Cyber Security Unit 4
Cyber Security Unit 4
The forensic team will start by looking at the company’s network logs
and any suspicious activity on the servers.
They might find that the hacker exploited a vulnerability in the
company’s website (like an outdated software version).
By analyzing files and logs, they trace the hacker's activities—finding out
when they accessed the system, what they stole, and if they left any
malware behind.
Finally, the forensic experts preserve all the evidence (data, logs, and
malware) to build a case for law enforcement.
1|Page
How is it done? Experts carefully copy the data without altering anything on
the original device. The goal is to ensure that the evidence remains intact.
Example: Suppose a hacker breaks into a company's network and steals
customer data. The forensic team will collect all the data from the affected
servers, computers, and even network logs to find out what happened.
Real-Life Example: A company gets hacked, and sensitive customer data is
stolen. Forensic experts might collect logs from the company’s firewalls and
network routers to find out when the hacker first accessed the system, what they
took, and how they did it.
2. Data Analysis: After collecting the data, the next step is to analyze it.
Forensic experts look for clues, hidden files, and traces of the intruder’s
actions. This can involve looking at deleted files, logs, or patterns that
show how the crime occurred.
How is it done? Experts use special tools and software to dig deep into the
collected data. They search for any signs of malware, unusual behavior, or
files that could have been altered or deleted.
Example: If a hacker used a malware to steal bank account information,
forensic experts will analyze the files and logs to find out which device was
infected and how the hacker moved through the system.
Real-Life Example: In a case of a data breach at a financial institution, forensic
experts would examine system logs to track the movements of the hacker. They
might find that the hacker entered through an outdated software vulnerability,
and from there, they could map out every step the hacker took in stealing
sensitive information.
3. Data Preservation: Preservation ensures that the digital evidence is kept
safe and unaltered for future investigation or legal proceedings. This step
is vital because digital data can be easily modified or destroyed.
How is it done? The original data is never altered. Instead, experts create exact
copies (called "forensic images") of the hard drives or servers, and then they
work with those copies. The original evidence is stored securely to ensure it can
be used in court or in further investigations.
Example: If a laptop is involved in a cybercrime, forensic experts will create an
exact copy of the hard drive before analyzing it. This way, the original data
stays safe and can be used later in court.
2|Page
Real-Life Example: In a case where someone is accused of hacking into a
government system, forensic experts will first create a duplicate of the suspect’s
computer hard drive to avoid altering any original data. Only the copy is
analyzed for any traces of illegal activity.
4. Reporting: Reporting is the final step, where forensic experts document
everything, they discovered, the methods they used, and the findings. The
report is crucial for presenting the evidence in a way that is
understandable to non-technical people, like lawyers, judges, or company
executives.
How is it done? Experts write a detailed report that includes how the data was
collected, preserved, and analyzed. The report also explains how the findings
relate to the crime or breach and what the evidence shows.
Example: After investigating a data breach at a company, the forensic team
might write a report explaining how the hacker gained access, what data was
stolen, and how it can be prevented in the future.
Real-Life Example: After an investigation into a cybercrime, such as an
employee stealing company secrets, forensic experts will prepare a detailed
report. The report will explain the evidence found, like emails, files, or data
logs, and how it proves the employee's involvement in the crime. This report
may be presented in court as evidence.
3|Page
Key Aspects and Components of Digital Forensic Science:
1. Object and Purpose:
Object: The object of digital forensics is to find, preserve, and analyze data
from digital devices or systems.
Purpose: The purpose is to uncover digital evidence that can be used to
understand what happened during a crime, who was involved, and what damage
was done. It is also used to help law enforcement or organizations take action
based on the findings.
Example: If someone is accused of cyberbullying, digital forensics can help
identify the messages, emails, or social media activity related to the harassment.
2. Digital Evidence Type: Digital evidence includes any data that can be
used in an investigation. Common types include:
Emails, messages, and chat logs: Can show conversations, threats, or
suspicious activities.
Files and documents: Can be recovered from devices, showing important data
or evidence.
Web history and browsing logs: Can show what websites someone visited and
when.
System logs and metadata: Can show when a file was accessed or modified.
Images or videos: Can serve as evidence of crimes or activities.
Example: In a fraud case, emails, bank transaction records, and logs from a
financial system can be used as digital evidence.
3. Forensic Process: The forensic process consists of the following steps:
Identification: Find which devices or data might contain evidence.
Collection: Gather data without altering it.
Preservation: Safeguard the evidence to avoid tampering or loss.
Examination: Analyze the data to find relevant information.
Analysis: Interpret the findings to understand how the crime occurred.
Presentation: Document the findings and present them in a clear,
understandable way.
4|Page
Example: If an employee is suspected of leaking company secrets, the forensic
team would first identify their work computer, collect files and emails, preserve
data from the system, and then analyze the data for signs of illegal activities.
