BCC 301 Cyber Security Notes Unit 4
Contents

1.7 Computer Forensics Services
2. Digital Forensics Science
3. The Need for Computer Forensics
4. Cyber forensics and Digital Evidence
5. Forensics Analysis of E-Mail
6. Digital Forensics Life Cycle
7. Chain of Custody Concept
8. Network Forensics
9. Approaching a Computer
10. Forensics Investigation
11. Forensics and Social Networking Sites: The Security/Privacy Threats
12. Challenges in Computer Forensics
13. Bibliography

... is the computer or cell phone of a suspect. This is where a computer forensics professional enters the picture.

When a suspect has been identified and their personal computer or cell phone has been taken into evidence, a computer forensics professional searches it for data relevant to the investigation. When searching for information, they must follow detailed procedures so that their findings can be used as evidence. The information they uncover, whether documents, browsing history or even metadata, may then be used by the prosecution to build a compelling case against the suspect.

Cyber forensics is the process of obtaining data as evidence of a crime (committed using electronic equipment) while adhering to correct investigative procedures, so that the offender can be apprehended by presenting the evidence in court. Computer forensics is another name for cyber forensics. Maintaining the chain of evidence, and the documentation needed to identify the digital criminal, is the primary goal of cyber forensics.

It is crucial to make a digital copy of the system's storage media before the examination begins. To identify who is responsible for a security breach, a thorough cyber forensics investigation is conducted on that copy, so that the original system is not affected.
1.1 Computer Forensics vs. Cyber Security

Cyber security is focused on prevention, while computer forensics is about recovery and reaction. Cyber security helps prevent cybercrimes from happening; computer forensics helps recover data when an attack does occur and helps identify the culprit behind the crime.

Cyber security professionals use many different kinds of tools to protect networks and information. [2]

Web application firewalls (WAF): These firewalls help protect web applications from breaches and keep data secure.
Vulnerability scanners: These tools help scan through networks and programs to
Penetration testing tools: Penetration testing tools are used by cyber security professionals to carry out sanctioned attacks on their own systems in order to uncover weaknesses.
Malware detectors: Malware detectors review sites and programs to see whether they have been infected with malware and pose a threat.
Password security tools: Password security tools help identify weak passwords, autofill saved passwords or generate passwords to help keep devices secure.

Table 1.1 Cyber security and computer forensics both have a few specializations

Cyber security       | Computer forensics
Systems architecture | Criminal investigations

1.2 Methodology Used in Cyber Forensics [3]

Acquiring a digital replica of the system that is being, or must be, examined.
Confirming and authenticating the copy.
Recovering erased files (for example with the Autopsy tool).
Keyword search to locate the information required.
Preparing a technical report.

1.3 Computer/Cyber Forensics Experts

During an investigation, computer forensic professionals gather and analyze potential evidence, including deleted, encrypted, or corrupted data. To prevent the evidence from being changed, tainted, or destroyed, every action taken during this procedure is documented and follows established protocols.

A cyber forensic specialist investigates each event using cutting-edge methods. Their thorough inquiry focuses on building a solid chain of evidence. The admissible proof they produce can settle legal disputes and convict cybercriminals.

Cyber forensics can accomplish:
1.4 Steps for cyber forensic specialists

Identification: As a first step, cyber forensics professionals identify what evidence is present, where it is stored, and in what format it is stored.

Preservation: The next step after locating the data is to carefully preserve it and prevent anyone from using the device, so that the data cannot be altered.

Analysis: The next step after obtaining the data is to examine the data or system. Here the expert identifies evidence that the criminal attempted to destroy (for example by deleting or hiding files), recovers the erased files, verifies the recovered data and restores it. The final result may require several cycles of this process.

Documentation: After analysis, a record is produced. It contains all of the retrieved data and the readily accessible (not deleted) data that is useful for evaluating and reconstructing the crime scene.

Presentation: Finally, the analysed data is presented to the court to help resolve the case.

1.5 Types of Computer/Cyber forensics

Depending on the industry that requires digital inquiry, there are many forms of computer forensics. The fields are:

Network forensics: This entails monitoring and examining network traffic going to and coming from the criminal's network. Network intrusion detection systems and other automated techniques are the technologies in use here.
Email forensics: In this kind of forensics, the specialists examine the criminal's email and recover deleted email threads to extract important case-relevant data.
Malware forensics: This area of forensics focuses on crimes connected to hacking. To determine who is responsible for the breach, the forensics specialist examines the malware and Trojans involved.
Memory forensics: This area of forensics extracts information from raw memory data (such as cache, RAM, etc.) after it has been collected.
Mobile Phone forensics: Generally speaking, this area of forensics focuses on cell phones. Specialists examine and evaluate the cell phone's data.
Database forensics: This area of forensics examines and evaluates database data as well as any associated metadata.
Disk forensics: This area of forensics searches modified, active, or deleted files to retrieve data from storage media.

1.6 Computer/Cyber forensic methods and technologies

Reverse steganography: Steganography is a technique for concealing crucial data within a digital file, picture, etc. Reverse steganography is therefore used by cyber forensic specialists to examine the data and discover a connection to the case.
Stochastic forensics: Stochastic forensics professionals examine and reconstruct digital activities without relying on digital artifacts. In this context, artifacts are the unintentional data changes that result from digital operations.
Cross-drive analysis: In this procedure, data from several disks is correlated and cross-referenced to preserve and evaluate data that is pertinent to the inquiry.
Live analysis: In this method, the suspect's computer is examined from within its running operating system. It targets volatile data in RAM to obtain certain important information.
Deleted file recovery: This involves searching memory or storage media for remnants of a file that was partially destroyed, to recover it for use as evidence. [3]

1.7 Computer Forensics Services

A computer forensics professional does more than turn on a computer, make a directory listing, and search through files. Your forensics professionals should be able to perform complex evidence recovery procedures successfully, with the required skill and expertise.
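The methodology of 1.2 (acquire a replica, authenticate it, recover erased files, keyword search, report) and the identification-to-documentation steps of 1.4 map onto a small workflow in code. The block below is an added example, not code from the original notes or from any tool they mention; the in-memory "disk", the two file signatures and the keywords are constructed assumptions chosen for the example.

```python
"""Added example (not from the original notes): a miniature end-to-end
forensic workflow following the methodology in 1.2 and the steps in 1.4.
The 'disk' is a constructed bytes object, not a real device; the file
signatures and keywords are assumptions chosen for the example."""
import hashlib
import re
from dataclasses import dataclass, field

# Header/footer signatures used for carving. Assumption: only these two
# file types matter here; a real tool such as Autopsy knows hundreds.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class Report:
    """Technical report: hashes that authenticate the copy plus findings."""
    source_hash: str
    image_hash: str
    verified: bool
    carved: list = field(default_factory=list)
    keyword_hits: dict = field(default_factory=dict)


def build_sample_disk() -> bytes:
    """Constructed storage media: one live text file, then unallocated
    space holding a 'deleted' JPEG and a 'deleted' PDF (no directory
    entries point at them any more, only their bytes remain)."""
    live = b"LIVE:notes.txt Meeting at 9am\x00" * 4
    deleted_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    deleted_pdf = b"%PDF-1.4\nwire 45000 USD to account 99\n%%EOF"
    slack = b"\x00" * 64
    return live + slack + deleted_jpeg + slack + deleted_pdf + slack


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes) -> bytes:
    """Step 1: bit-for-bit copy. Analysis is done on this replica only."""
    return bytes(source)


def verify(source: bytes, image: bytes) -> bool:
    """Step 2: authenticate the copy; any altered byte changes the hash."""
    return sha256(source) == sha256(image)


def carve(image: bytes) -> list:
    """Step 3: recover erased files by signature, ignoring file-system
    metadata (which is gone once a file is deleted)."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (pos := image.find(head, start)) != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:
                break  # header without footer: partially overwritten
            end += len(tail)
            found.append({"type": kind, "offset": pos, "size": end - pos,
                          "sha256": sha256(image[pos:end])})
            start = end
    return found


def keyword_search(image: bytes, keywords: list) -> dict:
    """Step 4: case-insensitive raw search over the whole image, so
    content in unallocated space is searched as well as live files."""
    hits = {}
    for kw in keywords:
        offsets = [m.start() for m in
                   re.finditer(re.escape(kw.encode()), image, re.IGNORECASE)]
        if offsets:
            hits[kw] = offsets
    return hits


def investigate(source: bytes, keywords: list) -> Report:
    """Steps 1-5 in order; refuse to analyse a copy that fails verification."""
    image = acquire(source)
    if not verify(source, image):
        return Report(sha256(source), sha256(image), False)
    return Report(sha256(source), sha256(image), True,
                  carved=carve(image),
                  keyword_hits=keyword_search(image, keywords))


if __name__ == "__main__":
    rep = investigate(build_sample_disk(), ["wire", "account", "bitcoin"])
    print("copy verified:", rep.verified, rep.image_hash[:16])
    for f in rep.carved:
        print(f"carved {f['type']} at offset {f['offset']}, {f['size']} bytes")
    print("keyword hits:", rep.keyword_hits)
```

Two points worth noting: the hash is recorded both for the whole image and for each carved file, so every item in the report can later be matched against the evidence it came from, and the keyword search runs over the raw image rather than over a mounted file system, which is why it finds the "wire" instruction inside the deleted PDF.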
Figure: Computer forensics services, grouped as data recovery, data duplication and preservation, data seizure, expert witness services, media conversion, document searches, evidence service options and miscellaneous services.

Data Recovery: Computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible

Data Duplication and Preservation: The data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Computer forensics experts address both of these concerns by making an exact duplicate of the required data.

Data Seizure: Forensics experts inspect and copy designated documents or data compilations that may contain evidence.

Expert Witness Services: Forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This helps judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a

Evidence Service Options: Standard service, on-site service, emergency service and priority service.

Miscellaneous Services:
Analysis of computers and data in criminal investigations
On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation
On-site seizure of computer data in civil litigation
Analysis of company computers to determine employee activity
Assistance in preparing electronic discovery requests
Reporting in a comprehensive and readily understandable manner
Court-recognized expert witness testimony

1.8 Types of Computer Forensics Systems

Internet security systems
Intrusion detection systems
Firewall security systems
Storage area network security systems
Network disaster recovery systems
Public key infrastructure security systems
Wireless network security systems
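Returning to the e-mail forensics field listed in 1.5: one routine task is reading the Received headers from the bottom up to reconstruct the relay path, and checking that the visible From address agrees with the envelope sender (Return-Path) and the Message-ID. The block below is an added example, not code from the original notes; the message, hosts, addresses and IPs are constructed (the IPs are from documentation ranges), and the two consistency checks are indicators chosen for the example rather than a standard.

```python
"""Added example (not from the original notes): reconstructing an e-mail's
relay path and checking header consistency, as done in e-mail forensics.
The message is constructed for the example; hosts and addresses are
fictitious and the IPs come from documentation ranges."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing-style message: the From header claims bank.example,
# but the envelope sender and Message-ID point at pay-portal.example.
SAMPLE_EMAIL = """\
Return-Path: <billing@pay-portal.example>
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
\tby mail.victim.example with ESMTP id ab12; Mon, 3 Jun 2024 10:02:11 +0000
Received: from relay.pay-portal.example (unknown [198.51.100.7])
\tby mx1.victim.example with ESMTPS; Mon, 3 Jun 2024 10:02:09 +0000
Received: from [203.0.113.55] (helo=bank.example)
\tby relay.pay-portal.example with SMTP; Mon, 3 Jun 2024 10:02:05 +0000
From: "Your Bank" <support@bank.example>
To: alice@victim.example
Subject: Urgent: verify your account
Message-ID: <20240603100205.1234@relay.pay-portal.example>
Date: Mon, 3 Jun 2024 10:02:05 +0000

Please open the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def relay_path(raw: str) -> list:
    """Each MTA prepends its own Received header, so the bottom one is the
    first hop. Returns (sending_ip, receiving_host) pairs in time order."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ip = IP_RE.search(hdr)
        by = BY_RE.search(hdr)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def header_indicators(raw: str) -> dict:
    """Consistency checks an examiner would note in the report."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    msgid = msg.get("Message-ID", "").strip("<>")
    hops = relay_path(raw)
    return {
        "from": from_addr,
        "return_path": return_path,
        "envelope_mismatch": domain(from_addr) != domain(return_path),
        "msgid_domain_mismatch": domain(msgid) != domain(from_addr),
        "origin_ip": hops[0][0] if hops else None,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for ip, host in relay_path(SAMPLE_EMAIL):
        print(f"{ip} -> {host}")
    for key, value in header_indicators(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Only the Received header added by your own mail server can be trusted; a sender can forge the lower ones, so the origin IP found this way is a lead to corroborate with the receiving server's logs, not proof on its own.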
2. Digital Forensics Science

... component of almost all criminal activities, and digital forensics support is crucial for law enforcement investigations. Electronic evidence can be collected from a wide array of sources, such as computers, smartphones, remote storage, unmanned aerial systems, shipborne equipment, and more. The main goal of digital forensics is to extract data from the electronic evidence, process it into actionable intelligence and present the findings for prosecution. All processes use sound forensic techniques to ensure the findings are admissible in court. [4]

The first computer crimes were recognized in the Florida Computer Crimes Act of 1978, after which the field of digital forensics grew rapidly in the late 1980s and 1990s. It covers areas of analysis such as storage media, hardware, operating systems, networks and applications. At a high level it consists of five steps:

Identification of evidence
Collection
Analysis
Documentation
Presentation

Figure 2.1 Digital Forensic Process

2.1 Branches of Digital Forensics

Media forensics: The branch of digital forensics that covers the identification, collection, analysis and presentation of audio, video and image evidence during the investigation process.
Cyber forensics: The branch of digital forensics that covers the identification, collection, analysis and presentation of digital evidence during the investigation of a cyber crime.
Mobile forensics: The branch of digital forensics that covers the identification, collection, analysis and presentation of digital evidence during the investigation of a crime committed through a mobile device such as a mobile phone, GPS device, tablet or laptop.
Software forensics: The branch of digital forensics that covers the identification, collection, analysis and presentation of digital evidence during the investigation of a crime related to software only. [5] [6]

3. The Need for Computer Forensics

Cybercrime causes billions of dollars of economic damage. Because of this, forensic science has to evolve to deal with cybercriminals. Computer forensic techniques allow investigators to gather evidence against cybercriminals that will stand up in a court of law. [7]

According to a McAfee report from 2014, the economic damage done by cybercrime globally was about $445 billion. The most common type of cybercrime is financial fraud, where an individual accesses the private data of another person and uses it to misrepresent themselves to financial institutions, for example credit card fraud. [7]

Because of the rise of cybercrime, a new branch of investigation has been developed to help law enforcement trace and find proof of illegal activity involving computers. This is computer forensics, also known as digital forensics; many of its techniques involve some form of data recovery. Computer forensic experts can go through a suspected cybercriminal's storage, whether on a computer or a mobile device, and find deleted and hidden files that serve as evidence of illegal activity. Much of what computer forensics does is related to data recovery.

4. Cyber forensics and Digital Evidence

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer, who had eluded police capture since 1974 and claimed the lives of at least 10 victims. [8]
5. Forensics Analysis of E-Mail

6. Digital Forensics Life Cycle

7. Chain of Custody Concept

8. Network Forensics

13. Bibliography

[7] DataNumen, "Computer Forensics," DataNumen Inc., 9 Oct 2021. [Online]. Available: https://www.datanumen.com/blogs/what-is-computer-forensics-and-why-we-need-it/
[8] NIJ, "Digital Evidence and Forensics," National Institute of Justice. [Online]. Available: https://nij.ojp.gov/digital-evidence-and-forensics
[9] National Institute of Justice, "New Approaches to Digital Evidence Processing and Storage," Grants.gov announcement number NIJ-2014-3727, 6 Feb 2014.