Digital forensics is a scientific field that involves the identification, collection, examination, and analysis of digital data for use as evidence in court. It has several sub-disciplines including computer forensics, network forensics, mobile device forensics, digital image/video/audio forensics, memory forensics, and cloud forensics. The goal of digital forensics is to recover electronic evidence from computers, networks, mobile devices, and digital media in a forensically sound manner.

3.  Digital forensics is a constantly evolving scientific
field with many sub-disciplines. Some of these sub-
disciplines are:
 1) Computer Forensics: the identification,
preservation, collection, analysis and reporting on
evidence found on computers, laptops and
storage media in support of investigations and
legal proceedings.
 2) Network Forensics: the monitoring, capture,
storing and analysis of network activities or
events in order to discover the source of security
attacks, intrusions or other problem incidents, i.e.
worms, virus or malware attacks, abnormal
network traffic and security breaches.
 3) Mobile devises Forensics: the recovery of
electronic evidence from mobile phones,
smartphones, SIM cards, PDAs, GPS devices,
tablets and game consoles.

4.  Digital forensics is a constantly evolving scientific field
with many sub-disciplines. Some of these sub-disciplines
are:
 4) Digital Image Forensics: the extraction and analysis
of digitally acquired photographic images to validate
their authenticity by recovering the metadata of the
image file to ascertain its history.
 5) Digital Video/Audio Forensics: the collection,
analysis and evaluation of sound and video recordings.
The science is the establishment of authenticity as to
whether a recording is original and whether it has been
tampered with, either maliciously or accidentally.
 6) Memory forensics: the recovery of evidence from the
RAM of a running computer, also called live acquisition.
 7) Cloud Forensics: Cloud Forensics is actually an
application within Digital Forensics which oversees the
crime committed over the cloud and investigates on
it.

5. Criminal
forensics
Intelligence
gathering
Intrusion
investigation
Electronic
discovery
(eDiscovery)

6. Admissibility: It must be in conformity with common law and
legislative rules.
Reliability: The evidence must be from indisputed origin.
Completeness: The evidence should prove the culprit ’s actions
and help to reach a conclusion.
Convincing to Judges: The evidence must me convincing and
understandable by the judges.
Authentication: The evidence must be real, related to the incident and
reliabile.

7. Cross-drive analysis: correlates information found on multiple hard drives
Live analysis: occurs in the operating system while the device or computer is running. It involves
using system tools that find, analyze, and extract volatile data, typically stored in RAM or cache.
Recovery of Deleted files: searching a computer system and memory for fragments of files that
were partially deleted in one place but leave traces elsewhere on the machine
Stochastic forensics: analyze and reconstruct digital activity without the use of digital artifacts.
Stochastic forensics is frequently used in data breach investigations where the attacker is thought
to be an insider, who might not leave behind digital artifacts
Reverse Steganography: Steganography is a common tactic used to hide data inside any type of
digital file, message or data stream. Compare the hash of the file and comparing it to the original
image (if available.)

8. Intellectual Property theft
Employment disputes

9. ROLE OF FORENSICS INVESTIGATORS
 Confirms or dispels whether a resource/network is compromised.
 Determine extent of damage due to intrusion.
 Answer the questions: Who, What, When, Where, How and Why.
 Gathering data in a forensically sound manner.
 Handle and analyze evidence.
 Prepare the report
 Present admissible evidence in court

10. Forensic readiness is the ability of an organization to maximize its potential to use digital
evidence whilst minimizing the costs of an investigation.

