Module 3:

Computer
Forensics
-By
Asst Prof Rohini M. Sawant
 Introduction to Computer Forensics
● Computer Forensics is a scientific method of investigation and analysis in order to gather evidence from
digital devices or computer networks and components which is suitable for presentation in a court of law
or legal body.
● It involves performing a structured investigation while maintaining a documented chain of evidence to
find out exactly what happened on a computer and who was responsible for it.
● Computer forensics is the process of collecting, analyzing, and preserving digital evidence from
computer systems, networks, and devices in a way that is legally admissible in court. It involves
investigating cybercrimes or incidents like hacking, data breaches, fraud, and even cases of harassment
or intellectual property theft.
● Computer forensics involves preserving, identifying, extracting, documenting, and interpreting
electronic data for legal evidence.
● It focuses on investigating digital devices such as hard drives, disks, and tapes to uncover information
related to criminal activities.
Introduction to Computer Forensics
 How does Computer Forensics Work?
● Identification: Identifying what evidence is present, where it is stored, and how it is
stored (in which format). Electronic devices can be personal computers, Mobile
phones, PDAs, etc.
● Preservation: Data is isolated, secured, and preserved. It includes prohibiting
unauthorized personnel from using the digital device so that digital evidence,
mistakenly or purposely, is not tampered with and making a copy of the original
evidence.
● Analysis: Forensic lab personnel reconstruct fragments of data and draw
conclusions based on evidence.
● Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are
documented.
● Presentation: All the documented findings are produced in a court of law for further
investigations.
 Evidence Collection
In computer forensics, evidence collection is a critical phase that involves gathering and preserving data from various digital sources
while ensuring that the evidence remains unaltered. The types of evidence commonly collected include data from hard drives, system
memory, logs, and other devices. Let’s break down each type of evidence:

1. Disk Evidence Collection (Hard Drive, SSD, etc.)

● Hard drives and SSDs are often the primary storage devices in a computer. These contain files, documents, emails, system files,
and other data crucial to an investigation.
● Methods:
○ Forensic Imaging: A bit-by-bit copy of the entire disk (including slack space and deleted data) is created. This ensures
the original drive is not altered during the process.
○ Write Blockers: These devices ensure that data is not accidentally written to the drive during evidence collection,
preserving its integrity.
○ Live Analysis: In some cases, investigators may examine a running system while preserving a snapshot of the disk. This
is typically done when turning off the system would risk losing volatile data.
● Key Evidence: Files, deleted files, partitions, metadata, encrypted files, and file systems (e.g., NTFS, FAT, exFAT).
● Tools: Forensic Imager, dd ("data duplicator" or "disk dump,"), or EnCase
● Example:
○ Suppose a suspect's computer is suspected of containing evidence related to a cybercrime. A forensic investigator would
acquire a forensic image of the suspect's hard drive using a write-blocking device to prevent any modifications to the
original data. This image would then be analyzed to extract relevant files, documents, emails, browsing history, etc.
 Evidence Collection
2. Memory Evidence Collection (RAM)

● RAM (Random Access Memory) stores temporary data that could include passwords, encryption keys, running
processes, open files, and traces of activities. It is volatile, meaning it is lost when the system is powered off.
● Methods:
○ Memory Dump: A copy of the system’s RAM is taken while the computer is running, using specialized
forensic tools (e.g., Volatility, FTK Imager).
○ Forensic Analysis: After dumping the memory, investigators analyze it to uncover live sessions, running
applications, and active network connections.
● Key Evidence: Running processes, open applications, system state, encryption keys, passwords, browser
history, and network activity.
● Tools: Volatility, Rekall
● Example: Let's consider an investigation involving a suspected data breach, where the investigator wants to
collect evidence from a computer that may have been used to access sensitive data unlawfully. The goal is to
capture everything currently in the system's memory to potentially identify active processes and trace
 Evidence Collection
3. Log Evidence Collection

