Cyber Forensics (Evidence Recovery Techniques)

Cyber forensics is the process of collecting and documenting digital evidence from computing devices in a way that is admissible in court. Investigators make a digital copy of the storage media for analysis while preserving the original device. Various techniques are used to recover deleted files, hidden data, and encrypted files that may contain crucial evidence. Alternative data streams and steganography can also be used to hide incriminating information, so forensic experts must know how to detect and reconstruct hidden files. The goal of cyber forensics is to gather digital evidence that is relevant to legal cases involving computer crimes like hacking or cyber attacks.

Uploaded by

Akshita Bhaskar
Cyber forensics is the practice of collecting, preserving, analysing and documenting evidence from a computer or other computing device in a form that can be presented in court. Its purpose is to establish who was responsible for what actually happened on the system, while documenting the evidence and following a sound investigative process. Investigators do not work on the original device: the storage media is imaged, normally through a write blocker, and the investigation is performed on the bit-for-bit copy so that the device under investigation cannot be contaminated accidentally. Cryptographic hashes (for example SHA-256) of the original media and of the image are recorded so that the copy can later be shown to be identical to the original. Cyber forensics is an important element of criminal investigation and law enforcement. A computer system becomes a crime scene in cases such as hacking and denial of service (DoS) attacks. Evidence can be collected from browsing history, emails, documents and so on, and presented in a court of law to settle allegations or to clear innocent people of charges. Forensic practice therefore covers both the recovery of data and the documented collection and reporting that gives companies the validated information they need to present recovered material in court.

In some cases the evidence needed for a criminal investigation is simply stored on the hard disk in plain sight: properly named files with the expected extensions in the expected locations. Often, though, the forensic examiner is not so lucky. Perpetrators who realise they are about to be arrested may delete the evidence that could be used against them in court. Sometimes the perpetrator is a step ahead and knows how to hide information cleverly. And sometimes the data was never stored on the hard disk at all but came from removable media. This is where the following techniques come into play, depending on the case:

Detecting Deleted Data


Computer users tend to believe that once they delete a file and empty the Recycle Bin the information is gone for good, but things are not that simple. Deleting a file does not erase its contents: the file system only removes the directory entry and marks the clusters the file occupied as unallocated. That space becomes available to the system for other data later, but until it is actually reused the old bytes remain on the disk. Because disk capacities keep growing, it can take a long time before a given fragment of a deleted file is overwritten, which is why examiners search (carve) unallocated space for the signatures of known file types. One caveat: on SSDs with TRIM enabled the drive may erase unallocated blocks on its own shortly after deletion, so recovery from unallocated space is far less reliable there than on magnetic disks.
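The carving technique described above, as an added example (not code from the original essay or from any carving tool): a small signature-based carver run over a constructed raw image in which two "deleted" images remain in unallocated space. The sample image, the sector size and the JPEG/PNG signatures are the only inputs; the carver assumes each file is stored contiguously, which real carvers such as scalpel or photorec do not have to assume.

```python
"""Signature-based carving of deleted files out of unallocated space."""
from typing import List, Tuple

SECTOR = 512

# Header and footer byte signatures. Real carvers know many more formats
# and use smarter end-of-file detection than a plain footer search.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_len: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Scan a raw image for header/footer pairs.

    Returns (type, byte offset, data) for every hit, sorted by offset.
    A header with no footer within max_len bytes is skipped. Assumes the
    carved file is stored contiguously (no fragmentation).
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:                     # header without footer: skip it
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed disk image (not real evidence): sectors 0-1 hold a live
    text file; the remaining four sectors are unallocated space that still
    contains two deleted image files, just as the file system left them."""
    live = b"quarterly report, nothing to see here\n".ljust(SECTOR * 2, b"\x00")
    deleted_jpg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    deleted_png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
    unalloc = b"\x00" * 100 + deleted_jpg + b"\x00" * 50 + deleted_png
    unalloc = unalloc.ljust(SECTOR * 4, b"\x00")
    return live + unalloc


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset} (sector {offset // SECTOR}), {len(data)} bytes")
```

On the constructed image the carver reports a JPEG at offset 1124 and a PNG at offset 1480, both entirely inside the unallocated area, even though no directory entry points at either of them any more.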

Finding Hidden Data


Data hidden in unusual areas of a disk can be useful for an investigation, and it may still be present after the visible files have been deleted. Finding, recovering and reconstructing hidden data is time-consuming and tedious, but in some cases it is the only way to obtain the evidence that cracks the case. A sector is the fixed-size unit in which the disk stores data; the file system groups sectors into clusters when it is created. Older hard disks divided every track into the same number of sectors, so the longer outer tracks wasted some storage between sectors; this space, the sector gap, could in some cases be used to hide data. Data placed in such gaps, or in other areas that the file system never hands out to files (the space between the partition table and the first partition, or unpartitioned space at the end of the disk), can be located and retrieved by examining the raw disk rather than the file system.

Slack Space
Another place where data can hide is slack space, which arises because a file's size rarely fills the last cluster allocated to it. Forensic examiners are particularly interested in this space because of the way DOS and early Windows systems filled it: the unused tail of the last sector was padded with whatever happened to be in the system's memory (RAM slack), and the remaining sectors of the cluster were left untouched, still holding whatever a previous file had stored there (file slack). All kinds of data can turn up in this space, and some of it may be crucial for the investigation.
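The slack-space layout described above, as an added example (not from the original essay): given a file's size and its first cluster, the code computes where RAM slack and file slack lie and pulls them out of a constructed raw image. The image, the 512-byte sector, the 4 KiB cluster and the "old ledger" contents are all made up for the demonstration, and the file is assumed to be stored in contiguous clusters.

```python
"""Extract RAM slack and file slack from a constructed raw image."""
from typing import Dict, Optional, Tuple

SECTOR = 512
CLUSTER = 8 * SECTOR          # 4 KiB clusters, a common NTFS default


def slack_ranges(file_size: int, first_cluster: int,
                 sector: int = SECTOR, cluster: int = CLUSTER
                 ) -> Optional[Tuple[int, int, int]]:
    """Byte offsets (file_end, sector_end, cluster_end) for a file stored
    contiguously from first_cluster.

    RAM slack is [file_end, sector_end): the unused tail of the last sector.
    File slack is [sector_end, cluster_end): whole sectors of the last
    cluster the file never wrote, still holding older data.
    """
    if file_size <= 0:
        return None
    start = first_cluster * cluster
    file_end = start + file_size
    n_clusters = -(-file_size // cluster)            # ceiling division
    cluster_end = start + n_clusters * cluster
    sector_end = min(-(-file_end // sector) * sector, cluster_end)
    return file_end, sector_end, cluster_end


def extract_slack(image: bytes, file_size: int, first_cluster: int) -> Dict[str, bytes]:
    """Return the two slack regions of a file as raw bytes."""
    r = slack_ranges(file_size, first_cluster)
    if r is None:
        return {"ram_slack": b"", "file_slack": b""}
    file_end, sector_end, cluster_end = r
    return {"ram_slack": bytes(image[file_end:sector_end]),
            "file_slack": bytes(image[sector_end:cluster_end])}


def build_image() -> bytearray:
    """Constructed image (not real evidence): cluster 1 once held a ledger
    file; later a 700-byte file was written over the start of that cluster."""
    old_record = b"OLD RECORD: wire 4412 offshore.\n"       # 32 bytes, so 128 fit a cluster
    image = bytearray(4 * CLUSTER)
    image[CLUSTER:2 * CLUSTER] = old_record * (CLUSTER // len(old_record))
    image[CLUSTER:CLUSTER + 700] = b"N" * 700               # the new, visible file
    # Modern Windows zero-fills the tail of the last sector; DOS/Win9x
    # left memory contents here instead (RAM slack). Simulated as zeros.
    image[CLUSTER + 700:CLUSTER + 2 * SECTOR] = b"\x00" * (2 * SECTOR - 700)
    return image


if __name__ == "__main__":
    slack = extract_slack(build_image(), file_size=700, first_cluster=1)
    print("RAM slack :", len(slack["ram_slack"]), "bytes")
    print("file slack:", len(slack["file_slack"]), "bytes, begins",
          slack["file_slack"][:32])
```

For the 700-byte file the RAM slack is the 324 bytes up to the end of the second sector, and the file slack is the remaining 3072 bytes of the cluster, which still begin with the old ledger record the new file never touched.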

Steganography
Steganography is hiding a file inside another file so that an observer does not even notice that a message exists. It is not encryption, although the hidden data may be encrypted as well; the concealment relies on spare capacity in the carrier file. It is most easily explained with data hidden in images. In an uncompressed image each colour channel of a pixel is stored as one byte, for example 10100010. Changing the last, least significant bit from 0 to 1 produces a shade the eye cannot distinguish from the original, and that bit now carries one bit of the hidden message. The hidden bits and their order can be recovered only by someone who knows the embedding scheme and any key used, but the presence of hidden data can be detected statistically by steganalysis (anti-steganography) tools, which look for the disturbance that embedding leaves in the least significant bits. It is rightly observed that detecting a hidden file is much easier than reconstructing it.
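The least-significant-bit scheme and the detection-versus-reconstruction point, as an added example (not from the original essay): the code embeds a payload in the LSBs of a carrier, extracts it again, and applies a pairs-of-values chi-square statistic, the classic test that notices LSB embedding because it makes the counts of each value pair (2k, 2k+1) unnaturally equal. The carrier is a constructed ramp of bytes standing in for an uncompressed image, not a real picture, and the payload is a deterministic SHA-256 chain standing in for hidden data; it goes slightly beyond the text by showing the detection side as well.

```python
"""LSB steganography: embed, extract, and a pairs-of-values detection check."""
import hashlib
from typing import List


def _bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of each cover byte, prefixed by its 32-bit length."""
    header = len(payload).to_bytes(4, "big")
    bits = _bits(header + payload)
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = bytearray(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b        # only the last bit changes
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSBs."""
    lsbs = [b & 1 for b in stego]
    n = int("".join(map(str, lsbs[:32])), 2)
    body = lsbs[32:32 + 8 * n]
    if len(body) < 8 * n:
        raise ValueError("carrier truncated or no payload present")
    return bytes(int("".join(map(str, body[i:i + 8])), 2) for i in range(0, 8 * n, 8))


def max_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between two carriers (1 for pure LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values statistic: distance of each (2k, 2k+1) count pair from
    equality. Natural data gives a large value; LSB embedding of random-looking
    bits drives the counts towards equal and the statistic towards zero."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def build_cover(n: int = 4096) -> bytes:
    """Constructed carrier standing in for image samples: a smooth ramp in
    which every byte is even, so every LSB is 0 before embedding."""
    return bytes(2 * (i % 128) for i in range(n))


def build_payload(n: int = 508) -> bytes:
    """Constructed, deterministic random-looking payload (SHA-256 chain)."""
    out, seed = b"", b"evidence"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


if __name__ == "__main__":
    cover, payload = build_cover(), build_payload()
    stego = embed(cover, payload)
    print("round trip ok:", extract(stego) == payload)
    print("max per-byte change:", max_change(cover, stego))
    print("chi-square cover/stego:", pov_chi_square(cover), pov_chi_square(stego))
```

The statistic alone tells the examiner that something has been written into the LSB plane; it says nothing about what, which is why detection is so much easier than reconstruction. Reconstruction needs the scheme (here: 32-bit length then payload, one bit per byte, in order) and any key the embedder used.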

Alternative Data Streams


Alternate data streams (ADS) are a feature of the NTFS file system that matters for computer forensics. A stream of any size can be created and attached to an ordinary, visible file (the parent file), but the stream itself does not appear in Explorer or in a plain directory listing and does not change the file's reported size; it can be seen only with tools that ask for it, such as dir /r or the Sysinternals streams utility. Such streams are completely legitimate. They were introduced so that Macintosh files, which consist of a resource fork and a data fork, could be stored on Windows servers, with the resource fork kept in an alternate stream, and Windows itself uses the Zone.Identifier stream to mark files downloaded from the Internet. Some anti-virus products have also used streams to store checksums of files they have scanned. Streams can be attached to both files and directories. A stream is not reached by tools that only overwrite the parent file's main content: many data-destruction programs wipe the parent file and leave its alternate streams behind on the disk, and the streams disappear only when the parent file itself is deleted (or when they are removed individually, for example with PowerShell's Remove-Item -Stream). Viruses and Trojans have used streams to hide executables, and criminals may use them to hide incriminating data.

Cyber forensics was created to address the specific needs of law enforcement in making the most of electronic evidence. Like any other forensic discipline it produces interpretations, but it can also provide direct information and data that bear on the case. This kind of data collection has wide implications for the investigator, for the forensic scientist and for the work product of the examination. In the United States the Computer Fraud and Abuse Act (CFAA) is the federal criminal statute that defines various computer crimes and also gives companies victimised by a violation a civil remedy. In this digital age, legislation of this kind needs to be recognised worldwide as a tool that companies can use to retrieve stolen data, prevent its distribution on the market and obtain compensation.

Akshita Bhaskar
