Unit 1

Computer crime involves offenses that utilize computers either as a tool for committing crimes or as the target of such crimes. Computer forensics applies investigative techniques to gather and preserve digital evidence for legal proceedings, aiming to determine what occurred on a digital system. The process includes stages such as identification, extraction, analysis, documentation, and presentation of evidence, utilizing various forensic techniques and types of evidence.

COMPUTER FORENSICS
Unit 1

Define computer crime
• Computer crime is any criminal offense, activity or issue that involves computers.
• Computer misuse tends to fall into two categories:
  • The computer is used to commit a crime.
  • The computer itself is the target of a crime; the computer is the victim.
Computer Forensics
• Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
• Computer Forensics / Digital Forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law.
• The goal of computer forensics is to carry out a structured investigation and find out exactly what happened on a digital system, and who was responsible for it.
Cont...
• Digital forensics starts with the collection of information in a way that maintains its integrity.
• Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes.
• The use of computer forensics isn't always tied to a crime.
• The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.
Scope of Computer Forensics
• Cybercrime Investigations
• Incident Response
• Corporate Investigations
• Law Enforcement Support
• Litigation Support
• Data Recovery
• Malware Analysis
• Digital Asset Tracing
• Mobile Device Forensics
• Network Forensics
Types of computer forensics
• Database forensics. The examination of information contained in databases, both data and related metadata.
• Email forensics. The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts.
• Malware forensics. Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horses, ransomware or various viruses.
• Memory forensics. Collecting information stored in a computer's random access memory (RAM) and cache.
• Mobile forensics. The examination of mobile devices to retrieve and analyze the information they contain, including contacts, incoming and outgoing text messages, pictures and video files.
• Network forensics. Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.
Computer Forensics Team
• Investigators
  • Responsibilities:
    • Lead the overall investigation process, coordinating with other team members.
    • Analyze digital evidence to reconstruct events, determine the timeline of activities, and identify relevant information.
    • Use specialized forensic tools to extract, recover, and preserve electronic evidence.
    • Collaborate with other team members to build a comprehensive understanding of the case.
Cont...
• Photographer:
  • Responsibilities:
    • Document the physical crime scene, ensuring accurate and thorough visual records.
    • Capture images of computer systems, networks, and related physical evidence.
    • Follow established procedures for photographing and cataloging evidence.
    • Provide visual documentation for reports and legal proceedings.
Cont...
• Incident Handlers (First Responder):
  • Responsibilities:
    • Respond quickly to cybersecurity incidents, ensuring the preservation of volatile evidence.
    • Contain and mitigate security breaches and vulnerabilities.
    • Collaborate with other team members to gather initial information and assess the scope of the incident.
    • Preserve and document critical information related to the incident.
Cont...
• IT Engineers & Technicians (Other Support Staff):
  • Responsibilities:
    • Provide technical support for the forensic investigation, including hardware and software assistance.
    • Assist in the acquisition and preservation of digital evidence.
    • Maintain and update forensic tools, ensuring they are current and effective.
    • Collaborate with forensic analysts to address technical challenges during the investigation.
Cont...
• Attorney
  • Responsibilities:
    • Ensure that all forensic activities comply with legal standards and procedures.
    • Provide legal guidance to the team throughout the investigation process.
    • Collaborate with investigators to understand case requirements and legal implications.
    • Prepare and present evidence in legal proceedings and hearings.
    • Assist in obtaining necessary legal permissions for evidence collection.
Stages of a Computer Forensics Investigation

Stage 1: Identification
• The very first step in a digital forensics investigation is to identify the devices and resources containing the data that will be a part of the investigation. The data involved in an investigation could be on organizational devices such as computers or laptops, or on users' personal devices like mobile phones and tablets.
• These devices are then seized and isolated, to eliminate any possibility of tampering. If the data is on a server or network, or housed in the cloud, the investigator or organization needs to ensure that no one other than the investigating team has access to it.
Stage 2: Extraction and Preservation
• After the devices involved in an investigation have been seized and stored in a secure location, the digital forensics investigator or forensics analyst uses forensic techniques to extract any data that may be relevant to the investigation, and stores it securely.
• This phase can involve the creation of a digital copy of the relevant data, which is known as a "forensic image."
• This copy is then used for analysis and evaluation, while the original data and devices are put in a secure location, such as a safe. This prevents any tampering with the original data even if the investigation is compromised.
Stage 3: Analysis
• Once the devices involved have been identified and isolated, and the data has been duplicated and stored securely, digital forensic investigators use a variety of techniques to extract relevant data and examine it, searching for clues or evidence that points to wrongdoing. This often involves recovering and examining deleted, damaged or encrypted files, using techniques such as:
  • Reverse Steganography: a technique used to extract hidden data by examining the underlying hash or string of characters representing an image or other data item.
  • File or Data Carving: identifying and recovering deleted files by searching for the fragments that deleted files may leave.
  • Keyword Searches: using keywords to identify and analyze information relevant to the investigation, including deleted data.
Stage 4: Documentation
• Post analysis, the findings of the investigation are properly documented in a way that makes it easy to visualize the entire investigative process and its conclusions.
• Proper documentation helps to formulate a timeline of the activities involved in wrongdoing, such as embezzlement, data leakage, or network breaches.
Stage 5: Presentation
• Once the investigation is complete, the findings are presented to a court or the committee or group that will determine the outcome of a lawsuit or an internal complaint.
• Digital forensics investigators can act as expert witnesses, summarizing and presenting the evidence they discovered, and disclosing their findings.
Techniques forensic investigators use
• 1. Reverse steganography: Steganography is a common tactic used to hide data inside any type of digital file, message or data stream.
• Computer forensic experts reverse a steganography attempt by analyzing the data hashing that the file in question contains.
• If a cybercriminal hides important information inside an image or other digital file, it may look the same before and after to the untrained eye, but the underlying hash or string of data that represents the image will change.
• 2. Stochastic forensics. Here, investigators analyze and reconstruct digital activity without the use of digital artifacts.
• Artifacts are unintended alterations of data that occur from digital processes. Artifacts include clues related to a digital crime, such as changes to file attributes during data theft.
• Stochastic forensics is frequently used in data breach investigations where the attacker is thought to be an insider, who might not leave behind digital artifacts.
• 3. Cross-drive analysis. This technique correlates and cross-references information found on multiple computer drives to search for, analyze and preserve information relevant to an investigation.
• Events that raise suspicion are compared with information on other drives to look for similarities and provide context. This is also known as anomaly detection.
• 4. Live analysis. With this technique, a computer is analyzed from within the OS while the computer or device is running, using system tools on the computer. The analysis looks at volatile data, which is often stored in cache or RAM.
• Many tools used to extract volatile data require the computer to be in a forensic lab to maintain the legitimacy of a chain of evidence.
Cont...
• 5. Deleted file recovery. This technique involves searching a computer system and memory for fragments of files that were partially deleted in one place but leave traces elsewhere on the machine.
• This is sometimes known as file carving or data carving.
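A minimal signature-based carver, added here as an illustration and not part of the original slides: it scans a constructed block of unallocated space for JPEG and PNG header/footer pairs, and reports a header that has no footer as a truncated (partially overwritten) file. The byte signatures and the sample image are assumptions made for this example.

```python
# Signature-based file carving over a raw byte image (added example).
# Signatures assumed for the example: JPEG = FF D8 FF ... FF D9,
# PNG = 8-byte magic ... IEND chunk type + its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, signatures=SIGNATURES):
    """Return carved files as dicts {type, offset, size, complete, data},
    sorted by offset. A header with no matching footer is reported as
    incomplete: the rest of the file was overwritten by later writes."""
    found = []
    for ext, (head, tail) in signatures.items():
        start = 0
        while True:
            h = image.find(head, start)
            if h == -1:
                break
            t = image.find(tail, h + len(head))
            if t == -1:
                # Header survives but footer is gone: keep what is left, flag it.
                found.append({"type": ext, "offset": h, "size": len(image) - h,
                              "complete": False, "data": image[h:]})
                break
            end = t + len(tail)
            found.append({"type": ext, "offset": h, "size": end - h,
                          "complete": True, "data": image[h:end]})
            start = end          # continue scanning after this file
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed sample of unallocated space: one intact JPEG, one intact
    PNG, and a JPEG whose tail has been overwritten, separated by zero filler."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"partially-overwritten"
    filler = b"\x00" * 16
    return filler + jpeg + filler + png + filler + truncated


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        state = "complete" if f["complete"] else "TRUNCATED"
        print(f"{f['type']} at offset {f['offset']:>5}, {f['size']:>3} bytes, {state}")
```

Real carvers additionally validate the structure between the markers (for example PNG chunk lengths) so that a stray footer inside another file does not end the carve early.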
Evidence
• Evidence is something that tends to establish or disprove a fact. Evidence can include documents, testimony and other material.
• The most important quality of the required evidence is that it must be relevant to the investigation.
• Even if it isn't admissible in court, certain types of evidence can still help an investigator draw conclusions.
Evidence Types - 1) Analogical Evidence
• Analogical evidence can prove helpful in scenarios with limited information or credible evidence to present during the investigation.
• By drawing comparisons between two similar cases, analogical evidence can lend credibility during a formal argument;
• however, it cannot be shown in court as proof.
1A) Anecdotal Evidence
• Anecdotal evidence comes in the form of retellings of events from parties involved in the investigation.
• In any workplace, the investigation report might include:
  • Written complaints or reports
  • Accounts from the reporter, accused person, and witnesses as told in interviews
  • Stories shared between an employee and their manager or coworkers
• Anecdotal evidence isn't used in court but can sometimes help in a workplace investigation to get a better picture of an issue.
1B) Character Evidence
• This is usually in the form of testimony or a document that is used to prove someone acted in a particular manner based on the person's character.
• It can be used in some investigations to prove intent, motive, or opportunity.
2. Circumstantial Evidence
• This form of evidence, also known as indirect evidence, is used to conclude something based on a series of facts other than the fact the argument is trying to prove.
• It involves deducing facts from other facts that can be proven.
• Although this form of evidence is not considered very strong on its own, it can be relevant in a civil inquiry, which has a different burden of proof than a criminal investigation.
3. Demonstrative Evidence
• This includes types of evidence that directly demonstrate a fact.
• It's a common and reliable type of evidence.
• The most common examples of this include photographs, video and audio recordings, charts, etc.
4. Digital Evidence
• Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places.
• It can be anything from logs all the way to video footage, images, archives, temporary files, replicant data, residual data, metadata, active data, and even data that's stored inside a device's RAM.
5. Digital Evidence Types
5.1. Logs

Log type        Description
OS logs         Include events pertaining to system access, security alerts, the duration of a user's login session, when the device was shut down, etc.
Database logs   These mostly reveal what changes were made to a particular database; they can be a vital source of crime evidence as well as a useful approach for debugging and troubleshooting in the unfortunate event of any technical issues.
Email logs      Often presented in CSV format, email logs can reveal certain details about the sender and content, which include their email address, time and date of delivery, delivery status, cc, bcc, subject, content type, and error codes (if applicable), while mostly stored in the email's header.
Software logs   They contain details regarding what action was performed while the program was running, and indicate any errors or crashes that can be used for debugging purposes.
Network logs    These can be viewed as a different type of evidence because they also contain clues about what an individual was doing on the internet, including what websites that person has visited, what messages were exchanged with another party, and what the content of the messages was.
Phone logs      A phone's infrastructure encompasses various kinds of evidence, including photos taken, videos recorded, system logs, app logs, and call logs.
IP logs         Since everyone who browses the internet gets assigned a unique IP address, knowing this crucial detail allows a digital forensics investigator to trace their real identity and physical location by cooperating
5.2. Video Footage and Images
• Out of all the types of digital evidence, video footage and images can be classified as the visible data type, just like the logs.
• There are many types of digital evidence that fall into this category, including CCTV footage, videos recorded on a mobile device, digital camera footage, voice recordings, etc.
• But nowadays, with the involvement of AI, it is highly necessary to check the authenticity of these records using well-equipped tools.
5.3. Archives
• Archives are regular files accessible straight from the file explorer, so they fall into the visible data type group.
• Technically, since they can contain all sorts of extractable file formats, archives can be regarded as a wildcard source of evidence, which contains anything from images, text files, documents, etc.
• The main purpose of archives is to prevent data loss in the unfortunate event that the original files get damaged, deleted, or corrupted, thus serving as a source of backup to restore them to their prior functional state.
5.4. Active Data
• Content editors and word processors like Microsoft Word often create temporary files on your hard drive while you're in the midst of typing and working on a document. This is what's referred to as active data, and it's a visible data type.
• The key thing to realize about active data is that cyber criminals are often smart enough to delete the originals, but they sometimes forget to wipe the temporary files that get left behind by various software and operating systems.
5.5. Metadata
• Metadata is defined as data providing information about one or more aspects of the data; it is used to summarize basic information about data that can make tracking and working with specific data easier.
• Metadata falls into the invisible data type category because it typically requires special software to be able to view it.
• For instance, a photo file on a hard drive or storage media can contain additional data regarding the file's creation, such as where the photo was taken, date/time, etc.
• The reason why any kind of metadata is such a valuable source of evidence is that not only does it contain information regarding when the data was created and last accessed, but it also reveals who its owner is.
5.6. Residual Data
• When someone deletes a file from a device, the data is still there; it's just unlinked from the file structure itself, so it doesn't show up in a search or when viewing the contents of a hard drive or storage device through a file browser.
• Every deleted file runs the risk of being overwritten by other data, which is particularly true if the hard drive space is running out. That's why it's of paramount importance to act swiftly if you want to recover data that was deleted.
5.7. Volatile Data
• Volatile data is the kind of data that is not being written to the disk itself, hence belonging to the invisible data type category.
• Some viruses, for example, don't write themselves to the hard drive, to leave minimal traces behind and avoid detection by antivirus software.
• Therefore, in order to detect them, the RAM needs to be checked and its contents analyzed by a qualified digital
6. Direct Evidence
• The most powerful type of evidence, direct evidence, needs no inference.
• The evidence itself is the proof.
• This includes the testimony of a witness who saw an incident or the confession of the perpetrator.
Collection of Digital Evidence
• Find the evidence
• Find the relevant data
• Create an order of volatility
• Remove external avenues of change
• Collect the evidence
• Document everything
The Chain of Custody: Controlling Contamination
• This is a detailed list of what was done with the original copies once they were collected.
• Sometimes the detailed document of custody of evidence becomes larger than the original data (evidence) collected.
• But it is mandatory to record every step of evidence collection in order to prove it at a later stage.
Process of Chain of Custody
• 1. Analysis: Once the data has been successfully collected, it must be analyzed to extract the evidence you wish to present and to rebuild what actually happened.
• You must make sure that you fully document everything you do.
• Your work will be questioned, and you must be able to show that your results are consistently obtainable from the procedures you performed.
• 2. Time: To reconstruct the events that led to your system being corrupted, you must be able to create a timeline. This can be particularly difficult when it comes to computers.
• Clock drift, delayed reporting, and differing time zones can create confusion in abundance.
• One thing to remember is to never, ever change the clock on an affected system.
• Record any clock drift and the time zone in use, as you will need this later, but changing the clock just adds an extra level of complexity that is best avoided.
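An added example (not from the slides) of the timeline step: the time zone and the measured clock drift recorded for each seized host are applied to its raw log timestamps, so events from both hosts can be ordered on one reference clock without ever touching the hosts' own clocks. Host names, drift values and log lines are constructed for the example.

```python
# Build a cross-host timeline from raw log timestamps (added example).
from datetime import datetime, timedelta, timezone

# Constructed per-host facts an examiner records at seizure: the zone the
# system clock was set to and the drift measured against a trusted reference
# (positive = system clock running ahead of true time).
HOST_CLOCKS = {
    "ws-01": {"tz": timezone(timedelta(hours=-5)), "drift_s": 125},  # UTC-5, 2m05s fast
    "srv-02": {"tz": timezone.utc, "drift_s": -40},                  # UTC, 40s slow
}

# Constructed sample log lines: (host, local timestamp as logged, event).
RAW_EVENTS = [
    ("ws-01", "2024-03-04 09:14:10", "user login"),
    ("srv-02", "2024-03-04 14:12:05", "db export requested"),
    ("ws-01", "2024-03-04 09:16:30", "usb device attached"),
    ("srv-02", "2024-03-04 14:11:48", "share mounted from ws-01"),
]


def to_reference_utc(host: str, local_ts: str, apply_drift: bool = True) -> datetime:
    """Convert a host-local timestamp to true UTC: attach the host's zone,
    convert to UTC, then subtract the drift the clock was measured to have."""
    clock = HOST_CLOCKS[host]
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=clock["tz"])
    utc = local.astimezone(timezone.utc)
    if apply_drift:
        utc -= timedelta(seconds=clock["drift_s"])
    return utc


def build_timeline(events, apply_drift: bool = True):
    """Return the events as dicts sorted on the corrected reference clock.
    apply_drift=False shows the ordering an examiner would get by converting
    time zones only, which is what the drift record is there to prevent."""
    rows = [
        {"utc": to_reference_utc(host, ts, apply_drift), "host": host, "local": ts, "event": what}
        for host, ts, what in events
    ]
    return sorted(rows, key=lambda r: r["utc"])


def render(rows) -> str:
    """One line per event, reference time first, original local time kept for the record."""
    return "\n".join(
        f"{r['utc'].isoformat()}  {r['host']:<7} {r['event']:<26} (logged locally as {r['local']})"
        for r in rows
    )


if __name__ == "__main__":
    print("time zones only:\n" + render(build_timeline(RAW_EVENTS, apply_drift=False)))
    print("\nwith recorded drift applied:\n" + render(build_timeline(RAW_EVENTS)))
```

With the constructed values the drift correction reverses the order of the login on ws-01 and the share mount on srv-02, which is exactly the kind of inference that hinges on having recorded the drift instead of resetting the clock.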
• 3. Forensic Analysis of Backups: When analyzing backups, it is best to have a dedicated host for the job.
• This examination host should be secure, clean and isolated from any network.
• You don't want it tampered with while you work, and you don't want to accidentally send something nasty down the line.
• 4. Reconstructing the Attack: Now that you have collected the data, you can attempt to reconstruct the chain of events leading to and following the attacker's break-in.
• You must correlate all the evidence you have gathered (which is why accurate timestamps are critical), so it's probably best to use graphical tools, diagrams, and spreadsheets.
• Include all of the evidence you've found when reconstructing the attack, no matter how small it is. You may miss something if you leave a piece of evidence out.
KRUSE and HEISER Model - the 3 'A' Model
• Acquisition (without altering or damaging), Authentication (that the recovered evidence is an exact copy of the original data), and Analysis.
1. Acquire
• 1. Acquire: you must acquire evidence without modification or corruption. Do not tamper with, spoil or contaminate the original evidence.
• Once you introduce any foreign object into the original evidence, it loses meaning. The opposing counsel could use such mishandling of the original evidence to cause its dismissal from the court records for lack of substance.
• Contaminated evidence cannot pin anyone.
• When working with the defense counsel, the strategy is to examine whether the best process for evidence preservation was followed or not.
• For example, if a write-protector is not used while making a forensic image of the original evidence, that could be a good reason to disqualify any evidence collected, based on spoliation or contamination!
2. Authenticate
• 2. Authenticate: the examiner must make sure the recovered evidence is a replica of, or the same as, the originally seized data.
• No forensic evidence recovery is complete without first authenticating it using tools such as MD5 to compare the original evidence with the recovered evidence.

• Case Study: One time during a mobile phone examination, the phone was seized from a suspect but transported to another place without having first been stored in a forensically sound storage device.
• By the time the police officer arrived with the evidence at the forensic lab, it had been contaminated so many times that the police officer could not prove that the suspect was the last user of the said phone.
• If the police officer had been well trained with the right tools, they would have stored the phone in a state which automatically disables the network signal and keeps the phone in the same state as at the point of seizure.
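An added example, not part of the original slides, that walks the Acquire and Authenticate steps on a constructed evidence file: image it, hash original and image, and write a chain-of-custody line; the final check flips one byte in a copy to show the point made under reverse steganography, that a file which looks the same still produces a different hash. The slide names MD5; SHA-256 is computed alongside it because MD5 collisions are practical today, and the paths, examiner name and file contents are assumptions.

```python
# Acquire, authenticate and record custody of a forensic image (added example).
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")


def _hash_stream(fh, chunk: int = 1 << 20) -> dict:
    """Stream the data through every digest once, so multi-GB images never need to fit in RAM."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: fh.read(chunk), b""):
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> dict:
    return _hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return _hash_stream(fh)


def acquire_image(source: str, dest: str, chunk: int = 1 << 20) -> None:
    """Bit-for-bit copy of the source into the image file. In practice this is done
    through a hardware write-blocker; here a plain read-only copy stands in for it."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)


def authenticate(source: str, image: str):
    """Return (verified, source_hashes, image_hashes). The image is accepted only if
    every digest matches; one mismatch means the copy is not the original."""
    s, i = hash_file(source), hash_file(image)
    return all(s[k] == i[k] for k in s), s, i


def custody_entry(examiner: str, action: str, path: str, hashes: dict) -> str:
    """One chain-of-custody line: when, who, what was done, to which item, with its digests."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    digest_text = " ".join(f"{k}={v}" for k, v in hashes.items())
    return f"{stamp} | {examiner} | {action} | {os.path.basename(path)} | {digest_text}"


def demo() -> dict:
    """Run the three steps on a constructed evidence file inside a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_drive.bin")      # assumed item name
        image = os.path.join(work, "suspect_drive.dd")
        with open(original, "wb") as fh:
            fh.write(b"constructed evidence sector data " * 64)  # constructed contents
        acquire_image(original, image)
        verified, src_hashes, _ = authenticate(original, image)
        entry = custody_entry("examiner-A (assumed)", "acquired image", image, src_hashes)
        # Same length, same look in a viewer, one bit different: every digest changes.
        tampered = os.path.join(work, "suspect_drive_copy.dd")
        data = bytearray(open(image, "rb").read())
        data[100] ^= 0x01
        with open(tampered, "wb") as fh:
            fh.write(data)
        tampered_verified, _, _ = authenticate(original, tampered)
        return {"verified": verified, "tampered_verified": tampered_verified, "entry": entry}


if __name__ == "__main__":
    result = demo()
    print(result["entry"])
    print("image authenticated:", result["verified"], "| tampered copy authenticated:", result["tampered_verified"])
```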
3. Analyze
• Analyze the data and evidence without any alterations.
• The forensic investigator's work is to examine what is on the seized devices and to map relationships with other facts collected to aid the solving of the case.
• You cannot alter any data, as such would be a biased action.
Self-Study
How is computer forensics used as evidence?
• Apple trade secret theft. An engineer named Xiaolang Zhang at Apple's autonomous car division announced his retirement and said he would be moving back to China to take care of his elderly mother. He told his manager he planned to work at an electronic car manufacturer in China, raising suspicion. According to a Federal Bureau of Investigation (FBI) affidavit, Apple's security team reviewed Zhang's activity on the company network and found that, in the days prior to his resignation, he downloaded trade secrets from confidential company databases to which he had access. He was indicted by the FBI in 2018.
• Enron. In one of the most commonly cited accounting fraud scandals, Enron, a U.S. energy, commodities and services company, falsely reported billions of dollars in revenue before going bankrupt in 2001, causing financial harm to many employees and other people who had invested in the company. Computer forensic analysts examined terabytes of data to understand the complex fraud scheme. The scandal was a significant factor in the passing of the Sarbanes-Oxley Act of 2002, which set new accounting compliance requirements for public companies. The company declared bankruptcy in 2001.
Cont...
• Google trade secret theft. Anthony Scott Levandowski, a former executive of both Uber and Google, was charged with 33 counts of trade secret theft in 2019. From 2009 to 2016, Levandowski worked in Google's self-driving car program, where he downloaded thousands of files related to the program from a password-protected corporate server. He departed from Google and created Otto, a self-driving truck company, which Uber bought in 2016, according to The New York Times. Levandowski pleaded guilty to one count of trade secrets theft and was sentenced to 18 months in prison and $851,499 in fines and restitution. Levandowski received a presidential pardon in January 2021.
• Larry Thomas. Thomas shot and killed Rito Llamas-Juarez in 2016. Thomas was later convicted with the help of hundreds of Facebook posts he made under the fake name of Slaughtaboi Larro. One of the posts included a picture of him wearing a bracelet that was found at the crime scene.
Cont...
• Michael Jackson. Investigators used metadata and medical documents from Michael Jackson's doctor's iPhone that showed the doctor, Conrad Murray, prescribed lethal amounts of medication to Jackson, who died in 2009.
• Mikayla Munn. Munn drowned her newborn baby in the bathtub of her Manchester University dorm room in 2016. Investigators found Google searches on her computer containing the phrase "at home abortion," which were used to convict her.