4. Techniques and Tools: Forensic experts use a variety of techniques and
tools to collect and analyze digital evidence. Some common tools
include:
Data imaging software (e.g., FTK Imager): To make exact copies of digital
data without altering it.
File recovery tools (e.g., Recuva, EnCase): To recover deleted files or data
from damaged systems.
Analysis software (e.g., Autopsy, X1 Search): To look for specific data,
patterns, or behaviors on a device.
Password-cracking tools (e.g., John the Ripper, Hashcat): To unlock encrypted
files or accounts.
Example: A forensic investigator might use specialized tools to recover deleted
emails from a suspect’s phone and analyze them for evidence of criminal intent.
5. Forensic Principles:
Admissibility: The evidence must be collected, preserved, and analyzed in a
way that it can be used in court. It must meet legal standards to be accepted as
evidence.
Integrity: The evidence must remain unchanged and protected from tampering
throughout the process.
Chain of Custody: Proper documentation and tracking of who handles the
evidence at every step to avoid questions of its authenticity in court.
Example: If a phone is seized as evidence, the investigator must document
every person who touches or handles the phone to ensure its integrity is
maintained.
6. Skills and Expertise:
Technical Skills: Forensic experts need to understand digital systems and be
familiar with various devices, operating systems, and software.
Analytical Skills: They must be able to analyze data, identify patterns, and
interpret findings to make sense of what happened.
5|Page
Legal Knowledge: They need to understand the legal aspects of evidence
collection, privacy laws, and how to handle evidence to ensure it is admissible
in court.
Attention to Detail: Since small digital traces can be important, forensic
experts must have a sharp eye for detail.
Example: A forensic expert analyzing a computer involved in a cybercrime
needs to know how to recover hidden files, understand the context of the
evidence, and present the findings clearly to the police or in court.
6|Page
3. Intellectual Property Theft:
Why it's important: Intellectual property (IP) theft involves stealing
valuable company data, patents, designs, or ideas. Computer forensics
helps track down the thief and recover stolen IP.
Example: If an employee steals confidential company documents or
trade secrets, forensic experts can trace the digital trail, find the thief, and
recover the stolen data.
4. Employee Misconduct:
Why it's important: Employees may misuse company resources for
personal activities or engage in illegal activities, such as fraud or
harassment. Computer forensics helps uncover these actions by
examining their work devices.
Example: If an employee is suspected of using company computers to
conduct personal business or steal sensitive data, forensic experts can
investigate the employee’s computer or emails to find evidence of
wrongdoing.
5. National Security:
Why it's important: Cyber attacks and online espionage can threaten
national security. Computer forensics is used to track down
cybercriminals or hackers who target government systems, organizations,
or infrastructure.
Example: If a foreign nation attempts to hack into a country's
government system, forensic experts can examine the attack's digital
footprint to identify the hacker and prevent further attacks.
6. Risk Management and Prevention:
Why it's important: Companies and organizations can use computer
forensics to identify weaknesses in their digital systems and prevent
future cyberattacks. By investigating past incidents, they can improve
their security measures and reduce risks.
Example: After a data breach, forensic experts analyze how the attackers
got in, what data was compromised, and what security measures need to
be strengthened to prevent similar attacks in the future.
7|Page
COMPUTER FORENSICS SERVICE-: Computer forensics service in
cybersecurity refers to the process of investigating and analyzing digital
devices, such as computers, smartphones, servers, or networks, to
uncover evidence of cybercrimes or security incidents. These services are
crucial for identifying cyber threats, tracking down cybercriminals,
recovering lost data, and preventing future cyberattacks. In simple terms,
it's like a digital detective service that helps find out what went wrong
when there is a security breach or crime involving technology.
8|Page
Example: A company may accidentally delete important files, or a hacker may
destroy evidence. Forensic experts can recover those files, ensuring nothing is
lost.
3. Evidence Preservation: This service ensures that any digital evidence
found is safely preserved, without being tampered with or destroyed. This
is critical for legal proceedings because the evidence needs to be in its
original form.
How it helps: Digital evidence is fragile, and it’s important that experts create
copies and secure the original evidence. This ensures that the evidence can stand
up in court or be used in further investigations.
Example: If a computer is involved in a crime, the forensic team makes an
exact copy of the hard drive to analyze, ensuring that the original drive remains
untouched.
4. Forensic Analysis of Data: Forensic experts carefully analyze the data
they have collected from a device or system. This analysis helps uncover
important information such as what happened during a cyberattack, how
the attacker got in, what actions they took, and who was involved.
How it helps: Through forensic analysis, experts can trace the steps of the
hacker, find out what files were accessed or stolen, and gather crucial evidence
for law enforcement or internal investigations.
Example: If a company suspects an employee is involved in a data breach,
forensic analysis can reveal the employee's activity, showing which files, they
accessed and whether they transferred any sensitive data.
5. Cybercrime Investigations: Computer forensics services are used to
investigate cybercrimes like hacking, identity theft, online fraud, and
more. Experts collect digital evidence from various devices to identify the
criminals involved.
