Module 3

Computer Forensics
Part 4
41. Email Investigation/ Analysis-
 Emails play a very important role in business communications and have emerged
as one of the most important applications on internet. They are a convenient
mode for sending messages as well as documents, not only from computers but
also from other electronic gadgets such as mobile phones and tablets.

 The negative side of emails is that criminals may leak important information
about their company. Hence, the role of emails in digital forensics has been
increased in recent years. In digital forensics, emails are considered as crucial
evidences and Email Header Analysis has become important to collect evidence
during forensic process.

 Email investigation is a digital forensic process of finding out evidences from

suspect emails that allows investigator to examine, preserve and reveal digital
evidence (branch of forensic science).

42. Role of Email in Investigation-

Email plays a crucial role in modern investigations across various domains including law
enforcement, corporate, and legal proceedings.

1. Evidence Gathering: Email often contains valuable evidence such as

conversations, agreements, transactions and even potential threats.
Investigators can obtain warrants to access email accounts and analyze the
content to gather evidence pertinent to their investigation.
1
 2. Communication Trail: Email provides a detailed communication trail, showing
who communicated with whom, when, and about what. This helps investigators
to reconstruct timelines, establish relationships between individuals and
understand the context of events under investigation.

3. Digital Forensics: Email metadata (information about the email itself, such as
sender, receiver, timestamps, etc.) can be analyzed forensically to determine
authenticity, trace the origin of messages and identify any attempts at
manipulation or forgery.

4. Corroboration: Email correspondence can corroborate other forms of evidence

or witness testimony. For example, if a suspect denies involvement in a crime but
emails suggest otherwise, it can undermine their credibility.

5. Documentary Evidence: Emails often contain attachments such as contracts,

invoices or other documents relevant to an investigation. These documents can
serve as crucial evidence in proving or disproving a case.

43. Goal of investigator in email forensics-

An investigator has the following goals while performing email forensics −

1. To identify the main criminal

2. To collect necessary evidences

3. To present the findings

4. To build the case

2
44. Procedure to investigate an email-
Email crime investigation contains the following steps:

1. Obtain a search warrant and seize the computer and email account
2. Examine the email message
3. Copy the email message into USB key
4. Print the email message
5. View the mail headers
6. Examine the email headers
7. Examine attachment if it is there in email
8. Trace the email

1. Obtain a search warrant and seize the computer and email account:
The investigators should arrange a search warrant in an appropriate language
prior to carrying out an onsite examination of the computer and the email server.
A forensic test should be conducted on the permitted equipment which is
already stated in the warrant. The computers and email accounts suspected of
being involved in the crime should be seized. The investigators seize the email
account by changing it’s existing password.

2. Copy the email message into USB Key

3. Take the printout of the email message by using the print option available in
the mail program.

4. View the email headers:

To check the mail header
a) Open your email
b) Right click on your mail
c) After right click menus will display. Click on view full header.
d) The file header will get opened.

3
5. Examine the email header: The email header contains the message header and
the subject body. It also contains the information of the email origin. It also gives
the return path and receiver’s mail id.

6. Examine the attachment: If the mail contains any attachment, then copy that
attachment and also take the print out of that attachment.

7. Trace the email: The IP address of the origin computer tells who is the owner of
the email address which has been used in the possible crime that is being
investigated. It may be possible that this information may be fake. So it’s important
to validate the evidence before uncovering. There are many sites which tell the
owner associated with the domain name. For example: [email protected], everything
after the @ sign is the domain name.

4
45. Roles of the client and server in email-
 Email client message is made up of two parts i.e. header and body. The header
contains the information about the email origin, like the address from where it
comes, how it reached to the destination and who send it. The body contains the
message and attachment if any.
 Many organizations have their own mail server. Some users dial for the internet
service provider. When these users send the mail, that mail first go to the ISP
(Internet Service Provider) server, then ISP send that mail to receiver’s mail
server.
 The message stays on the receiver server till the recipient retrieve it. An email
server is a computer which runs on Linux, Windows or any other os. The server
contains the software to manage the transmissions and holds the message.
 When the email crime is investigated, the internal corporate emails are easy to
trace. They use Universal Naming Conventions (UNC) coupled with central
authentication. So it makes easy to find the sender and receiver of the email.
 The email client lists all the messages in mailbox by displaying message header as
well as the time and date of the message. It also tells the senders and the size of
the message. The client can view, compose or delete the message.

