Cyber

Forensics
Aahan Rampal
Kartik
Harsh Shah
Meet Soni
 Introduction
 Cyber forensics is a process of  Cyber forensics can do the following:
extracting data as proof for a crime  It can recover deleted files, chat logs,
(that involves electronic devices) emails, etc
while following proper investigation  It can also get deleted SMS, Phone calls.
rules to nab the culprit by presenting
the evidence to the court.
 It can get recorded audio of phone
conversations.
 The main aim of cyber forensics is to
 It can determine which user used which
maintain the thread of evidence and
system and for how much time.
documentation to find out who did
the crime digitally.
 It can identify which user ran which
program.
 Cyber forensics is also known as
computer forensics.
 Why is it Important?
 Cyber forensics helps in collecting important digital evidence to trace the
criminal.
 Electronic equipment stores massive amounts of data that a normal person fails
to see. For example: in a smart house, for every word we speak, actions
performed by smart devices, collect huge data which is crucial in cyber
forensics.
 It is also helpful for innocent people to prove their innocence via the evidence
collected online.
 It is not only used to solve digital crimes but also used to solve real-world crimes
like theft cases, murder, etc.
 Businesses are equally benefitted from cyber forensics in tracking system
breaches and finding the attackers.
 Process Involved
 Obtaining a digital copy of the system that is being or is required to be inspected.

 Authenticating and verifying the reproduction.

 Recovering deleted files (using Autopsy Tool).

 Using keywords to find the information you need.

 Establishing a technical report.

 Procedures
 Identification: The first step of cyber forensics experts is to identify what
evidence is present, where it is stored, and in which format it is stored.
 Preservation: After identifying the data, the next step is to safely preserve the
data and not allow other people to use that device so that no one can tamper
data.
 Analysis: After getting the data, the next step is to analyze the data or
system. Here the expert recovers the deleted files and verifies the recovered
data and finds the evidence that the criminal tried to erase by deleting secret
files. This process might take several iterations to reach the final conclusion.
 Documentation: Now after analyzing data a record is created. This record
contains all the recovered and available (not deleted) data which helps in
recreating the crime scene and reviewing it.
 Presentation: This is the final step in which the analyzed data is presented in
front of the court to solve cases.
Types  Network forensics: This involves monitoring and analyzing the

of network traffic to and from the criminal’s network. The tools used
here are network intrusion detection systems and other
Computer automated tools.

Forensics  Email forensics: In this type of forensics, the experts check the
email of the criminal and recover deleted email threads to
extract out crucial information related to the case.
 Malware forensics: This branch of forensics involves hacking
related crimes. Here, the forensics expert examines the malware,
trojans to identify the hacker involved behind this.
 Memory forensics: This branch of forensics deals with collecting
data from the memory (like cache, RAM, etc.) in raw and then
retrieve information from that data.
 Mobile Phone forensics: This branch of forensics generally deals
with mobile phones. They examine and analyze data from the
mobile phone.
 Database forensics: This branch of forensics examines and
analyzes the data from databases and their related metadata.
 Disk forensics: This branch of forensics extracts data from
storage media by searching modified, active, or deleted files.
 Techniques Used
 Reverse steganography:
 Steganography is a technique of hiding the secret information inside or on top of
something, that something can be anything from an image to any type of file. So, cyber
forensic experts do reverse steganography to analyze the data and find a relation with the
case.
 Computer forensics investigators can counter this using reverse steganography, by looking
and comparing the hash value of the altered file and original file, the hash value will be
different for both files even though they might appear identical on visual inspection
 Stochastic forensics
 In Stochastic forensics, the experts analyze and reconstruct digital activity without using
digital artifacts. Here, artifacts mean unintended alterations of data that occur from digital
processes.
 Techniques Used
 Live analysis
 It is used to examine the computers from within the OS using various forensics and
sysadmin tools to get the information from the device.

 In forensic analysis, the collection of volatile data is very important like the installed
software packages, hardware information, etc. this approach is useful in the case where the
investigator is dealing with encrypted files.

 If the device is still active and running when it’s handed to the investigator, the investigator
should collect all the volatile information from the device such as user login history, which
TCP and UDP ports are open, what services are currently in use, and running, etc.
 Techniques Used
 Cross-drive analysis
 Cross-drive analysis (CDA) is a technique that allows an investigator to quickly identify and
correlate information from multiple data sources or information across multiple drives.
Existing approaches include multi-drive correlation using text searches, e.g., email
addresses, SSNs, message IDs, or credit card numbers.

 Deleted file recovery

 It is a technique that is used to recover deleted files. The deleted data can be recovered or
craved out using forensic tools such as CrashPlan, OnTrack EasyRecovery, Wise Data
Recovery, etc.
 Use Cases
 Criminal investigations:
 Law enforcement agencies and computer forensics specialists can use computer forensics to
solve computer-related crimes, like cyberbullying, hacking or identity theft, as well as crimes
in the physical world, including robbery, kidnapping, murder and more. For example, law
enforcement officials may use computer forensics on a murder suspect's personal computer
to locate potential clues or evidence hidden in their search histories or deleted files.