11. to gather admissible evidence legally and without interfering with business
processes
to gather evidence targeting the potential crimes and disputes that may
adversely impact an organization
to allow an investigation to proceed at a cost in proportion to the incident
to minimise interruption to the business from any investigation
to ensure that evidence makes a positive impact on the outcome of any legal action

12. act in an organization's defence if
subject to a lawsuit
used as a deterrent to the insider
threat
in the event of a major incident,
an efficient and rapid
investigation can be conducted
and actions
can significantly reduce the costs
and time of an internal
investigation
can reduce the costs of any court
ordered disclosure or regulatory
or legal need to disclose data (e.g.
in response to a request under
data protection legislation)

13. it demonstrates due diligence and
good corporate governance of the
company's information assets
it can demonstrate that regulatory
requirements have been met
improve and facilitate the
interface to law enforcement if
involved
improve the prospects for a
successful legal action
provide evidence to resolve a
commercial dispute
support employee sanctions based
on digital evidence (for example to
prove violation of an acceptable
use policy)

14. Define the
business
scenarios
that require
digital
evidence
Identify
available
sources and
different types
of potential
evidence
Determine the
evidence
collection
requirement
Establish a
capability for
securely
gathering legally
admissible
evidence to meet
the requirement
Establish a
policy for secure
storage and
handling of
potential
evidence
Steps for Forensic Readiness Planning

15. Ensure
monitoring is
targeted to
detect and
deter major
incidents
Specify
circumstances
when escalation
to a full formal
investigation
should be
launched
Train staff in
incident
awareness, so that
all those involved
understand their
role in the digital
evidence process
and the legal
sensitivities of
evidence
Document an
evidence-based
case describing the
incident and its
impact
Ensure legal
review to
facilitate action in
response to the
incident

17. Never mishandle the evidence (Imaging,
Chain of custody)
Never work on the original evidence
(integrity, authenticity and admissibility
in court).
Never trust the SUBJECT‟S operating
system
Document all the findings
Results should be repeatable, reproducible
and verifiable by third party
(cryptographic hash value, MD5 or SHA-1)

19. SEARCH AND
SEIZURE
PREPARATION
PHASE
•Nature of crime under
investigation
•Suspect’s Technical
knowledge
Location of
data
storage
•The authorization for the seizure
• Obtaining forensic images (“on-site” or
not)
• Analysis of the devices “on-site”
•Use of applications to obtain access
passwords
• Authorization to change the password of
email accounts or social networks, etc.
SEARCH AND SEIZURE OF DIGITAL EVIDENCE

21. Equipment preparation
The following is a list that the
officer must take into account
consisting of the minimum
forensic tools needed for a
successful search and seizure
activity:
Laptop with the necessary standard forensic tools
installed

22. Equipment preparation
Hardware write blockers
Forensic tools dongle licenses
Enough memory storage
media (external HDDs)
HD with extra forensic software or bootable devices

23. Tools to Dismantle
Screwdrivers (flat, star,
hexagonal and other specific for
certain models)
Pliers (standard and
pointed)
Clamps (for cutting cables)
Small tweezers

24. Exhibit Documentation
Photo or video camera (to take
pictures of the scene and the
screen content)
Permanent markers (to
encode and identify the
investigated material)
Labels (to mark and identify parts of the equipment,
power supplies)
Evidence tags

25. Resources needed for packaging and transport/Consumables
Evidence bags and seal
Evidence carton boxes for media
storage devices such as USB
devices, DVDs, or CDs;
Anti-static zip-lock
evidence bags
Faraday Bags to inhibit signals
to mobile phones and other
devices that may receive data
from mobile/Wi-Fi network
Other items: Small torch with stand,
Gloves, Large rubber bands, Magnifying
glasses, Network cables (crossed and
braided), Mask

26. Secure the scene
(Remove/locate/che
ck/refuse)
Assessment
Document the scene
(Type, Brand and
model, Storage
capacity, Serial
number, State:
Damaged, on, off, etc.,
Location, Security:
Access password, PIN,
Comments
Collection and
the handling of
digital evidence
(equipment
turned off, on,
modifications
made)
Seizure Phase
(Uniquely and
properly
registered and
labelled, label
details of
cloning/copying
process,
Packaging ) and
Transport :
protection from
shock, EM wave,
Humidity etc
SEARCH AND SEIZURE EXECUTION PHASE