● Logs are records generated by operating systems, applications, and network devices that provide a trail of
activities on a system.
● Methods:
○ System Logs: These logs contain information about system events, user logins, and errors (e.g.,
Windows Event Logs, Syslog).
○ Application Logs: These logs track the activities of specific applications and services.
○ Network Logs: These logs record network traffic, including connections, requests, and communication
data (e.g., firewall logs, router logs, DNS logs).
○ Collection Tools: Investigators use forensic tools (e.g., Log2timeline, ELK Stack) to automate the
collection and analysis of log files.
● Key Evidence: User activities (login/logout), IP addresses, access times, file modifications, system alerts, and
application errors.
● Tools: ELK Stack, Splunk, or Wireshark
● Example: In a data breach investigation, log analysis can reveal unauthorized access attempts, abnormal
network traffic patterns, and data retreat activities, helping investigators determine the extent of the breach and
identify the attacker's tactics, techniques, and procedures (TTPs).
 Evidence Collection
4. Registry Evidence Collection: Registry evidence collection refers to the process of collecting and analyzing the Windows
registry, which is a central database used by the Windows operating system to store configuration settings, user preferences, and
system information. The registry contains valuable data about user activity, system operations, installed software, and security
settings, making it an essential source of evidence in many forensic investigations.

Collection Steps:

● Identify Relevant Registry Hives: The main registry hives of interest include:
○ HKLM\Software: Contains details of installed software and system configurations.
○ HKCU\Software: Contains user-specific configurations and recently accessed files.
○ HKU<userSID>: Contains information about other user accounts on the system.
○ HKEY_LOCAL_MACHINE\SYSTEM: Contains system settings such as boot information and network settings.
● Extract Registry Hives: Use tools like FTK Imager, RegRipper, or EnCase to extract the registry files from the system.
● Hashing: Create a hash of the extracted registry files to ensure that the data is unaltered.

Key Evidence Collected: Installed software details, User activity (e.g., recently accessed files), Malware persistence (via startup
keys), User login times and security settings (e.g., password hashes in SAM), USB device history.

Tools: Registry Viewer, RegRipper, or Registry Explorer

 Evidence Acquisition
In computer forensics, evidence acquisition, analysis, and examination are crucial stages in the
investigation process, regardless of the platform or type of digital evidence being examined.