5
  The email server is having the list of all the accounts. It has text file for each
account. When a person clicks the send button to send the mail, it passes the
mail to the mail server with sender and receiver name and message. The server
formats this information and appends it to the bottom of the recipient’s text file.
To interact with the server the following email protocols are required.

1. Post Office Protocol(POP) : It stores only incoming messages. Investigation is

done at the workstation.
2. Internet Message Access Protocol (IMAP): It stores all the messages. Copies
of incoming and the outgoing messages are stored on the server or
workstation or both.
3. Microsoft’s Mail API (MAPI) : This protocol also work same as IMAP.
4. HTTP: This protocol is used for web based sends and receives.
5. Simple mail transfer protocol (SMTP): It is responsible for sending and
receiving the email. It uses TCP port 25. It is easy to spoof SMTP and send the
fake email.

46. Techniques used to investigate an email-

In email forensics, the source and content of emails is considered as evidence.
The process includes identifying the actual sender, recipient, date, time and
location of mail transaction, intention of sender etc. Various techniques that are
used for email investigation:

1. Header Analysis of emails: While investigating emails, investigators usually

start from the scratch and analyse the headers of the mails. Headers contain
information about the senders of the emails and also information about the
path through which the emails have travelled. During the time of a crime, the
email headers are spoofed in order to hide the identity of the sender. If the
message passing through SMTP server do not possess smtp characteristics,
then they are faked.

6
2. Link Analysis: It is a graphical data analysis method to evaluate emails
exchanged between users. Since a crime can involve multiple suspects, link
analysis is used in order to examine the link between the suspects.

3. Bait Tactics: The basic aim of this technique is to extract the IP address of the
culprit. Here an email with http:<img src> tag, which has some image source at
a computer that is monitored by investigators is sent to the email address that
is under investigation. Now the recipient is the one who originally was sender
during the crime. When the email is opened, a log entry which contains the IP
address of the recipient is recorded on the server which is hosting the image
and the recipient is recorded by the investigator.

4. Investigation of server: Here server logs and copies of delivered message

between sender and receiver are investigated. The emails from the sender and
receiver, which are not recoverable, are extracted from proxy or ISP servers, as
the servers store a copy of all the emails after their respective delivery.

5. Investigating network device: The source of an email message can also be

investigated with the help of logs maintained by network devices, such as
routers, firewalls and switches. Owing to it’s complexity, this technique is only
deployed in the absence of logs of ISP or proxy servers.

6. Fingerprints of Sender Mailers: The received header field proves to be helpful

in the identification of software which handles email at server. Also different
set of headers such as “X-Mailers” can be used for the identification of the
software, which handles email at the client. These headers describe
information about the applications and their servers used by the client to send
emails.

7. Software embedded identifiers: The information about the creator of emails

may be included in the custom headers or in form of MIME contents as a
TNEF. The investigation may reveal names of PST files, MAC address etc of the
computer, which was used to send emails.
7
47. Email Forensic Tools-
There are several tools which may contribute in the study of sender and text of email
messages, so that an attack or the mischievous motive of the invasions may be
examined.

1. eMailTrackerPro: This tool examines the header of an email to sense the IP

address of the computer that directed the message, so that the source can be
chased down. It can track numerous email at the same time.

2. EmailTracer: This is one of the cyber forensic tool. This tool tracks the initiating
IP address and other particulars from email header, produces detail HTML report
of email header analysis, discovers the city-level particulars of the source, plots
path traced by the email and show the initiating geographic position of the email.

3. Adcomplain: This is the tool for reporting unsuitable marketable emails and
make use of net positions, along with chain letters and “make money fast”
postings.

4. Aid4Mail Forensic: It is an email investigation software for forensic analysis and

court case proceedings support. It is an email relocation and translation tool,
which supports various mail formats together with Outlook(PST, MSG files),
Windows live mail, Eudora etc. It can explore through mail by date, header
content and by message body content.

5. AbusePipe: This tool examines abuse objection emails and regulates which of
ESP’s client are disturbing spam prounded on the material in e-mailed objection.

6. AccessData’s FTK: It is typically court-validated digital investigations platform

computer forensics software, passing on computer forensic analysis, decryption
and password cracking within a spontaneous and personable interface.

