingerprints, if required.
3. On field Analysis of crime scene
o Search for any kind of external digital storage media like Pen Drive, Hard Disk,
etc.
o Open the CPU and take a photograph of the inside view showing all peripherals
like Hard Disk, RAM, Motherboard etc.
o Remove the Hard Disk
o Photograph the Hard Disk showing
▪ Unique serial number
▪ Connector ports
▪ Jumper position
▪ Logic board
o Preparation of the seizure list mentioning all details such as the serial numbers of the
external drives and hard disk and, where the devices are imaged on site through a write
blocker, the hash value of the hard disk and other external memory devices (otherwise the
hash is recorded by the Forensic Lab at the time of imaging).
o Original hard disk and external memory devices, along with the seizure list and
questionnaire, to be sent to the Forensic Lab with permission of the Court.
4. Seizure:
a. Briefly document the computer's make, model, serial number, and any
peripherals attached.
b. Tag or label the computer with a unique identifier.

c. Place the computer in an anti-static bag or Faraday cage to shield it from
electromagnetic interference during transport.
d. Apply a custody seal over the bag/cage opening to deter tampering.
5. Documentation:
a. Complete a chain of custody form, documenting:
i. Date and time of seizure
ii. Location of seizure
iii. Description of seized equipment (make, model, serial number)
iv. Name of the seizing officer and witnesses
v. Signatures of all involved parties
6. Transportation and Storage:
a. Transport the seized computer to a secure location for forensic examination.
b. Maintain chain of custody throughout transportation and storage.
c. Store the computer in a climate-controlled environment to prevent damage.

- Seizure of Mobile
This Standard Operating Procedure (SOP) outlines the process for seizing mobile phones and
related devices as evidence during an investigation. It ensures the collection, preservation, and
integrity of digital evidence while maintaining legal requirements and admissibility in court.
Personnel Involved:
• Seizure Officer: The individual authorized to seize the mobile phone.
• Witnesses: Two or more individuals to witness the seizure process.
Equipment:
• Phone power-off device (optional, for specific situations)
• Faraday bag (for secure transport)
• Evidence tags or labels
• Chain of Custody documentation
• Custody seals
• Permanent markers
• Digital evidence acquisition tools (if applicable)
Seizure Procedure:

1. Preparation:
o Ensure you have the legal authority to seize the phone (warrant, consent).
o Gather necessary equipment and have witnesses present.
2. Initial Assessment:
o Briefly document the phone's make, model, IMEI number (unique identifier, read from
the device label, SIM tray or packaging rather than by operating the handset), and any
accessories attached (case, SIM card, memory card).
o Take photographs of the phone from various angles as evidence.
3. Seizure:
o Tag or label the phone with a unique identifier.
o If the phone is on, do not browse or operate it beyond what is needed to isolate it.
Isolate it from all networks immediately (Faraday bag; airplane mode only if the phone is
unlocked and local procedure permits) so that a remote wipe or lock command cannot reach it.
o Decide on the power state before transport. Powering a modern handset off returns it to
its most protected state, in which the passcode is required before data can be extracted, so
a powered-on phone is normally kept on and isolated until a qualified examiner can acquire
it; if it cannot be kept charged and isolated, power it down using the software shutdown
function rather than letting the battery run flat. Where there is a specific risk of remote
wipe or self-destruct that isolation cannot address, a phone power-off device may be used
(consult legal guidelines for appropriate use in your jurisdiction).
o If the phone is already off, leave it off.
o Place the phone in the Faraday bag and record the time it was bagged; a bagged phone
that is still on searches continuously for a network and drains its battery faster, so keep
it charged where the bag design permits.
o Apply a custody seal over the bag opening to deter tampering.
4. Documentation:
o Complete a chain of custody form, documenting:
▪ Date and time of seizure
▪ Location of seizure
▪ Description of seized equipment (make, model, IMEI number)
▪ Name of the seizing officer and witnesses
▪ Signatures of all involved parties
5. Transportation and Storage:
o Transport the seized phone to a secure location for forensic examination.
o Maintain chain of custody throughout transportation and storage.
o Store the phone in a controlled environment to prevent damage.
Optional Considerations:
• Data Acquisition: If authorized, use forensic data acquisition tools to acquire a logical
or physical image of the phone's storage. This process should ideally be conducted in a
controlled environment by a trained technician.

• PIN/Passcode: If a PIN or passcode is required to access the phone, document any
attempts to unlock it. Legal requirements regarding compelling passwords may vary by
jurisdiction. Consult with legal counsel for guidance.
Important Notes:
• This SOP is a general guideline, and specific procedures may vary depending on the
jurisdiction and the circumstances of the seizure.
• Always prioritize safety during a seizure. Avoid compromising the scene or causing
damage to the device.
• Consult with legal counsel to ensure compliance with all applicable laws.
• Maintain a documented chain of custody for all seized evidence.
By following these SOP guidelines, law enforcement personnel can effectively seize mobile
phones and digital devices while preserving their evidential value for forensic analysis and
potential court presentations.

Chapter 12: Reporting and Presentation
- Documenting Findings
• Videography
• Photography
• Taking DVR possession
• Recording of facts
• Taking photos of live systems
• Imaging, Hashing
• Disconnecting the live systems
• Taking details of Server
• Taking details of IP
• Taking details of Modem
• Seize digital evidence
• Proper labelling of all evidence

- Seizure Essentials
An electronic forensics field response kit may contain some of the following:
• Electronic camera
• Sterilized removable media
• Forensic computer
• Hardware write-blocking devices
• Mobile device acquisition tools
• Tool kit (screw drivers, etc.)
• Evidence packaging materials
Prepare equipment
• Camera
• Evidence labelling tool (markers, stickers, tie-on tagging)
• Evidence packaging (anti-static bag, aluminium foil, bubble wrapper, cardboard box)

• Imaging tool
• Pre-analysis tool (EnCase, FTK)
• Storage device to store acquired data
• Power bank for your mobile phone
• Tools, small pliers, wire cutters
• Torch
• Synchronize your watch/computer/mobile phone with an atomic clock (e.g., via NTP) and
record the offset between the seized system's clock and real time.

Annexure A: Network Traffic Capture
Wireshark
1. Search for Wireshark in a web browser.

2. Download and install the latest version of Wireshark from the official website
(wireshark.org), not from a third-party mirror.

3. Run Wireshark once it has been installed.

4. Select the network interface on which to capture (the interface carrying the traffic of
interest; a wired interface sees only its own traffic unless a mirror/SPAN port or network
tap is used).

5. Begin capturing the network traffic.

6. Stop the capture and save the data (Wireshark saves as pcapng by default; choose pcap if
the analysis tool requires it). Compute and record the hash of the saved capture file.

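Once a capture has been saved, an examiner often needs to list what it contains without Wireshark, for a report or for correlation with other evidence. The parser below is an added example for this handbook, not Wireshark's code or part of the original annexure: it reads the classic libpcap format (both byte orders, microsecond and nanosecond timestamps), refuses truncated files instead of silently dropping frames, and decodes Ethernet/IPv4 addresses and TCP/UDP ports. The two-frame capture is constructed inside the script with documentation-range addresses; a pcapng file (Wireshark's default) must be exported as pcap before this parser can read it.

```python
"""List the conversations in a saved libpcap (.pcap) capture.

Added example for this handbook, not Wireshark's code. The two-frame capture is
constructed below with documentation-range addresses so the script runs offline.
Only the classic libpcap format is read; export pcapng (Wireshark's default) to
pcap first.
"""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# magic number as read little-endian -> (struct byte order, divisor to microseconds)
PCAP_MAGIC = {0xA1B2C3D4: ("<", 1), 0xD4C3B2A1: (">", 1),        # microsecond stamps
              0xA1B23C4D: ("<", 1000), 0x4D3CB2A1: (">", 1000)}  # nanosecond stamps
LINKTYPE_ETHERNET = 1


def decode_ethernet_ipv4(frame):
    """Addresses, protocol and (TCP/UDP) ports from an Ethernet/IPv4 frame."""
    info = {}
    if len(frame) < 14:
        return info
    info["ethertype"], = struct.unpack_from("!H", frame, 12)
    if info["ethertype"] != 0x0800:
        return info
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return info
    info["proto"] = frame[14 + 9]
    info["src"] = str(ipaddress.IPv4Address(frame[26:30]))
    info["dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    if info["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info


def parse_pcap(data):
    """Parse the global header and every record; raise ValueError on a cut-off file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGIC:
        raise ValueError(f"not a libpcap file (magic {magic:#x})")
    endian, divisor = PCAP_MAGIC[magic]
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"truncated frame at offset {offset}: capture was cut short")
        offset += incl_len
        rec = {"time": datetime.fromtimestamp(ts_sec, timezone.utc)
                       + timedelta(microseconds=ts_frac // divisor),
               "incl_len": incl_len, "orig_len": orig_len}
        if linktype == LINKTYPE_ETHERNET:
            rec.update(decode_ethernet_ipv4(frame))
        records.append(rec)
    return records


def is_truncated(data):
    """True if the file cannot be parsed to its end (a bad sign for evidential use)."""
    try:
        parse_pcap(data)
        return False
    except ValueError:
        return True


def summarize(data):
    """(time, src:sport, dst:dport, proto) rows, as read off Wireshark's packet list."""
    names = {6: "TCP", 17: "UDP"}
    return [(r["time"].strftime("%Y-%m-%d %H:%M:%S.%f"),
             f'{r.get("src")}:{r.get("sport")}', f'{r.get("dst")}:{r.get("dport")}',
             names.get(r.get("proto"), str(r.get("proto"))))
            for r in parse_pcap(data)]


# --- constructed sample capture (not real traffic) -----------------------------
def ipv4_frame(proto, src, dst, l4):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4                         # IP/TCP checksums left zero; not verified here


def build_pcap(frames, endian="<"):
    """frames: (ts_sec, ts_usec, bytes) tuples -> classic microsecond pcap bytes."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def sample_capture(endian="<"):
    """A DNS query (UDP/53) followed by a TCP SYN to an HTTPS server, 0.5 s apart."""
    dns = ipv4_frame(17, "192.168.1.10", "8.8.8.8",
                     struct.pack("!HHHH", 51000, 53, 20, 0) + b"\x12\x34\x01\x00" + b"\x00" * 8)
    syn = ipv4_frame(6, "192.168.1.10", "203.0.113.5",
                     struct.pack("!HHIIBBHHH", 51001, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0))
    return build_pcap([(1710498600, 250000, dns), (1710498600, 750000, syn)], endian)


if __name__ == "__main__":
    for row in summarize(sample_capture()):
        print(*row)
```

The timestamps in a pcap record are seconds since the Unix epoch in UTC as seen by the capturing machine's clock, which is why the clock offset noted at the scene (Seizure Essentials) must be applied before these times are compared with server logs or CCTV.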
Annexure B: RAM dump with FTK Imager
1. Download FTK Imager (free from the vendor's website).

2. Run FTK Imager and click 'Capture Memory'.

3. Choose the destination path and file name; a progress dialog is shown while memory is
captured. Write the dump to an external drive, not to the evidence disk, so that the
evidence is not altered.

4. The RAM dump file will be saved with the ".mem" extension (memdump.mem by default).

5. The RAM dump (volatile data) is now saved; compute and record its hash and note the
system time at which it was taken.

Annexure C: Non-Volatile Memory capture using FTK Imager
1. Open FTK Imager.

2. In the File menu, select "Create Disk Image".

3. Select the type of source for imaging; in this case select "Physical Drive" (the whole
hard disk, including unallocated space and any hidden partitions).

4. Select the source hard disk from the drop-down list; check its model and size against the
label photographed at seizure so that the wrong disk is not imaged.

5. Select the format in which the image file is to be saved (Raw (dd), SMART, E01 or AFF).

6. Give the evidence item details for the new image file (case number, evidence number,
unique description, examiner, notes).

7. Give the destination folder and file name. Leave "Verify images after they are created"
ticked so that FTK Imager hashes both the source and the image and reports whether they match.

8. Disk imaging will start.

9. The image segments are written to the destination folder together with a text file
containing the MD5 and SHA-1 hashes and the verification result; record these hashes in the
seizure list.

Annexure D: Volatility Workbench on how to analyse RAM dump
1. Download Volatility Workbench (a free graphical front end for the Volatility memory
forensics framework).

2. Run Volatility Workbench and load the RAM dump image file (the .mem file from Annexure B).

3. Select the command to run (for example, the process listing or network connections plugin
for the operating system of the imaged system) and run it; save the output with the case notes.
Annexure E: Browser Forensics (manually)
1. Click the three dots/settings option in the browser.

2. Autofill, passwords, downloads, history, bookmarks, etc. can be viewed from the browser's
own menus. Note that this operates the suspect's browser and alters its artifacts (new history
entries, updated timestamps, possible sync to the cloud account), so it should only be done on
a working copy, or when imaging is not feasible, and every action and the time it was taken
must be recorded.

Annexure F: Section 63 BSA certificate by party

Annexure G: Section 63 BSA certificate by Expert

Annexure H: Model Seizure Memo (Digital Evidence)

Annexure I: Chain of Custody (Model Format)

Annexure J: Forwarding Note to FSL (Model Format)