How it helps: When a cybercrime occurs, forensic services help law
enforcement track the criminal’s digital footprints, locate their identity, and
gather proof to support the case.
Example: If someone uses stolen credit card information to make fraudulent
purchases online, forensic experts can trace the hacker's IP address, examine
transaction logs, and gather evidence that leads to their identification.
9|Page
6. Preventive Cybersecurity Measures: Some computer forensics services
also help organizations improve their cybersecurity to prevent future
attacks. By identifying security weaknesses during an investigation,
experts can suggest better protective measures.
How it helps: After investigating a breach, forensic experts can recommend
ways to strengthen firewalls, update software, improve encryption, and take
other actions to prevent similar incidents in the future.
Example: After a ransomware attack, forensic experts might recommend
improving the company’s backup procedures or updating security protocols to
avoid future attacks.
1. Disk Forensics: Disk forensics is the analysis of data stored on hard drives,
SSDs, or any other storage media, such as external drives or USBs. It involves
recovering deleted files, analyzing file systems, and identifying suspicious
activities or data tampering.
How it helps: This type of forensics is used to investigate what happened on a
computer, what files were accessed or deleted, and whether any malicious
activity took place.
Example: If an employee is suspected of stealing company data, disk forensics
can be used to recover deleted files and identify any illegal activity.
2. Network Forensics: Network forensics involves monitoring and analyzing
network traffic (data being sent and received over the internet or local networks)
to detect and investigate security breaches, such as hacking attempts, data leaks,
or malware infections.
How it helps: It allows experts to trace the path of a cybercriminal, identify the
source of an attack, and collect evidence of data breaches or unauthorized
network access.
Example: If a company’s network is attacked, network forensics can help trace
the hacker's IP address, identify how they accessed the system, and track any
stolen data.
3. Mobile Device Forensics: Mobile device forensics is the process of
recovering, analyzing, and preserving data from smartphones, tablets, or other
mobile devices. This can include call logs, messages, emails, GPS data, photos,
and app activity.
How it helps: Mobile device forensics is useful in investigating cases where
mobile phones are used for illegal activities like harassment, fraud, or even
location tracking during a crime.
Example: In a cyberbullying case, mobile device forensics could be used to
recover deleted messages or social media activity from a suspect’s phone to
provide evidence of harassment.
11 | P a g e
4. Email Forensics: Email forensics involves analyzing email accounts to trace
the origin of malicious emails, recover deleted emails, and uncover any
fraudulent or illegal activities conducted via email. This is important for
investigating email-based crimes like phishing or spamming.
How it helps: Email forensics helps investigators find the sender, identify
forged or manipulated email content, and even track the chain of
communication leading to a cybercrime.
Example: In an email phishing scam, forensics can analyze the email headers to
trace the sender and determine how the scam was carried out.
5. Database Forensics: Database forensics is the examination of databases and
their associated systems. It’s used to recover deleted or altered data, trace who
accessed the data, and find out how it was manipulated or deleted.
How it helps: This type of forensics is crucial in investigations involving
sensitive business data, financial transactions, or unauthorized access to
databases.
Example: If someone manipulates financial data within a company’s database,
forensic experts can examine the database to find out what changes were made
and when, helping to identify the perpetrator.
6. Malware Forensics: Malware forensics involves the investigation and
analysis of malicious software (malware) that infects a computer or network. It
helps in identifying the type of malware, its impact, and how it spreads.
How it helps: Malware forensics is essential for understanding the nature of
cyberattacks, removing the malware from the system, and preventing future
attacks.
Example: If a computer is infected with ransomware, malware forensics can
help identify the type of ransomware, how it entered the system, and how to
recover from the attack.
7. Memory Forensics: Memory forensics focuses on analyzing a computer’s
RAM (Random Access Memory) to uncover traces of cybercriminal activity
that might not be stored on the hard drive. This can include running processes,
open files, and network connections.
How it helps: Memory forensics is useful when an attacker’s actions are hidden
in the system’s memory and not stored in traditional files or logs.
12 | P a g e
Example: If a hacker uses a memory-based attack (like injecting malicious
code), memory forensics can help detect the attack even if no files were left
behind.
8. Cloud Forensics:
What it is: Cloud forensics deals with the investigation of data and
activities in cloud computing environments (like Google Drive, Dropbox,
or other cloud storage services). It focuses on retrieving, preserving, and
analyzing cloud-based data for evidence.
How it helps: As more people store and share data on cloud platforms,
it’s essential to be able to investigate and recover cloud data in case of
data breaches or fraud.
Example: If an employee steals confidential company files stored on a
cloud server, cloud forensics can help track their actions, recover the
files, and determine how the breach occurred.
