Unit 4 PDF

The document provides an overview of computer forensics, detailing the process of collecting, analyzing, and preserving digital evidence for legal use. It explains the importance of the chain of custody in maintaining the integrity of evidence and compares digital evidence with physical evidence. Additionally, it outlines the rules of evidence, email forensics approaches, and best practices to avoid during a forensic investigation.

Uploaded by

agrawaltanay21
Unit 4 – Understanding Computer Forensics
1. What is Cyber Forensic / Digital Forensic / Computer Forensic?
All three mean the same thing – the process of collecting, analyzing, and saving digital
evidence from electronic devices (like computers, phones, etc.) in a way that can be used
in court.

[Figure: Digital Forensics Process Cycle – 1 Collect Evidence (gather digital data from devices); 2 Analyze Evidence (examine data for relevant information); 3 Save Evidence (securely store analyzed data); 4 Present in Court (use evidence in legal proceedings)]
Used for:
• Solving cyber crimes
• Recovering lost data
• Investigating hacking or fraud
[Figure: Cyber Security Services – Cyber Crime Solutions (providing solutions to solve cyber crimes); Data Recovery (recovering lost data from cyber attacks); Fraud Investigation (investigating hacking or fraud attempts)]
Example:
If someone hacks a company, computer forensic experts check logs, emails, and files to
find out who did it, how, and when.

[Figure: Computer Forensic Investigation Process – Incident Occurs → Experts Investigate → Check Logs, Analyze Emails, Review Files → Identify Perpetrator, Determine Method, Establish Timeline]
2. What is “Chain of Custody”? Explain its importance.


Chain of Custody is the process of keeping a record of who handled the digital evidence,
when, and where.
[Figure: Chain of Custody Cycle – 1 Record Handling (document who handled the evidence); 2 Document Time (note when the evidence was handled); 3 Note Location (specify where the evidence was handled); 4 Maintain Integrity (ensure evidence remains unaltered)]
Why it’s important:


• Proves that the evidence is real and not changed.
• Maintains trust in the investigation.
• Without it, evidence may be rejected in court.
[Figure: Pillars of Evidence Integrity – 1 Authenticity (ensures evidence is genuine and unaltered); 2 Trust (upholds confidence in the investigative process); 3 Admissibility (guarantees evidence is accepted in court)]
Example:
If a hard disk is collected as evidence, every time it changes hands, it is logged with date,
time, and person’s name.
[Figure: Chain of Custody for Hard Disk Evidence – Hard Disk Collection (the hard disk is initially collected as evidence) → Log Entry Creation (a log entry is created with date, time, and person's name) → Transfer to Next Custodian → Log Entry Update (the log entry is updated with the new custodian's details) → Repeat Transfer Process (the process repeats for each subsequent transfer)]
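As an added example (not part of the original notes), the following Python keeps the kind of log described above: every hand-over records who, when and where, together with a SHA-256 hash of the evidence taken at that moment, so each later entry can be checked against the hash taken at collection and a change in the evidence, or a log entry dated before the previous one, is flagged. The item id, the custodian names and the evidence bytes are constructed for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the contents of a seized hard disk image (not real evidence).
EVIDENCE_IMAGE = b"constructed disk image contents for the example"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; an unaltered item always yields the same digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    handler: str      # who handled the evidence
    when: datetime    # when it changed hands (UTC)
    where: str        # where it was handled
    action: str       # collected / transferred / analysed / returned
    digest: str       # SHA-256 of the evidence at that moment


class CustodyLog:
    """Append-only chain-of-custody record for a single evidence item."""

    def __init__(self, item_id: str) -> None:
        self.item_id = item_id
        self.entries: list[CustodyEntry] = []

    def record(self, handler: str, where: str, action: str,
               evidence: bytes, when: datetime | None = None) -> CustodyEntry:
        """Log a hand-over and hash the evidence at the same time, so the entry
        can later be compared with the digest recorded at collection."""
        entry = CustodyEntry(handler, when or datetime.now(timezone.utc),
                             where, action, sha256_hex(evidence))
        self.entries.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return the problems found; an empty list means the chain is intact."""
        if not self.entries:
            return ["no custody entries recorded"]
        problems: list[str] = []
        collected = self.entries[0]          # digest taken when the item was seized
        for i in range(1, len(self.entries)):
            prev, cur = self.entries[i - 1], self.entries[i]
            if cur.when < prev.when:
                problems.append(f"entry {i} ({cur.handler}): timestamp earlier than the previous entry")
            if cur.digest != collected.digest:
                problems.append(f"entry {i} ({cur.handler}): hash differs from the hash at collection, "
                                f"evidence may have been altered")
        return problems


def demo() -> tuple[list[str], list[str]]:
    """Walk a hard disk through three custodians (names and times are constructed)."""
    log = CustodyLog("HDD-001")
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.record("Collector A", "Site office", "collected", EVIDENCE_IMAGE, t0)
    log.record("Custodian B", "Evidence store", "transferred", EVIDENCE_IMAGE, t0 + timedelta(hours=2))
    intact = log.verify()   # returns []
    # A later custodian logs the item, but the bytes no longer match the collection hash.
    log.record("Analyst C", "Forensic lab", "analysed", EVIDENCE_IMAGE + b"!", t0 + timedelta(hours=5))
    tampered = log.verify()  # one problem reported
    return intact, tampered


if __name__ == "__main__":
    for problems in demo():
        print(problems or "chain of custody intact")
```

The hash is what turns the log from a list of names into proof: a signature alone shows that someone received the item, while a matching digest shows that what they received is still what was collected.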

3. What is Digital Evidence? Compare with Physical Evidence.


Digital Evidence: Information stored on electronic devices that can be used in legal
investigations. Examples: emails, chat logs, call history, deleted files.
[Figure: Digital Evidence Examples – Emails (electronic mail messages); Chat logs (records of online conversations); Call history (list of phone calls made); Deleted files (files removed from storage)]
Physical Evidence: Things you can touch. Examples: fingerprints, a weapon, broken glass.
[Figure: Physical Evidence Types – Touch Evidence (tangible items related to crime); Weapon Evidence (instrument used to cause harm); Glass Evidence (shattered remains from a window)]
Feature            | Digital Evidence                      | Physical Evidence
Nature             | Electronic, intangible                | Solid, tangible
Easily destroyed?  | Yes, can be deleted/modified quickly  | Harder to destroy completely
Copyable?          | Yes, can make exact copies            | No, only one original

[Figure: Comparing Digital and Physical Evidence – electronic and intangible vs solid and tangible; easily destroyed vs harder to destroy; easily copyable vs only one original]
4. Write a short note on ‘Rule of Evidence’.


Rule of Evidence means the set of laws and guidelines that say how evidence must be
collected and presented in court.
[Figure: The Cycle of Evidence Handling – 1 Collect Evidence (gathering relevant data); 2 Preserve Evidence (maintaining integrity of data); 3 Present Evidence (submitting data in court); 4 Evaluate Evidence (assessing data for validity)]
For digital evidence:


• Must be original or an exact copy.
• Collected legally without changing data.
• Should follow chain of custody.
[Figure: Data Collection Requirements – Originality (data must be original or copied); Legality (data must be collected legally); Chain of Custody (data requires chain of custody)]
If not followed, the evidence can be rejected by the judge.


5. What is Forensic Analysis of Email? Discuss various approaches used.
Email Forensics is the study of emails to find out details like:
• Who sent the email?
• When and where was it sent?
• Was it real or fake?
[Figure: Email Forensics Process / Email Verification Process – Sender Identification (determine the sender's identity and the email's origin); Timestamp Verification (establish when and where the email was sent); Authenticity Check (confirm whether the email is genuine: a verified email is safe, authentic communication, an unverified email is a potential threat in the inbox)]
Approaches:
1. Header Analysis – Read the email header to trace the IP address and source.
2. Server Logs – Check email servers for logs of sent/received messages.
3. Keyword Search – Look for suspicious words in inbox or trash.
4. Deleted Email Recovery – Use tools to recover deleted messages.
5. Attachment Analysis – Check if any harmful files were attached.

[Figure: Forensic Analysis of Email – Header Analysis (read email header to trace IP address and source); Server Logs (check email servers for logs of sent/received messages); Keyword Search (look for suspicious words in inbox or trash); Deleted Email Recovery (use tools to recover deleted messages); Attachment Analysis (check if any harmful files were attached)]
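Added example (not from the original notes) of approach 1, header analysis. Each mail server that relays a message prepends its own Received header, so the headers are read bottom-up to rebuild the path the message took; the source IP of the earliest hop is extracted as the best available origin, the hop timestamps are checked for order, and the From domain is compared with the Return-Path domain, since a mismatch is a common sign that the visible From line was forged. The message is constructed: its host names use example domains and its addresses use documentation IP ranges, so nothing in it refers to a real sender.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed raw message (headers plus a one-line body). Hosts are example domains and
# the addresses 192.0.2.20 / 198.51.100.7 are documentation ranges, not real machines.
RAW_EMAIL = """Return-Path: <billing@example.net>
Received: from mail.example.org (mail.example.org [192.0.2.20])
    by mx.victim.example (Postfix) with ESMTP id ABC123
    for <user@victim.example>; Mon, 15 Jan 2024 10:05:12 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.org (Postfix) with ESMTPA id XYZ789;
    Mon, 15 Jan 2024 10:04:58 +0000
From: "Accounts" <accounts@bank.example>
To: user@victim.example
Date: Mon, 15 Jan 2024 10:04:50 +0000
Subject: Invoice attached
Message-ID: <20240115100450.1@mail.example.org>

Please see the attached invoice.
"""

# "from <host> ... [<ip>] ... by <host>" as written by common MTAs; the IP part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?.*?\bby\s+(?P<by>\S+)"
)


def parse_received(value: str) -> dict:
    """Split one Received header into sending host, its IP, receiving host and timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    # The timestamp is the part after the final ';' in a well-formed Received header.
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
    return {
        "from": m.group("from") if m else None,
        "ip": m.group("ip") if m else None,
        "by": m.group("by") if m else None,
        "when": when,
    }


def trace_path(raw: str) -> list[dict]:
    """Hops in transmission order (origin first). Relays prepend their Received
    header, so the list in the message is reversed to get the real order."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def header_findings(raw: str) -> list[str]:
    """Observations an investigator would note from the headers alone."""
    msg = message_from_string(raw)
    hops = trace_path(raw)
    findings = []
    if hops and hops[0]["ip"]:
        findings.append(f"origin host {hops[0]['from']} with IP {hops[0]['ip']}")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    times = [h["when"] for h in hops if h["when"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps are out of order")
    return findings


if __name__ == "__main__":
    for hop in trace_path(RAW_EMAIL):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['when']}")
    for finding in header_findings(RAW_EMAIL):
        print("finding:", finding)
```

Only the Received header added by a server you trust (here the recipient's own mx.victim.example) is reliable; earlier hops and the From line are written by whoever controlled the sending side, which is why the origin IP is treated as a lead to correlate with server logs rather than as proof on its own.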
6. What things to avoid during a computer forensic investigation? What can’t be avoided?
✅ Things to be avoided:
• Turning the device on/off randomly.
• Using the suspect’s system normally (may change data).
• Editing files or software.
• Not following the chain of custody.
• Ignoring hidden files or folders.

[Figure: Forensic investigation errors – Random device control (switching the device on/off randomly can alter data); Normal system usage (using the suspect’s system normally might change data); File editing (editing files or software can lead to data corruption); Ignoring files (ignoring hidden files or folders misses crucial evidence); Custody breach (not following the chain of custody taints evidence integrity)]
❌ Things that can’t be avoided:


• Taking a copy (image) of the data for investigation.
• Following proper legal steps.
• Using forensic tools for analysis.
• Documenting everything clearly.
[Figure: Computer Forensics Investigation Process – Create Data Image (capture a copy of the data for analysis); Follow Legal Steps (adhere to legal procedures during investigation); Use Forensic Tools (employ specialized tools for data analysis); Document Findings (record all findings and processes clearly)]
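Added example (not from the original notes) that ties together question 3’s “exact copies”, question 4’s “original or an exact copy, collected legally without changing data” and the “taking a copy (image)” point above: the source is read block by block into an image file, hashed before and after acquisition, and compared with the hash of the image, so one check proves both that the copy is exact and that the original was not changed by making it. Analysis then happens only on a further working copy, never on the original or the master image. Real acquisitions go through a hardware write blocker and dedicated imaging tools; this script shows only the verification logic, on a constructed stand-in file in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks, so a large device is never loaded into memory at once


def sha256_file(path: str) -> str:
    """Hash a file in blocks; two files with the same digest hold identical bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy source to image bit for bit and return the three digests that document it:
    source before, source after (proves the original was not changed) and the image
    itself (proves the copy is exact). 'verified' is True only when all three agree."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:   # source opened read-only
        shutil.copyfileobj(src, dst, CHUNK)
    after = sha256_file(source)
    image_hash = sha256_file(image)
    return {
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "verified": before == after == image_hash,
    }


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: image a stand-in 'disk', then alter only a working copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "suspect_disk.bin")   # stands in for the seized device
        image = os.path.join(d, "suspect_disk.dd")       # master image, kept untouched
        working = os.path.join(d, "working_copy.dd")     # what the analyst actually examines
        with open(original, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))          # not a multiple of CHUNK on purpose
        result = acquire_image(original, image)

        shutil.copyfile(image, working)
        with open(working, "r+b") as f:                  # simulate a tool altering the working copy
            f.seek(0)
            f.write(b"X")

        working_changed = sha256_file(working) != result["image"]
        master_intact = (sha256_file(image) == result["image"]
                         and sha256_file(original) == result["source_before"])
        return result["verified"], working_changed, master_intact


if __name__ == "__main__":
    verified, working_changed, master_intact = demo()
    print(f"image verified: {verified}, working copy changed: {working_changed}, "
          f"original and master intact: {master_intact}")
```

The three digests are exactly what goes into the documentation: record them with the acquisition time and the examiner’s name, and any later question about whether the copy is exact or the original was touched can be answered by re-hashing.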
