Introduction to digital forensics

Digital forensics involves the preservation, identification, extraction, and documentation of digital evidence for legal purposes, evolving from its origins in the late 1970s to address challenges posed by modern technology. Key developments include the establishment of standardized protocols, the rise of mobile and cloud forensics, and the integration of AI and big data analytics. Despite its advantages in securing evidence and combating cybercrime, digital forensics faces challenges such as data integrity, technological changes, and the need for specialized knowledge.

Uploaded by Anuradha Jadiya

Module 2

Introduction to Digital Forensics


Introduction to digital forensics
● Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence that can be used in a court of law.
● It is the science of finding evidence on digital media such as a computer, mobile phone, server, or network. It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.
History of Digital Forensics
1970s-1980s: The Early Days
The roots of digital forensics can be traced back to the late 1970s, when personal computers started becoming more common. Law enforcement agencies began recognizing the potential for computers to be used in criminal activities. However, at this stage there were no standardized procedures for handling digital evidence.
1980s-1990s: Emergence of Computer Forensics
As computer use exploded in the 1980s and early 1990s, so did computer-related crimes. This period saw the birth of computer forensics as a distinct field. Key developments included:
● The FBI's Magnetic Media Program in 1984
● The first Computer Analysis and Response Team (CART)
● Development of early forensic software tools

During this time, forensic techniques primarily focused on data recovery and file system analysis.
Late 1990s-Early 2000s: Standardization and Growth
● Establishment of organizations like the International Organization on Computer Evidence (IOCE) in 1995
● Release of the first standardized protocols for digital forensics
● Expansion beyond just computers to include mobile devices and networks
● Integration of digital forensics into broader cybersecurity practices

2000s-2010s: The Mobile and Cloud Era
The proliferation of smartphones and cloud computing brought new challenges and opportunities:
● Development of specialized tools for mobile device forensics
● Emergence of cloud forensics to deal with distributed and virtualized systems
● Increased focus on live forensics and memory analysis
2010s-Present: Big Data and AI
Recent years have seen digital forensics evolve to handle massive datasets and leverage artificial
intelligence:
● Use of big data analytics to process large volumes of digital evidence
● Application of machine learning for pattern recognition and anomaly detection
● Advancements in handling encrypted data and cryptocurrencies
● Increased focus on IoT device forensics
Future Trends
As technology continues to advance, digital forensics will need to evolve further. Some areas
likely to see growth include:
● Quantum computing forensics
● AI-powered autonomous forensic tools
● Advanced techniques for analyzing data from emerging technologies like augmented
reality and brain-computer interfaces
Important landmarks in the history of digital forensics:
● Hans Gross (1847-1915): First to apply scientific study to criminal investigations
● FBI (1932): Set up a lab to offer forensic services to all field agents and other law authorities across the USA.
● In 1978 the first computer crime was recognized in the Florida Computer Crime Act.
● Francis Galton (1982 – 1911): Conducted the first recorded study of fingerprints
● In 1992, the term "computer forensics" was used in academic literature.
● In 1995, the International Organization on Computer Evidence (IOCE) was formed.
● In 2000, the first FBI Regional Computer Forensic Laboratory was established.
● In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about digital forensics, called "Best Practices for Computer Forensics".
● In 2010, Simson Garfinkel identified issues facing digital investigations.
Objectives of digital forensics
● Evidence for court: It recovers, analyzes, and preserves digital and forensic evidence to help the department's investigation present the evidence in court.
● Identifying the culprit.
● Legal procedures: To ensure the evidence found at a suspected crime scene is uncorrupted, and to design the methods for collecting and preserving the evidence.
● Data redundancy: Recover deleted files and separate them from the digital media in order to validate them.
● To find the evidence instantly.
● Storing the evidence or proofs according to legal custody procedures so that it is accepted in a court of law.
Flow of Legal Process
CTIN (Computer Technology Investigators Network) has established three levels of law enforcement expertise:
● Level 1—Acquiring and seizing digital evidence, normally performed by a police officer on the scene.
● Level 2—Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can't be retrieved from digital evidence. The assigned detectives usually handle the case.
● Level 3—Specialist training in retrieving digital evidence, normally conducted by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator.
Process of digital forensics
Digital forensics entails the following steps:
Stage 1: Identification
● The first step in a digital forensics investigation involves identifying all devices and resources that might hold relevant data.
● This includes organizational devices such as desktops, laptops, servers, and network systems, as well as personal devices including smartphones, tablets, and external storage media. Each identified device is then carefully seized and isolated to prevent any possibility of data tampering.
● In cases where data resides on servers or in cloud storage, strict access controls are implemented to ensure that only the authorized investigative team can access the data, thereby maintaining its integrity and security.
Stage 2: Extraction and Preservation
● Once the devices involved in the investigation have been secured, the digital forensics investigator uses specialized forensic techniques to extract all potentially relevant data. This process involves creating a "forensic image," which is an exact bit-by-bit digital copy of the original data.
● The forensic image is then used for in-depth analysis, ensuring the original data remains untouched and stored securely in a safe location. This meticulous approach safeguards the integrity of the evidence, even if the investigation encounters unforeseen issues, preventing any tampering or data loss.
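Creating and verifying a forensic image as described in Stage 2, as an added example that is not part of the original slides: it copies a source device block by block, hashes source and image with SHA-256, records both digests in a minimal chain-of-custody entry, and shows that re-hashing later detects a single modified byte, which is the "prove the data is unaltered" problem raised under Challenges and Disadvantages. The sample device is a constructed 1 MiB file and the examiner name is a placeholder.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks: copy and hash a large device without holding it in memory

def image_and_hash(src_path, dst_path):
    """Copy src_path to dst_path block by block, hashing the source as it is read, then
    re-read the finished image from disk and hash it independently. Returns both digests."""
    src_h, img_h = hashlib.sha256(), hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_h.update(block)
            dst.write(block)
    with open(dst_path, "rb") as img:  # verify what actually landed on disk, not the write path
        for block in iter(lambda: img.read(CHUNK), b""):
            img_h.update(block)
    return src_h.hexdigest(), img_h.hexdigest()

def verify_image(image_path, expected_sha256):
    """Re-hash an image (e.g. before each analysis session) and compare with the recorded digest."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256

def custody_record(source, image, src_hash, img_hash, examiner):
    """Minimal chain-of-custody entry; a real record is also signed and witnessed."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image, "examiner": examiner,
        "source_sha256": src_hash, "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }

def demo():
    """Image a constructed 1 MiB sample 'device', verify the image, then show that a single
    changed byte is detected. Returns (record verified, ok before tampering, ok after)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample_device.bin")
    img = os.path.join(work, "sample_device.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # constructed sample data, not a real disk
    src_hash, img_hash = image_and_hash(src, img)
    record = custody_record(src, img, src_hash, img_hash, "examiner-placeholder")
    ok_before = verify_image(img, src_hash)
    with open(img, "r+b") as f:  # simulate tampering: overwrite one byte of the image
        f.seek(1000); f.write(b"\x00")
    return record["verified"], ok_before, verify_image(img, src_hash)
```

In practice the source hash is taken with a write blocker in place, and the digests are re-checked every time the image changes hands.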
Stage 3: Analysis
● After securing and duplicating the data, digital forensic investigators employ a variety of advanced techniques to meticulously analyze the extracted data for evidence of wrongdoing. This process includes:
○ Reverse Steganography: Extracting hidden data by examining the underlying hash or character string of an image or other data items.
○ File or Data Carving: Identifying and recovering deleted files by locating and reconstructing file fragments.
○ Keyword Searches: Using specific keywords to locate and analyze relevant information, including deleted data.
● Investigators also use other sophisticated methods to uncover, piece together, and interpret evidence, ensuring a thorough examination of all potential digital clues. This comprehensive analysis helps build a clear and detailed understanding of the activities in question.
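File carving and keyword search as described in Stage 3, as an added example that is not part of the original slides: it scans a raw dump for JPEG and PNG header/footer signatures without consulting any file system (which is why it also recovers files whose directory entries were deleted), skips a header whose footer was overwritten, and reports keyword offsets from unallocated space. The dump is constructed inline and the file bodies are placeholders, not valid images.

```python
import re

# Header and footer magic bytes for two common image formats (real values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(raw, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (type, offset, data) for every header whose footer follows within max_size bytes.
    Only bytes are examined, never file-system metadata, so deleted files are found as long as
    their blocks have not been overwritten; a header with no footer in range is skipped."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (h := raw.find(header, pos)) >= 0:
            f = raw.find(footer, h + len(header), h + max_size)
            if f < 0:               # tail overwritten or truncated: not recoverable this way
                pos = h + 1
                continue
            end = f + len(footer)
            found.append((kind, h, raw[h:end]))
            pos = end
    return sorted(found, key=lambda t: t[1])

def keyword_hits(raw, keywords):
    """Offsets of each keyword anywhere in the dump, including slack and unallocated space."""
    return {k: [m.start() for m in re.finditer(re.escape(k), raw)] for k in keywords}

def build_sample_dump():
    """Constructed 'unallocated space': filler, a tiny JPEG-like file, a text note left by a
    deleted document, a PNG-like file, and a JPEG header whose body was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD-CONSTRUCTED" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-CONSTRUCTED" + b"IEND\xaeB`\x82"
    note = b"memo: project falcon budget approved"
    return (b"\x00" * 512 + jpg + b"\x00" * 64 + note + b"\x00" * 128 + png
            + b"\xff\xd8\xff\xe1TRUNCATED")
```

Real carvers also validate the recovered bytes (for instance by parsing the PNG chunk structure) so that a stray footer inside another file does not produce a false hit.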
Stage 4: Documentation
● After completing the analysis, computer forensics investigators meticulously document their findings to provide a clear and comprehensive overview of the entire investigative process and its results.
● This documentation includes detailed reports, logs, and visual aids such as charts and timelines, which highlight critical activities involved in the wrongdoing.
● Proper documentation ensures that each step of the investigation is recorded accurately, facilitating the reconstruction of events and the presentation of evidence in legal proceedings. This thorough approach significantly enhances the credibility and reliability of the investigation.
Stage 5: Presentation
● Upon completing the investigation, the findings are compiled and presented to the appropriate court, board, or group responsible for deciding the outcome of an allegation. Digital forensic investigators frequently function as expert witnesses, summarizing the evidence they have uncovered and explaining their analysis and conclusions.
● They prepare comprehensive reports and visual aids to illustrate the findings clearly and effectively, ensuring that all relevant evidence is communicated in an understandable and persuasive manner, thereby supporting the judicial or administrative decision-making process.
Types of digital forensics
Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted files.
Network Forensics:
It is a sub-branch of digital forensics. It is related to the monitoring and analysis of computer network traffic to collect important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed to collect and analyze data from wireless network traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their related metadata.
Malware Forensics:
This branch deals with the identification of malicious code and the study of its payload: viruses, worms, etc.

Email Forensics:
Deals with the recovery and analysis of emails, including deleted emails, calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving the data from the raw dump.
Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.
Uses of Digital Forensics
● Intellectual property theft
● Industrial espionage
● Employment disputes
● Fraud investigations
● Inappropriate use of the Internet and email in the workplace
● Forgery-related matters
● Bankruptcy investigations
● Issues concerning regulatory compliance
Challenges faced by digital forensics
● The increase in PCs and the extensive use of Internet access
● Easy availability of hacking tools
● Lack of physical evidence makes prosecution difficult.
● The large amount of storage space, running into terabytes, makes the investigation job difficult.
● Any technological change requires an upgrade or change to solutions.
● A huge amount of data is stored in a computer, but only a certain amount of it forms valid evidence. If the forensic professional does not know where to find it, locating it may take a lot of time.
● Information may have been deleted, in which case searching is worthless.
● If files are secured with a password, investigators must find a way to read the data without it.
● Data may be stored on a damaged device.
● Protecting data from modification: it is very tedious to prove that the data under examination is unaltered.
● Each and every case is different, so identifying tools and techniques takes time.
To simplify the investigation process:
1. A common procedure for investigation and standard techniques for collecting and preserving digital evidence are desired.
2. Data can be used in the investigation as a usage profile, a chronological timeline of activity, Internet usage, etc.
3. User evidence can be found in home directories and folders, the registry, file properties, etc.
Advantages of Digital Forensics
● To ensure the integrity of the computer system.
● To produce evidence in court, which can lead to the punishment of the culprit.
● It helps companies capture important information if their computer systems or networks are compromised.
● Efficiently tracks down cyber criminals from anywhere in the world.
● Helps to protect the organization's money and valuable time.
● Allows investigators to extract, process, and interpret factual evidence, so that the cybercriminal's actions can be proved in court.
Disadvantages of Digital Forensics
● Digital evidence is accepted in court; however, it must be proved that there has been no tampering.
● Producing electronic records and storing them is an extremely costly affair.
● Legal practitioners must have extensive computer knowledge.
● There is a need to produce authentic and convincing evidence.
● If the tool used for digital forensics does not meet the specified standards, the evidence can be rejected by the court.
● Lack of technical knowledge on the part of the investigating officer might not give the desired result.