13 | P a g e
PROCESS OF DIGITAL FORENSICS-: Digital forensics is the
practice of investigating and analyzing digital devices (like computers,
phones, or networks) to gather evidence of cybercrimes or security
incidents. There’s a clear process to follow in digital forensics to ensure
that evidence is properly handled and the investigation is successful.
Here's a simple explanation of the process, step-by-step:
1. Identification: This is the first step where the forensic investigator identifies
the devices or digital items that could contain important evidence. These can be
computers, smartphones, hard drives, flash drives, or even cloud storage.
How it helps: Identifying the right devices helps focus the investigation on the
most relevant sources of data. The goal is to find all the digital evidence needed
for the case.
Example: If someone is suspected of hacking into a company’s network, the
first step would be to identify which computers, servers, or devices connected to
that network may have been used by the attacker.
2. Collection and Preservation: Once the devices are identified, the next step
is to collect and preserve the digital evidence. This is a critical step because
digital data can easily be altered or lost. Investigators create copies (or "forensic
images") of the data to prevent any changes to the original data.
How it helps: Collecting and preserving the evidence ensures that it remains
intact and can be used later in court. Experts make sure nothing is accidentally
altered during the process.
Example: If a suspect’s smartphone is part of the investigation, forensic experts
will make an exact copy of the phone’s data before analyzing it, ensuring the
original data remains unchanged.
3. Examination and Analysis: This step involves looking closely at the
collected data to find evidence and understand what happened during the crime
or security incident. Experts will search through files, logs, emails, and other
data for any signs of criminal activity or policy violations.
How it helps: This step allows forensic investigators to reconstruct what
happened during the incident, who was involved, and what data or systems were
affected.
Example: If an employee is suspected of leaking confidential company
information, forensic experts would examine the employee’s computer for email
records, document accesses, or file transfers to uncover evidence of the breach.
14 | P a g e
4. Documentation: During the investigation, it’s crucial to document
everything thoroughly. This includes recording every step of the process—how
the evidence was collected, the tools used for analysis, and the findings.
How it helps: Proper documentation ensures that all evidence is legally
admissible in court. It also helps track the investigative process and ensures
transparency.
Example: If a digital forensic expert is investigating a data breach, they will
document when and how they collected the data, what tools they used for
analysis, and what files were found during the investigation.
5. Presentation: The final step is presenting the findings to stakeholders, such
as law enforcement, company management, or even in court. This involves
clearly explaining the findings and showing how the evidence leads to the
conclusion.
How it helps: The findings need to be presented in a clear and understandable
way, especially in legal proceedings. Forensic experts often need to explain
technical details in a way that non-technical people (like jurors or managers)
can understand.
Example: If a cybercriminal is caught after stealing sensitive company data,
forensic experts might present their findings in court, explaining how they
traced the hacker’s actions using logs and data, and how they identified the
person responsible.
15 | P a g e
CYBER FORENSICS AND DIGITAL EVIDENCE-:
Cyber forensics is a field that focuses on investigating digital devices and
networks to find and analyze evidence related to cybercrimes or security
incidents. It is a part of the broader field of digital forensics, which looks at all
kinds of digital data, from computer files to mobile phones and even cloud
systems. Cyber forensics specifically deals with investigating incidents that
happen on the internet or within computer systems.
What is Digital Evidence?
Digital evidence refers to any information stored or transmitted in digital form
that can be used to prove something in an investigation. This could include
anything from files, emails, messages, photos, videos, logs, or even data traces
left by online activities.
16 | P a g e
How it helps: Digital evidence is crucial in proving what happened during a
cybercrime. For example, finding logs of unauthorized logins to a system can
show who accessed the system and when.
Example: In a fraud case, the digital evidence might include bank transaction
records, emails between the fraudster and the victim, or IP addresses showing
where the crime originated.
3. Types of Digital Evidence:
File Data: Includes documents, images, videos, or any kind of file that
can be stored on a computer or mobile device.
Example: If someone illegally copies a company's confidential documents,
these files can be used as evidence.
Network Data: Includes logs of internet activity, like server logs, IP
addresses, and timestamps that show when data was transferred or
accessed.
Example: If a hacker attacks a company, network logs can show the attacker's
IP address and trace the hacker's actions.
Email and Messaging Data: Emails or messages that can prove
communication during a crime.
Example: In an online scam case, emails between the scammer and the victim
can serve as digital evidence.
Metadata: Information that describes a file's characteristics, like when it
was created, modified, or accessed.
Example: In a case of file tampering, metadata can show if someone altered the
file after it was initially created.
Cloud Data: Data stored in online cloud services (like Google Drive or
Dropbox) that can also serve as evidence.
Example: If a person uses cloud storage to share illegal files, forensic experts
can access those files from the cloud to gather evidence.
4. Steps in Cyber Forensics:
1. Identification: This step involves identifying the devices or systems that
may contain important evidence, like computers, phones, servers, or
network logs.
17 | P a g e
Example: If a company suspects a data breach, investigators identify which
servers or computers may have been affected.