7. Encase Forensic: It is an computer forensic application that offers detectives the

capability to copy a drive and reserve it in a forensic way by means of the Encase
evidence file format, a digital evidence container examined by courts universally.

8
 8. FINALeMAIL: It can bring back the email database file and finds lost emails that
do not have data position information related with them.

48. Challenges in Email Forensic: -

Email forensics play a very important role in investigation as most of the
communication in present era relies on emails. However, an email forensic investigator
may face the following challenges during the investigation –

Fake Emails

The biggest challenge in email forensics is the use of fake e-mails that are created by
manipulating and scripting headers etc. In this category criminals also use temporary
email which is a service that allows a registered user to receive email at a temporary
address that expires after a certain time period.

Spoofing

Another challenge in email forensics is spoofing in which criminals used to present an

email as someone else’s. In this case the machine will receive both fake as well as
original IP address.

Anonymous Re-emailing

Here, the Email server strips identifying information from the email message before
forwarding it further. This leads to another big challenge for email investigations.

9
49. Investigating Web Browser: -
 Often the source of incidents and malware can be traced down using the artifacts
found inside of browsers. From the navigation history to downloaded files,
browsers are a critical piece in any forensic analysis.

 Each browser stores it’s files in a different place than other browsers and they all
have different names, but they all store(most of the time) the same type of
data(artifacts).

 Let us take a look of a most common artifacts stored by browsers:

 Navigation History: Contains data about the navigation history of the user.
Can be used to track down if the user has visited some malicious sites for
example.

 Autocomplete data: This is the data that the browser suggest based on
what you searched the most.

 Bookmarks: Bookmarked contains

 Extensions and addons: Extensions to programs

 Cache: When navigating websites, the browser creates all sorts of cache
data for many reasons. For example, to speed loading time of websites.
These cache files can be a great source of data during a forensic
investigation.

 Logins: Saved passwords

 Favicons: They are the little icon found in tabs, URLs, bookmarks and the
such. They can be used as another source to get more information about
the website or places the users visited.

 Browser Sessions: Browsed contents.

 Downloads: Downloaded data.

10
  Form data: Anything typed inside forms is often times stored by the
browser. So the next time the user enters something inside of a form the
browser can suggest the previously entered data.

 Tools for analysis: Internet evidence finder, WEFA, Encase, FTA.

50. Web Analysis: -

 Nowadays there are many web browsers available in the market like internet
explorer, google chrome and Mozilla etc.
 These all web browsers are slightly different in web services. To display the same
website faster on future occasions, web browsers maintain the downloaded
website data, so that it remains available on the computer even if the user closes
the browser or shuts down the machine.
 The downloaded web files are known as caches, cached history or temporary
files. Based on the operating systems and browser applications they are in
different locations.

a) Internet Explorer: It is the most famous and frequently used default web
browser. In Windows 10 IE is replaced with Microsoft Edge (ME). IE and ME both
work in private mode, without storing information about web resources visited
by the user.

b) Google Chrome:
 It is the browser provided by google. It has incorporation with
google services. It allows the synchronization of user
passwords between devices. One can use the extensions and
plug-in. Google chrome performs fast operations and collects
user data but it consumes large amount of memory.
 It work in incognito mode, which prevents the browser from permanently
storing any history information, cookies, site data or form inputs.
11
 c) Opera: The Opera web browser is also a famous web browser. It was the first
web browser to introduce features that other web browsers adapted like: pop-
up blocking, speed dial, private browsing and tabbed browsing re-opening
recently closed pages. Opera has a free virtual private network (VPN) service,
which permits users to surf the web incognito.

d) Firefox: Firefox is also one of the popular web browsers. It is more secure as
compared to other browsers. It has advanced incognito mode, disabling tracking
of user’s locations and advertisements. Firefox has it’s own extensions.

51. Difficulties of Web Browser Forensic Analysis: -

There are following difficulties faced by the forensic examiner while analysing the
web browsers:

 Many web browsers are available with lots of different data.

 To protect the data, encryption need to be used.

 Each web browser has it’s own artifacts in operating system. If the user is using
the incognito mode (private mode) then computer do not contain the browser
artifacts which are depending on the version of web browser. Usually the
artifacts which are common those are History, cache, cookie, typed URLs,
sessions, most visited sites, screenshots, form values(searches, autofill),
downloaded files, favourites etc.

