The topic “Computer Forensics” deals with performing a structured investigation
while maintaining a documented chain of evidence to find out exactly what
happened on a computer and who was responsible for it. With the increase in the
use of computer and internet, there evolved an increasing cybercrime such as
stalking, hacking, blackmailing etc. In such a situation computers, mail services,
social networking sites can be major evidences to prove the crime and find out the
persons involved in it. The tools used by the forensic experts are also a part of the
Computer Forensics is a branch of
forensic science that uses
investigation and analysis techniques
to find and determine legal evidences
found in computer and digital storage
mediums. It is the practice of lawfully
establishing evidence and facts. The
core goals of it are fairly straight
forward: preservation, identification,
extraction, documented and
interpretation of computer data. Data
should be retrieved and analyzed
without it is damaged. The
authenticity of the data is also
There is a plethora
hardware and software tools available
to assist with the interpretation of
Computer Forensics is referred to as
computer forensics analysis,
electronic discovery and data
discovery. Computer analysis and
computer examination is the process
of methodically examining computer
media (Hard diskettes, disk tapes etc.)
The field of computer forensics began
in 1980s, after personal computers
became a viable option for
consumers. In 1984, an FBI program
was created known for a time as
magnet media program, it is now
known as the computer analysis and
response team (CART). Shortly
thereafter, the man who is credited
with being “the father of computer
forensics” began work in this field.
His name was Michael Anderson.
1995: International Organization on
Computer Evidence (IOCE) was
1997: The G8 countries declared that
“Law enforcement personnel must be
trained and equipped to address high-
tech crimes” in the Moscow.
1998: INTERPOL Forensic Science
1999: FBI CART case load exceeds
2000 cases examining, 17 terabytes of
2000: First FBI Regional Computer
Forensic Laboratory established.
2003: FBI CART case load exceeds
6500 cases, examining 782 terabytes
IV Need for Computer
The purpose of it is mainly due to the
wide variety of computer crimes that
take place in recent times. The loss
caused depends upon the sensitivity of
the computer data or the information
for which the crime has been
committed. It is also efficient where
in the data is stored in a single system
for the backup.
The main objective of
computer forensics is to produce
evidence in the court that lead to the
punishment of the actual. The word
forensic itself means bringing to
V Types of crimes:
A) Breech of computer security.
C) Copyright violation.
D) Identity theft.
E) Narcotics Investigation.
VI How forensic experts
A) Make an initial assessment about
the type of case that is going to be
B) Determine a preliminary design or
approach to the case.
C) Determine the reasons needed.
D) Obtain a copy of the disk drive.
E) Identify and minimize or avoid the
F) Investigate the data that is
G) Complete the case report.
VII Forensic tools:
The forensic tools are software’s or
hardware’s used for gathering the
required data from the media storage
devices of the computer that is
believed to be used to commit any
illegal activity or crime.
Some of the basic and commonly
used computer forensic tools are:
A) Registry Recon: It extracts registry
information from a piece of evidence
(disk image etc.) whether that
information was active, backed up or
deleted and rebuilds all the registries
represented by the extracted
B) SANS Investigative Toolkit:
It is pre-configured with all the
necessary tools to perform a detailed
forensic examination. The new
version is rebuilt on an Ubuntu base
with additional tools like replaying of
entire computer activity in detail etc.
Memory forensic tools:
Memory tools are used to acquire and
analyze a computers volatile memory.
Some of them are
Compile Memory Analysis Tool is a
self-contained memory analysis tool
that analyzes windows OS memory
and extracts information about
This tool can acquire live memory
images and analyze memory dumps.
It is inclusive to Microsoft Windows.
Mobile device forensics tools:
Mobile forensic tool tend to have
hardware and software components.
A) Cellebrite Mobile Forensics:
It is a Universal Forensic extraction
device which is both hardware and
software. It is used to gather evidence
from mobile devices, mobile media
cards, Sims and GPS devices.
B) MicroSystemation XRY:
XRY is digital forensic product by
MicroSystemation used to recover
information from mobile phones,
smartphones, GPS, navigation tools
and Tablets computers.
Network Forensics tools:
Network forensic tools are designed
to capture and analyze network
packets either from LAN or Internet.
A) Wire Shark:
It captures and analyzes packets. In
short it is a protocol analyzer.
B) TCP flow:
It is a TCP/IP session reassembles. It
records the TCP flow and stores the
data such that it is convenient for
Database forensic tools:
Database forensic is related to the
investigations applied on database and
A) Hash keeper:
It uses an algorithm to establish
unique numeric identifiers (hash
values) for files known to be good or
bad. It was developed to reduce the
amount of time required to examine
files on digital media.
Arbutus data tool is a window based
analysis and conversion tool that
fraud investigators use to analyze
server or mainframe data.
A) Uncover evidences of illegal
activities such as credit card fraud,
intellectual property theft etc.
B) Investigate and find evidence for
crimes that were not directly
committed via computer but for which
the accused might have stored
evidence on computer data storage
C) Detect and close computer system
security holes through ‘legal hacking’.
D) Tracking the activities of the
Terrorists by using Internet.
Cybercrimes are increasing in number
day to day. The Forensic Department
has been efficiently delivering its
duties by controlling the crime rate on
the Internet. The techniques
developed by the forensic science are
also used by army in detecting the
presence of chemical weapons and
high explosives. Almost in all the
cases the persons involved in crime
are found out. On the other hand it is
the duty of judiciary to resolve any
disputes and punish the accused.
A) Computer Forensics, Computer
Crime Investigation by John R.
B) Computer Forensics and
Investigation by Nelson, Phillips
C) List of Computer Forensic Tools,
Computer Forensics, Wikipedia