2. Collection and Preservation: In this stage, experts safely collect digital
evidence from the identified devices and preserve it to avoid any changes
or loss of information.
Example: If a hacker has stolen data, forensic experts will create copies of the
data to analyze it later without modifying the original information.
3. Analysis: This step involves carefully examining the digital evidence to
find out what happened, how it happened, and who was involved. Experts
analyze files, logs, emails, or anything that could provide clues.
Example: If someone is using stolen credit card information, experts might
analyze transaction logs to find out where the data was used and track the
criminal's actions.
4. Reporting: The final step is to document all the findings in a clear and
detailed report. This report can be used in court or to help an organization
improve its cybersecurity.
Example: After a cybercrime investigation, experts will prepare a report
explaining how the crime occurred, the evidence found, and how the criminal
was identified.
5. Challenges in Cyber Forensics:
Encrypted Data: Some criminals use encryption to hide their activities.
This can make it difficult for investigators to access the evidence.
Large Amounts of Data: With so much data available today, sorting
through everything to find the relevant evidence can be overwhelming.
Changing Technology: As technology advances, new devices and
systems are created, and cybercriminals develop new ways to hide their
tracks, which makes investigations harder.
6. Why is Cyber Forensics Important?
Solves Cybercrimes: It helps law enforcement track down criminals
involved in cybercrimes like hacking, fraud, and data theft.
Protects Businesses and Individuals: By finding out how a cyber-attack
happened, businesses can fix vulnerabilities and prevent future attacks.
Supports Legal Action: Digital evidence plays a crucial role in proving
someone’s guilt or innocence in cybercrime cases, making it essential for
justice.
18 | P a g e
FORENSICS ANALYSIS OF EMAIL-:
Email forensics involves examining email communications to uncover evidence
of cybercrimes or security incidents. It helps investigators track down the source
of malicious emails, recover deleted emails, and identify fraudulent activities
like phishing or spamming.
Example of Email Forensics:
Imagine a company is being targeted by a phishing attack. Employees are
receiving emails that appear to come from the company's CEO, asking for
sensitive information like bank account details. One of the employees becomes
suspicious and reports the email. Cybersecurity experts perform email forensics
to track down the source and understand how the attack occurred.
Step 1: Analyzing the Email Header
Forensic experts look at the email header, which contains metadata such as the
sender’s IP address, the path the email took to reach the recipient, and the mail
servers involved.
They discover that the email didn’t come from the company’s legitimate server
but from an external server that was spoofed to look like the CEO's address.
Step 2: Tracking the IP Address
Investigators use the IP address found in the header to trace the location of the
attacker. They find the location is from an unknown foreign IP, suggesting it’s a
targeted attack from an external hacker.
Step 3: Recovering Deleted Emails
By examining the company's email server and backup logs, the experts recover
deleted versions of similar phishing emails. These emails contain links to
fraudulent websites designed to steal employees' personal information.
Through this process, the forensics team can track the attack's origin,
understand the technique used, and provide evidence to prevent future attacks.
Overview of the Key Elements of Email Architecture:
In email forensics, understanding how emails are sent and received is important.
Here are the key components involved in the architecture of email
communication:
1. Mail User Agent (Email Client): This is the software or application used by
individuals to send, receive, and manage emails. Examples include Microsoft
Outlook, Gmail, or Apple Mail.
19 | P a g e
How it works: The email client connects to the email server to send or receive
messages. It allows users to compose, read, and organize emails.
Example: When you open Gmail on your phone, you are using the Mail User
Agent to send or receive emails.
2. Simple Mail Transfer Protocol (SMTP) Server: SMTP is the protocol used
to send emails from one server to another. SMTP servers handle the outgoing
emails from the sender’s email client and send them to the recipient's mail
server.
How it works: When you send an email, your email client connects to an
SMTP server to forward the email to the recipient's mail server.
Example: When you send an email from Gmail to someone with a Yahoo email
address, Gmail’s SMTP server sends the email to Yahoo’s mail server.
3. Mail Transfer Agent (MTA): An MTA is the software responsible for
routing and transferring emails between different mail servers using SMTP.
MTAs ensure that emails are properly delivered to the correct destination.
How it works: When an email is sent, the MTA looks at the email address and
determines which mail server should receive the email. It then forwards the
email to that server.
Example: Gmail's MTA will forward an email to Yahoo's MTA to be delivered
to a Yahoo inbox.
4. Mail Delivery Agent (MDA): An MDA is responsible for delivering
incoming emails to a recipient’s email inbox. After the MTA forwards the email
to the recipient's server, the MDA ensures the email is stored in the recipient's
inbox.
How it works: Once the email reaches the recipient’s mail server, the MDA
places it in the appropriate folder in the recipient’s mailbox.
Example: When your Yahoo mail receives an email, the MDA stores it in your
inbox.
5. Mail Server: A mail server is a computer system that receives, stores, and
sends emails. It acts as a central hub for sending and receiving emails for users
connected to it.