12
52. Web Analysis Technique: -
a) Cookie Storage and Analysis:

 Cookies are the text files. These files are used to feedback from the user to the
server. When performing some actions with a web resource like viewing web
links, downloading files etc, these actions are registered in a cookie that is
secretly sent by the server to the user’s computer. By using this web resource,
the server can find out what actions the user has taken on previous visits to this
web resource.
 The cookies are stored in cookies folder, but the location of the cookies folder is
based on the web browser and the operating system.

b) Analysing cache and temporary internet files:

Cache files:
The cache folder contains the browser history and it automatically creates
the profile folder at start. This folder is the storage place for the browsing
history.

Windows Temporary Internet files:

 These files (C:\Windows\Temporary internet files) are immediate downloads
from the internet, more often than not containing realistic pictures in windows
bitmap(bmp), jpeg, gif or .art format. There will html files present for website
home page components.
 Downloaded movies, mpegs, avi files and adobe pdf files will be found in
temporary internet files.

Temporary files:
 Windows temp files (C:\Windows\Temp) are temporary files made by windows
as different programs are running and diverse processes are occurring. They are
regularly exact copy of files put away somewhere else on the pc. At different
occasions, they are exact duplicate of files which are waiting to be handled by PC.
13
  For instance, a print work heading off to a laser printer will make a temporary
document called an EMF(Enhanced Windows metafiles). EMF’S can frequently be
found in the temp index a very long time after laser printer was utilized.
 Numerous different sorts of files can be found in the temp registry too.

53. Malware Handling/Analysis: -

Malware analysis is a process to perform analysis of malware and how to study
the components and behaviour of malware. It is important, since many malwares
at this day are not detectable by antivirus.

Malware Analysis Method

Two methods of malware analysis are used :

a) Static Analysis
b) Dynamic Analysis

14
 a) Static Analysis:
It is a method of analysis of malware that is done without running the
malware and analysis using this method is much more secure. This method can
further be divided into two stages:
i) Basic Static Analysis
ii) Advanced Static Analysis

i. Basic Static Analysis:

This method carried out testing against a program which is called as
malware with doing the scanning using antivirus, moreover also doing hashing
and detection of packed at the program.

ii. Advanced Static Analysis:

In this method, further analysis will be undertaken of the method of static
analysis with analysis against the strings, linked libraries and function as well as
using IDA disassembler.

b) Dynamic Analysis:
It is a method of analysis of malware by running the malware. To make it
more secure, malware will run inside a virtual machine, so that malware will not
damage the computer system.
This method can further be divided into two stages:
i) Basic Dynamic Analysis
ii) Advanced Dynamic Analysis

i) Basic Dynamic Analysis:

This basic method in dynamic analysis will be build a virtual machine that
will be used as a place to do a malware analysis. Here malware will be analysis
using malware sandbox and monitoring process of malware and analysis packets
data made by malware.

15
 ii) Advanced Dynamic Analysis:
In this method, further analysis will be undertaken of the method of
dynamic analysis with debugging on malware, analysis the registry and so an
analysis on a windows system.

Malware Analysis Report:

From the result of malware analysis using both methods, a report can be
obtained which contains the information about characteristics of malware.

54. Challenges in Computer Forensics: -

Challenges in computer forensics are of three types.

1. Technical challenges
2. Legal challenges
3. Resource Challenges

1. Technical Challenges:
Crimes and criminals evolve in tandem with technological advancements. In
digital forensics, this process is known as anti forensic technique and it is considered
a major challenge in the world of digital forensics. Digital forensic experts use
forensic tools to collect shreds of evidence against criminals and criminals use such
tools to hide, alter or remove the traces of their crime.

The following are the different types of anti-forensic techniques:

a) Encryption:
It is legitimately used to protect information’s privacy by keeping it hidden from
unauthorized users/persons. Unfortunately, criminals can use it to conceal their
crimes.

b) Data hiding in storage space:

Using system commands and programmes, criminals usually hide chunks of data
inside the storage medium in an invisible form.
16
c) Covert channel:
It is a communication protocol that enables an attacker to get around intrusion
detection systems and hide data on the network. It was used by the attacker to
conceal his connection to the compromised system.

d) Steganography:
It is an encryption technique that can be used in conjunction with cryptography to
provide an extra layer of security for data protection. Steganography is a technique
for concealing information within a file carrier without altering it’s appearance. This
steganography is used by attackers to hide their hidden data within the
compromised system. When investigating computer crimes, the investigator must
first locate the hidden data in order to reveal it for future use.

