
Unit-5 CSDF

Digital forensics is a branch of forensic science focused on the investigation and analysis of digital evidence from devices and networks to aid in legal matters and enhance cybersecurity. It encompasses various sub-disciplines such as computer forensics, memory forensics, network forensics, and mobile device forensics, each with specific techniques for data recovery and evidence preservation. While it provides significant advantages in securing systems and prosecuting cybercriminals, challenges include the need for technical expertise and the potential for evidence tampering.

Uploaded by Hetal Vasava

Unit-5

DIGITAL FORENSICS
5.1 INTRODUCTION TO DIGITAL FORENSICS
5.1.1 Introduction

• We know that once a cyberattack has occurred on our organization, it may create extreme confusion about the attack. You may need to answer questions such as how the attack happened, how it affected your data, and how to move forward from here. This information is vital both to the criminal investigation and to increasing your network security so that new attacks are prevented.

• A digital forensics investigation is the first step toward answering these questions, and it has helped hundreds of organizations navigate the rough waters of a cyberattack.
5.1.2 What is Digital Forensics?

• "Digital forensics, also known as computer or cyber forensics, is a branch of forensic science that deals with the investigation, collection, preservation, analysis, and presentation of digital evidence."

• It involves the application of scientific methods and techniques to extract and interpret information from digital devices, networks, and online platforms for legal purposes. It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.
• A digital forensic investigation can help you answer any questions you might have about the attack, including:
  - What networks, systems, files, or applications were affected?
  - How did the incident occur? (Tools, attack methods, vulnerabilities, etc.)
  - What data and information were accessed or stolen?
  - Are hackers still on my network? Is the incident finished, or is it ongoing?
  - Where did the attack come from?
• Example Uses of Digital Forensics
  - Intellectual property theft
  - Industrial espionage
  - Employment disputes
  - Fraud investigations
  - Inappropriate use of the Internet and email in the workplace
  - Forgery-related matters
  - Bankruptcy investigations
  - Issues concerning regulatory compliance

The goal is to establish a chain of custody for the digital evidence, ensuring its integrity and admissibility in legal proceedings.
5.1.3 Advantages and Disadvantages of Digital Forensics

• Advantages of Digital Forensics
  - It helps to ensure the integrity of the computer system.
  - It produces evidence for the court, which can lead to the punishment of the culprit.
  - It helps companies capture important information if their computer systems or networks are compromised.
  - It efficiently tracks down cybercriminals from anywhere in the world.
  - It helps to protect the organization's money and valuable time.
  - It allows the investigator to extract, process, and interpret the factual evidence, so that the cybercriminal's actions can be proved in court.

• Disadvantages of Digital Forensics
  - Digital evidence is accepted in court; however, it must be proved that there has been no tampering.
  - Producing electronic records and storing them is an extremely costly affair.
  - Legal practitioners must have extensive computer knowledge.
  - Authentic and convincing evidence must be produced.
  - If the tool used for digital forensics does not conform to the specified standards, the evidence can be rejected by the court.
  - Lack of technical knowledge on the part of the investigating officer might not give the desired result.
5.2 LOCARD'S PRINCIPLE OF EXCHANGE IN DIGITAL FORENSICS

5.2.1 Locard's Principle of Exchange in Forensic Science

• The person responsible for one of the most important principles in forensic science is Edmond Locard. He came up with Locard's exchange principle, or Locard's theory, which states that "Any action of an individual, and obviously, the violent action constituting the crime, cannot occur without leaving a trace."
• A devout viewer of crime investigation series on television will understand the importance of this principle. Haven't we all observed how the investigator goes to the site of a grisly murder and examines the crime scene for blood stains, footprints or fingerprints, murder weapons and even the slightest traces of blood under the nails? This is known as trace evidence, and according to Locard's principle, whenever a crime is committed, trace evidence, no matter how small, will always be present.
• Locard's exchange principle is an important part of forensic science investigation. "It states that any criminal leaves behind a trace when committing a violent crime. It is the investigator's duty to find this trace evidence and reconstruct the events of the crime."

The trace evidence can be divided into:
• Physical (clothing, glass fragments, paint chips, etc.)
• Biological (DNA, fingerprints, hair)
• Natural evidence (soil, pollen, seeds and plants)
• Digital evidence (images, audio, video, files, hard disks, etc.)
5.2.2 Locard's Principle of Exchange in Digital Forensics

• In digital forensics, Locard's Principle of Exchange is still applicable, and it emphasizes the idea that whenever two digital entities come into contact, there will be an exchange of material or information.
Here is how Locard's Principle of Exchange applies specifically to digital forensics:

1. Digital Contact
• Whenever there is interaction between digital devices, systems, or users, there is the potential for an exchange of digital information.
• Examples include file transfers, communication over networks, logins, data access, and digital transactions.
2. Exchange of Digital Evidence
• During digital interactions, data is created, modified, or deleted, leaving behind a trail of digital evidence.
• This digital evidence can include files, logs, metadata, timestamps, network activity records, images, audio, video and other artifacts that reflect the nature of the interaction.
3. Analysis of Digital Artifacts
• Digital forensics experts analyse these digital artifacts to reconstruct events, understand the series of actions, and identify information relevant to an investigation.
• This involves examining files, computer system logs, network traffic, and other digital traces to piece together the timeline and details of the digital incident.
4. Chain of Custody and Integrity
• Locard's Principle reinforces the importance of maintaining a secure chain of custody for digital evidence. This involves documenting the handling, storage, and transfer of digital evidence to ensure its integrity and admissibility in legal proceedings.
5. Specialized Tools and Techniques
• Digital forensics professionals use specialized tools and techniques to acquire, preserve, and analyse digital evidence.
• These tools help investigators extract information from digital devices without altering the original data, maintaining the integrity of the evidence.
5.2.3 Limitations of Locard's Principle of Exchange
• One of the greatest drawbacks of Locard's exchange theory lies in evidence dynamics. This refers to the alteration of physical evidence before it has been examined by investigators.
• There are many factors that can lead to the tampering and destruction of evidence:
  - Staging (manipulation of objects in the crime scene) by the offender
  - Secondary transfer of evidence
  - Actions of the victim before the crime
  - Witness actions
  - Natural factors like animal or insect activity, weather, decomposition
  - Fire suppression efforts
  - Actions of police, scene technicians and medical personnel

5.3 BRANCHES OF DIGITAL FORENSICS
• Digital forensics plays a crucial role in modern criminal investigations and is often relied upon in legal proceedings.
• It helps in identifying perpetrators, proving guilt or innocence, recovering lost or deleted data, protecting digital evidence from tampering, and enhancing the overall integrity of the justice system in the digital age.

5.3.1 Types of Digital Forensics

• Digital forensics encompasses various types or sub-disciplines based on the specific areas of focus and the nature of the investigation. Here are some common types of digital forensics:
• Computer Forensics
• This is the most well-known and widely practiced type of digital forensics. It involves the analysis and investigation of computer systems, including desktops, laptops, servers, and storage devices. Computer forensics aims to recover and examine digital evidence such as files, documents, emails, internet browsing history, and system logs to establish a timeline of events or support legal cases.
• When conducting an investigation and analysis of evidence, computer forensics specialists use various techniques; here are some examples:
  - Deleted file recovery: This technique involves recovering and restoring files or fragments deleted by a person, either accidentally or deliberately, or by a virus or malware.
  - Reverse steganography: The process of attempting to hide data inside a digital message or file is called steganography. Reverse steganography happens when computer forensics specialists look at the hashing of a message or the file contents. A hash is a string of data which changes when the message or file is interfered with.
  - Cross-drive analysis: This technique involves analyzing data across multiple computer drives. Strategies like correlation and cross-referencing are used to compare events from computer to computer and detect anomalies.
  - Live analysis: This technique involves analyzing a running computer's volatile data, which is data stored in RAM (random access memory) or cache memory. This helps pinpoint the cause of abnormal computer traffic.
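As an added illustration of cross-drive analysis (this code is not part of the original notes), the following Python indexes each drive by file content hash and by the e-mail addresses found in its files, then reports which content and which identities recur on more than one drive and scores each pair of drives by the number of shared features. The drive names, paths, file contents and the KNOWN_GOOD reference hash set are all invented for this example; in practice the known-file set would come from a reference library of operating-system and application binaries so that those files do not produce false correlations.

```python
import hashlib
import re
from collections import defaultdict
from itertools import combinations

# Constructed inventories standing in for file listings carved from three drive
# images; drive names, paths and contents are invented for this example.
DRIVES = {
    "laptop-A": {
        "Users/alice/Documents/invoice_q1.pdf": b"INVOICE Q1 total=4200 contact pay@corp.example",
        "Users/alice/mail/outbox.txt": b"To: mule@example.net\nSend the funds to account 7781",
        "Windows/System32/notepad.exe": b"MZ-stub-notepad",
    },
    "usb-B": {
        "docs/todo.txt": b"call mule@example.net re: account 7781",
        "tools/notepad.exe": b"MZ-stub-notepad",
    },
    "desktop-C": {
        "Finance/invoice_q1.pdf": b"INVOICE Q1 total=4200 contact pay@corp.example",
        "Finance/ledger.csv": b"date,amount\n2024-03-01,4200",
    },
}

# Stand-in for a known-file hash set (a reference library of OS binaries):
# files whose hash is listed here are uninteresting and excluded from correlation.
KNOWN_GOOD = {hashlib.sha256(b"MZ-stub-notepad").hexdigest()}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inventory(files):
    """Index one drive: content hash per path, plus every e-mail address seen in its files."""
    hashes = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    emails = set()
    for data in files.values():
        emails.update(m.decode() for m in EMAIL_RE.findall(data))
    return hashes, emails


def correlate(drives):
    """Cross-drive analysis: find content and identity features shared between drives."""
    hash_locations = defaultdict(set)   # sha256 -> {"drive:path", ...}
    email_drives = defaultdict(set)     # address -> {drive, ...}
    for drive, files in drives.items():
        hashes, emails = inventory(files)
        for path, digest in hashes.items():
            if digest not in KNOWN_GOOD:
                hash_locations[digest].add(f"{drive}:{path}")
        for addr in emails:
            email_drives[addr].add(drive)

    # Keep only features that occur on at least two different drives.
    shared_files = {
        digest: sorted(locs) for digest, locs in hash_locations.items()
        if len({loc.split(":", 1)[0] for loc in locs}) > 1
    }
    shared_emails = {addr: sorted(ds) for addr, ds in email_drives.items() if len(ds) > 1}

    # Score each pair of drives by how many features (files or addresses) they share.
    pair_scores = {pair: 0 for pair in combinations(sorted(drives), 2)}
    for locs in shared_files.values():
        ds = sorted({loc.split(":", 1)[0] for loc in locs})
        for pair in combinations(ds, 2):
            pair_scores[pair] += 1
    for ds in shared_emails.values():
        for pair in combinations(ds, 2):
            pair_scores[pair] += 1
    return {"shared_files": shared_files, "shared_emails": shared_emails, "pair_scores": pair_scores}


if __name__ == "__main__":
    result = correlate(DRIVES)
    for digest, locs in result["shared_files"].items():
        print(f"same content on several drives ({digest[:12]}...): {locs}")
    for addr, ds in result["shared_emails"].items():
        print(f"{addr} appears on {ds}")
    for pair, score in sorted(result["pair_scores"].items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} <-> {pair[1]}: {score} shared feature(s)")
```

The pair scores are what an examiner looks at first: a high score between two drives that were seized from different people is the anomaly that cross-referencing is meant to surface, while the known-file filter keeps shared system binaries from inflating every pair.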
• Memory Forensics
• Memory forensics focuses on the analysis of a computer's volatile memory (RAM) to extract valuable information. Memory forensics is crucial in uncovering malicious activities or detecting sophisticated malware that may not be present on disk.
• This is usually achieved by running special software that captures the current state of the system's memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator. It involves examining the contents of the memory at a given time to identify running processes, network connections, open files, passwords, encryption keys, and other volatile data.
• This is useful because of the way in which processes, files and programs are run in memory; once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:
  - Processes running
  - Executable files that are running
  - Open ports, IP addresses and other networking information
  - Users that are logged into the system, and from where
  - Files that are open and by whom
• Network Forensics
• Most attacks move through the network before hitting the target, and they leave some track. According to Locard's exchange principle, "every contact leaves a trace, even in cyberspace."
• Network forensics deals with the examination of network traffic and data packets to investigate network-based security incidents or cybercrimes. It involves capturing, analysing, and interpreting network traffic to identify potential threats, unauthorized activities, or evidence of malicious actions.
• There are two methods of network forensics:
  - "Catch it as you can" method: All network traffic is captured. It guarantees that there is no omission of important network events. This process is time-consuming and reduces storage efficiency as the storage volume grows.
  - "Stop, look and listen" method: Administrators watch each data packet that flows across the network but capture only what is considered suspicious and deserving of in-depth analysis. While this method does not consume much space, it may require significant processing power.
• Investigators focus on two primary sources:
  - Full-packet data capture: This is the direct result of the "Catch it as you can" method.
  - Log files: These are the files which reside on web servers, proxy servers, Active Directory servers, firewalls, Intrusion Detection Systems (IDS), DNS and Dynamic Host Configuration Protocol (DHCP) servers. Unlike full-packet capture, logs do not take up so much space.
• Database Forensics
• It involves the systematic examination of database systems, structures, contents, and logs to identify, preserve, analyse, and present digital evidence that may be relevant to an investigation.
• The different kinds of activities performed during database forensics are as under:
  - Data Collection: The process begins with the collection of data from the database system under investigation. This may include capturing disk images, memory dumps, transaction logs and database backups.
  - Data Preservation: It is crucial to preserve the integrity of the data during the forensic investigation. This involves creating forensic copies of the original data to prevent any alterations or modifications that could compromise its evidentiary value.
  - Data Analysis and Reconstruction: Forensic analysts examine the database contents and structures to reconstruct events, transactions, and user activities that may be relevant to the investigation. This may involve examining tables, records, metadata, and transaction logs to identify anomalies, unauthorized access, or suspicious activities.
  - Timeline Analysis: Establishing a timeline of events is essential in database forensics. Analysts correlate timestamps from database logs, transaction records, and system logs to reconstruct the sequence of activities leading up to a security incident or data breach.
  - User and Access Analysis: Investigators analyse user accounts, permissions, and access logs to determine who had access to the database, what actions they performed, and whether any unauthorized or suspicious activities occurred.
  - Data Recovery and Reconstruction: In cases where data has been deleted, altered, or corrupted, forensic analysts may employ specialized techniques and tools to recover and reconstruct the original data or transactional history.
  - Documentation and Reporting: Forensic findings are documented in detail, including the methods used, analysis results, conclusions, and recommendations. A forensic report is prepared to present the findings in a clear and understandable manner, which may be used as evidence in legal proceedings.
  - Legal Considerations: Database forensics must adhere to the legal and regulatory requirements governing the handling, preservation, and admissibility of digital evidence. This may involve obtaining proper authorization, maintaining chain of custody, and ensuring compliance with relevant privacy laws and regulations.
• Overall, database forensics plays a crucial role in uncovering digital evidence, identifying perpetrators, and mitigating the impact of cyber incidents on organizations. It requires a combination of technical expertise, analytical skills, and adherence to legal standards to conduct thorough and effective investigations.
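The timeline analysis step above is where most of the practical difficulty sits: each source stamps time differently. The following Python is an added example (not from the original notes) that normalizes three constructed record formats to UTC, merges them into one ordered timeline, and pulls out the events surrounding a chosen pivot event. The database audit log carries an explicit +05:30 offset, the transaction journal uses Unix epoch seconds, and the syslog lines carry neither a year nor a zone; the assumption that the host clock is UTC and the year is 2024 is labelled in the code, because a wrong assumption there silently shifts the whole sequence. All log lines, hosts and user names are invented.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records from three sources of one incident (invented data).
DB_AUDIT_LOG = [          # database audit log: ISO timestamps with a +05:30 offset
    "2024-03-05T15:42:10+05:30 LOGIN user=app_ro host=10.0.0.12",
    "2024-03-05T15:43:30+05:30 LOGOUT user=app_ro host=10.0.0.12",
]
TXN_RECORDS = [           # transaction journal: Unix epoch seconds (UTC)
    "txn=4471 ts=1709633560 user=app_ro op=UPDATE table=salaries rows=312",
    "txn=4472 ts=1709633578 user=app_ro op=DELETE table=audit_trail rows=1024",
]
SYSLOG = [                # host syslog: no year and no zone in the timestamp
    "Mar  5 10:12:35 dbhost sshd[2211]: Accepted password for app_ro from 10.0.0.12 port 51022 ssh2",
    "Mar  5 10:13:02 dbhost sudo: app_ro : TTY=pts/0 ; COMMAND=/bin/rm /var/log/db/audit.log",
]
# Assumption for this example: the host clock runs in UTC and the log is from 2024.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone.utc


def parse_db_audit(line):
    ts, rest = line.split(" ", 1)
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)   # honour the +05:30 offset
    user = re.search(r"user=(\S+)", rest).group(1)
    return {"time": when, "source": "db-audit", "actor": user, "event": rest}


def parse_txn(line):
    f = dict(kv.split("=", 1) for kv in line.split())
    when = datetime.fromtimestamp(int(f["ts"]), tz=timezone.utc)
    event = f"txn {f['txn']} {f['op']} {f['table']} ({f['rows']} rows)"
    return {"time": when, "source": "txn", "actor": f["user"], "event": event}


def parse_syslog(line):
    m = re.match(r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)", line)
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(
        year=SYSLOG_YEAR, tzinfo=SYSLOG_TZ)
    msg = m.group(4)
    actor = re.search(r"for (\S+) from|^(\S+) :", msg)
    actor = next((g for g in actor.groups() if g), "?") if actor else "?"
    return {"time": when, "source": "syslog", "actor": actor, "event": f"{m.group(3)}: {msg}"}


def build_timeline():
    """Parse every source, then order all events on a single UTC axis."""
    events = [parse_db_audit(l) for l in DB_AUDIT_LOG]
    events += [parse_txn(l) for l in TXN_RECORDS]
    events += [parse_syslog(l) for l in SYSLOG]
    return sorted(events, key=lambda e: e["time"])


def window_around(timeline, center, seconds):
    """Events within +/- seconds of a pivot time, e.g. the destructive transaction."""
    delta = timedelta(seconds=seconds)
    return [e for e in timeline if abs(e["time"] - center) <= delta]


def render(timeline):
    return "\n".join(
        f"{e['time'].strftime('%Y-%m-%dT%H:%M:%SZ')} [{e['source']:8}] {e['actor']:7} {e['event']}"
        for e in timeline)


if __name__ == "__main__":
    tl = build_timeline()
    print(render(tl))
    pivot = next(e for e in tl if "txn 4472" in e["event"])
    print("\nEvents within 30 s of the audit_trail DELETE:")
    print(render(window_around(tl, pivot["time"], 30)))
```

Once the axis is unified, the sequence reads naturally: the database login from 10.0.0.12, an SSH login by the same account from the same host, a bulk UPDATE, the DELETE of the audit_trail table and, four seconds later, the removal of the host-side audit log. None of those records is suspicious on its own; the correlation is the evidence.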
• Mobile Device Forensics
• The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information.
• Mobile devices are right in the middle of three booming technological trends: Internet of Things, Cloud Computing, and Big Data.
• These machines allow digital investigators to get a lot of information. Information that resides on mobile devices includes:
  - Incoming, outgoing and missed call history
  - Phonebook or contact lists
  - SMS text, application-based, and multimedia messaging content
  - Pictures, videos, and audio files and sometimes voicemail messages
  - Internet browsing history, content, cookies, search history, analytics information
  - To-do lists, notes, calendar entries, ringtones
  - Documents, spreadsheets, presentation files and other user-created data
  - Passwords, passcodes, swipe codes, user account credentials
  - Historical geolocation data, cell phone tower related data, Wi-Fi information
  - User dictionary content
  - System files, usage logs, error messages
  - Deleted data from all of the above
• E-mail Forensics
• Due to the rapid spread of internet use all over the world, email has become a primary communication medium for many official activities. Not only companies but also members of the public tend to use email in their critical business activities such as banking, sharing official messages, and sharing confidential files. However, this communication medium has also become vulnerable to attacks.
• The primary evidence in email investigations is the email header. The email header contains a considerable amount of information about the email, such as From, To, Cc, Bcc, Subject, Date, Reply-To, Message-ID, References, and Received. This information becomes very vital for the email investigation activity.
• Email forensics refers to analysing the headers and content of emails as evidence. Investigation of email-related crimes and incidents involves various approaches, as discussed below.
  - Header analysis: Email header analysis is the primary analytical technique. This involves analysing metadata such as sender, receiver and sending time in the email header. It is evident that analysing headers helps to identify the majority of email-related crimes. Email spoofing, phishing, scams and even internal data leakages can be identified by analysing the header.
  - Server investigation: This involves investigating copies of delivered emails and server logs. Some organizations provide separate email boxes for their employees by running internal mail servers. In this case, investigation involves the extraction of the entire email box related to the case and the server logs.
  - Network device investigation: In some investigations, the investigator requires the logs maintained by network devices such as routers, firewalls and switches to investigate the source of an email message. This is often a complex situation where the primary evidence is not perfect.
  - Software embedded analysis: Some information about the sender of the email, attached files or documents may be included with the message by the email software used by the sender for composing the email. This information may be included in the form of custom headers or in the form of MIME content as a Transport Neutral Encapsulation Format (TNEF).
  - Sender mail fingerprints: The "Received" field includes tracking information generated by mail servers that have previously handled a message, in reverse order. The "X-Mailer" or "User-Agent" field helps to identify email software. Analysing these fields helps to understand the software, and the version, used by the sender.
  - Use of email trackers: In some situations, attackers use different techniques and locations to generate emails. In such situations it is important to find out the geographical location of the attacker. To get the exact location of the attacker, investigators often use email tracking software embedded into the body of an email.
• When a recipient opens a message that has an email tracker attached, the investigator will be notified of the IP address and geographical location of the recipient. This technique is often used to identify suspects in murder or kidnapping cases, where the criminal communicates via email.
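The header analysis and sender-fingerprint approaches above can be shown concretely. The following Python is an added example (not from the original notes) that uses the standard-library email parser on a constructed message: it reads the Received hops back in delivery order (the header lists them newest first, so they are reversed to start at the origin), extracts the relaying host, the recorded client IP and the per-hop delay, reads the X-Mailer fingerprint, and flags header fields whose domain disagrees with the From address. The message, hosts, addresses and IPs are all invented (the IPs are documentation ranges); the mismatches it reports are investigative leads to be confirmed against server logs, not proof of spoofing.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message (invented hosts and addresses, documentation IP ranges)
# standing in for a suspicious e-mail exported from a mailbox.
RAW_EMAIL = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTP id abc123; Tue, 05 Mar 2024 10:15:02 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx.corp.example with ESMTPS; Tue, 05 Mar 2024 10:14:58 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.mailer.example.net with SMTP; Tue, 05 Mar 2024 10:14:51 +0000
From: "CEO" <ceo@corp.example>
Reply-To: urgent-payment@mailer.example.net
To: finance@corp.example
Subject: Urgent wire transfer
Date: Tue, 05 Mar 2024 10:14:50 +0000
Message-ID: <20240305101450.1234@mailer.example.net>
X-Mailer: BulkSender 2.1

Please process the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip("<>").lower() if "@" in addr else ""


def received_hops(msg):
    """Received hops oldest first; the header stores them newest first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = str(raw)
        frm = re.search(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = IP_RE.search(text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append({"from": frm.group(1) if frm else "?", "by": by.group(1) if by else "?",
                     "ip": ip.group(1) if ip else None, "time": stamp})
    # Transit time between consecutive relays; large or negative values hint at
    # clock skew or a forged Received line.
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_s"] = int((cur["time"] - prev["time"]).total_seconds())
    return hops


def spoofing_indicators(msg):
    """Fields that normally agree with From; a mismatch is a lead, not proof."""
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    findings = []
    for field in ("Return-Path", "Reply-To", "Message-ID"):
        value = str(msg.get(field, ""))
        dom = _domain(parseaddr(value)[1] if field != "Message-ID" else value)
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    return findings


def analyse_headers(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"hops": received_hops(msg),
            "mailer": str(msg.get("X-Mailer") or msg.get("User-Agent") or ""),
            "indicators": spoofing_indicators(msg)}


if __name__ == "__main__":
    report = analyse_headers(RAW_EMAIL)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop['from']} -> {hop['by']} ip={hop['ip']} delay={hop.get('delay_s', 0)}s")
    print("mailer:", report["mailer"])
    for finding in report["indicators"]:
        print("indicator:", finding)
```

On this message the origin hop is a bare IP with no reverse DNS, the bulk-mailer fingerprint does not match what an executive's mail client would stamp, and Return-Path, Reply-To and Message-ID all belong to a domain other than the one shown in From: exactly the pattern the notes describe for spoofing and phishing, and the starting point for a server-log investigation of the relay.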
• Malware Forensics and Malware Analysis
• Malware forensics is the process of examining the traces and artifacts left by malware on a compromised system or network. The goal of malware forensics is to identify the source, nature, and impact of the malware infection, and to collect evidence for legal or investigative purposes. Malware forensics typically involves acquiring and analysing disk images, memory dumps, network traffic, registry entries, logs and other data that can reveal the malware's behavior, origin, and targets. Malware forensics requires a thorough knowledge of operating systems, file systems, network protocols, and digital forensics tools and techniques.

• Difference between Malware Forensics and Malware Analysis
• Malware forensics and malware analysis are two related but distinct skills that can help you understand and counter malicious software. The differences between them are based on their goals, methods, and the tools and techniques used. These differences are discussed as under.
1. Working and objectives: Malware analysis is the process of dissecting and understanding the inner workings of a malware sample or code. The goal of malware analysis is to determine the functionality, capabilities, and purpose of the malware, and to find ways to detect, remove or mitigate it. Malware analysis typically involves reverse engineering, debugging, decompiling or disassembling the malware code, and observing its execution in a controlled environment. Malware analysis requires a solid background in programming, assembly, binary formats, and malware analysis tools and frameworks.
2. Type of analysis method used: One of the main differences between malware forensics and malware analysis is the type of analysis they perform: static or dynamic. Static analysis refers to examining the malware without running it, while dynamic analysis refers to observing the malware while it is running.
3. Tools and techniques used: Another difference between malware forensics and malware analysis is the tools and techniques they use. Malware forensics uses tools such as FTK Imager, EnCase, Autopsy, Volatility, Wireshark, and RegRipper to acquire and analyze various types of data from infected systems or networks. Malware analysis uses tools such as IDA Pro, Ghidra, OllyDbg, x64dbg, Radare2, Cuckoo Sandbox, and VirusTotal to examine and manipulate malware code or samples.
4. When they are used: Malware forensics is often used in response to a malware incident, such as a ransomware attack, a data breach, or a cybercrime investigation. Malware analysis is often used in research or in the development of malware detection or mitigation solutions, such as antivirus software, firewall rules, or threat intelligence.
5. Outcome of the technique: The outcome of malware forensics is a comprehensive report of the incident, including the timeline, scope, impact, attribution, and recommendations for recovery and prevention. The outcome of malware analysis is a detailed description of the malware's features, functions, and weaknesses, and the development of signatures, patches and countermeasures.
• Both malware forensics and malware analysis also use techniques such as hashing, signature scanning, code obfuscation, encryption, unpacking, and sandboxing to deal with different challenges and scenarios.
• Software Forensics
• Software forensics is a branch of science that investigates computer software source code and binary code in cases involving patent infringement or theft. Software forensics can be used to support evidence in legal disputes over intellectual property, patents, and trademarks.
• Software forensics is especially important in patent and trade cases. In these cases, someone may have copied another person's code but rewritten that code in a way that hides the theft.

• Cloud Forensics
• Cloud forensics focuses on the investigation of digital evidence stored in cloud computing environments. It involves extracting and analysing data from cloud storage, virtual machines, and other cloud-based services. Cloud forensics addresses the unique challenges of investigating data stored remotely in shared environments and requires specific expertise in handling cloud-based evidence.

• Multimedia Forensics
• Multimedia forensics deals with the analysis and authentication of digital images, audio recordings, video recordings, and other forms of multimedia. It involves techniques such as image analysis, video forensics, audio forensics, and steganography analysis to determine the authenticity, integrity, or origin of multimedia files.

• These are just a few examples of the different types of digital forensics. Depending on the nature of the investigation and the specific digital artifacts involved, other specialized areas of digital forensics may include email forensics, social media forensics, IoT forensics, and more. Each type requires specialized tools, techniques, and expertise to effectively analyse and interpret digital evidence within its respective domain.
5.4 PHASES OF DIGITAL FORENSIC INVESTIGATION
• Digital forensic investigation involves the application of scientific methods and techniques to extract and interpret information from digital devices, networks, and online platforms for legal purposes.
5.4.1 Objectives of Digital Forensic Investigation

• The primary goal of digital forensics is to identify, preserve, and analyse digital evidence to support investigations and legal proceedings.
• It helps to postulate the motive behind the crime and the identity of the main culprit.
• Designing procedures at a suspected crime scene which help to ensure that the digital evidence obtained is not corrupted.
• Data acquisition and duplication: recovering deleted files and deleted partitions from digital media to extract the evidence and validate it.
• Helps to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim.
• Producing a computer forensic report which offers a complete account of the investigation process.
• Preserving the evidence by following the chain of custody.
5.4.2 Digital Forensic Investigation Process Model
• The digital forensic investigation process is carried out according to the model shown in the figure.

[Fig. 5.2: Digital Forensic Investigation Process Model]

• Identification and Collection: The first step is to identify the purpose of the investigation, identify the required resources, identify potential sources of digital evidence, and collect relevant data from the identified sources.
• This includes finding out what evidence is present, where it is stored and how it is stored. It also includes seizing and imaging digital devices, making backups, and capturing network traffic.
• Preservation: Digital evidence is fragile and can be easily modified or destroyed. Preservation involves taking measures to protect the integrity and original state of the evidence, so the data is isolated, secured, and preserved.
• This includes creating forensic images, hashing, storing the evidence in a secure and controlled environment, and preventing people from using the digital device so that the digital evidence is not tampered with.
• Analysis: In this phase, the collected digital evidence is analysed using specialized tools and techniques. This can involve recovering deleted files, examining system logs, analysing network traffic, decrypting encrypted data, and reconstructing digital activities to establish a timeline of events.
• Examination (Interpretation): The analysis results are interpreted to draw conclusions and establish the significance of the evidence. This includes identifying relevant information, establishing links between different pieces of evidence, and identifying potential suspects or leads.
• Presentation (Documentation and Reporting): A comprehensive report is prepared detailing the findings of the investigation. This report is often presented in a clear and concise manner to assist legal professionals, law enforcement agencies, or other stakeholders in understanding the technical aspects of the case.
5.5 METHODS TO PRESERVE DIGITAL EVIDENCE
5.5.1 Why Should We Preserve Digital Evidence?
One of the greatest drawbacks of Locard's exchange theory lies in evidence dynamics, and there are many factors that can lead to the tampering and destruction of evidence:

• Staging (manipulation of objects in the crime scene) by the offender
• Secondary transfer of evidence
• Actions of the victim before the crime
• Witness actions
• Natural factors like animal or insect activity, weather, decomposition
• Fire suppression efforts
• Actions of police, scene technicians and medical personnel

• These factors lead to the removal or obliteration of the evidence. They can often mislead the investigators and cause problems with crime reconstruction. Misinterpretations or misleading evidence can lead to inaccurate crime reconstruction. To avoid this there is a need to preserve the digital evidence. Because of this fundamental importance of digital evidence preservation, it is necessary to preserve digital evidence in a well-structured manner.
5.5.2 Digital Evidence Preservation Methods
• In this section, we will go over three techniques that forensics specialists might employ to protect evidence before the analysis process begins.

Drive Imaging
• Forensic investigators must first produce an image of the evidence before they can start examining it from a source. A forensic procedure called "drive imaging" involves an analyst making a bit-by-bit copy of the original disk. The following considerations should be made by forensic professionals when examining an image:
  - It is possible for crucial and recoverable data to remain on even erased drives.
  - Using forensic procedures, experts in the field of forensics can recover all erased files.
  - Never examine the original media in a forensic examination. Use the duplicate image for all operations. Forensic investigators should construct the image for analysis using a "write blocker," which is a piece of hardware or software that aids in the forensic image's legal defensibility.

Hash Values
Cryptographic hash values such as MD5, SHA1, and others are produced when a forensic investigator prepares an image of the evidence for analysis. Hash values are important because:
  - They are used to confirm that the image is an exact reproduction of the source media: it is authentic and intact.
  - Hash values are essential when introducing evidence in court, since even the smallest change to the data will result in an entirely new hash value.
  - A new hash value is generated for any modification you make to a file on your computer, such as adding new content or changing existing content.
  - Analysts can use specialized software to obtain information that is not available in a standard file explorer window, such as the hash value and other file metadata.
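The drive-imaging and hash-value sections above describe one procedure, shown here as an added Python example (not from the original notes): a constructed "drive" file is copied block by block into an image while the bytes are hashed as they are read, the acquisition hash is then checked against fresh hashes of both source and image, a remnant of a deleted file is located in the image's unallocated space, and finally a single bit of the image is flipped to show that verification fails. SHA-256 is used in place of the MD5 and SHA1 the notes mention, since the same code accepts any hashlib algorithm name. Opening the source read-only is only the software side of write protection; on real media a hardware write blocker sits between the drive and the acquisition host. The file names, contents and the 4100-byte tamper offset are all invented for the example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096


def hash_file(path, algorithm="sha256"):
    """Hash a file in blocks so that multi-gigabyte images never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_drive(source_path, image_path, algorithm="sha256"):
    """Bit-for-bit copy of the source into an image file.

    The source is opened read-only and hashed as it is read, so the returned
    acquisition hash describes exactly the bytes that went into the image.
    """
    h = hashlib.new(algorithm)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source_path, image_path, acquisition_hash, algorithm="sha256"):
    """Source, image and the recorded acquisition hash must all agree."""
    return hash_file(source_path, algorithm) == hash_file(image_path, algorithm) == acquisition_hash


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence_drive.bin")
        image = os.path.join(workdir, "evidence_drive.dd")
        # Constructed "drive": a boot region, a zeroed block, a remnant of a deleted
        # file left in unallocated space, then filler bytes.
        with open(source, "wb") as f:
            f.write(b"BOOT" * 1024 + b"\x00" * 4096 + b"DELETED-FILE-REMNANT" + b"\xff" * 4000)

        acquisition_hash = image_drive(source, image)
        verified = verify_image(source, image, acquisition_hash)

        # Work on the image, never the source: the deleted-file remnant is still there.
        with open(image, "rb") as f:
            remnant_recovered = b"DELETED-FILE-REMNANT" in f.read()

        # Flip one bit of the image (offset 4100, inside the zeroed block): the hashes
        # no longer agree, so the image is no longer defensible as a copy of the source.
        with open(image, "r+b") as f:
            f.seek(4100)
            original = f.read(1)
            f.seek(4100)
            f.write(bytes([original[0] ^ 0x01]))
        verified_after_tamper = verify_image(source, image, acquisition_hash)

        return {"acquisition_hash": acquisition_hash, "verified": verified,
                "remnant_recovered": remnant_recovered,
                "verified_after_tamper": verified_after_tamper}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash is the value that goes on the chain-of-custody form; every later examiner re-runs hash_file on the image and compares against it before doing anything else.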
Chain of Custody

When forensic investigators gather and transfer media from the client, they should record every action taken
throughout the transfer of media and evidence on Chain of Custody (CoC) forms. They should also obtain
signatures and the time and date of each media handoff. Completing CoC paperwork is imperative for the
following reasons:

• The Chain of Custody (CoC) serves as proof that the image has been in known possession since its creation.
• A break in the CoC voids the legal value of the image and of any analysis performed on it.
• Any gap in the custody record is troublesome, for instance a period in which the evidence was left
unsupervised in an unguarded area or in plain sight.
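As an added example (not from the textbook), the Python below keeps a chain-of-custody record as a hash-chained
log and checks it for exactly the problems listed above: an altered or removed entry, an evidence hash that no
longer matches the one recorded at acquisition, a handoff released by someone who was not the last recorded
holder (a custody gap), and timestamps that run backwards. The entry fields, the evidence ID "EV-017", the role
names and the hash chaining itself are assumptions of this example; paper CoC forms carry signatures instead of
digests, but the continuity checks are the same ones a reviewer performs by hand.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # "previous digest" used for the first entry


def _entry_digest(fields, prev_digest):
    """SHA-256 over the canonical JSON of one entry, chained to the previous entry's digest."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + canonical).encode("utf-8")).hexdigest()


def append_handoff(log, evidence_id, evidence_sha256, released_by, received_by,
                   timestamp, location, purpose):
    """Record one handoff. `timestamp` is ISO 8601, as written and signed on the form."""
    fields = {
        "evidence_id": evidence_id,
        "evidence_sha256": evidence_sha256,   # digest recorded at acquisition
        "released_by": released_by,
        "received_by": received_by,
        "timestamp": timestamp,
        "location": location,
        "purpose": purpose,
    }
    prev = log[-1]["digest"] if log else GENESIS
    fields["digest"] = _entry_digest(fields, prev)
    log.append(fields)
    return fields


def verify_custody(log):
    """Return a list of (entry_index, problem). An empty list means the chain is unbroken."""
    problems = []
    prev_digest, prev_holder, prev_time, acquisition_hash = GENESIS, None, None, None
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "digest"}
        if _entry_digest(fields, prev_digest) != entry.get("digest"):
            problems.append((i, "digest mismatch: entry altered, or a preceding entry removed"))
        if acquisition_hash is None:
            acquisition_hash = entry["evidence_sha256"]
        elif entry["evidence_sha256"] != acquisition_hash:
            problems.append((i, "evidence hash differs from the hash recorded at acquisition"))
        if prev_holder is not None and entry["released_by"] != prev_holder:
            problems.append((i, f"custody gap: released by '{entry['released_by']}' "
                                f"but last recorded holder is '{prev_holder}'"))
        when = datetime.fromisoformat(entry["timestamp"])
        if prev_time is not None and when < prev_time:
            problems.append((i, "handoff timestamp earlier than the previous handoff"))
        prev_digest, prev_holder, prev_time = entry.get("digest", ""), entry["received_by"], when
    return problems


def sample_log():
    """Constructed three-handoff record for one disk image (roles rather than real people)."""
    image_hash = hashlib.sha256(b"constructed evidence image").hexdigest()
    log = []
    append_handoff(log, "EV-017", image_hash, "first responder", "forensic examiner",
                   "2024-03-01T09:15:00", "client server room", "seizure and imaging")
    append_handoff(log, "EV-017", image_hash, "forensic examiner", "evidence custodian",
                   "2024-03-01T13:40:00", "lab evidence locker 4", "storage")
    append_handoff(log, "EV-017", image_hash, "evidence custodian", "forensic examiner",
                   "2024-03-04T10:05:00", "lab workstation 2", "analysis")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact record:", verify_custody(log))
    # Drop the middle handoff: the next entry no longer chains, and its releaser
    # is not the last recorded holder, so the gap shows up twice.
    print("entry removed:", verify_custody([log[0], log[2]]))
```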
5.5.3 Issues with Maintaining Digital Evidence
• Some of the issues that arise with preserving evidence are as under.
Legal Admissibility

• This poses the greatest risk. Digital media should be placed under the CoC right away and quarantined if it is
a piece of criminal evidence; an investigator can subsequently make an image of it.

Evidence Destruction

• If threat actors have installed an application on a server, future forensic analysis will depend on that
program remaining accessible and not being removed from the system.

Media Still in Service?

• If so, the longer it has been since the occurrence, the greater the chance that important evidence will be
overwritten and destroyed.
5.6 CRITICAL STEPS IN PRESERVING DIGITAL EVIDENCE

Misinterpretations or misleading evidence can lead to inaccurate crime reconstruction. So we need to follow a
series of steps in order to preserve digital evidence, as even a small careless move can lead to a loss of
evidence and the collapse of a case.
5.6.1 Critical Steps in Preserving Digital Evidence
This section will cover the essential actions that must be taken in order to prevent loss of digital evidence
before delivering it to the forensic specialists. When it comes to digital evidence preservation, time is crucial.

1. Do not change the current state of the device: If the device is OFF, it must be kept OFF, and if the device is
ON, it must be kept ON. Call a forensics expert before doing anything.
2. Power down the device: In the case of mobile phones, if it is not charged, do not charge it. If the mobile
phone is ON, power it down to prevent data from being wiped or overwritten.
3. Do not leave the device in an open area or unsecured place: Ensure that the device is not left unattended in
an open or unsecured area. Document where the device is, who has access to it, and when it is moved.
4. Do not plug any external storage media into the device: Memory cards, USB thumb drives, or any other storage
media that you might have should not be plugged into the device.
5. Do not copy anything to or from the device: Copying anything to or from the device changes the slack space
and unallocated areas of the storage, where deleted data may still reside.
6. Take a picture of the piece of evidence: Take pictures of the evidence from all sides. If it is a mobile
phone, capture pictures from all sides, to show that the device has not been tampered with before the
forensic experts arrive.
7. Make sure you know the PIN/password/pattern of the device: It is very important for you to know the login
credentials of the device and share them with the forensic experts so that they can carry out their job
seamlessly.
8. Do not open anything like pictures, applications, or files on the device: Opening an application, file, or
picture on the device may cause loss of data or memory being overwritten.
9. Do not trust anyone without forensics training: Only a certified forensics expert should be allowed to
investigate or view the files on the original device. Untrained persons may cause the deletion of data or the
corruption of important information.

10. Do not shut down the computer; if required, hibernate it: Digital evidence can be extracted from both the
disk drives and the volatile memory. Shutting down discards the contents of RAM, whereas hibernation writes
them to disk and preserves them until the next system boot.

5.6.2 Key Points to Remember to Speed Up Preserving Evidence

• For the evidence to be professionally acquired by forensics investigators, the device is either seized or a
forensic copy is created at the crime scene.
• The key points to remember to speed up the process of preserving digital evidence and smooth out the process
for the authorities:
 Prepare yourself to share your authentication codes such as screen patterns and passwords.
 You may also need to share the device manuals, chargers and cables.
 The device's interactions with the Internet can also be analysed to build a complete and accurate picture of
overall activity.
 Have ownership of the device that you plan to submit to the police. If you do not have the authority or you
are not voluntarily submitting the device, the police may need to seize the device under their lawful powers.
 It is easier to hand over external memory storage than your device itself, so rather than giving your phone
away every time, it is recommended that you have an external memory card configured for your phone.
 Regularly back up your phone data and retain copies of these backups for future use. These will help you
restore another handset, or your own phone, if needed at a later date, and can also help to establish a trail
of the incident.
5.7 ROLE OF DEVICES AS EVIDENCE IN DIGITAL FORENSICS
• Digital forensic investigators must be adept at extracting evidence from an array of devices, each with
unique structures, operating systems, storage capabilities, and security features. A case involving a desktop,
for example, may require an understanding of operating systems, file systems, and data recovery. Conversely,
a case involving a smartphone may call for expertise in mobile operating systems, GPS technologies, and app
data extraction. In network or cloud-based investigations, data transmission, network protocols, cloud
architectures, and multi-tenancy environments are critical. Thus, the device or system at the centre of the
investigation often shapes the strategy and methodologies employed by the investigators.

5.7.1 Types of Devices

• Digital forensics is not a one-size-fits-all discipline: it branches out into several areas, each addressing
a specific kind of device or system. Some of them are discussed under.

• Computing Devices (Computers and laptops):

• Data preservation is the first step in computer forensics, and it is accomplished by making a forensic image
of the system's storage devices through a write-blocking device, which guarantees the integrity of the data.
Next, the forensic image is examined for files (both present and deleted), browsing history, email
conversations, system logs, file system information (such as timestamps and file ownership), and metadata.
These components may offer vital proof of the ownership, usage, and intent of the device.
• The main sources of difficulty in computer forensics are anti-forensic methods and encryption. Full-disk
encryption is a common feature of modern computers and can keep investigators from accessing the data if they
don't have the right encryption key.
• Anti-forensic techniques, such as data wiping, data hiding, and obfuscation, can also be employed to
complicate the investigation. Tools and strategies such as file carving, keyword searching, and hash
comparison can help overcome these challenges.
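File carving, mentioned above as one way around deleted or hidden data, works on the content of a disk image
rather than on the file system: it scans unallocated space for known header and footer byte sequences and cuts
out everything in between. The Python below is an added illustration, not textbook code or a real carver; it
knows only the JPEG and PNG signatures, uses an assumed 32 MiB upper bound per file, and runs over a constructed
blob of filler bytes with one "deleted" JPEG and one "deleted" PNG inside.

```python
# Header/footer signatures for two common picture formats. Production carvers know
# dozens of formats and also validate internal structure; this shows the core idea.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE_SIZE = 32 * 1024 * 1024  # assumed: give up on a header with no footer within 32 MiB


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return [(kind, offset, length, bytes)] for every header-to-footer span in `data`.

    Because it never consults directory entries, it recovers files whose metadata is
    gone (deleted files) as long as their sectors have not been overwritten.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = data.find(header, pos + 1)   # orphan header: keep scanning
                continue
            end += len(footer)
            found.append((kind, pos, end - pos, data[pos:end]))
            pos = data.find(header, end)
    return sorted(found, key=lambda item: item[1])


def sample_unallocated_space():
    """Constructed 'unallocated space': filler bytes with a deleted JPEG and a deleted PNG inside."""
    filler = bytes(range(256)) * 8
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"J" * 300 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 200 + b"IEND\xaeB`\x82"
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for kind, offset, length, _content in carve(sample_unallocated_space()):
        print(f"{kind:4} at offset {offset:6} length {length}")
```

On a real image the input would be the raw `.dd` file (read in large chunks with overlap, since it will not
fit in memory), and each carved file's hash would be recorded before it is opened or viewed.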

• Network Devices and Servers

• Network forensics focuses on monitoring and analysing network traffic. Investigators can capture network
packets live or read them from saved captures and logs, using tools like Wireshark or tcpdump. Analysing
packets can reveal suspicious activities, data exfiltration, or malicious network anomalies. Network devices
also store log files, providing a record of network events, while servers may contain user data, logs, and
databases.
• Tracking and attributing network activities to specific individuals can be challenging due to network
address translation (NAT), proxies, VPNs, or anonymizing networks like Tor. Another challenge is dealing with
the high volume of data and isolating relevant information. Furthermore, evidence might be distributed across
multiple devices in the network, requiring synchronized investigation and clocks that agree across those
devices so that events can be correlated.
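To make the "analysing packets can reveal data exfiltration" point concrete, here is an added Python example
(not from the textbook, and not Wireshark or tcpdump code) that reads a classic libpcap capture of the kind
`tcpdump -w` produces, decodes Ethernet/IPv4/TCP, and totals payload bytes per flow leaving the internal network.
The capture is constructed inline; the internal range 10.0.0.0/8, the RFC 5737 documentation addresses used as
"outside" hosts, the 50 KB threshold and the flow sizes are all assumptions, and checksums are neither computed
nor verified.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumed: networks considered "inside"; traffic from here to anywhere else is outbound.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def iter_pcap_records(pcap):
    """Yield (ts_sec, frame_bytes) from a classic libpcap capture (24-byte global header)."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield ts_sec, pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp_frame(frame):
    """Decode Ethernet/IPv4/TCP; return (src, dst, sport, dport, payload_len) or None."""
    if len(frame) < 14 + 20 + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:                  # IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6:                       # TCP only
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_offset = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, total_len - ihl - data_offset


def find_exfiltration(pcap, threshold_bytes, internal=INTERNAL_NETS):
    """Sum TCP payload bytes per (src, dst, dport) leaving `internal`; report flows at or over threshold."""
    totals = defaultdict(int)
    for _ts, frame in iter_pcap_records(pcap):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload_len = parsed
        src_in = any(ipaddress.ip_address(src) in net for net in internal)
        dst_in = any(ipaddress.ip_address(dst) in net for net in internal)
        if src_in and not dst_in:
            totals[(src, dst, dport)] += payload_len
    return {flow: total for flow, total in totals.items() if total >= threshold_bytes}


# --- constructed capture, for the demonstration only --------------------------
def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def sample_pcap():
    """Bulk upload to an outside host, normal SMB traffic inside, and a small web fetch."""
    frames = []
    frames += [_tcp_frame("10.0.0.5", "203.0.113.7", 51000, 443, b"E" * 1400) for _ in range(50)]
    frames += [_tcp_frame("10.0.0.5", "10.0.0.9", 51001, 445, b"S" * 1400) for _ in range(30)]
    frames += [_tcp_frame("10.0.0.5", "198.51.100.20", 51002, 80, b"G" * 200) for _ in range(3)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for (src, dst, dport), total in find_exfiltration(sample_pcap(), 50_000).items():
        print(f"{src} -> {dst}:{dport} sent {total} payload bytes")
```

The same per-flow totals are what a Wireshark "Conversations" view shows; the value of writing it out is that the
threshold, the definition of "internal", and the handling of the high data volume (a single streaming pass) are
explicit and repeatable for the report.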

• CCTV Systems

• Video recordings, access logs, and configuration information are all available from closed-circuit
television systems. Forensic specialists usually obtain information by removing the hard drive from the CCTV
system's Digital Video Recorder (DVR) and creating an image of it.
• CCTV systems come with their own set of difficulties. For example, video footage is frequently recorded in a
loop, so older footage is overwritten by newer recordings, and sophisticated methods may be required to
retrieve overwritten or erased video. Moreover, video footage processing and analysis can take a long time,
particularly in high-resolution systems where large amounts of data may be involved.
• Automobiles:
• Several onboard computers, referred to as Electronic Control Units (ECUs), are installed in modern cars and
they are in charge of multiple operations, including engine control, navigation, communications, and more. A
subset of them, known as Event Data Recorders (EDRs), can provide vital event data from before, during and
after a collision, such as vehicle speed, brake application, airbag deployment, and seatbelt usage.
• Vehicle forensics requires specialist tools in order to interface with these ECUs via the onboard
diagnostics (OBD) port and other interfaces and to interpret the data. The process is made much more difficult
by the fact that these car systems are proprietary and there are many different manufacturers and models. For
security reasons, a lot of car systems encrypt communications as well, which makes forensic extraction
difficult.

• Other than the devices discussed above, some other devices are also encountered, such as smartphones and
tablets, Internet of Things (IoT) devices, wearables, drones, medical devices, device memory, gaming consoles
and cloud storage.

• With the varied types of devices and systems involved in digital forensic
investigations, a singular approach often proves insufficient. A more
encompassing, holistic approach is necessary to conduct an effective and
thorough investigation. This involves considering all the digital devices and
systems relevant to the case and understanding how data from each
device contributes to the overall picture.