 Civil litigation
 Investigators can also use computer forensics in civil litigation cases, like fraud, employment
disputes or divorces. For example, in a divorce case, a spouse's legal team may use
computer forensics on a mobile device to reveal a partner's infidelity and receive a more
favorable ruling.
 Use Cases
 Corporate security:
 Corporations often use computer forensics following a cyberattack, such as a data breach or
ransomware attack, to identify what happened and remediate any security vulnerabilities. A typical
example would be hackers breaking through a vulnerability in a company's firewall to steal sensitive
or essential data. Using computer forensics to fight cyberattacks will continue as cybercrimes
remain on the rise. In 2022, the FBI estimated that computer crimes cost Americans USD 10.3 billion
in annual losses, up from USD 6.9 billion the previous year (link resides outside ibm.com).

 The protection of intellectual property:

 Computer forensics can help law enforcement officials investigate intellectual property theft, like stealing
trade secrets or copyrighted material. Some of the most high-profile computer forensics cases involve
intellectual property protection, notably when departing employees steal confidential information to sell it
to another organization or set up a competing company. By analyzing digital evidence, investigators can
identify who stole the intellectual property and hold them accountable.
 Use Cases
 National security:
 Computer forensics has become an important national security tool as cybercrimes continue
escalating among nations. Governments or law enforcement agencies like the FBI now use
computer forensics techniques following cyberattacks to uncover evidence and shore up
security vulnerabilities.
Legal Usage
 Apple Trade Secret Theft
 An engineer named Xiaolang Zhang at Apple's autonomous
car division announced his retirement and said he would be
moving back to China to take care of his elderly mother.
 He told his manager he planned to work at an electronic car
manufacturer in China, raising suspicion.
 According to a Federal Bureau of Investigation (FBI)
affidavit, Apple's security team reviewed Zhang's activity on
the company network and found, in the days prior to his
resignation, he downloaded trade secrets from confidential
company databases to which he had access. He was indicted
by the FBI in 2018.
 Enron
 In one of the most commonly cited accounting
fraud scandals, Enron, a U.S. energy,
commodities and services company, falsely
reported billions of dollars in revenue before
going bankrupt in 2001, causing financial harm
to many employees and other people who had
invested in the company.
 Computer forensic analysts examined terabytes
of data to understand the complex fraud scheme.
 The scandal was a significant factor in the
passing of the Sarbanes-Oxley Act of 2002, which
set new accounting compliance requirements for
This Photo by Unknown Author is licensed under CC BY-SA
public companies. The company declared
bankruptcy in 2001.
 Google Trade Secret Theft
 Anthony Scott Levandowski, a former executive
of both Uber and Google, was charged with 33
counts of trade secret theft in 2019.
 From 2009 to 2016, Levandowski worked in
Google's self-driving car program, where he
downloaded thousands of files related to the
program from a password-protected corporate
server.
 He departed from Google and created Otto, a
self-driving truck company, which Uber bought
in 2016, according to The New York Times.
 Levandowski plead guilty to one count of trade
This Photo by Unknown Author is licensed under CC BY-SA-NC
secrets theft and was sentenced to 18 months in
prison and $851,499 in fines and restitution.
 Challenges Faced
 Data Destruction
 Criminals may attempt to destroy digital evidence by wiping or destroying devices.
This can require specialized data recovery techniques
 Data Storage
 The sheer amount of data that can be stored on modern digital devices can make it
difficult for forensic investigators to locate relevant information.
 Data Encryption
 Encryption can make it difficult to access the data on a device or network, making it harder
for forensic investigators to collect evidence. This can require specialized decryption tools
and techniques
 Conclusion
 Importance
 Cyber forensics helps collect crucial digital evidence, aids innocent people, and solves both digital
and real-world crimes. Businesses also benefit from it by tracking system breaches and identifying
attackers.
 Process
 The process involves obtaining a digital copy of the system, authenticating it, recovering deleted
files, analyzing data, and documenting findings.
 Procedures
 Identification, preservation, analysis, documentation, and presentation are the key steps followed by
cyber forensics experts.
 Types
 Network, email, malware, memory, mobile phone, database, and disk forensics are some of the
specialized branches.
 Conclusion
 Techniques
 Reverse steganography, stochastic forensics, cross-drive analysis, live analysis, and deleted
file recovery are some of the commonly used techniques.
 Use cases
 Criminal investigations, civil litigation, intellectual property protection, corporate security, and
national security are some of the key areas where cyber forensics is applied.
 Real-world examples
 Apple trade secret theft, Enron scandal, Google trade secret theft, and Enron Group case
showcase the effectiveness of cyber forensics in court proceedings.
 Challenges
 Data encryption, destruction, and the sheer volume of data pose significant challenges for
cyber forensics professionals.
Thank You