Evidence Acquisition:
Definition: Evidence acquisition involves the collection and preservation of digital evidence in a
forensically sound manner to ensure its integrity and admissibility in legal proceedings.
Example:
For Windows:
■ Evidence acquisition from a Windows system involves creating a forensic image of the hard
drive using tools like FTK Imager, EnCase, or dd.
■ Example: In a case involving alleged data theft from a company's Windows-based
computers, forensic investigators would use write-blocking devices to acquire forensic
images of the suspect's hard drives to preserve the original evidence.
 Evidence Acquisition
For Linux:
■ Acquisition from a Linux system can be done similarly to Windows, creating a
forensic image of the hard drive or relevant partitions.
■ Example: In an investigation of a cyberattack on a Linux-based server, forensic experts
would use tools like dd or dc3dd to acquire a forensic image of the server's disk for
analysis.
For Email:
■ Evidence acquisition in email forensics involves obtaining copies of emails and
associated metadata from email servers, client applications, or cloud services.
■ Example: In a case involving email harassment, investigators may obtain a warrant to
collect email evidence from the suspect's email provider, capturing both the content
and metadata (e.g., sender, recipient, timestamps) for analysis.
 Evidence Acquisition
For Web:
🞑 Web evidence acquisition includes capturing web server logs, browser history, cache files,
and other artifacts related to web activity.
🞑 Example: In an investigation of an online fraud scheme, forensic analysts would collect
web server logs from the targeted website to trace the activities of the perpetrators, such
as IP addresses accessing the site, pages visited, and actions taken.
For Malware:
🞑 Acquiring evidence related to malware involves capturing samples of malicious files,
memory dumps, network traffic, and system logs.
🞑 Example: In a malware infection investigation, forensic investigators would use
specialized tools to acquire memory dumps, capture network traffic, and extract malware
samples from infected systems for analysis and identification.
 Evidence Analysis
Evidence Analysis:
◻ Definition: Evidence analysis involves examining and interpreting the collected
digital evidence to identify relevant information, patterns, and anomalies.
◻ Example:
For Windows:
■ Analysis of Windows evidence may include examining file system artifacts,
registry entries, event logs, and user activity to reconstruct events and identify
potential evidence of wrongdoing.
■ Example: Analyzing Windows event logs may reveal suspicious login
attempts, privilege escalation activities, or unauthorized software installations
linked to a security breach.
 Evidence Analysis
For Linux:
🞑 Linux evidence analysis involves scrutinizing file system structures, system logs,
shell history, and user account activities to uncover evidence of unauthorized access
or malicious activities.
🞑 Example: Analyzing Linux shell history files may reveal commands executed by an
intruder, providing insights into their actions and intentions during a system
compromise.
For Email:
🞑 Email evidence analysis entails examining email content, headers, attachments, and
metadata to identify relevant communications, relationships, and timelines.
🞑 Example: Analyzing email headers may reveal the source IP addresses, routing
information, and timestamps, helping investigators trace the origins of phishing
emails or identify email spoofing attempts.
 Evidence Analysis
For Web:
🞑 Web evidence analysis involves parsing web server logs, browser artifacts, cookies,
and session data to reconstruct user interactions, website access patterns, and online
activities.
🞑 Example: Analyzing web server logs may uncover patterns of suspicious HTTP
requests, such as SQL injection attempts, directory traversal attacks, or attempts to
upload malicious files.
For Malware:
🞑 Malware analysis encompasses static and dynamic analysis techniques to understand
the behavior, functionality, and impact of malicious software on affected systems.
🞑 Example: Dynamic analysis of malware involves executing it in a controlled
environment (e.g., sandbox) to observe its behavior, network communications, and
system modifications, enabling analysts to identify its capabilities and intent.
 Evidence Examination
Evidence Examination:
◻ Definition: Evidence examination involves reviewing, validating, and documenting
findings from the analysis to support investigative conclusions and legal
proceedings.
◻ Example:
For Windows:
■ Examination of Windows evidence may involve generating forensic reports,
timelines, and summaries to document key findings and present them as
evidence in court.
■ Example: Producing a forensic report detailing the timeline of events, user
activities, and file accesses can help corroborate witness testimonies and
support legal arguments in a criminal trial.
 Evidence Examination
For Linux:
● Linux evidence examination includes documenting findings, generating forensic
artifacts, and preparing expert witness testimonies to present technical evidence in
legal proceedings.
● Example: Providing expert testimony on Linux system logs, file system structures, and
network traffic analysis can help clarify complex technical concepts and assist the
court in understanding the significance of digital evidence.
For Email:
● Examination of email evidence involves validating the authenticity of emails,
preserving metadata integrity, and preparing email chains or excerpts for presentation
in court.
● Example: Presenting authenticated email evidence with preserved metadata, such as
email headers and timestamps, can strengthen the credibility of electronic
communications and support legal arguments in civil litigation or criminal trials.
 Evidence Examination
For Web:
🞑 Web evidence examination includes preparing visual aids, logs summaries, and data
visualizations to illustrate key findings and facilitate understanding by legal stakeholders.
🞑 Example: Creating graphical representations of web access patterns, user sessions, and IP
geolocation data can help elucidate complex technical evidence and enhance jury
comprehension in a cybercrime trial.
For Malware:
🞑 Examination of malware evidence involves documenting malware characteristics,
behavior analysis results, and mitigation recommendations to support incident response
efforts and legal actions.
🞑 Example: Providing expert testimony on malware analysis findings, including indicators
of compromise (IOCs), mitigation strategies, and potential attribution information, can
assist prosecutors in building a case against cybercriminals and malware authors.
 Challenges in Computer Forensics
Computer forensics involves the identification, collection, preservation, analysis, and presentation of digital evidence in a
manner that is legally acceptable. It plays a vital role in criminal investigations, cybersecurity, and civil disputes. However,
several challenges complicate the process:

