Module 3

The document provides an overview of computing investigations, detailing types such as digital forensics, cyber security investigations, educational computing investigations, and software/system investigations. It outlines the steps involved in a typical computing investigation, including problem identification, data collection, analysis, and reporting, as well as procedures for corporate high-tech investigations. Additionally, it discusses data recovery techniques, challenges in forensics, and tools commonly used for data recovery and analysis.

Uploaded by ashish.sen
DIGITAL FORENSICS

Module II:Understanding Computing Investigations

Faculty of Computing and Informatics,


Sir Padampat Singhania University, Bhatewar, Udaipur, Rajasthan, India.

09-Jul-25 Faculty of Computing and Informatics, Sir Padampat Singhania University, Bhatewar, Udaipur, Rajasthan-, India. 1
Understanding of Computing Investigations
What is Computing Investigations?
• A computing investigation is a structured inquiry into a computing-related problem or issue.
• The goal is to gather evidence, analyze data, and draw conclusions, either in an academic setting or in real-world applications like security breaches.

Type of Computing Investigations

There are four types of investigations:


1. Digital Forensics
2. Cyber security Investigations
3. Educational Computing Investigations
4. Software/System Investigations

Type of Computing Investigations
1. Digital Forensics:
   i) Involves recovering and examining digital evidence from devices (e.g., computers, smartphones).
   ii) Used in criminal investigations (e.g., cybercrime, fraud).

2. Cyber security Investigations:
   i) Focus on identifying, analyzing, and mitigating cyber threats (e.g., phishing attacks, ransomware).
   ii) Often involve logs, intrusion detection systems, and network traffic.

Type of Computing Investigations
3. Educational Computing Investigations
• Common in GCSE/A-Level courses or computer science research.
• Involves investigating computing topics like:
• The impact of emerging technologies (e.g., AI, blockchain).
• Social, ethical, and legal implications of computing.
• Algorithm efficiency or software performance.

4. Software/System Investigations
• Analyzing how a piece of software or system performs under certain conditions.
• Can include debugging, profiling, or user feedback analysis.

Steps in a Typical Computing Investigation
1. Identify the Problem/Question
   a) What are you investigating? (e.g., “What are the impacts of facial recognition on privacy?”)
2. Plan the Investigation
   a) What tools or methods will you use?
   b) What data is needed?
3. Collect Data
   a) Through experiments, simulations, interviews, logs, surveys, etc.
4. Analyze Data
   a) Look for patterns, correlations, or anomalies.
5. Draw Conclusions
   a) What does the data suggest?
   b) Are there ethical or legal considerations?
6. Present Findings
   a) In reports, presentations, or dashboards.
Procedure for corporate high-tech investigations

• The procedure for corporate high-tech investigations (also called corporate digital forensics or cybercrime investigations in a corporate environment) is a systematic approach used to detect, analyze, and respond to digital incidents within a business or enterprise setting.

• These investigations are often triggered by data breaches, insider threats, fraud, intellectual property theft, or policy violations.

Corporate High-Tech Investigation Procedure
1. Preparation & Planning
• Define objectives: What’s the suspected issue? (e.g., data leak, employee misconduct, malware infection).
• Legal readiness: Ensure compliance with corporate policies, local laws, data protection regulations (e.g., GDPR).
• Assign roles: Involve IT, legal, HR, and possibly external digital forensics experts.

2. Initial Detection & Triage
• Incident detection: Via user reports, security tools (IDS, SIEM), audits, or anomaly detection.
• Classify severity: Is it a critical system breach or minor policy violation?
• Preserve the scene: Prevent tampering by isolating affected systems without powering off devices if possible.
Corporate High-Tech Investigation Procedure

3. Evidence Identification & Collection
• Identify sources: Hard drives, email logs, cloud storage, network traffic, mobile devices, etc.
• Create forensic images (bit-by-bit copies) of digital devices.
• Maintain chain of custody: Document who accessed evidence, when, and how, to ensure admissibility in court.

4. Preservation of Evidence
• Use write-blockers and secure storage to prevent alteration.
• Follow industry-standard forensic procedures (e.g., NIST SP 800-86).
• Avoid using the original device for analysis; always work on a copy.
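The imaging, verification and chain-of-custody steps above, as an added worked example in Python (this is not code from the slides or from any of the tools they name). The "device" is a constructed file standing in for a block device; the block size, examiner identifiers and JSON-lines custody log format are assumptions. The copy is made block by block like `dd`, both sides are hashed with SHA-256, the image is re-hashed before analysis, and every handling event is appended to the custody log so a later alteration of the image is caught rather than silently analysed.

```python
"""Forensic acquisition with hash verification and a chain-of-custody record.
Added example, not from the slides. The 'device' is a constructed file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumed block size, comparable to dd's bs=4096


def sha256_file(path):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source_path, image_path):
    """Bit-for-bit copy of the source, block by block (what dd if=... of=... does).
    Returns the digests of both sides so the copy can be verified immediately."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    return sha256_file(source_path), sha256_file(image_path)


def append_custody_entry(log_path, examiner, action, item, digest):
    """One JSON line per handling event: who, what, when (UTC) and the item's hash."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": os.path.basename(item),
        "sha256": digest,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire(source_path, image_path, log_path, examiner):
    """Image, verify source against image, and log. Returns (verified, image_digest)."""
    src_digest, img_digest = image_device(source_path, image_path)
    verified = src_digest == img_digest
    action = "acquired" if verified else "acquisition-mismatch"
    append_custody_entry(log_path, examiner, action, image_path, img_digest)
    return verified, img_digest


def verify_image(image_path, expected_digest, log_path, examiner):
    """Re-hash before analysis; any change since acquisition shows up here."""
    current = sha256_file(image_path)
    ok = current == expected_digest
    append_custody_entry(log_path, examiner, "verified" if ok else "INTEGRITY-FAILURE",
                         image_path, current)
    return ok


def demo():
    """Run the workflow on a constructed 'USB stick'. Returns
    (acquisition verified, image still intact after tampering, custody entries)."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect_usb.raw")   # stands in for /dev/sdX
    image = os.path.join(workdir, "suspect_usb.dd")
    log = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(source, "wb") as fh:                      # constructed sample content
        fh.write(bytes(range(256)) * 64 + b"CONSTRUCTED-SAMPLE-DATA")

    verified, digest = acquire(source, image, log, "examiner-01")
    ok_before = verify_image(image, digest, log, "examiner-02")
    with open(image, "r+b") as fh:                      # simulate a one-byte alteration
        fh.seek(10)
        fh.write(b"\xff")
    ok_after = verify_image(image, digest, log, "examiner-02")
    with open(log, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    return verified and ok_before, ok_after, entries


if __name__ == "__main__":
    acquired, intact, entries = demo()
    print("acquisition verified:", acquired)
    print("intact after tamper:", intact)
    for e in entries:
        print(e["timestamp_utc"], e["examiner"], e["action"], e["sha256"][:16])
```

The point to notice is that the hash recorded at acquisition is the reference for every later check: the second `verify_image` call fails after a single byte of the image changes, and the failure is itself logged rather than swallowed.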
Corporate High-Tech Investigation Procedure
5. Analysis
• Timeline reconstruction: Rebuild user or attacker activity from logs and metadata.
• File recovery: Recover deleted or hidden files.
• Malware analysis: If malicious software is involved.
• Email and chat review: Search for evidence of communication breaches or insider threats.
• Network forensics: Examine traffic for unauthorized access or data exfiltration.

6. Interpretation & Correlation
• Correlate findings across systems (e.g., logins, file transfers, emails).
• Identify motive, method, opportunity, and extent of damage.
• Assess if company policies or laws were violated.
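Timeline reconstruction (step 5) and cross-system correlation of logins, file transfers and network activity (step 6), as an added Python example that is not part of the slides. The three log sources, their line formats, the user names, hosts and URLs are all constructed for the example; real SSH, file-server and proxy logs differ in layout, so the three parsers are the part a practitioner would adapt. What the example shows is the method: normalise every timestamp to UTC (the sources use an ISO offset, a day/month local format and epoch seconds), merge into one ordered timeline, then look for transfer events by the same account within a window after each login.

```python
"""Timeline reconstruction and cross-source correlation (added example, not from
the slides). Three constructed log sources with different timestamp formats are
normalised to UTC, merged, and scanned for transfers that follow a login."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records; users, hosts and URLs are placeholders.
AUTH_LOG = [  # ISO-8601 with a +05:30 offset
    "2025-07-09T10:15:03+05:30 sshd: accepted password for jdoe from 10.0.0.7",
    "2025-07-09T12:00:00+05:30 sshd: accepted password for asmith from 10.0.0.9",
]
FILE_LOG = [  # file-server audit: day/month/year local time with numeric offset
    "09/07/2025 10:21:40 +0530 COPY jdoe \\\\fs01\\projects\\designs.zip -> E:\\ (removable)",
]
PROXY_LOG = [  # epoch seconds, user, client, method, url, bytes
    "1752036720 jdoe 10.0.0.7 PUT https://files.example.invalid/upload bytes=52428800",
    "1752040800 asmith 10.0.0.9 GET https://intranet.example.invalid/news bytes=4096",
]

TRANSFER_ACTIONS = {"COPY", "PUT"}  # actions that move data off the host


@dataclass
class Event:
    ts: datetime     # always timezone-aware UTC after parsing
    source: str
    user: str
    action: str
    detail: str


def parse_auth(line):
    m = re.match(r"(\S+) sshd: accepted \w+ for (\w+) from (\S+)", line)
    ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
    return Event(ts, "auth", m.group(2), "login", f"from {m.group(3)}")


def parse_file(line):
    m = re.match(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (\w+) (\w+) (.*)", line)
    ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S %z").astimezone(timezone.utc)
    return Event(ts, "fileserver", m.group(3), m.group(2), m.group(4))


def parse_proxy(line):
    epoch, user, client, method, url, size = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return Event(ts, "proxy", user, method, f"{url} {size} via {client}")


def build_timeline(auth=AUTH_LOG, files=FILE_LOG, proxy=PROXY_LOG):
    """Merge all sources into one list ordered by UTC time."""
    events = ([parse_auth(l) for l in auth] + [parse_file(l) for l in files]
              + [parse_proxy(l) for l in proxy])
    return sorted(events, key=lambda e: e.ts)


def correlate(timeline, window=timedelta(minutes=30)):
    """For every login, collect transfer actions by the same user inside the window."""
    findings = []
    for login in (e for e in timeline if e.action == "login"):
        followers = [e for e in timeline
                     if e.user == login.user and e.action in TRANSFER_ACTIONS
                     and login.ts < e.ts <= login.ts + window]
        if followers:
            findings.append({"user": login.user,
                             "login_utc": login.ts.isoformat(),
                             "transfers": followers})
    return findings


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e.ts.isoformat(), e.source, e.user, e.action, e.detail)
    for f in correlate(timeline):
        print(f"{f['user']}: {len(f['transfers'])} transfer(s) within 30 min of login")
```

Without the UTC normalisation the file-server copy (local time) would sort after the proxy upload (epoch) even though it happened first; correlating on raw timestamps from different systems is one of the more common ways a reconstructed sequence goes wrong.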
Corporate High-Tech Investigation Procedure
7. Reporting
• Technical report: Detailed logs, analysis tools used, findings, and timelines.
• Executive summary: Clear explanation for non-technical stakeholders.
• Recommendations: Fixes, disciplinary actions, legal consequences, and policy updates.
8. Response & Remediation
• Patch vulnerabilities, change credentials, restore backups.
• Take HR/legal action if an employee is responsible.
• Notify stakeholders, regulators, or customers if legally required (e.g., in case of a data breach).
9. Post-Incident Review
• Conduct a lessons-learned meeting.
• Improve incident response plans, user training, and system monitoring.
• Implement stronger cybersecurity controls to prevent recurrence.

Tools Commonly Used

1. Forensics: EnCase, FTK, Autopsy


2. Disk imaging: dd, FTK Imager
3. Memory analysis: Volatility
4. Log analysis: Splunk, ELK stack
5. Network forensics: Wireshark, tcpdump
6. E-discovery: Relativity, Nuix

Data Recovery Workstation
What Is Data Recovery in Computer Forensics?

In computer forensics, data recovery is the act of recovering data from a storage device, such as a hard disc, USB flash drive, or cloud server, that may have been accidentally or purposely erased, damaged, or lost. Recovering this data during a forensic investigation may yield important evidence that helps solve cybercrimes or confirm suspicions in court proceedings.

Data recovery is a crucial step in the digital forensic process and must be carried out carefully to maintain the validity and integrity of the evidence. The recovered data is then examined to follow activity logs, find hidden or erased files, and spot possibly illegal conduct.

Types of Data Recovery Techniques
Logical recovery and physical recovery are the two basic categories into which
computer forensics data recovery techniques may be generally divided. Every strategy
for retrieving erased or lost data has its own tools, procedures, and best practices.
1. Logical Data Recovery
Logical data recovery is the process of recovering data from a device that is still
operational but has lost or corrupted files as a result of software issues, unintentional
deletion, or file corruption. This kind of recovery, which is usually quicker and less
intrusive than physical recovery, is frequently the initial stage of a data retrieval
procedure.
Key Logical Data Recovery Techniques:
File System Recovery: When a file is deleted, the operating system marks its storage space as available but does not immediately overwrite the contents. By accessing the file system and using specialised recovery tools to locate and restore the erased entries, forensic specialists can recover these files.
Unallocated Space Recovery: This technique looks through a storage device’s unused or
unallocated space. Data can be recovered by piecing together bits that may still be on the
device after files are erased.

File Signature Searching: This method looks for recognised file signatures, which are
distinct identifiers for different kinds of files (like Word documents, PDFs, photos, etc.). Data
recovery software can recognise and retrieve files based on their signature, even if the file
name is gone.

2. Physical Data Recovery


When logical recovery is unsuccessful or the storage device is physically damaged, physical
data recovery is employed. More sophisticated methods and specialised equipment are needed
for this kind of recovery in order to retrieve the raw data at the hardware level.
Key Physical Data Recovery Techniques:
Hard Drive Imaging: This method entails producing an identical image of the broken or malfunctioning hard drive. To prevent further harm, forensic specialists work with the image rather than the real device. The image is then examined for data that may be recovered.

Data Carving: This technique looks for patterns or surviving data pieces to recreate files when file structures are lost or corrupted. Files that have been overwritten or fragmented can be recovered using this method.

Optical and Magnetic Data Recovery: If a device has been physically damaged (for example, a scratched hard drive platter or a broken solid-state drive), physical recovery methods may involve using specialised instruments to read data straight from storage platters, chips, or flash memory modules.
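File signature searching (under logical recovery) and data carving (above) rest on the same mechanism: find a known header in raw bytes, find the matching footer within a plausible size, and lift out what lies between, with no help from file names or file-system metadata. The following added Python example (not code from the slides or from any tool they mention) does exactly that over a constructed block of "unallocated space". The three-entry signature table, the 1 MiB size cap and the sample blob are assumptions for the example; production carvers carry far larger signature sets and handle fragmentation, which this does not.

```python
"""File-signature search and data carving over unallocated space (added example,
not from the slides). A known header is located, the matching footer is searched
for within a size limit, and the bytes between are carved out. No file-system
metadata (name, path, timestamps) is used; the sample blob is constructed."""

# Header/footer pairs for a few common types. This subset is assumed; real
# carvers use much larger signature tables.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(blob, signatures=SIGNATURES, max_size=1 << 20):
    """Return carved files as dicts {type, offset, size, data}, ordered by offset.
    A header with no footer within max_size bytes is treated as a fragment and skipped."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), limit)
            if end < 0:
                pos = start + 1          # fragment: keep scanning past this header
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start,
                          "size": end - start, "data": blob[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_unallocated():
    """Constructed 'unallocated space': zero filler around three small files plus
    one truncated PDF whose tail has been overwritten (header only, no footer)."""
    filler = b"\x00" * 512
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    fragment = b"%PDF-1.7\n%rest of this file was overwritten"
    return filler + pdf + filler + png + filler + jpeg + filler + fragment + filler


if __name__ == "__main__":
    for f in carve(build_sample_unallocated()):
        print(f"{f['type']:5} offset={f['offset']:6} size={f['size']:4} "
              f"head={f['data'][:8]!r}")
```

Two behaviours worth noting: the carved records carry an offset and size but no name, which is why carved output is normally hashed and catalogued separately; and the truncated fragment is deliberately dropped rather than carved to the end of the blob, since an unbounded footer search is how carvers produce multi-gigabyte false positives.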
3. Cloud Data Recovery
Recovering erased or lost data from cloud platforms has become more crucial as the usage of
cloud storage solutions has grown. In computer forensics, cloud data recovery necessitates
access to logs, metadata, and backups from cloud service providers in order to recover lost
files or recreate erased data.
In order to obtain the required data and confirm any deletions or changes, forensic
investigators usually collaborate with the security teams of cloud providers.

Challenges in Data Recovery for Forensics
Although data recovery is crucial for investigations, there are difficulties involved. Experts in
forensics frequently encounter several challenges, such as:

• Encryption: Files and storage devices may be encrypted, making data recovery difficult
without the correct decryption keys or passwords.
• Overwritten Data: Once data is overwritten, it becomes much more difficult (or even
impossible) to recover, especially in cases where secure wiping techniques are used.
• Data Corruption: Physical damage to storage devices, such as a corrupted hard drive, may
render data inaccessible without sophisticated recovery techniques.
• Legal and Ethical Issues: Forensic investigators must ensure that data recovery is performed
in accordance with legal guidelines, such as maintaining a proper chain of custody, to ensure
that recovered data can be used as evidence in court.
Tools Used in Data Recovery for Computer Forensics
In computer forensics, specialised software and hardware tools are usually used to retrieve data. Among the commonly used tools are:
EnCase: A widely used digital forensics tool that helps investigators collect, preserve, and
recover data from computers and mobile devices. It offers powerful file recovery capabilities.
FTK Imager: A tool used for creating forensic images of hard drives and other digital devices,
and for recovering lost or deleted files.
R-Studio: A data recovery software that helps retrieve deleted, damaged, or lost data from a
variety of file systems, including FAT, NTFS, and exFAT.
X1 Social Discovery: A tool used for recovering social media data and online communications,
which is essential in cybercrime investigations.
Data Recovery Hardware Tools: Tools such as disk repair machines, data recovery
workstations, and chip-off recovery kits are used to repair damaged hardware and extract data
at the physical level.