2. Legal Challenges:
 The presentation of digital evidence is more difficult than it’s collection
because there are many instances where the legal framework acquires a soft
approach and does not recognize every aspects of cyber forensics.

 This occurs in the majority of cases because the cyber police lack the necessary
qualifications and ability to identify and provr a possible source of evidence.
Also, electronic evidence is frequently challenged in court due to it’s
inconsistency.

 The following are few legal challenges:

a) Absence of guidelines and standards: There are no clear guidelines for
collecting and acquiring digital evidence in India. Investigative agencies and
forensic laboratories are developing their own set of guidelines. As a result,
the value of digital evidence has been diminished.

b) Limitation of the Indian Evidence Act,1872: This act has a limited approach;
it is unable to evolve with the times and address the fact that electronic
evidence is more vulnerable to tampering, alteration, transposition and

17
 other forms of fraud. This act is silent on how e-evidence is collected,
instead, it focuses on how electronic evidence is presented in court with a
certificate in accordance with Section 65B, subsection 4. This means that
whatever procedure is used, it mustbe documented with a certificate.

3. Resource Challenges:
Because digital evidence is more sensitive than physical evidence, it can
easily disappear as the rate of crime rises. As a result, the burden of analysing
such vast amounts of data falls on a digital forensic expert. Forensic experts use
various tools to check the authenticity of data in order to make the investigation
process faster and more useful but dealing with these tools are a challenge.

The following are few resource challenges:

a) Change in technology:
Reading digital evidence has become more difficult due to rapid changes
in technology such as operating systems, application software and hardware.
Newer versions of software are not supported by older versions and software
developers have not provided any backward compatibles, which has legal
implications.

b) Volume and Replication:

Electronic documents’ confidentiality, availability and integrity all are
easily manipulated. Wide-area networks and the internet combine to form a
large network that allows data to flow across physical boundaries. The ease
with which people can communicate and the availability of electronic
documents has increased the volume of data, making it more difficult to identify
original and relevant data.

18
55. Needs of Computer Forensics Tool: -
The objective is to discover the best value of using computer forensic tool. Some
questions may be there when assessing tools comprises of the following:

1) On which OS, does the forensic tool run?

2) Is the tool versatile? For example, does it work in Windows 98, XP and Vista and
produce the same results in all three OSs?
3) Can the tool analyse more than one file system, such as FAT,NTFS and Ext2fs?
4) Can a scripting language be used with the tool to automate repetitive functions
and tasks?
5) Does the tools have any automated features that can help reduce the time
needed to analyse data?
6) What is the vendor’s reputation for providing product support?

56. Different types of Computer Forensics Tool: -

1. SANS SIFT:
 The SANS Investigative forensic toolkit (SIFT) is based on Ubuntu Server Live CD
containing a complete set of tools in which you wish to perform a rigorous
forensic cybercrime or any incident-responsive inquiry.
 It supports analysis of Expert Witness Format (E01), Advanced Forensic
format(AFF) and RAW(dd) evidence formats. SIFT includes tools such s log
timeline for generating a timeline from system logs, Scalpel for data file carving
etc.

2. CrowdStrike CrowdResponse: It is a lightweight console application that can be

used as part of an incident response scenario to gather contextual information
such as a process list, scheduled tasks etc.

19
3. X-Ways Forensics: X-Ways Forensics is known for its speed and efficiency in
processing large volumes of data. It provides comprehensive forensic analysis
features and supports various disk image formats, file systems, and encryption
methods.

4. AccessData Forensic Toolkit (FTK): FTK is another popular computer forensics

tool that enables examiners to collect, analyze and preserve digital evidence. It
supports a wide range of file systems and data types and offers advanced search
and analysis capabilities.

5. EnCase Forensic: EnCase Forensic is one of the most widely used computer
forensics tools. It allows forensic examiners to conduct thorough investigations
by acquiring, analyzing, and reporting on digital evidence from various sources,
including computers, smartphones, and cloud storage.