● Data Volatility: Digital evidence can be easily altered or destroyed. For example, data stored in volatile memory (RAM)
can disappear when the system is turned off or rebooted. This makes it critical to acquire data quickly while maintaining
its integrity.
● Encryption and Password Protection: Many devices and files are encrypted or password-protected, which can prevent
investigators from accessing the data without proper authorization. Cracking encryption or bypassing passwords can be
time-consuming, technically difficult, and legally problematic.
● Large Volume of Data: Modern devices often store vast amounts of data, including emails, documents, photos, videos,
and logs. Identifying relevant evidence from this data can be overwhelming, especially with the increasing use of cloud
storage.
● Data Fragmentation: Files are often fragmented across a storage device, meaning that parts of a single file can be
stored in different locations. Reconstructing these files can be difficult, especially if parts of the file are overwritten or
corrupted.
● Cloud Computing: The growing use of cloud-based services means that data may not be stored locally, making it harder
to obtain and examine. Jurisdictional issues also arise when data is stored in multiple countries, each with different legal
frameworks.
 Challenges in Computer Forensics
● Anti-Forensic Techniques: Cybercriminals often use anti-forensic tools and techniques to hide or destroy evidence.
These methods may include wiping data, altering timestamps, or using software to make files undetectable.
● Diverse Operating Systems and File Formats: Different operating systems (Windows, macOS, Linux) and
file formats make it challenging to create universal forensic methods and tools. Each system has its own way of
organizing data, and investigators must be familiar with these nuances to extract relevant information.
● Emerging Technologies: The rapid evolution of technology, such as virtual and augmented reality, Internet of
Things (IoT) devices, and AI-based applications, presents new challenges in terms of forensics. These
technologies often generate new forms of digital evidence that traditional forensics may not yet be equipped to
handle. Detecting AI-generated deepfakes, tracing AI-driven cyberattacks, and addressing AI’s ethical impact
on digital evidence are future challenges for forensic experts. IoT devices, from smart home appliances to
wearables, generate abundant investigative data. Extracting and analyzing data across diverse IoT devices, each
with its unique OS and format, demands specialized skills and tools.
● Time Constraints: In criminal cases, there may be tight timelines for investigating and presenting digital
evidence. Time pressure can lead to mistakes, especially if investigators are not adequately trained or lack the
resources to process large amounts of data efficiently.
 Tools used in Computer Forensics
In computer forensics, various tools are employed to help investigators recover, analyze, and present digital evidence in a legally
acceptable manner. These tools cover different aspects of forensics, such as disk imaging, data recovery, file analysis, and network
traffic examination. Here are some commonly used tools in computer forensics:
◻ Forensic Imaging Tools: Forensic imaging tools are essential in computer forensics as they allow investigators to create exact, bit-for-
bit copies (images) of digital storage devices such as hard drives, SSDs, flash drives, and other storage media. These tools are crucial
because they ensure the integrity of the original evidence is maintained, allowing investigators to work on the image rather than the
original device. The imaging process captures all data, including deleted files, unallocated space.
1. FTK Imager

● Purpose: Forensic disk imaging and analysis.

● Features: FTK Imager is a powerful tool that allows investigators to create forensic images of hard drives, memory devices, and other
storage media. It can also generate hash values (MD5, SHA1) to verify the integrity of the image and perform file recovery.
● Use Cases: Widely used for creating bit-for-bit copies of devices and verifying the integrity of the copied data.

2. EnCase Forensic

● Purpose: Comprehensive digital forensics tool with imaging capabilities.

● Features: EnCase Forensic is one of the most well-known tools in computer forensics. It can acquire disk images, including network
drives and cloud-based data. EnCase also ensures the integrity of the data by generating hash values for every image created.
● Use Cases: Used by law enforcement and private investigators for creating evidence images, searching for digital evidence, and
preparing reports for court.and hidden files, preserving everything for further analysis.
 Tools used in Computer Forensics
Data Recovery Tools are software programs designed to help recover lost, deleted, or corrupted data from storage
devices such as hard drives, solid-state drives (SSDs), USB drives, memory cards, and other media. These tools are
crucial in digital forensics, where investigators might need to retrieve data from devices that have been intentionally
deleted, formatted, or damaged. They are also useful in cases of system failure or accidental file deletion.

1. Recuva
● Purpose: Data recovery for Windows systems.
● Features: Recuva is a popular, easy-to-use tool that helps recover deleted files from hard drives, memory cards,
USB drives, and even from formatted disks. It can recover a variety of file types, including documents, images,
audio files, and videos.
● Use Cases: Recuva is commonly used by individuals or small businesses to recover accidentally deleted files or
recover files from corrupted storage devices.
● Key Features:
○ Recover deleted files from hard drives, memory cards, and other media.
○ Supports deep scanning for difficult-to-recover files.
○ Offers secure overwrite feature to permanently delete files.
 Tools used in Computer Forensics
2. EaseUS Data Recovery Wizard

● Purpose: User-friendly data recovery solution.

