Digital Forensics & Cyber Security
Data Recovery and Evidence Collection
UNIT 5
Recovery of Deleted Files
• Data recovery is the process of retrieving and handling data from damaged,
  failed, corrupted, or inaccessible secondary storage media when it cannot be
  accessed normally. Often these files are stored on hard drives and removable
  media, including CDs, DVDs, tape cartridges and flash memory.
               Data Recovery Tools
• Some commonly used data recovery tools are:
   1. Puran File Recovery
   2. Glary Undelete
   3. Pandora Recovery
   4. Recuva
   5. FreeUndelete
   6. Restoration
   7. Wise Data Recovery
   8. EaseUS Data Recovery Wizard
   9. SoftPerfect File Recovery
   10. DiskInternals
             Reasons for Data Loss
1. Hardware or System Malfunctions
2. Human Errors
3. Software Corruption
4. Computer Viruses and Malware
5. Natural Disasters
File System
               What is a File System?
• A file system (also referred to as file management or FS) is the method of
  managing how and where data is stored on a storage disk. It is a logical disk
  component that organizes files into groups known as directories. It is
  abstract to a human user and internal to the computer; hence it manages the
  disk's internal operations. Directories can hold files and further
  directories. Although Windows supports various file systems, NTFS is the most
  common today. Without file management it would be impossible for two files
  with the same name to exist, or to remove installed programs and recover
  specific files, and without a file structure files would have no organization.
Different File Systems
                             Partition
• A partition is a logical division of a hard disk that is treated as a separate
  unit by operating systems (OSes) and file systems.
• The OSes and file systems can manage information on each partition as
  if it were a distinct hard drive.
• This allows the drive to operate as several smaller sections to improve
  efficiency, although it reduces usable space on the hard disk because of
  additional overhead from multiple OSes.
Different File Systems
A disk (e.g., a hard disk drive) has a file system regardless of its type and
usage. The file system holds information about file size, file name, file
location and fragmentation, records where the data is stored on the disk, and
describes how a user or application may access that data. Metadata, file
naming, storage management, and directories/folders are all managed by the
file system.
                            FAT
                  (File Allocation Table)
• FAT stands for File Allocation Table, and FAT32 is an extension in which
  data is stored in chunks of 32 bits.
• These are an older type of file system that isn't commonly used these days.
• A file allocation table (FAT) is a table that an operating system maintains
  on a hard disk; it provides a map of the clusters (the basic units of logical
  storage on a hard disk) in which a file has been stored.
• When you write a new file to a hard disk, the file is stored in one or more
  clusters that are not necessarily next to each other; they may be widely
  scattered over the disk.
• The operating system creates a FAT entry for the new file that records where
  each cluster is located and their sequential order.
• When you read a file, the operating system reassembles it from its clusters
  and presents it as one complete file.
• For example, a long Web page may very well be stored on more than one
  cluster on your hard disk.
• Today, FAT is not used by later versions of Microsoft Windows such as
  Windows XP, Vista, 7, and 10, which use NTFS instead. FAT8, FAT12, FAT16
  and FAT32 are the different types of FAT (file allocation table).
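The cluster-chain behaviour described above, and the reason the deleted files this unit opens with can often be recovered, as an added example that is not part of the original notes: a toy in-memory FAT volume in Python. The class name, the 4-byte cluster size and the marker values are constructed for illustration and do not reproduce the real FAT32 on-disk layout.

```python
# Added example (not from the original notes): a toy in-memory FAT volume showing
# how a cluster chain is followed on read, and why deleted data stays recoverable.
FREE, EOC = 0, 0x0FFFFFFF   # free-cluster and end-of-chain markers
CLUSTER_SIZE = 4             # constructed toy size; real clusters are KB-sized

class FatVolume:
    def __init__(self, clusters):
        self.fat = [EOC, EOC] + [FREE] * (clusters - 2)  # 0 and 1 reserved, as in FAT
        self.data = [b"\0" * CLUSTER_SIZE] * clusters
        self.dir = {}   # name -> (first_cluster, size, deleted_flag)

    def write(self, name, payload):
        """Store payload in whichever clusters are free; they need not be adjacent."""
        chunks = [payload[i:i + CLUSTER_SIZE] for i in range(0, len(payload), CLUSTER_SIZE)]
        free = [c for c, e in enumerate(self.fat) if e == FREE][:len(chunks)]
        if len(free) < len(chunks):
            raise OSError("disk full")
        for i, c in enumerate(free):
            # only the bytes written change; the tail keeps old contents (file slack)
            self.data[c] = chunks[i] + self.data[c][len(chunks[i]):]
            self.fat[c] = free[i + 1] if i + 1 < len(free) else EOC   # link the chain
        self.dir[name] = (free[0], len(payload), False)

    def chain(self, start):
        """Follow FAT links to EOC, rejecting loops and links into free clusters."""
        seen, c = [], start
        while c != EOC:
            if c in seen or self.fat[c] == FREE:
                raise ValueError(f"corrupt chain at cluster {c}")
            seen.append(c)
            c = self.fat[c]
        return seen

    def read(self, name):
        first, size, deleted = self.dir[name]
        if deleted: raise FileNotFoundError(name)
        return b"".join(self.data[c] for c in self.chain(first))[:size]

    def delete(self, name):
        """FAT-style delete: free the chain, flag the entry, leave the data alone."""
        first, size, _ = self.dir[name]
        for c in self.chain(first):
            self.fat[c] = FREE
        self.dir[name] = (first, size, True)

    def undelete(self, name):
        """Undelete as tools do on FAT: chain is gone, so assume contiguous clusters."""
        first, size, _ = self.dir[name]
        n = -(-size // CLUSTER_SIZE)   # ceiling division: clusters to read back
        return b"".join(self.data[first:first + n])[:size]
```

Writing a new file after a delete reuses the freed clusters, so an undelete attempted later returns a mix of new and old bytes; that is exactly why acquisition stops all writes to the media first.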
               GFS (Global File System)
• GFS stands for Global File System. It enables multiple computers to act as an
  integrated machine and is now maintained by Red Hat. When two or more
  computers are physically far apart and cannot exchange files directly, a GFS
  file system lets them share a group of files directly. With the help of a
  global file system, a computer can organize its I/O to preserve file systems.
           HFS (Hierarchical File System)
• HFS (Hierarchical File System) is the file system used on a Macintosh
  computer for creating a directory at the time a hard disk is formatted.
  Its basic function is to organize and hold the files on a Macintosh hard disk.
          NTFS (New Technology File System)
• NTFS stands for New Technology File System; it took over from FAT as the
  primary file system used in Windows.
• NTFS is the file system that the Windows NT operating system uses for
  storing and retrieving files on a hard disk.
• NTFS is the Windows NT equivalent of the Windows FAT and the High
  Performance File System (HPFS).
• NTFS offers a number of improvements over FAT and HPFS in terms of
  performance, extendibility, and security.
           UDF (Universal Disk Format)
• UDF stands for Universal Disk Format. It was first developed by OSTA (Optical
  Storage Technology Association) in 1995 to ensure consistency among data
  written to several kinds of optical media. It is used with CD-ROMs and
  DVD-ROMs and is supported on all operating systems. It is now also used for
  writing to CD-Rs and CD-RWs, a process called packet writing.
Forensics Evidence, Collection, Processing and the Phases of Forensics Investigation
Prof. Reeta Singh (MCA, Course Coordinator, IMCOST)
Process of Digital forensics
Phases of forensics investigation
Phases of Forensics Investigation: Policy & Procedure Development
• Computer forensics requires specially trained personnel in sound digital
  evidence recovery techniques.
• As the primary aim of any digital forensics investigation is to allow others
  to follow the same procedures and steps and still reach the same results and
  conclusions, considerable effort must be spent on developing policies and
  standard operating procedures (SOPs) for how to deal with each step and
  phase of the investigation.
                 Evidence Assessment
• All sources of possible digital evidence should be thoroughly assessed with
  respect to the scope of the case. This helps establish the size of the
  investigation and determine the next steps.
• Special attention should be given to reviewing the scope of search warrant(s)
  and other legal authorizations to establish the nature of the hardware and
  software to be seized, any other potential evidence sought, and the
  circumstances surrounding the acquisition of the evidence to be examined.
         Evidence Acquisition (precautions)
• Digital evidence is fragile and can be easily altered, damaged, or destroyed by
  improper handling or examination. Even the act of opening a file can alter
  its timestamps, destroying information on when the file was last accessed.
  Special precautions are therefore needed to preserve this type of evidence;
  failure to do so may render it unusable or lead to an inaccurate conclusion.
                 Evidence Examination
• The same general forensic principles apply when examining digital evidence
  as at any other crime scene. However, different types of cases and media may
  require different methods of examination. Only trained personnel should
  conduct an examination of digital evidence.
• It is important to make a distinction:
• Extraction refers to the recovery of data from whatever media the data is
  stored on.
• Analysis refers to the interpretation of the recovered data and its placement
  in a logical and useful format, answering questions such as: how did it get
  there, where did it come from, and what does it mean?
• Separating the forensic examination in this way helps the examiner develop
  procedures and structure the examination and presentation of the digital
  evidence.
          Documentation & Reporting
• The investigator must document each step of the investigation completely and
  accurately, from start to end. The aim is to allow others following the steps
  outlined in the documentation to reproduce the investigation and reach the
  same conclusions.
       Types of Computer Forensics
Disk Forensics:
It deals with extracting data from storage media by searching for active,
modified, or deleted files.
Network Forensics:
It is a sub-branch of digital forensics concerned with monitoring and analyzing
computer network traffic to collect important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is
to offer the tools needed to collect and analyze data from wireless network
traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of
databases and their related metadata.
Malware Forensics:
This branch deals with the identification of malicious code, such as viruses
and worms, and the study of its payload.
Email Forensics:
It deals with the recovery and analysis of emails, including deleted emails,
calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM)
in raw form and then carving the data from the raw dump.
Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps
to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS,
audio, videos, etc.
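The "carving" step mentioned under memory forensics, and the search for deleted files under disk forensics, as an added Python example that is not part of the original notes: header/footer carving over a raw dump. The signature table (a two-entry subset), the size bound and the sample dump are constructed for the example; real carving tools carry far larger signature sets and validate the recovered structure.

```python
# Added example (not from the original notes): header/footer file carving over a
# raw memory or disk dump, the "carving" step the notes mention.
import re

# signature table: file type -> (header bytes, footer bytes); constructed subset
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_LEN = 1 << 20   # give up on a header with no footer within 1 MiB (constructed bound)


def carve(dump):
    """Return [(offset, type, data)] for every header with a matching footer.

    Carving ignores the file system entirely, so it also finds files whose
    directory entries were deleted, as long as their bytes are still present.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), dump):
            start = m.start()
            end = dump.find(tail, start + len(head), start + MAX_LEN)
            if end == -1:
                continue                        # truncated or overwritten file
            found.append((start, kind, dump[start:end + len(tail)]))
    return sorted(found)


# constructed sample dump: filler, a fake PNG, more filler, a fake JPEG, and a
# PNG header whose footer was overwritten (must not be carved)
DUMP = (b"\x00" * 16
        + b"\x89PNG\r\n\x1a\n" + b"\x01" * 20 + b"IEND\xaeB`\x82"
        + b"junkjunk"
        + b"\xff\xd8\xff\xe0" + b"\x02" * 10 + b"\xff\xd9"
        + b"\x89PNG\r\n\x1a\n" + b"\x03" * 5)
```

Header/footer carving recovers only what is still physically present: the dangling PNG header at the end of the sample yields nothing because its trailer was overwritten.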
            University Questions
• What is Digital Forensics? Explain the process and phases of DF.
• What is Computer Forensics? Explain the types of Computer Forensics in
  detail.