6. Autopsy: Autopsy is an open-source digital forensics platform that offers a wide

range of features for forensic analysis, including disk imaging, file analysis,
keyword searching, and timeline analysis. It is widely used by forensic examiners
and is continuously updated with new features.

7. Sleuth Kit (TSK): Sleuth Kit is a collection of command-line tools for forensic
analysis and incident response. It includes utilities for examining disk images, file
systems, and data structures, making it a valuable tool for forensic investigators.

8. Volatility Framework: Volatility is a powerful memory forensics framework used

for analyzing volatile memory (RAM) dumps. It allows examiners to extract
valuable information such as running processes, open network connections, and
malware artifacts from memory images.

20
57. Tasks performed by Computer Forensics Tool: -
All computer forensics tools, both hardware and software, execute specific
functions such as:

1. Acquisition
2. Validation and discrimination
3. Extraction
4. Reconstruction
5. Reporting

1. Acquisition:
Acquisition, the first task in computer forensic investigations, is making a
copy of the original drive. Subfunctions in the acquisition category comprises of
the following:
a) Physical data copy
b) Logical data copy
c) Data acquisition format
d) Command-line acquisition
e) GUI acquisition
f) Remote Acquisition
g) Verification

2. Validation and Discrimination:

Two concerns in dealing with computer evidence are critical. First is

guaranteeing the integrity of data being copied (i.e. the validation process).
Second is the discrimination of data, which includes sorting and searching
through all analysis and research data. Many forensic software vendors propose
three methods for discriminating data values. These are the sub-purpose of the
validation and discrimination function.
a) Hashing
b) Filtering

21
 c) Analysing file headers

Validating data is done by obtaining hash values. The primary purpose of data
discrimination is to take away good data from suspicious data.

3. Extraction:
The extraction function is referred as the recovery task in a computing
investigation and is the most stimulating of all tasks to master. Recovering data is
the first step in analyzing an investigation’s data. The following subfunctions of
extraction are used in investigation:
a) Data viewing
b) Keyword Searching
c) Decompressing
d) Carving
e) Decrypting
Many computer forensic tools comprises of a data viewing mechanism for digital
evidence. Tool such as ProDiscover, X-Ways Forensics. FTK. Encase, SMART, ILooK
and others offer numerous methods to view data, together with logical drive
structures like folders and files. These tools also show allocated file data and
unallocated disk areas with special files and disk viewers.

4. Reconstruction:
The purpose of having a reconstruction feature in a forensic tool is to re-
create a suspect drive to display what happened during a crime or an incident.
These are the subfunctions of reconstruction:
a) Disk-to-disk copy
b) Image-to-disk copy
c) Partition-to-partition copy
d) Image-to partition copy

There are several ways to re-create an image of a suspect drive.

22
 The following are some tools that perform an image-to-disk copy.

1. SafeBack
2. SnapBack
3. Encase
4. FTK Manager
5. ProDiscover

5. Reporting:
To complete a forensic disk analysis and examination, a report should be
created. Newer Windows forensic tools can generate electronic reports in a
variety of formats like word processing documents, HTML web pages or Acrobat
PDF files. These are the subfunction of the reporting functions.
1. Log Reports
2. Report Generator
As part of the validation process, one need to document the steps which he/she
took to obtain data from a suspect drive. The tools such as Encase, FTK, ILook,
ProDiscover may offer report generators to display bookmarked evidence.

58. Application of Computer Forensics: -

• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgeries related matters
• Bankruptcy investigations
• Issues concerned the regulatory compliance

23
59. Advantage of Computer Forensics: -
 To produce evidence in the court, which can lead to the
punishment of the culprit.
 It helps the companies in gathering important information about
their computer systems or networks that may have been
compromised.
 Efficiently tracks down cyber criminals from anywhere in the world.
 Helps to protect the organization’s money and valuable time.
 Allows to extract, process, and interpret the factual evidence, so it proves the
cybercriminal action’s in the court.

60. Disadvantage of Computer Forensics: -

 Before the digital evidence is accepted into court it must be proved that it is not
tampered with.
 Producing and keeping electronic records safe is expensive.
 Legal practitioners must have extensive computer knowledge.
 Need to produce authentic and convincing evidence.
 If the tool used for digital forensics is not according to specified standards, then
in a court of law, the evidence can be disapproved by justice.
 A lack of technical knowledge by the investigating officer might not offer the
desired result.

24