
A Technical Seminar Report

On
DIGITAL FORENSICS
Submitted in the partial fulfilment of the requirements for the award of the
degree in

BACHELOR OF TECHNOLOGY

IN

COMPUTER SCIENCE & ENGINEERING

VADIYALA SRIKANTH REDDY 21BR1A0550

Under the Guidance of


P.LAXMI NARAYANA

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


(ARTIFICIAL INTELLIGENCE & MACHINE LEARNING)

Kavitha Memorial Educational Society's

VIJAYA ENGINEERING COLLEGE


Approved by AICTE New Delhi & Affiliated to JNTUH-Hyderabad
AMMAPALEM (V), NEAR THANIKELLA, KHAMMAM-507305
2021-2025

Kavitha Memorial Educational Society’s

VIJAYA ENGINEERING COLLEGE


DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING (AI&ML)
(Approved by AICTE-New Delhi & Affiliated to JNTUH-Hyderabad)
AMMAPALEM (V), NEAR THANIKELLA, KHAMMAM-507305

BONAFIDE CERTIFICATE

This is to certify that the dissertation entitled “DIGITAL FORENSICS” is a bonafide
work carried out by V.SRIKANTH REDDY, Reg. No: 21BR1A0550, submitted as a
technical seminar report and presented in the manner required for its acceptance in
partial fulfilment for the award of the degree of Bachelor of Technology in Computer
Science and Engineering of Jawaharlal Nehru Technological University Hyderabad,
Hyderabad during the academic year 2021-2025.

Internal Guide Head of the department.


P.LAXMI NARAYANA G.SANDHYA RANI

External viva voce held on

External examiner

DECLARATION

I, V.SRIKANTH REDDY, bearing Reg No: 21BR1A0550, hereby declare that the Technical Seminar
Report entitled “DIGITAL FORENSICS” is done by me and submitted in partial fulfillment of the
requirements for the award of the degree in BACHELOR OF TECHNOLOGY.

DATE:

PLACE: KHAMMAM SIGNATURE OF THE CANDIDATE


V.SRIKANTH REDDY

ACKNOWLEDGEMENT

I wish to convey my sincere thanks to Mr. PARUPALLI USHAKIRAN KUMAR Garu,
Secretary of Vijaya Engineering College.

I hereby thank the Vice Chairperson Smt. PARUPALLI VIJAYA LAXMI Garu for providing
every requirement needed for completion of this technical seminar report.

I hereby thank the Principal Dr.V.CHINNAIAH sir for providing every requirement needed
for completion of this technical seminar report.

I hereby thank the Vice-Principal Dr.AYESHA TARANNUM sir for providing every
requirement needed for completion of this technical seminar report.

I offer my sincere thanks to G.SANDHYA RANI, Head of the Department of Computer Science
and Engineering (Artificial Intelligence and Machine Learning), for providing every requirement needed for
completion of this technical seminar report.

I heartily thank my guide P.LAXMI NARAYANA sir for suggesting and giving the support
to complete this technical seminar report.

V.SRIKANTH REDDY

21BR1A0550

ABSTRACT

Digital forensics is a branch of forensic science focused on the identification, acquisition, analysis,
and preservation of digital evidence from electronic devices. It plays a crucial role in investigating
cybercrimes, data breaches, and other illicit activities involving digital data. The field encompasses
various sub-disciplines, including computer forensics, network forensics, and mobile device
forensics. By employing specialized techniques and tools, digital forensics experts can uncover
vital evidence to support legal proceedings, ensuring the integrity and authenticity of the digital
information. As technology advances, the challenges and methodologies in digital forensics
continue to evolve, making it an essential component in modern investigations and cybersecurity
efforts.

CONTENTS

TOPIC

1. Introduction
1.1 Role of Digital Forensics
1.2 What is Digital Forensics
1.3 History of Digital Forensic

2. Need of Digital forensic
2.1 Purpose
2.2 Why is Digital Forensic Important
2.3 Digital forensic helps the organization in the following way
2.4 Advantage of Digital Forensics

3. Digital Forensic Methodology
3.1 Methods Used
3.2 Digital Forensic Process
3.3 Approach to retrieve the evidence
3.3.1 Shut Down the Computer
3.3.2 Document the Hardware Configuration of the System
3.3.3 Transport the Computer System to A Secure Location
3.3.4 Make Bit Stream Backups of Hard Disks and Floppy Disks
3.3.5 Mathematically Authenticate Data on All Storage Devices
3.3.6 Document the System Date and Time
3.3.7 Make a List of Key Search Word
3.3.8 Evaluate the Windows Swap File
3.3.9 Evaluate File Slack
3.3.10 Evaluate Unallocated Space (Erased Files)
3.3.11 Search Files, File Slack and Unallocated Space
3.3.12 Document File Names, Dates and Times
3.3.13 Identify File, Program and Storage Anomalies
3.3.14 Evaluate Program Functionality
3.3.15 Document Your Findings

4. Digital Forensics Technology
4.1 Get Free - Forensic Data Capture Tool
4.2 Get Slack - Forensic Data Capture Utility
4.3 Disk Scrub - Hard Drive Data Elimination Software
4.4 Forensic Graphics File Extractor

5. Requirements and Analysis
5.1 The Tools
5.1.1 Partition Analysis
5.1.2 File System Analysis
5.1.3 General Requirements
5.1.4 Non Functional Requirements
5.2 Specific Requirements

6. Digital Forensic Services
7. Application of Digital Forensic
8. Conclusion
9. References

Chapter 1

1. INTRODUCTION

1.1 Role Of Digital Forensics

"Digital Forensic is the process of identifying, preserving, analyzing and presenting digital
evidence in a manner that is legally acceptable."

From the above definition we can clearly identify four components:

• IDENTIFYING

This is the process of identifying things such as what evidence is present, where and
how it is stored, and which operating system is being used. From this information the investigator
can identify the appropriate recovery methodologies, and the tools to be used.

• PRESERVING

This is the process of preserving the integrity of digital evidence, ensuring the chain of
custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM,
using reproducible methodologies. All steps taken to capture the data must be documented. Any
changes to the evidence should be documented, including what the change was and the reason for
the change. You may need to prove the integrity of the data in the court of law.

• ANALYSING

This is the process of reviewing and examining the data. The advantage of copying this
data onto CD-ROMs is the fact it can be viewed without the risk of accidental changes, therefore
maintaining the integrity whilst examining the changes.

• PRESENTING

This is the process of presenting the evidence in a legally acceptable and understandable
manner. If the matter is presented in court, the jury, who may have little or no computer experience,
must all be able to understand what is presented and how it relates to the original, otherwise all
efforts could be futile.

Far more information is retained on the computer than most people realize. It's also more difficult to
completely remove information than is generally thought. For these reasons (and many more),
digital forensics can often find evidence, or even completely recover lost or deleted information,
even if the information was intentionally deleted.

The goal of digital forensics is to retrieve the data and interpret as much information about it as
possible, as compared to data recovery, where the goal is to retrieve the lost data.

1.2 What is Digital Forensics?

Digital forensics is simply the application of disciplined investigative techniques in the
automated environment and the search, discovery, and analysis of potential evidence. It is the
method used to investigate and analyze data maintained on or retrieved from electronic data storage
media for the purposes of presentation in a court of law, civil or administrative proceeding.
Evidence may be sought in a wide range of computer crime or misuse cases. Digital forensic is
rapidly becoming a science recognized on a par with other forensic sciences by the legal and law
enforcement communities. As this trend continues, it will become even more important to handle
and examine computer evidence properly. Not every department or organization has the resources
to have trained digital forensic specialists on staff. Digital forensics is a specialized field within
forensic science that focuses on the recovery, analysis, and investigation of data found on digital
devices, such as computers, smartphones, and networks. It involves using advanced techniques and
tools to collect, preserve, and examine digital evidence in a manner that maintains its integrity and
is admissible in court.
The main goal of digital forensics is to uncover evidence of cybercrimes, data breaches, fraud, and
other illegal activities involving digital data. This evidence can include files, emails, chat logs,
metadata, and more. Digital forensics experts often work closely with law enforcement agencies,
legal professionals, and organizations to investigate incidents and support legal proceedings.

1.3 History of Digital Forensics

Michael Anderson
• "Father of digital forensic"
• Special agent with IRS
• Meeting in 1988 (Portland, Oregon)
• Creation of IACIS, the International Association of Computer Investigative Specialists
• The first Seized Computer Evidence Recovery Specialists (SCERS) classes held

Prior to the 1980s, crimes involving computers were dealt with using existing laws. The first
computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included
legislation against the unauthorized modification or deletion of data on a computer system.[5][6]
Over the next few years the range of computer crimes being committed increased, and laws were
passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking,
and online predators) and child pornography.[7][8] It was not until the 1980s that federal laws
began to incorporate computer offences. Canada was the first country to pass legislation in
1983.[6] This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian
amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.[6][8]

1980s–1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to
begin establishing specialized groups, usually at the national level, to handle the technical aspects
of investigations. For example, in 1984 the FBI launched a Computer Analysis and Response
Team and the following year a computer crime department was set up within the British
Metropolitan Police fraud squad. As well as being law enforcement professionals, many of the
early members of these groups were also computer hobbyists and became responsible for the
field's initial research and direction.
One of the first practical (or at least publicized) examples of digital forensics was Cliff Stoll's
pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of computer and
network forensic techniques, was not a specialized examiner. Many of the earliest forensic
examinations followed the same profile.

Throughout the 1990s there was high demand for the new, and basic, investigative resources.
The strain on central units led to the creation of regional, and even local, level groups to help
handle the load. Tech Crime Unit was set up in 2001 to provide a national infrastructure for
computer crime, with personnel located both centrally in London and with the various regional
police forces (the unit was folded into the Serious Organized Crime Agency (SOCA) in 2006).

During this period the science of digital forensics grew from the ad-hoc tools and techniques
developed by these hobbyist practitioners. This is in contrast to other forensics disciplines which
developed from work by the scientific community.[1][13] It was not until 1992 that the term
"computer forensics" was used in academic literature (although prior to this it had been in
informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic
science world.[14][15] This swift development resulted in a lack of standardization and training.
In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K.
Rosenblatt wrote:[6] Seizing, preserving, and analyzing evidence stored on a computer is the
greatest forensic challenge facing law enforcement in the 1990s.

Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially
trained experts, the task of collecting and analyzing computer evidence is often assigned to patrol
officers and detectives.[16]

2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have
published guidelines for digital forensics. The Scientific Working Group on Digital Evidence
(SWGDE) produced a 2002 paper, "Best practices for Computer Forensics"; this was followed,
in 2005, by the publication of an ISO standard (ISO 17025, General requirements for the
competence of testing and calibration laboratories). A European-led international treaty, the
Convention on Cybercrime, came into force in 2004 with the aim of reconciling national
computer crime laws, investigative techniques and international co-operation. The treaty has
been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other
European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software
developers) began to offer certification programs and digital forensic analysis was included as a
topic at the UK specialist investigator training facility, Centrex.[6][10]
Since the late 1990s mobile devices have become more widely available, advancing beyond
simple communication devices, and have been found to be rich forms of information, even for
crime not traditionally associated with digital forensics.[19]
Despite this, digital analysis of phones has lagged behind traditional computer media, largely due
to problems over the proprietary nature of devices.[20]

Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyber
terrorism. A February 2010 report by the United States Joint Forces Command concluded:
Through cyberspace, enemies will target industry, academia, government, as well as the military
in the air, land, maritime, and space domains. In much the same way that airpower transformed
the battlefield of World War II; cyberspace has fractured the physical barriers that shield a nation
from attacks on its commerce and communication.[21]

The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic
Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi identified a bias
towards Windows operating systems in digital forensics research.[22] In 2010 Simson Garfinkel
identified issues facing digital investigations in the future, including the increasing size of digital
media, the wide availability of encryption to consumers, a growing variety of operating systems
and file formats, an increasing number of individuals owning multiple devices, and legal
limitations on investigators. The paper also identified continued training issues, as well as the
prohibitively high cost of entering the field.[11]

Chapter 2

2. Need For Digital Forensics

2.1 Purpose
Digital forensics is needed mainly because of the wide variety of computer crimes that take
place. With present technological advancements it is common for every organization to employ
the services of digital forensic experts. There are various computer crimes that occur on a small
scale as well as a large scale. The loss caused depends upon the sensitivity of the computer
data or the information for which the crime has been committed.

Digital forensics has become vital in the corporate world. There can be theft of data from
an organization, in which case the organization may sustain heavy losses. For this purpose digital
forensics is used, as it helps in tracking the criminal.

The need in the present age is all the more severe due to internet advancements
and the dependency on the internet. People who gain access to computer systems
without proper authorization should be dealt with. Network security is an important issue in
the computer world. Digital forensics is a threat to wrongdoers and people with
negative mindsets.

Digital forensics is also efficient where the data is stored in a single system for backup.
Data theft and intentional damage of the data in a single system can also be minimized
with digital forensics. There are hardware and software that employ security measures in
order to track changes and updates to the data or the information. The user information
is provided in the log files, which can be effectively used to produce evidence of any
crime in a legal manner.

The main purpose of the digital forensic is to produce evidence in the court that can lead to the
punishment of the actual. The forensic science is actually the process of utilizing the scientific
knowledge for the purpose of collection, analysis, and most importantly the presentation of the
evidence in the court of law. The word forensic itself means to bring to the court.

The need or the importance of digital forensics is to ensure the integrity of the computer
system. The system with some small measures can avoid the cost of operating and maintaining
the security. The subject provides in-depth knowledge for the understanding of the legal as well
as the technical aspects of computer crime. It is very useful from a technical standpoint.

The importance of digital forensics is evident in tracking cases of child pornography and
email spamming. Digital forensics has been efficiently used to track down terrorists from
various parts of the world. Terrorists using the internet as the medium of communication
can be tracked down and their plans can be known.

There are many tools that can be used in combination with digital forensics to find out the
geographical information and the hideouts of the criminals. The IP address plays an important
role in finding out the geographical position of the terrorists. Security personnel deploy
effective measures using digital forensics. Intrusion Detection Systems are used for that
purpose.

The purpose of digital forensics is multifaceted and plays a critical role in both the investigative
and legal landscapes. Here are some key purposes:

1. **Investigate Cybercrimes:** Digital forensics helps in identifying, tracking, and prosecuting
individuals involved in cybercrimes such as hacking, phishing, and other online frauds.

2. **Gather Evidence:** It involves collecting and preserving digital evidence in a way that
maintains its integrity and admissibility in court, which is crucial for legal proceedings.

3. **Data Recovery:** Digital forensics can recover lost, deleted, or corrupted data from digital
devices, which might be important for investigations.

4. **Incident Response:** It helps organizations respond to security incidents by identifying the
cause, scope, and impact of a breach or attack.

5. **Prevent Fraud:** Digital forensics can detect and prevent various types of fraud, including
financial fraud, identity theft, and intellectual property theft.

6. **Enhance Cybersecurity:** By understanding how breaches and attacks occur, digital
forensics helps improve the overall cybersecurity posture of organizations.

7. **Protect Intellectual Property:** It helps in tracing unauthorized access, use, or distribution
of proprietary information.

2.2 Why is Digital Forensics Important?

Digital forensics is crucial for several reasons:

1. **Cybercrime Investigation:** With the rise in cybercrimes like hacking, identity theft, and
online fraud, digital forensics helps in identifying and prosecuting offenders.

2. **Legal Evidence:** It provides critical digital evidence that can be used in court to convict
criminals or resolve disputes. This evidence must be collected and preserved meticulously to
maintain its integrity.

3. **Data Recovery:** In cases of data loss due to accidental deletion, hardware failure, or
cyberattacks, digital forensics can recover important data that may otherwise be lost forever.

4. **Incident Response:** During security breaches, digital forensics helps determine how the
breach occurred, what data was compromised, and how to mitigate future incidents.

5. **Fraud Prevention:** It can detect and prevent financial fraud, intellectual property theft, and
other illegal activities by analyzing digital data for suspicious patterns and activities.

6. **Regulatory Compliance:** Many industries are subject to strict regulations regarding data
protection and privacy. Digital forensics ensures that organizations comply with these regulations
and handle data breaches appropriately.

7. **Strengthening Cybersecurity:** By analyzing how cyberattacks happen and identifying
vulnerabilities, digital forensics helps improve cybersecurity measures and defenses.

8. **Protecting Intellectual Property:** It helps organizations safeguard their proprietary
information and track any unauthorized access or distribution.

Digital forensics is critically important in today's digital age due to its multifaceted role in
safeguarding information, solving crimes, and enhancing cybersecurity. By investigating
cybercrimes such as hacking and online fraud, digital forensics helps law enforcement identify and
prosecute offenders. The field ensures that digital evidence is meticulously collected and preserved,
making it admissible in court. It also aids in data recovery, incident response, and fraud prevention,
which are essential for both individuals and organizations. Moreover, digital forensics strengthens
cybersecurity measures by identifying vulnerabilities and improving defenses. Its significance
extends to protecting intellectual property, supporting corporate security, and contributing to
national security efforts. Overall, digital forensics is indispensable for maintaining the security,
integrity, and reliability of digital data across various sectors.

2.3 Digital forensic helps the organization in the following way:-

• RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER:

Computer systems may crash, files may be accidentally deleted, disks may
accidentally be reformatted, viruses may corrupt files, files may be accidentally overwritten,
disgruntled employees may try to destroy your files. All of this can lead to loss of your critical
data, but digital forensic experts should be able to employ the latest tools and techniques to
recover your data.

• ADVISE YOU ON HOW TO KEEP YOUR DATA AND INFORMATION SAFE FROM THEFT OR ACCIDENTAL LOSS:

Business today relies on computers. Your sensitive records and trade secrets
are vulnerable to intentional attacks from, e.g., hackers, disgruntled employees, viruses, etc.
Unintentional loss of data due to accidental deletion or h/w or s/w crashes is equally
threatening. Digital forensic experts can advise you on how to safeguard your data by
methods such as encryption and back-up.

• EXAMINE A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN DOING:-

Whether you're looking for evidence in a criminal prosecution, looking for
evidence in a civil suit, or determining exactly what an employee has been up to, your digital
forensic expert should be equipped to find and interpret the clues left behind.

• SWEEP YOUR OFFICE FOR LISTENING DEVICES:-

There are various micro-miniature recording and transmitting devices available
in today's hi-tech world. The digital forensic expert should be equipped to conduct thorough
electronic countermeasure (ECM) sweeps of your premises.

• HI-TECH INVESTIGATION:-

The forensic expert should have the knowledge and the experience to conduct hi-tech
investigations involving cellular cloning, cellular subscription fraud, s/w piracy, data or
information theft, trade secrets, computer crimes, misuse of computers by employees, or any
other technology issue.

2.4 Advantage of Digital Forensic

The main task or the advantage of digital forensics is to catch the culprit or the criminal who
is involved in the crime related to the computers.
Digital forensics deals extensively with finding the evidence in order to prove the crime and the culprit
behind it in a court of law. Forensics provides the organization with support and helps it
recover its loss.

The important thing and the major advantage of digital forensics is the preservation
of the evidence that is collected during the process. The protection of evidence can be considered
as critical.

The ethicality can be considered as an advantage of the forensics in computer systems.

Digital forensics offers numerous advantages, making it a vital field in today's digital landscape.
Here are some key benefits:

1. **Enhanced Crime Solving:** By providing concrete digital evidence, digital forensics helps
solve a wide range of crimes, including cybercrimes, financial fraud, and intellectual property
theft.

2. **Data Recovery:** It can recover deleted, corrupted, or lost data from digital devices, which
is crucial in both legal investigations and business operations.

3. **Incident Response:** Digital forensics aids in identifying the source and impact of security
breaches, enabling organizations to respond swiftly and effectively to cyber incidents.

4. **Legal Compliance:** Ensures that digital evidence is collected and preserved in a manner
that is legally admissible, helping organizations comply with regulations and legal standards.

5. **Fraud Detection:** Helps detect and prevent various types of fraud by analyzing digital
data for suspicious activities and patterns.

6. **Improved Cybersecurity:** By understanding the methods used in cyberattacks, digital
forensics helps enhance cybersecurity measures and protect against future threats.

7. **Intellectual Property Protection:** Assists in tracing unauthorized access and distribution
of proprietary information, safeguarding intellectual property.

8. **Employee Monitoring:** Enables organizations to monitor employee activities to prevent
insider threats and ensure compliance with company policies.

9. **Educational Value:** Provides valuable training and knowledge for cybersecurity
professionals and law enforcement, preparing them to handle modern digital threats.

Overall, digital forensics is essential for maintaining the integrity, security, and reliability of
digital data, supporting both investigative and preventative efforts in various fields.

Chapter 3

3. Digital Forensic Methodology

3.1 Methods Used

According to many professionals, digital forensics is a four (4) step process:

• Acquisition

Physically or remotely obtaining possession of the computer, all network mappings from the
system, and external physical storage devices.

• Identification

This step involves identifying what data could be recovered and electronically retrieving it by
running various digital forensic tools and software suites.

• Evaluation

Evaluating the information/data recovered to determine if and how it could be used against the
suspect for employment termination or prosecution in court.

• Presentation

This step involves the presentation of evidence discovered in a manner which is understood by
lawyers, non-technical staff/management, and suitable as evidence as determined by United
States and internal laws.

3.2 Digital Forensics Process:-

As in any investigation, establishing that an incident has occurred is the first key step. Secondly,
the incident needs to be evaluated to determine if digital forensics may be required. Generally, if
the computer incident resulted in a loss of time or money, or the destruction or compromise of
information, it will require the application of digital forensic investigative techniques. When
applied, the preservation of evidence is the first rule in the process. Failure to preserve evidence
in its original state could jeopardize the entire investigation. Knowledge of how the crime was
initiated and committed may be lost for good. Assignment of responsibility may not be possible
if evidence is not meticulously and diligently preserved. The level of training and expertise
required to execute a forensics task will largely depend on the
level of evidence required in the case. If the result of the investigation were limited to
administrative actions against an employee, the requirement would be lower than taking the case
to court for civil or criminal litigation.

3.3 Approach to retrieve the evidence:-

Generally, if the computer incident resulted in a loss of time or money, or the destruction or
compromise of information, it will require the application of digital forensic investigative
techniques. When applied, the preservation of evidence is the first rule in the process. Failure to
preserve evidence in its original state could jeopardize the entire investigation. Knowledge of
how the crime was initiated and committed may be lost for good. Assignment of responsibility
may not be possible if evidence is not meticulously and diligently preserved.

Since 1989, law enforcement and military agencies have used a 32 bit mathematical process to
authenticate data. Mathematically, a 32 bit data validation is accurate to
approximately one in 4.3 billion. However, given the speed of today's computers and the vast
amount of storage capacity on today's computer hard disk drives, this level of accuracy is no
longer sufficient. A 32 bit CRC can easily be compromised. Therefore, NTI includes two
programs in its forensic suites of tools that mathematically authenticate data with a high level of
accuracy. A large hashing number provides a mathematical level of accuracy that is beyond
question. These programs are used to authenticate data at both a physical level and a logical level.

The following steps should be taken:-

3.3.1 Shut Down the Computer

Depending upon the computer operating system involved, this usually involves pulling the plug
or shutting down a network computer using relevant operating system commands. At the option
of the computer specialists, pictures of the screen image can be taken using a camera. However,
consideration should be given to possible destructive processes that may be operating in the
background. These can be resident in memory or available through a modem or network
connection.

Depending upon the operating system involved, a time delayed password protected screen saver
may potentially kick in at any moment. This can complicate the shutdown of the computer.
Generally, time is of the essence and the computer system should be shut down or powered down
as quickly as possible.

3.3.2 Document the Hardware Configuration of the System

It is assumed that the computer system will be moved to a secure location where a proper chain
of custody can be maintained and the processing of evidence can begin. Before dismantling the
computer, it is important that pictures are taken of the computer from all angles to document the
system hardware components and how they are connected. Labeling each wire is also important
so that the original computer configuration can be restored. Computer evidence should ideally
be processed in a computer hardware environment that is identical to the original hardware
configuration.

3.3.3 Transport the Computer System to A Secure Location

This may seem basic but all too often seized evidence computers are stored in less than secure
locations. It is imperative that the subject computer is treated as evidence and it should be stored
out of reach of curious computer users. All too often, individuals operate seized computers
without knowing that they are destroying potential computer evidence and the chain of custody.

Furthermore, a seized computer left unattended can easily be compromised. Evidence can be
planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of
custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how
can you say that relevant evidence was not planted on the computer after the seizure? The answer
is that you cannot. Do not leave the computer unattended unless it is locked in a secure location!
NTI provides a program named Seized to law enforcement computer specialists free of charge.
It is also made available to NTI's business and government in various suites of software that are
available for purchase. The program is simple but very effective in locking the seized computer
and warning the computer operator that the computer contains evidence and should not be
operated.

3.3.4 Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until bit
stream backups have been made of all hard disk drives and floppy disks. All evidence processing
should be done on a restored copy of the bit stream backup rather than on the original computer.
The original evidence should be left untouched unless compelling circumstances exist.
Preservation of computer evidence is vitally important. It is fragile and can easily be altered or
destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are
much like an insurance policy and they are essential for any serious computer evidence
processing.

3.3.5 Mathematically Authenticate Data on All Storage Devices

You want to be able to prove that you did not alter any of the evidence after the computer came
into your possession. Such proof will help you rebut allegations that you changed or altered the
original evidence. Since 1989, law enforcement and military agencies have used a 32-bit
mathematical process to authenticate data. Mathematically, a 32-bit data validation is accurate to
approximately one in 4.3 billion. However, given the speed of today's computers and the vast
storage capacity of today's hard disk drives, this level of accuracy is no longer sufficient. A 32-bit
CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of
tools that mathematically authenticate data with a high level of accuracy. A large hash value
provides a mathematical level of accuracy that is beyond question. These programs are used to
authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and
DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup
and it is made available free of charge to law enforcement computer specialists as part of NTI's
Free Law Enforcement Suite. The programs are also included in our various suites of forensic
software, which are sold to NTI's clients.
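
The authentication step above, as an added example (it is not NTI's CrcMD5 or DiskSig Pro and not code from this report): an image is hashed in chunks at the physical level, each file at the logical level, and a restored copy is checked against the recorded values. SHA-256 is used here as an assumed stand-in for the large hash, CRC-32 is computed beside it for comparison, and the image and files are constructed sample data.

```python
import hashlib
import io
import zlib

CHUNK = 64 * 1024  # read size; a real image is streamed from the device or image file


def digest_stream(stream):
    """Return (crc32, sha256_hex) for a binary stream, read in chunks."""
    crc = 0
    sha = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        crc = zlib.crc32(block, crc)
        sha.update(block)
    return crc, sha.hexdigest()


def verify_copy(recorded, copy_stream):
    """Physical level: does the restored copy match the recorded digests?"""
    crc, sha = digest_stream(copy_stream)
    return {"crc32": crc == recorded[0], "sha256": sha == recorded[1]}


def logical_manifest(files):
    """Logical level: one SHA-256 per file, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(before, after):
    """Return sorted (path, status) pairs for every file that differs."""
    diffs = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            diffs.append((path, "missing"))
        elif path not in before:
            diffs.append((path, "added"))
        elif before[path] != after[path]:
            diffs.append((path, "changed"))
    return diffs


def crc32_is_affine(a, b, c):
    """True when crc(a^b^c) == crc(a)^crc(b)^crc(c) for equal-length inputs.

    The relation holds for every such triple: CRC-32 is a linear checksum,
    so it detects accidental corruption but gives no resistance to
    deliberate alteration. A cryptographic hash has no such structure.
    """
    assert len(a) == len(b) == len(c)
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


# Constructed sample data: a 512 KiB "image", a faithful copy, a copy with one
# flipped bit, and two small files for the logical-level manifest.
IMAGE = bytes(range(256)) * 2048
RESTORED = bytes(IMAGE)
ALTERED = IMAGE[:300000] + bytes([IMAGE[300000] ^ 0x01]) + IMAGE[300001:]
FILES = {"LETTER.DOC": b"constructed letter", "LEDGER.XLS": b"constructed ledger"}

if __name__ == "__main__":
    record = digest_stream(io.BytesIO(IMAGE))
    print("recorded: crc32=%08x sha256=%s" % record)
    print("restored copy:", verify_copy(record, io.BytesIO(RESTORED)))
    print("altered copy: ", verify_copy(record, io.BytesIO(ALTERED)))
    print("manifest:", logical_manifest(FILES))
    print("CRC-32 linear relation holds:",
          crc32_is_affine(b"abcdefgh", b"12345678", b"ZYXWVUTS"))
```

Record the digests at acquisition time and again after every restore, and keep both values in the case notes.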

3.3.6 Document the System Date and Time

The dates and times associated with computer files can be extremely important from an evidence
standpoint. However, the accuracy of the dates and times is just as important. If the system clock
is one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong
time. To adjust for these inaccuracies, documenting the system date and time settings at the time
the computer is taken into evidence is essential.

3.3.7 Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is all but impossible for a computer
specialist to manually view and evaluate every file on a computer hard disk drive. Therefore,
state-of-the-art automated forensic text search tools are needed to help find the relevant evidence.

3.3.8 Evaluate the Windows Swap File

The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of
the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N,
FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identify
patterns of English language text, phone numbers, social security numbers, credit card numbers,
Internet E-Mail addresses, Internet web addresses and names of people.

3.3.9 Evaluate File Slack

File slack is a data storage area of which most computer users are unaware. It is a source of
significant 'security leakage' and consists of raw memory dumps that occur during the work
session as files are closed. The data dumped from memory ends up being stored at the end of
allocated files, beyond the reach or the view of the computer user. Specialized forensic tools are
required to view and evaluate file slack, and it can provide a wealth of information and
investigative leads. Like the Windows swap file, this source of ambient data can help provide
relevant key words and leads that may have previously been unknown.

3.3.10 Evaluate Unallocated Space (Erased Files)

The DOS and Windows 'delete' function does not completely erase file names or file content.
Many computer users are unaware the storage space associated with such files merely becomes
unallocated and available to be overwritten with new files.

Unallocated space is a source of significant 'security leakage' and it potentially contains erased
files and file slack associated with the erased files. Often the DOS Undelete program can be used
to restore the previously erased files. Like the Windows swap file and file slack, this source of
ambient data can help provide relevant key words and leads that may have previously been
unknown to the computer investigator.

3.3.11 Search Files, File Slack and Unallocated Space for Key Words

The list of relevant key words identified in the previous steps should be used to search all relevant
computer hard disk drives and floppy diskettes. There are several forensic text search utilities
available in the marketplace. NTI's forensic search Text Search NT can be used for that purpose
and it has been tested and certified for accuracy by the U.S. Department of Defense. This powerful
search tool is also included as part of NTI's suites of software tools.
3.3.12 Document File Names, Dates and Times

From an evidence standpoint, file names, creation dates, last modified dates and times can be
relevant. Therefore, it is important to catalog all allocated and 'erased' files.

NTI includes a program called File List Pro in its various suites of forensic tools. The File List
Pro program generates its output in the form of a database file. The file can be sorted based on
the file name, file size, file content, creation date, last modified date and time. Such sorted
information can provide a timeline of computer usage.

3.3.13 Identify File, Program and Storage Anomalies

Encrypted, compressed and graphic files store data in binary format. As a result, text data stored
in these file formats cannot be identified by a text search program. Manual evaluation of these
files is required and in the case of encrypted files, much work may be involved. NTI's Text
Search Plus program has built in features that automatically identify the most common
compressed and graphic file formats. The use of this feature will help identify files that require
detailed manual evaluation. Depending on the type of file involved, the contents should be
viewed and evaluated for its potential as evidence.

3.3.14 Evaluate Program Functionality

Depending on the application software involved, running programs to learn their purpose may
be necessary. NTI's training courses make this point by exposing the students to computer
applications that do more than the anticipated task. When destructive processes are discovered
that are tied to relevant evidence, this can be used to prove willfulness. Such destructive
processes can be tied to 'hot keys' or the execution of common operating commands tied to the
operating system or applications. Before and after comparisons can be made using the File List
Pro program and/or mathematical authentication programs. All these tools are included in most
of NTI's suites of forensic tools.

3.3.15 Document Your Findings

As indicated in the preceding steps, it is important to document your findings as issues are
identified and as evidence is found. Documenting all of the software used in your forensic
evaluation of the evidence including the version numbers of the programs used is also important.
Be sure that you are legally licensed to use the forensic software.

Chapter 4

4. Digital Forensic Technology

Digital forensic tools and techniques have proven to be a valuable resource for law enforcement in
the identification of leads and in the processing of computer-related evidence. Digital forensic
tools and techniques have become important resources for use in internal investigations, civil
lawsuits, and computer security risk management. Forensic software tools and methods can be used to
identify passwords, logons, and other information that is automatically dumped from the computer
memory. Such forensic tools can be used to tie a diskette to the computer that created it. Some of
the tools used are as follows:

4.1 Get Free - Forensic Data Capture Tool

When files are 'deleted' in DOS, Windows, Windows95 and Windows 98, the data associated with
the file is not actually eliminated. It is simply reassigned to unallocated storage space where it may
eventually be overwritten by the creation of new files over time. Such data can provide the digital
forensic investigator with valuable leads and evidence. However, the same data can create a
significant security risk when sensitive data has been erased using DOS, Windows, Windows 95
and Windows 98 file deletion procedures and commands.

Get Free software is used to capture all of the unallocated file space on DOS, Windows, Windows
95 and Windows 98 based computer systems. The program can be used to identify leads and
evidence. It is also effectively used to validate the secure scrubbing of unallocated storage space
with programs like NTI's M-Sweep ambient data deletion software.

When Get Free software is used as an investigative tool, it eliminates the need to restore potentially
hundreds or thousands of files on computer hard disk drives and floppy diskettes. The software was
primarily developed as a digital forensic tool for use in computer related investigations and internal
audits. However, Get Free has also proven to be an ideal tool for use in computer security risk
assessments because the software automatically captures the data associated with unallocated file
space. Such data can be reviewed and analyzed using other NTI forensic tools, e.g., Filter I, Net
Threat Analyzer and Graphics Image File Extractor.

Get Free Software - Primary Uses:

• Calculates the amount of unallocated storage space on a computer storage device.
• Automatically captures all logical unallocated storage space on one or more computer
hard disk drives and floppy diskettes.
• Captures the contents of a dynamic Windows swap file for analysis with other tools.
• Used in internal audits, security reviews and computer-related investigations.
• Validates the effectiveness of computer security data scrubbers.
• Identifies classified data spills in unallocated data storage areas.
• Identifies violations of company policy through the identification of sensitive data
leakage into unallocated storage space.
• Used very effectively with NTI's Image File Extractor in investigations involving
computer generated graphic file images, e.g., child pornography investigations.

Get Free - Program Features and Benefits:

• DOS-based for speed and ease of use.
• Compact program size easily fits on one floppy diskette with other forensic software tools.
• Non-printable characters (ASCII values 0-31 and non-ASCII values 127-255) are replaced
by a space character, at the option of the user.
• Does not alter any data on the target computer and can therefore be operated covertly.
• Captures unallocated clusters marked as bad (by a user or the operating system) in the event that
sensitive data is stored in sectors associated with such clusters.
• Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
• Estimates the output storage space needed for the data capture prior to use.
• Processes more than one logical drive in one work session.
• Automatically increments the output file names and prompts the user for additional removable
media in the event additional storage space is needed in achieving the data capture.
• Supports 12 bit, 16 bit and 32 bit FAT types (32-bit FATs).
• If 32 bit FAT (FAT32) file systems are involved, Get Free should be run with a FAT 32 aware
version of DOS, e.g., DOS 7x.
• Automatically creates output files which are less than 2 gigabytes in capacity. This aids in the
analysis of the output files and avoids the 2 gigabyte DOS file limitations.

4.2 Get Slack - Forensic Data Capture Utility

This software is used to capture all of the file slack contained on a logical hard disk drive or floppy diskette
on a DOS, Windows, Windows 95 and/or Windows 98 computer system. The resulting output from Get
Slack can be analyzed with standard computer utilities or with special NTI tools, e.g., Filter I and Net Threat
Analyzer software. Get Slack software is an ideal digital forensic tool for use in investigations, internal
audits and in computer security reviews. NTI places special importance on the use of this tool in computer
security risk assessments because memory dumps in file slack are the cause for security related concerns.
Typically, network logons and passwords are found in file slack. It is also possible for passwords used in file
encryption to be stored as memory dumps in file slack.

From an investigative standpoint, file slack is a target rich environment to find leads and evidence. File slack
can contain leads and evidence in the form of fragments of word processing communications, Internet E-
mail communications, Internet chat room communications, Internet news group communications and
Internet browsing activity. As a result, this program is a good tool for use in computer related investigations.
It also acts as a good validation tool for use with computer security programs which are designed to
eliminate file slack, e.g., NTI's M-Sweep ambient data scrubbing software.

Get Slack Software - Primary Uses:

• Quickly calculates the amount of storage space which is allocated to file slack on a logical
DOS/Windows partition.
• Captures all file slack on a logical DOS/Windows drive and converts it into one or more files
automatically.
• Used in covert and overt internal audits, computer security reviews and computer investigations.
• Validates the results of computer security scrubbers used to eliminate sensitive or classified data
from file slack on computer storage devices.

Get Slack Software - Program Features and Benefits:

• DOS based for speed.
• Compact program size easily fits on a single floppy diskette with other forensic software tools.
• At the option of the user, non-printable characters (ASCII values 0-31 and 127-255) can be replaced
with space characters.
• Does not alter or modify the data stored on the target computer.
• Does not leave any trace of operation. Therefore, it can be used covertly when laws permit such use.
• Does not alter evidence on the target drive. Therefore, this tool is ideal for the processing of
computer evidence.
• Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
• Estimates the output file space needed prior to use.
• Multiple logical storage devices can be specified in one operating session.
• Configures the output files to fit on one or more removable storage devices depending on the
volume of the computed output.
• Supports 12 bit, 16 bit and 32 bit FAT types (32-bit FATs are currently found on Windows
95B/98/OSR2/NT).
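
File slack capture and the key word search of sections 3.3.9 and 3.3.11, as an added example (not Get Slack itself and not code from this report). It computes each file's slack from its size and cluster chain, replaces non-printable bytes (0-31 and 127-255) with spaces as the feature list describes, and searches the result; the volume, file entries and residual strings are constructed, and the cluster size of 2048 bytes is an assumption.

```python
CLUSTER = 2048  # bytes per cluster on the constructed volume (4 x 512-byte sectors)


def slack_size(file_size, cluster_size=CLUSTER):
    """Bytes between the end of the file and the end of its last cluster."""
    return (-file_size) % cluster_size


def extract_slack(volume, size, clusters, cluster_size=CLUSTER):
    """Return the raw slack bytes of one file given its size and cluster chain."""
    needed = -(-size // cluster_size)  # ceiling division
    if len(clusters) != needed:
        raise ValueError("cluster chain does not match file size")
    if not clusters:
        return b""  # empty file: no cluster, no slack
    used_in_last = size - (needed - 1) * cluster_size
    start = clusters[-1] * cluster_size + used_in_last
    end = (clusters[-1] + 1) * cluster_size
    if end > len(volume):
        raise ValueError("cluster chain points past the end of the volume")
    return volume[start:end]


def to_printable(raw):
    """Replace non-printable bytes (0-31 and 127-255) with spaces."""
    return bytes(b if 32 <= b < 127 else 0x20 for b in raw).decode("ascii")


def capture_slack(volume, entries, cluster_size=CLUSTER):
    """Map each file name to the printable form of its slack."""
    return {name: to_printable(extract_slack(volume, size, chain, cluster_size))
            for name, size, chain in entries}


def search_keywords(captured, keywords):
    """Case-insensitive search; returns (file, keyword, offset_in_slack) hits."""
    hits = []
    for name, text in captured.items():
        lowered = text.lower()
        for word in keywords:
            pos = lowered.find(word.lower())
            while pos != -1:
                hits.append((name, word, pos))
                pos = lowered.find(word.lower(), pos + 1)
    return hits


def _cluster(content=b"", residue=b""):
    """Constructed cluster: file content, then leftover bytes, zero padded."""
    return (content + residue).ljust(CLUSTER, b"\x00")


# Constructed volume of six clusters. Residual strings sit after the end of
# two files; they stand in for data left behind by earlier activity.
VOLUME = b"".join([
    _cluster(b"M" * 1500, b"\x01\x02USER=alice PASS=Example123"),  # 0: memo.txt
    _cluster(b"R" * CLUSTER),                                      # 1: report.doc
    _cluster(b"R" * CLUSTER),                                      # 2: report.doc
    _cluster(b"N" * CLUSTER),                                      # 3: note.txt, part 1
    _cluster(),                                                    # 4: unallocated
    _cluster(b"N" * 52, b"\x00\x00meet at pier 9"),                # 5: note.txt, part 2
])
# (name, size in bytes, cluster chain); note.txt is fragmented on purpose.
ENTRIES = [("memo.txt", 1500, [0]), ("report.doc", 4096, [1, 2]), ("note.txt", 2100, [3, 5])]

if __name__ == "__main__":
    total = sum(slack_size(size) for _, size, _ in ENTRIES)
    print("slack to capture: %d bytes" % total)
    captured = capture_slack(VOLUME, ENTRIES)
    for hit in search_keywords(captured, ["pass", "pier"]):
        print("hit: file=%s keyword=%s offset=%d" % hit)
```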

4.3 Disk Scrub - Hard Drive Data Elimination Software

It is becoming standard practice in corporations, government agencies, law firms and accounting firms to
reassign computers and to donate older computers to charity.
Millions of personal computers have been put to use since 1981 when the IBM Personal Computer came into
existence. Many of the older personal computers have been reassigned or donated to charity and many more
will fall into this category in the future. However, data security is often ignored when computers change
hands.

You must be aware that personal computers were never designed with security in mind. Potentially anything
that transpired on a used computer still exists. Multiply that by the number of computers your organization
will reassign or surplus this year, and you get the point. Computers should be reassigned and donated to
charity but the contents of the hard disk drives should not be ignored.

With computer technology changing almost daily, corporations and government agencies have to stay
current while still making the best uses of aging computer resources. Advancements in hard disk drive
storage capacities, operating systems and software applications cause corporations to buy or lease new
computers every year.
But what is done with the old computers? What is done about the sensitive data still existing, essentially
"stored" on these computers when they are sold, transferred or donated? That is a serious problem, and NTI's
Disk Scrub software was specifically designed to deal with these risks, for corporations, government
agencies, hospitals, financial institutions, law firms and accounting firms.

4.4 Forensic Graphics File Extractor
NTI's Forensic Graphics Image File Extractor is a digital forensic software tool which was designed to
automatically extract exact copies of graphics file images from ambient data sources and from Safe Back bit
stream image backup files. The latter process has the potential of quickly identifying all graphics file images
stored on a computer's hard disk drive. The resulting output image files can be quickly evaluated using a
graphics file viewer, e.g., Firehand Ember Millennium by Firehand Technologies, which NTI recommends.
Firehand Ember Millennium fits limited law enforcement budgets, e.g., priced at under $50, and it is an ideal
product for investigations involving computer graphic images.

NTI's Image File Extractor software was developed with our law enforcement friends in mind and it has
been priced accordingly. Law enforcement computer crime specialists spend much of their valuable time in
the investigation of computer crimes involving the possession and distribution of graphic image files which
involve child pornography. This digital forensic tool saves time and it was specifically created to accurately
and quickly reconstruct evidence grade copies of "deleted" image files.

The software can also be used effectively to identify and reconstruct residual graphics file images which
passed through Windows Swap and Windows Page files during Internet web browsing sessions. An "after
the fact" analysis of such files can quickly determine how a computer may have been used. Such information
is invaluable to corporate investigators and law enforcement computer crime specialists alike. NTI's
Graphics Image File Extractor also provides benefits in internal audits involving the misuse of corporate
computers by employees and corporate due diligence reviews of computers.

Forensic Graphics File Extractor - Primary Uses:

1. Used to find evidence in corporate, civil and criminal investigations which involve computer graphics
files, e.g., investigations which potentially involve child pornography and/or inappropriate Internet web
browsing in a corporate or government setting.
2. Used with other digital forensic software to quickly reconstruct previously deleted BMP, GIF and JPEG
graphics files stored on computer storage media.
3. Used to quickly identify and preview BMP, GIF and JPEG image files stored on a computer hard disk
drive when used with Safe Back and Firehand Embers.
4. Used effectively in computer investigations involving the distribution of child pornography.
5. Used "after the fact" to determine what files may have been viewed over or downloaded from the Internet.
6. Used very effectively with NTI's Get Free software, which can be purchased separately.

Forensic Graphics File Extractor - Program Features and Benefits:

1. Operates under DOS/WIN9x/WINNT/WIN2000/WINXP for ease of operation and speed.

2. Compact program size which easily fits on one floppy diskette with other forensic software utilities for
portability.

3. Searches a targeted Windows Swap File or a file created from erased file space for patterns of BMP, GIF
and JPG file images and it reconstructs partial or complete image files in one highly accurate operation. The
accuracy of this process is dependent upon the degree of fragmentation involved, etc.

4. When complete image files are identified and reconstructed by the program the output of restored graphics
images files is exact. Our tests indicate that a majority of reconstructed files will pass a CRCMD5 hash test
when restored image files are compared with the original files prior to deletion. This feature makes the
software ideal for evidence reconstruction in criminal cases. It also allows for the exact reconstruction of
graphics image files which may contain hidden files or other messages through the use of steganography.

5. Partial image file patterns (caused due to fragmentation and/or file corruption) can be automatically
reconstructed and viewed.

6. The highly accurate graphics file identification search engine ensures that every byte is checked for
integrity.

7. The software operates in batch file mode for automatic processing when combined with other NTI
software processes.

8. It automatically creates a complete log of the processing steps taken by the program to aid in expert
witness testimony.

9. Priced to easily fit limited law enforcement budgets.

10. Operation of the software is easy and is not hampered by hardware anti-theft software protection.

11. Free Upgrades for one year from the date of purchase.
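
Signature-based recovery of BMP, GIF and JPEG data from a dump of erased file space, as an added example (not NTI's extractor and not code from this report). It handles contiguous files only, which is why accuracy depends on fragmentation, and it checks a recovered file against the hash of the original; SHA-256 is an assumed substitute for the CRCMD5 test, and the "images" are constructed byte strings with valid headers and footers rather than real pictures.

```python
import hashlib
import struct
from collections import namedtuple

Carved = namedtuple("Carved", "kind offset data")
MAX_SIZE = 20 * 1024 * 1024  # give up on a candidate with no footer within 20 MiB


def carve_delimited(data, start, footer):
    """Header-to-footer carving: stop at the first footer after the header."""
    end = data.find(footer, start + 3, start + MAX_SIZE)
    return None if end == -1 else data[start:end + len(footer)]


def carve_jpeg(data, start):
    # An embedded thumbnail carries its own FF D9, so a real JPEG may be cut
    # short at this point and need manual review.
    return carve_delimited(data, start, b"\xff\xd9")


def carve_gif(data, start):
    # Block terminator 00 followed by the trailer byte 3B.
    return carve_delimited(data, start, b"\x00\x3b")


def carve_bmp(data, start):
    """BMP stores its own length: 'BM', uint32 file size, 4 reserved zero bytes."""
    if start + 14 > len(data):
        return None
    size, reserved = struct.unpack_from("<II", data, start + 2)
    if reserved != 0 or size < 14 or size > MAX_SIZE or start + size > len(data):
        return None  # 'BM' is only two bytes, so most matches are rejected here
    return data[start:start + size]


SIGNATURES = [(b"\xff\xd8\xff", "jpeg", carve_jpeg), (b"GIF87a", "gif", carve_gif),
              (b"GIF89a", "gif", carve_gif), (b"BM", "bmp", carve_bmp)]


def carve(data):
    """Scan a dump and return every complete, contiguous image candidate."""
    found, pos = [], 0
    while pos < len(data):
        hits = [(data.find(sig, pos), kind, fn) for sig, kind, fn in SIGNATURES]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        offset, kind, fn = min(hits, key=lambda h: h[0])
        blob = fn(data, offset)
        if blob is None:
            pos = offset + 1  # header without a usable end: partial file, move on
        else:
            found.append(Carved(kind, offset, blob))
            pos = offset + len(blob)
    return found


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_original(carved, original_digest):
    """Evidence check: is the recovered file bit-for-bit the known original?"""
    return sha256_hex(carved.data) == original_digest


# Constructed sample data: three complete "files" and one JPEG header with no
# footer, separated by filler bytes, standing in for captured erased space.
JPEG = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
GIF = b"GIF89a" + b"constructed-gif-body" + b"\x00\x3b"
BMP_BODY = b"constructed-bmp-body"
BMP = b"BM" + struct.pack("<IHHI", 14 + len(BMP_BODY), 0, 0, 14) + BMP_BODY
DUMP = (b"\x11" * 100 + JPEG + b"\x11" * 37 + GIF + b"\x22" * 50 + BMP
        + b"\x11" * 10 + b"\xff\xd8\xff\xe0" + b"no-footer")

if __name__ == "__main__":
    for item in carve(DUMP):
        print("%-4s offset=%-4d size=%-3d sha256=%s"
              % (item.kind, item.offset, len(item.data), sha256_hex(item.data)))
```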

Chapter No. 5
5. REQUIREMENTS AND ANALYSIS

5.1 The Tools:-

The tools developed perform the following functions:

• Analysing a hard disk and detecting HPAs, DCOs and bad sectors with a reasonable degree of accuracy.
• Creating a bit stream image of a hard disk and verifying the copy.
• Mapping the system's logical partitions and locating hidden data with a reasonable degree of accuracy.
• Locating files contained in a file system, recovering deleted files where possible, and reconstructing
fragmented files.
• Displaying the contents of an encrypted file (where possible) and at least identifying that the file is encrypted.
• Reconstructing computer events which occurred before a crime was committed.
• Detecting the use of steganographic methods, with reasonable accuracy, and extracting the data hidden
using those methods.

5.1.1 Partition Analysis:-

Once an image has been acquired it is then necessary to find and recover deleted (and undeleted) files.
However, these files will be contained inside a file system, so it is necessary to find the file system
before this can happen. File systems, on most systems, are contained inside partitions, of which there may be
several, so the first step is to be able to analyse the partitioning information. This is why the next tool to be
developed will be a partition analysis tool.
The first, and most obvious, requirement of the partition analysis tool is that it must be able to map the
partitions and present the information to the user. However, the partition table (for many systems) is
contained inside the first sector of the disk, therefore it will be necessary for the tool to know how many
bytes are in a sector so that it knows how many bytes to read. This information will have been gathered and
stored by the disk imaging tool, so the first step of analyzing a partition will be to parse the disk information
file to find the information required for the analysis. It will also be necessary to find the size of the disk
from this file for use when finding slack space. During a digital forensic investigation every procedure and
result must be well documented. The tool should therefore also be able to store the partition information.
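
One way to meet these requirements for a disk with a classic MBR partition table, shown as an added example in Python rather than the Java proposed for the toolkit (it is not the tool built for this report). The report does not give the format of the disk information file, so the `DISK_INFO` dictionary and its keys are hypothetical, and the sector 0 contents are constructed; the example maps the primary entries, lists space outside every partition, and returns log lines for the case record.

```python
import itertools
import struct
from collections import namedtuple

Partition = namedtuple("Partition", "index bootable type_id type_name start count")

# A few well-known MBR partition type bytes; anything else is reported as unknown.
TYPE_NAMES = {
    0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x06: "FAT16", 0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x05: "Extended", 0x0F: "Extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux",
}
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sectors


def parse_mbr(sector0):
    """Decode the four primary entries; extended partition chains are not followed."""
    if len(sector0) < 512:
        raise ValueError("sector 0 is shorter than 512 bytes")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        if raw == bytes(16):
            continue  # unused slot; a slot with type 0x00 but other data is still reported
        status, _, type_id, _, start, count = ENTRY.unpack(raw)
        name = TYPE_NAMES.get(type_id, "unknown (0x%02X)" % type_id)
        parts.append(Partition(i, status == 0x80, type_id, name, start, count))
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges (start, count) outside every partition; sector 0 holds the MBR."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p.start):
        if p.start > cursor:
            gaps.append((cursor, p.start - cursor))
        cursor = max(cursor, p.start + p.count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def find_anomalies(parts, total_sectors):
    """Entries that overlap each other or run past the end of the disk."""
    notes = []
    for a, b in itertools.combinations(parts, 2):
        if a.start < b.start + b.count and b.start < a.start + a.count:
            notes.append("entries %d and %d overlap" % (a.index, b.index))
    for p in parts:
        if p.start + p.count > total_sectors:
            notes.append("entry %d extends past the end of the disk" % p.index)
    return notes


def describe(image, disk_info):
    """Return log lines for the case notes: partitions, gaps and anomalies."""
    bps, total = disk_info["bytes_per_sector"], disk_info["total_sectors"]
    parts = parse_mbr(image[:bps])
    lines = ["entry %d: %s, sectors %d-%d (%d bytes)%s" % (
        p.index, p.type_name, p.start, p.start + p.count - 1, p.count * bps,
        ", bootable" if p.bootable else "") for p in parts]
    lines += ["unpartitioned: sectors %d-%d (%d bytes)" % (s, s + n - 1, n * bps)
              for s, n in find_gaps(parts, total)]
    return lines + find_anomalies(parts, total)


def build_sample_mbr():
    """Constructed sector 0: a FAT32 and an NTFS entry with space left between them."""
    sector = bytearray(512)
    entries = [(0x80, 0x0C, 63, 20000), (0x00, 0x07, 30000, 50000)]
    for i, (status, type_id, start, count) in enumerate(entries):
        ENTRY.pack_into(sector, 446 + 16 * i, status, bytes(3), type_id, bytes(3), start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Hypothetical stand-in for the disk information file written by the imaging tool.
DISK_INFO = {"bytes_per_sector": 512, "total_sectors": 100000}

if __name__ == "__main__":
    for line in describe(build_sample_mbr(), DISK_INFO):
        print(line)
```

The unpartitioned ranges it reports are where a later search for hidden data would look first.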

5.1.2 File System Analysis:-

Now that the file systems have been found, the tool should be able to analyze them and recover files.
There may be many file systems and the user may only want to analyze data from one of these file systems.
Therefore the first requirement of the tool will be to parse the partition information file created by the
partition analysis tool and present the user with a choice of file systems to analyze.
The initial requirement for the file system tool is to be able to record the type of file system (i.e. FAT, NTFS
etc.) and the directory structure it contains for all current non-deleted files. This information should both be
stored in the log file and presented to the user. Again it could be helpful if the information was presented to
the user in the form of a diagram but this isn't a critical requirement as the user should be able to quite easily
understand directory listings. The tool must also record basic file system information such as the number of
sectors per cluster, the size of the file system and other file system specific information.
The tool must record which clusters are marked as good and which are marked as bad. The bad clusters
should be analyzed for possible evidence although this will depend on the kind of information the user is
searching for. In other words the tool should include bad sectors in any searches.
One problem is that many file systems, such as FAT and NTFS, store files in clusters rather than sectors and
it will be necessary to identify these clusters before the files can be recovered. File systems generally have
data structures which contain this information along with other general file system information such as the
date it was created that might be useful to an investigation. It is therefore necessary for the tool to be capable
of analyzing the appropriate data structure(s) and presenting the information to a user.
Now that the basic file system information is known files containing evidence can be recovered. Whilst there
has been some work on creating models for automated.

5.1.3 General Requirements:-

By definition the whole point of digital forensic analysis is that the evidence recovered will be used in a
court of law. There are various rules and procedures which must be followed in order for evidence to be
deemed admissible. I have briefly highlighted some of these procedures in the literature survey such as
verifying that an image is identical to the original disk data. Following on from this a requirement of the
tools developed will be that they adhere to the appropriate procedures so that the output they produce can be
used.

5.1.4 Non Functional Requirements:-

The tool kit developed will need to be portable as it could be necessary to use it on a variety of machines.
For the most part I will therefore be using the Java programming language as the programs developed could
be used on any machine which has the java virtual machine installed. However there will be a problem with
the disk imaging tool as Java would be unable to perform the necessary low level disk access. For this tool I
will use the C++ programming language as it overcomes these difficulties but I would need to make sure this
tool still has the required portability.
The system developed would obviously need to be secure although this can be achieved by using a
standalone machine which isn't connected to any outside sources such as the internet.
However where this isn't possible I will aim to make the tools as secure as I can. It is very difficult to
develop nonfunctional requirements related to the time taken to complete the analysis as every case could be
different in terms of the amount of analysis necessary and the amount of time available to conduct the
investigation.
These requirements may be added at a later date. The system will need to be reliable as any analysis
interrupted by system failure will need to be repeated and some of the analysis could take a long while, e.g.
disk imaging may take a few hours depending on the size of the disk.

Chapter No. 6

6. DIGITAL FORENSIC SERVICES

There are many different areas of computers wherein the services of digital forensic are employed. Most of
the digital forensic services provide useful services to an organization. It is very useful in professional
environments where the requirement is quite high. Digital forensic services also include investigative
assistance. Digital forensic is also important in corporate consulting. Forensic data recovery (FDR) is also a
part of digital forensic. Incident response systems also play a part in digital forensic. The services of digital
forensic are availed in private as well as government organizations.

The secrecy or the privacy of organization is important in some cases where it is maintained as per
expectations. Some of important fields where in the services of digital forensic can be applied include the
following. Incident response systems and internal investigations can be done using the digital forensic.
Digital forensic is extensively used in criminal as well as civil litigations. There are many laws that provide
the support to a computer forensic.

Another aspect of digital forensic is the electronic document discovery. Data recovery in itself is a large
topic. But sometimes it is referred to as a part of computer forensic. Security risk management can also be
carried out using the digital forensic tools. The services provided by the digital forensic are the development
of the plans to gather the electronic evidence. Digital forensic can be used for its services to support criminal
and civil warrants.

Also the digital forensic is useful in electronic discovery requests. Even digital forensic investigation is
beneficial for the purpose of identification, acquisition, preservation, analysis and reporting of digital
evidence. The digital evidence may be from desktop computers, laptops, storage servers, or any type of
removable storage devices. The services are also available for dispute resolution and to provide an expert
witness testimony. In the event of conducting the audits also its services can be availed. These audits may
involve remote or even network analysis.

The compliance of proactive reviews as well as risk assessment and even for the investigation of specific
allegations the services of digital forensic can be availed. In case of corporate consultations the services
provided by the digital forensic professional include the development of in house standards. Also the
protection of intellectual property is a major service.

The protection of corporate assets is also a digital forensic service. Digital forensic consultation can
be provided to help adhere to legislation involving federal and provincial privacy. Electronic file retention
policies are also a part of digital forensic consultancy services.

Apart from all these services, digital forensics can even be applied to individual case studies involving
personal issues. Digital forensic services can also be used for data recovery problems. Intentional
misuse of privacy or personal information can be treated as a legal case with the help of digital forensics.

**Digital Forensic Services** encompass a wide range of specialized offerings designed to investigate and
analyze digital evidence. Here are some of the key services provided in this field:

1. **Incident Response:** Rapid identification, containment, and mitigation of security incidents to
minimize damage and prevent further breaches.
2. **Data Recovery:** Retrieval of lost, deleted, or corrupted data from various digital devices, ensuring the
integrity and availability of critical information.
3. **Computer Forensics:** Examination and analysis of digital evidence from computers and storage
devices to uncover relevant data for investigations.
4. **Mobile Device Forensics:** Recovery and analysis of data from mobile phones, tablets, and other
handheld devices, including text messages, call logs, and app data.
5. **Network Forensics:** Monitoring and analysis of network traffic to detect and investigate malicious
activities and unauthorized access.
6. **Malware Analysis:** Identification, examination, and reverse engineering of malicious software to
understand its behavior and impact.
7. **E-Discovery:** Collection, processing, and review of electronic data for legal proceedings, ensuring
compliance with legal and regulatory requirements.
8. **Expert Testimony:** Provision of expert analysis and testimony in legal cases involving digital
evidence to support the judicial process.
9. **Forensic Consulting:** Advising organizations on best practices for digital evidence handling, incident
response, and cybersecurity measures.

These services are essential for organizations to effectively manage and resolve digital incidents, protect
sensitive information, and support legal investigations.

Chapter No. 7

7. APPLICATION OF DIGITAL FORENSIC

System forensics is no different from any other forensic science when it comes to application. It can be
applied to any activity where other mainstream traditional forensics, such as DNA mapping, are used, if
a system or computer was involved in the event.

Some of the common applications of digital forensics are:-

• FINANCIAL FRAUD DETECTION:-

Corporates and banks can detect financial fraud with the help of evidence collected from systems. Also,
insurance companies can detect possible fraud in accident, arson, and workman's compensation cases with
the help of computer evidence.

• CRIMINAL PROSECUTION:-

Prosecutors can use computer evidence to establish crimes such as homicides, drug and false
record-keeping, financial frauds, and child pornography in a court of law.

• CIVIL LITIGATION:-

Personal and business records found on the computer systems related to fraud, discrimination, and
harassment cases can be used in civil litigations.

• CORPORATE SECURITY POLICY AND ACCEPTABLE USE VIOLATIONS:-

A lot of digital forensic work is done to support management and human resources (HR) investigations of
employee abuse.

Besides cyber crimes and system crimes, criminals use computers for other criminal activities. In such cases,
besides traditional forensics, system forensic investigation also plays a vital role.

Here are the detailed applications of digital forensics across various sectors:

1. **Law Enforcement:** Digital forensics is pivotal in solving cybercrimes, such as hacking, identity theft,
and online fraud. It helps gather digital evidence, which is crucial for prosecution.

2. **Corporate Investigations:** Companies use digital forensics to investigate internal issues like fraud,
intellectual property theft, and employee misconduct. This helps protect corporate assets and ensure
compliance with company policies.

3. **Cybersecurity:** Digital forensics is essential for detecting, analyzing, and responding to security
breaches. It helps organizations understand how attacks occurred and how to prevent them in the future.

4. **Legal Disputes:** In civil litigation cases, digital forensics provides crucial evidence. This can include
disputes over digital contracts, intellectual property cases, and divorce proceedings where digital data is
relevant.

5. **Incident Response:** Organizations rely on digital forensics to quickly respond to security incidents. It
helps identify the source of the breach, assess the impact, and develop strategies to mitigate future risks.

6. **Regulatory Compliance:** Digital forensics ensures that organizations comply with data protection and
privacy regulations. It helps in investigating and reporting data breaches as required by law.

7. **Data Recovery:** It aids in recovering lost, deleted, or corrupted data from various digital devices,
which can be crucial for legal, personal, or business purposes.

8. **Fraud Detection:** Digital forensics helps detect and investigate various types of fraud, including
financial fraud, insurance fraud, and identity theft, by analyzing digital data for suspicious activities.

9. **Education and Training:** It provides essential training for cybersecurity professionals and law
enforcement officers, equipping them with the skills needed to handle modern digital threats.

10. **Healthcare:** Digital forensics is used to investigate breaches of patient data, ensuring compliance
with healthcare regulations like HIPAA and protecting sensitive medical information.

11. **Insurance:** It assists in investigating insurance fraud by analyzing digital evidence related to claims,
ensuring the integrity of the insurance process.

12. **Education:** Educational institutions use digital forensics to address issues such as academic
dishonesty, cyberbullying, and data breaches, ensuring a safe and fair academic environment.

13. **Intellectual Property:** It protects against the theft or misuse of trade secrets, patents, and other
intellectual property, which is vital for innovation-driven industries.

14. **Financial Sector:** Financial institutions use digital forensics to identify and mitigate instances of
financial fraud, ensuring the integrity and security of financial transactions and records.

15. **Military and Defense:** Digital forensics is crucial for protecting against cyber espionage and cyber
warfare, safeguarding national security interests and sensitive military information.

16. **Gaming Industry:** It helps investigate cheating, hacking, and other forms of misconduct within
online gaming environments, ensuring fair play and the integrity of gaming platforms.

17. **Supply Chain:** Digital forensics ensures the integrity of digital transactions and records within
complex supply chain networks, preventing fraud and data tampering.

18. **Smart Devices and IoT:** It analyzes data from smart devices and Internet of Things (IoT) systems,
which can be critical in various investigations, including those involving smart home devices and connected
vehicles.

19. **Blockchain and Cryptocurrency:** Digital forensics investigates illegal activities involving
cryptocurrencies, such as money laundering and fraud, and ensures the security of blockchain transactions.

Digital forensics is an essential tool in the modern world, offering invaluable support in the fight against
digital crime, protecting sensitive information, and ensuring the integrity of digital systems across various
sectors.

Here are additional applications of digital forensics:


20. **Telecommunications:** Digital forensics helps in monitoring and investigating telecommunication
networks for any unauthorized access, fraud, or misuse, ensuring the security and integrity of
communication systems.

21. **Smart Cities:** It plays a crucial role in ensuring the security and integrity of the digital infrastructure
in smart cities, including public transportation, utilities, and surveillance systems.

22. **E-commerce:** Digital forensics is used to investigate online fraud, payment disputes, and
unauthorized transactions, ensuring the security and trustworthiness of e-commerce platforms.

23. **Digital Marketing:** Helps in monitoring and investigating digital marketing campaigns for any
fraudulent activities, ensuring the integrity of online advertising and promotions.

24. **Media and Entertainment:** Assists in protecting digital content, such as movies, music, and games,
from piracy and unauthorized distribution.

25. **Telemedicine:** Digital forensics ensures the security and privacy of patient data in telemedicine
platforms, preventing unauthorized access and data breaches.

26. **Energy Sector:** Helps in securing digital infrastructure in the energy sector, including smart grids
and energy management systems, against cyber threats.

27. **Transport and Logistics:** Assists in ensuring the security of digital systems in transportation and
logistics, including fleet management, cargo tracking, and automated systems.

28. **Agriculture:** Digital forensics helps in monitoring and securing digital tools and systems used in
modern agriculture, such as precision farming technologies and automated machinery.

29. **Environmental Protection:** Assists in investigating and monitoring environmental data, ensuring the
integrity and accuracy of data used for environmental protection and sustainability efforts.

30. **Space Exploration:** Digital forensics plays a role in ensuring the security and integrity of digital
systems used in space missions, including satellite communications and data transmission.

Digital forensics continues to expand its applications as technology advances, proving its critical importance
in maintaining the security, integrity, and reliability of digital systems across various sectors.

Chapter No. 8

CONCLUSION

As computers become increasingly integral to our daily lives, both in professional and social contexts, the
field of digital forensics has become essential. Digital forensics enables the discovery of crucial electronic
evidence, whether it has been lost, deleted, damaged, or hidden, and this evidence can be used to prosecute
individuals who believe they have successfully evaded detection.

The importance of digital forensics is underscored by the need for collaboration across private, public, and
international sectors. All stakeholders must be willing to share information about the impact of economic
and cybercrime on their operations and the methods they use to detect and prevent such activities. This
collaborative approach is vital for addressing the complex challenges posed by digital crime.

Digital forensics encompasses several specialized services, including incident response, data recovery,
computer and mobile device forensics, network forensics, malware analysis, e-discovery, expert testimony,
and forensic consulting. These services are crucial for managing and resolving digital incidents, protecting
sensitive information, and supporting legal investigations.

Digital forensics has a wide range of applications across various sectors:


- **Law Enforcement:** Investigates cybercrimes, gathers digital evidence, and supports criminal
prosecutions.
- **Corporate Investigations:** Addresses internal fraud, intellectual property theft, and employee
misconduct, protecting corporate assets.
- **Cybersecurity:** Detects, analyzes, and responds to security breaches, improving an organization’s
cybersecurity posture.
- **Legal Disputes:** Provides evidence in civil litigation cases, including disputes over digital contracts
and intellectual property.
- **Incident Response:** Enables organizations to quickly respond to and investigate security incidents.
- **Regulatory Compliance:** Assists organizations in complying with data protection and privacy
regulations.
- **Data Recovery:** Recovers lost, deleted, or corrupted data, crucial for legal, personal, or business
purposes.
- **Fraud Detection:** Helps identify and investigate financial fraud, insurance fraud, and identity theft.
- **Education and Training:** Provides training for cybersecurity professionals and law enforcement
officers.
- **Healthcare:** Investigates breaches of patient data, ensuring compliance with healthcare regulations.
- **Insurance:** Assists in investigating insurance fraud.
- **Education:** Addresses academic dishonesty, cyberbullying, and data breaches in educational
institutions.
- **Intellectual Property:** Protects against theft or misuse of trade secrets and patents.
- **Financial Sector:** Mitigates financial fraud, ensuring the integrity of financial transactions.
- **Military and Defense:** Protects against cyber espionage and cyber warfare.
- **Gaming Industry:** Investigates misconduct in online gaming environments.
- **Supply Chain:** Ensures the integrity of digital transactions within supply chain networks.
- **Smart Devices and IoT:** Analyzes data from smart devices and IoT systems, critical in various
investigations.
- **Blockchain and Cryptocurrency:** Investigates illegal activities involving cryptocurrencies and ensures
the security of blockchain transactions.

Digital forensics also plays a crucial role in protecting national security by investigating cyber espionage,
terrorism, and other threats to national infrastructure. It is essential for monitoring employee activities to
prevent insider threats and ensuring compliance with company policies. The field provides valuable training
and knowledge for cybersecurity professionals and law enforcement, preparing them to handle modern cyber
threats.

Conclusion
Digital forensics is an indispensable field that plays a critical role in modern investigations, cybersecurity,
and legal proceedings. It enables the identification, collection, preservation, and analysis of digital evidence,
which is essential for solving crimes, responding to security incidents, and ensuring regulatory compliance.
By recovering lost or corrupted data, preventing fraud, and protecting intellectual property, digital forensics
helps maintain the integrity and security of digital systems. As technology continues to advance, the
methodologies and challenges in digital forensics will evolve, making it an ever-important discipline in
safeguarding our digital world. Through its contributions to law enforcement, corporate security, and
national security, digital forensics remains a cornerstone in the fight against cybercrime and the protection of
digital information. The collaborative efforts of various stakeholders are crucial in addressing the challenges
and needs of digital forensics, ensuring a secure and resilient digital environment for all.