How it works: The mail server stores your incoming emails and sends outgoing
emails. It handles the connection between the MTA, MDA, and email clients.
20 | P a g e
Example: Gmail’s mail server stores all incoming and outgoing emails for
users with Gmail accounts.
6. Domain Name System (DNS): The DNS translates domain names (like
gmail.com or yahoo.com) into IP addresses. This helps email servers locate each
other over the internet.
How it works: When an email is sent, the DNS helps the sending server find
the recipient's mail server by translating the domain name into an IP address.
Example: When sending an email to john@example.com, DNS helps the
sending mail server find the IP address of example.com’s mail server.
7. Email Protocols: Email protocols are rules and standards that define how
email communication works. There are several key protocols involved in
sending and receiving emails:
SMTP (Simple Mail Transfer Protocol): Used for sending emails from
the client to the server.
POP3 (Post Office Protocol 3): Used for retrieving emails from a server
to a client, downloading them to be read offline.
IMAP (Internet Message Access Protocol): Used for accessing and
managing emails on a server without downloading them, allowing email
to be read from multiple devices.
How it works: Email clients and servers use these protocols to communicate
and deliver emails.
Example: If you use Gmail on your phone and on your computer, IMAP
ensures you can see the same emails on both devices.
22 | P a g e
Example: In a case of cyberbullying, investigators may analyze the
suspect’s social media and email accounts to uncover messages,
locations, and contacts that could serve as evidence.
Phase 5: Analysis, Interpretation, and Attribution
What it is: Once the evidence has been examined, investigators interpret
the findings and try to attribute them to a specific person or event. This
step involves piecing together the information to build a timeline of what
happened and how it fits into the crime.
How it works: The digital evidence is analyzed to draw conclusions,
such as who accessed the data, when it was accessed, and what actions
were taken. Investigators may also connect different pieces of evidence to
build a stronger case.
Example: If a hacker used a specific method to steal data, the
investigator might trace back the stolen data to the hacker’s IP address or
uncover how they bypassed security measures.
Phase 6: Reporting
What it is: The final phase is creating a report that summarizes the
findings of the investigation. This report is often used for legal or
corporate purposes, such as taking action against a criminal or
strengthening security.
How it works: Forensic investigators prepare a clear and detailed report
of the evidence, findings, and conclusions. The report should explain the
methods used, the data found, and how it supports the case.
Example: After an investigation, the report may show that the data
breach occurred due to weak security measures, identify the hacker’s
methods, and provide recommendations for improving security.
Summary of the Digital Forensics Life Cycle:
1. Preparation and Identification: Identify the devices and data involved
in the incident.
2. Collection and Recording: Collect and document the evidence carefully.
3. Storing and Transporting: Store and transport the evidence securely to
prevent tampering.
4. Examination/Investigation: Analyze the evidence to understand the
crime or incident.
23 | P a g e
5. Analysis, Interpretation, and Attribution: Interpret the evidence and
link it to the crime or individual responsible.
6. Reporting: Prepare a detailed report with findings and recommendations.
Each phase in the Digital Forensics Life Cycle plays an important role in
ensuring that evidence is handled properly and that the investigation can lead to
reliable conclusions. The goal is to ensure that the investigation is thorough,
accurate, and legally admissible in court if necessary.
24 | P a g e
Key Points of the Chain of Custody Concept:
1. Tracking the Evidence:
What it is: Chain of custody tracks the digital evidence's movement,
starting from when it is collected until it is presented in court or used in
an investigation.
How it works: Every person who handles the evidence must sign and
document what they did with it, when they did it, and why. This way,
there’s a clear record of who had the evidence and when.
Example: If a cybercriminal’s laptop is seized as evidence, the person
who collects it will document the time, date, and condition of the laptop.
Each person who handles the laptop afterwards (like a forensic
investigator or a lawyer) must also sign the chain of custody form.
2. Preventing Tampering:
What it is: One of the main purposes of chain of custody is to prevent the
evidence from being altered, tampered with, or destroyed during an
investigation.
How it works: By keeping track of everyone who handles the evidence
and ensuring it’s stored securely, the process makes sure no one can
change or destroy important information.
Example: If a person alters the evidence by deleting files on a seized
laptop or tampering with the timestamps of emails, the evidence could
become unreliable and inadmissible in court.
3. Documenting the Evidence Handling:
What it is: Each step in the process of handling the evidence must be
documented, including who collected it, where it was stored, and when it
was transferred or analyzed.
How it works: This is done through a chain of custody log or form,
which is a record showing the "journey" of the evidence.
Example: A digital forensic expert might log that they received the
laptop on a specific date, stored it in a locked evidence room, and then
analyzed it on a later date. This ensures that there’s a clear record for any
future investigations or legal proceedings.
25 | P a g e
Why is Chain of Custody Important in Cybersecurity?