● Features: EaseUS Data Recovery Wizard is an intuitive tool that helps users recover lost files from hard drives,
memory cards, external drives, and more. It’s designed to be beginner-friendly with a simple interface, yet it’s
powerful enough for more advanced data recovery tasks.
● Use Cases: This tool is suitable for home users, small businesses, or IT professionals looking for a straightforward
solution to recover files that were accidentally deleted or lost due to system errors.
● Key Features:
○ Recovers lost data due to deletion, formatting, virus attacks, and system crashes.
○ Can recover from external devices, network drives, and damaged partitions.
○ Offers both quick and deep scan modes for different recovery situations.
 Tools used in Computer Forensics
File Analysis Tools are software applications designed to examine, analyze, and interpret files, their structures, and contents in a
detailed, forensically sound manner. These tools are critical in digital forensics, where investigators need to understand how files
are structured, detect hidden or malicious data, or identify file artifacts that could be important evidence in legal investigations.

File analysis tools are used to perform tasks like file signature verification, metadata extraction, identifying file system anomalies,
and identifying the presence of hidden or deleted data.

1. Autopsy
● Purpose: Open-source digital forensics platform.
● Features: Autopsy is an open-source tool used for analyzing disk images, file systems, and other types of digital evidence. It
provides various modules for analyzing files and directories, extracting metadata, detecting hidden or deleted files, and
performing keyword searches on large datasets.
● Use Cases: Frequently used by forensic investigators to analyze hard drives, mobile devices, and storage media to uncover
evidence of criminal activity or misconduct.
● Key Features:
○ File analysis and metadata extraction.
○ Detects deleted and hidden files using file carving techniques.
○ Built-in modules for timeline analysis, keyword searching, and hash analysis.
○ Supports analysis of FAT, NTFS, HFS+, and other file systems.
 Tools used in Computer Forensics
2. FileAlyzer

● Purpose: A file analysis tool for Windows.

● Features: FileAlyzer provides a detailed breakdown of file headers, metadata, and content, and can also
perform a basic file signature analysis. It is used to determine file types, inspect file structures, and uncover
hidden content or metadata in files.
● Use Cases: Often used in forensic investigations to analyze files that are suspected of containing hidden
data or to identify files with unusual structures.
● Key Features:
○ Displays file headers, metadata, and content in a readable format.
○ Can detect hidden or embedded data in files.
○ Allows analysis of file signatures to identify file formats.
 Tools used in Computer Forensics
Memory Forensics Tools are specialized software used to analyze the contents of a computer's memory (RAM) to uncover crucial
evidence that may not be found on disk drives or other storage media. Memory forensics is an essential aspect of digital forensics
because volatile memory can contain valuable information, such as running processes, encryption keys, passwords, network
connections, and artifacts of malicious activity, which can be erased from a system’s hard drive once the system is powered off or
rebooted.

1. Volatility Framework
● Purpose: A widely used open-source tool for memory forensics.
● Features: Volatility is a powerful and flexible framework for memory analysis. It supports analyzing memory dumps from a
variety of operating systems, including Windows, Linux, macOS, and more. Volatility can extract detailed information about
running processes, network connections, loaded kernel modules, DLLs, and much more from a system’s memory image.
● Use Cases: Volatility is commonly used in digital forensics to investigate memory dumps from live systems or compromised
devices, uncovering malware, tracking user activity, or understanding the system's state at a given point in time.
● Key Features:
○ Supports Windows, Linux, macOS, and Android memory dumps.
○ Can extract information about running processes, open network connections, loaded modules, and registry keys (for
Windows).
○ Capable of detecting rootkits, hidden processes, and other types of malicious activity.
○ Offers plugins for advanced analysis (e.g., timeline creation, file and registry analysis).
 Tools used in Computer Forensics
2. Rekall

● Purpose: A comprehensive open-source memory analysis tool.

● Features: Rekall is another open-source memory forensics framework that provides similar functionalities to
Volatility but with a focus on simplicity and automation. Rekall supports analysis of Windows, Linux, and macOS
memory dumps. It’s known for its ability to run quickly and its powerful set of commands for memory analysis.
● Use Cases: Rekall is useful for analyzing memory dumps in cases of suspected malware infections, unauthorized
access, or abnormal system activity.
● Key Features:
○ Works on Windows, Linux, and macOS memory dumps.
○ Automates memory analysis, reducing the complexity for users.
○ Includes a wide range of analysis plugins for process extraction, network activity, and malware analysis.
○ Supports the analysis of process memory, file system activity, and kernel-mode memory.