1. Legal Admissibility:
In cybersecurity investigations, if the digital evidence isn’t properly
documented and stored, it could be considered unreliable or tainted, which
means it might not be allowed in court.
Example: If a hacker’s computer is seized but the chain of custody is not
maintained, the defense lawyer might argue that the evidence was tampered
with and should be thrown out.
2. Ensuring Integrity:
Chain of custody guarantees that the evidence is genuine and hasn’t been
altered. It provides confidence that what was collected is exactly what’s being
presented.
Example: If a company is investigating an internal data breach and they present
email logs as evidence, chain of custody ensures that those logs were not
tampered with to protect or incriminate anyone.
3. Preventing Loss or Misplacement:
Proper tracking and documentation help prevent digital evidence from getting
lost, misplaced, or destroyed during an investigation.
Example: If several investigators are handling evidence during an investigation,
it’s easy to get confused or make mistakes. Chain of custody forms help avoid
this by clearly recording each person’s actions.
Steps Involved in Chain of Custody in Cybersecurity:
1. Identification and Collection:
Digital evidence (e.g., hard drives, laptops, servers) is identified and securely
collected by a trained investigator or forensic expert.
Form: A chain of custody form is filled out to note the exact details of the
evidence (e.g., type, make, model, serial number).
2. Securing and Storing:
The evidence is stored in a secure, controlled environment to prevent
unauthorized access or tampering.
Form: Every time the evidence is stored or transferred; the new handler must
sign the chain of custody form to confirm its safekeeping
26 | P a g e
3. Analysis:
The digital evidence is examined using forensic tools. Investigators must
continue to document all actions, including when the evidence is analyzed and
what tools are used.
Form: Forensic experts update the chain of custody form with the details of the
examination process.
4. Presentation:
If needed, the evidence is presented in court or to relevant authorities. The chain
of custody form will help prove that the evidence presented is the same as the
original and hasn’t been tampered with.
Form: The form will be presented as proof of the integrity of the evidence.
27 | P a g e
NETWORK FORENSICS-:
Network forensics is a branch of digital forensics that involves monitoring and
analyzing computer network traffic to gather information and evidence related
to cybercrimes, security incidents, or malicious activities. It focuses on
capturing, storing, and analyzing data packets that flow across a network to
identify potential threats, understand how an attack happened, and gather
evidence for investigations.
In simpler terms, network forensics is like being a detective who watches a
network’s "footprints" (the data moving across it) to figure out what happened
and how it happened when there’s a cyber-attack or security breach.
Why is Network Forensics Important in Cybersecurity?
Network forensics helps in:
1. Identifying Intruders: Detecting unauthorized access or hacker activity
in a network.
2. Tracing Attacks: Finding out how and when an attack occurred and what
methods the attacker used.
3. Evidence Collection: Collecting important data and logs that can be used
in legal or investigative processes.
4. Improving Security: Understanding network vulnerabilities and
improving defenses to prevent future attacks.
5. Compliance: Meeting regulatory requirements to monitor and secure
sensitive data.
Key Concepts in Network Forensics:
1. Traffic Analysis:
Network forensics involves looking at the flow of data across the network to
analyze how information is being transmitted, who is sending it, and what kind
of data is being exchanged.
By examining the network traffic, investigators can identify unusual or
suspicious activities such as unauthorized logins, data exfiltration, or malware
communication with external servers.
2. Packet Capture: Packet capture refers to capturing individual data
packets that travel across the network. These packets contain information
about what’s happening in the network.
28 | P a g e
Example: If a hacker is trying to access sensitive data from a company’s
network, network forensic tools capture the packets containing the hacker’s
activities, such as login attempts or commands to steal data.
3. Logs and Alerts:
Network logs keep a record of network activity, including device
communications, login times, IP addresses, and actions taken on the
network.
Alerts are warnings generated when suspicious activity is detected. For
example, a sudden spike in data transfer or an unknown device
connecting to the network may trigger an alert.
These logs and alerts help investigators piece together the timeline and details
of the attack.
4. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems
(IPS):
IDS monitors network traffic for suspicious behavior and alerts
administrators when it detects potential attacks or security breaches.
IPS goes a step further by actively blocking malicious activities or
unauthorized access based on predefined security policies.
Both systems provide critical information to forensic investigators when an
attack is detected on the network.
Steps in Network Forensics Process:
1. Identification of Evidence: The first step is to identify which parts of the
network need to be monitored. For example, devices or segments of the
network that were involved in the attack are prioritized for further
analysis.
Example: If a company’s database server is compromised, forensic
investigators focus on monitoring traffic between the server and other devices
on the network.
2. Data Collection: The next step is to collect network traffic data, such as
logs, packet captures, and network device configurations.
Example: Forensic tools like Wireshark or tcpdump might be used to capture
network packets and save them for further analysis.
3. Traffic Analysis: After the data is collected, it’s analyzed to identify
signs of suspicious activity. This includes looking for unusual data
29 | P a g e
patterns, unexpected communications, or any anomalies that could
suggest a cyber-attack.
Example: If there is an unusually large amount of data being sent to an external
IP address, it could indicate a data breach or exfiltration.
4. Reconstructing the Attack: Using the collected data, investigators try to
piece together how the attack occurred, including which systems were
compromised, the attacker's methods, and any damage caused.
Example: By analyzing network traffic logs, investigators might discover that
an attacker gained access via an old, unpatched vulnerability in the system, and
then used a specific tool to exfiltrate data.
5. Evidence Documentation and Reporting: All findings must be
documented in detail, including the steps taken to collect and analyze the
data, the results of the analysis, and any conclusions drawn. This report
may be used for legal purposes or to improve security protocols.
Example: If a cybercriminal is caught stealing customer data, the network
forensic team would document all the steps they took to identify the breach and
present their findings as evidence.
30 | P a g e
4. Step 4: Reporting and Action: After gathering evidence, the network
forensics team compiles a detailed report on how the hacker accessed the
data, what methods were used, and how much data was stolen. The
company can now take action by patching vulnerabilities and improving
network security.
31 | P a g e
restarted, certain data (such as temporary files or logs) may be lost or
overwritten.
Why it’s a challenge: Time is critical in computer forensics. If investigators
don’t act quickly, they might lose important evidence due to data being
overwritten or erased.
Example: When investigating a cyber-attack on a computer, the system might
overwrite crucial log files after a reboot, making it hard to trace the attacker’s
activities.
4. Data Storage and Cloud Environments: Many organizations and
individuals store data in cloud environments, which can be spread across
multiple servers in different locations. This can include email accounts, cloud
storage services (like Google Drive or Dropbox), and social media platforms.
Why it’s a challenge: Investigators may struggle to access and collect data
from cloud storage because it is not always easy to determine where the data is
stored, who owns it, and how to get legal access to it.
Example: If a cybercriminal uses a cloud storage service to hide stolen files, it
might be hard for law enforcement to retrieve these files without cooperation
from the cloud service provider.
5. Anti-Forensics Techniques: Anti-forensics refers to techniques that
cybercriminals use to deliberately hide or destroy evidence, making it difficult
for investigators to trace their activities. These techniques can include wiping
files, altering timestamps, or using software to erase evidence.
Why it’s a challenge: Criminals are getting smarter and using advanced
methods to cover their tracks. As a result, forensic investigators must stay up-to-
date with the latest anti-forensics techniques and develop new ways to detect
them.
Example: A hacker might use a tool to permanently erase all logs of their
activities from a compromised computer, making it harder for investigators to
figure out what they did.
6. Legal and Jurisdictional Issues: Cybercrimes often involve data and
systems located in different countries. Different countries have different laws
regarding privacy, data protection, and cybersecurity, which can make it
difficult to obtain and use digital evidence across borders.
Why it’s a challenge: Investigators may face legal restrictions on where and
how they can access data, especially if it’s stored outside their jurisdiction. They
32 | P a g e
might need to work with foreign governments or comply with international
treaties to get permission to access evidence.
Example: If a company in the U.S. is attacked by hackers in another country,
investigators may need permission from the foreign government to access the
hacker’s computer, making the process slower and more complicated.
7. Expertise and Skill Requirements: Computer forensics requires specialized
knowledge and expertise in various fields such as data recovery, networking,
operating systems, and legal procedures. Investigators need to stay updated with
new technologies and cybercrime trends.
Why it’s a challenge: There is a shortage of skilled professionals in the field,
and it can be difficult to find individuals with the right combination of technical
and legal knowledge. Additionally, the constant evolution of technology
requires forensic experts to continuously update their skills.
Example: A forensic investigator may need to understand how the latest
smartphone operating system works in order to retrieve deleted data from a
suspect’s device.
8. Time Constraints: Computer forensic investigations can take a long time to
complete because of the complexities involved in gathering, analyzing, and
presenting digital evidence.
Why it’s a challenge: In some cases, time is critical. Investigators may face
tight deadlines, such as legal proceedings or ongoing attacks, and may not have
enough time to thoroughly analyze all the data before important decisions need
to be made.
Example: If a company is experiencing a cyber-attack, forensic experts may
need to identify and stop the threat as quickly as possible, which could prevent
them from conducting a complete investigation.
9. Handling Large-Scale Attacks: Large-scale cyber-attacks, such as
Distributed Denial of Service (DDoS) attacks or ransomware attacks, can
generate a huge amount of data and affect many systems at once.
Why it’s a challenge: Investigating large-scale attacks is more complex due to
the volume of data and the number of affected systems. Forensic investigators
need to prioritize critical systems, track the flow of malicious traffic, and
coordinate efforts across multiple teams.
33 | P a g e
Example: During a massive ransomware attack, investigators may need to
examine thousands of network devices and identify which systems were
infected first, while also trying to stop the attack.
34 | P a g e