27. Search and seizure of volatile

28. Guidelines Avoid tools that use a GUI interface.
Command line tools are best here. Use
safe and tested tools you know that
work.
Create two or three floppy disks
containing your volatile collection tools
and write protect them.
Generate a checksum and validation for
each of your tools and store it safely
within your toolkit

31. Some of the tools for the collection of volatile data are
Srvcheck.exe: displays the shares locally or remotely.
Kill.exe: A Windows Support tool for terminating a selected task or
process.
Rasusers.exe: lists all user accounts on a domain or server that
have been granted permission to dial in to the network.
Dumpel.exe: copy of the Event Viewer Logs.
Filemon: displays all file system activity in real time.
Regmon: displays all registry activity in real time.

32. Some of the tools for the collection of volatile data are
Tokenmon: displays logons, logoff, privilege usage and impersonation.
Handle: displays what files are open by which processes
ListDLLs: lists all Dynamic-link library (DLLs) that are currently loaded
including the version and the full path names of the loaded modules, etc.
Process Explorer: A tool that displays open files, object processes,
registry keys, DLLs and owners of object processes.
MD5sum: generates the checksum of a file and provides verification.
Fport: maps application processes to the NETWORK ports they listen
on.
TCPView: shows the endpoints of all open TCP and UDP
connections.
Cmd.exe: The command prompt for Win NT/2000

33. TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)

34. A lost cluster , A bad sector , The boot sector

35. There are three types of partitions: primary partitions,
extended partitions and logical drives.

36. First Incident Response A. Shut downed machines
Tag every connection and take photo.
Search for the physical evidence first.
Open and find out the storage device
Make enough documentation (serial no,
size, manufacturer of disk, etc.)
Seal it in a proper way and go for further
operations.

37. B. Live machines with no harmful
activity
Take a photo of current activity first.
Ensure that after shutting down the
system, it will not harm the
investigation.
Hibernate option will be beneficial so
after imaging we can directly resume
the system.
C. Live machine with harmful activity
going on (destroying data etc.)
Capture a snapshot
As soon as possible, remove the power
cord to avoid further damage.
Then start with imaging of the disk

39. In disk imaging, we make exact copies of storage devices or its partition and
then store it in a larger storage or directly burn it on another device.
integrity of the evidence : Several standard algorithms like MD5 (message-
digest algorithm) , SHA (Secure Hash Algorithm) etc
The different tools available for Imaging and Cloning are:
SOLO 4
Forensic Dossier
SuperSonix
WinHex
FTK Imager
EnCase Forensic Imager
Acronis True Image Home
CloneZilla
DriveImage XML V2.50,

40. Precautions for Disk Imaging
Cloning hardware has a built in write blocker so there is
no need to connect any additional write blocker hardware.
Original device is never connected directly to the
investigation machine; it may increase the possibility of
damage.
Source device should be used only once and that too for the
imaging only. For further requirements, replicas are made
from first copy.

41. the file system removes the file logically
(the meta-data and stamps). However, the file
still resides in the disk as a physical entity
until it is overwritten.
Retrieving cached files
The cache file of an
application can be searched
by using typical keywords
elated to the case or probable
websites
Software: Chrome cache
viewer
Retrieving files in unallocated
space
a deleted file can be searched
sequentially or structurally by
looking for file headers or extensions.
Metadatatools: Meta Viewer,
Metadata Analysis, iscrub
.

42. Social media Forensics

43. Type of Social Networking Platforms
Media Sharing Networks:
Social Networks
Discussion Forums
Bookmarking and Content Curation Networks
(E/S/E/D Trending content and media)

44. Consumer Review Networks
S/R/S reviews/opinions
Blogging and Publishing Networks
Sharing Economy Networks
Anonymous Social Networks

46. The Three Basic Stages of Social Media Forensics
Evidence
Identification :social
networking
victim/culprit
Collection
Examination
•Manual documentation
•Screen scrape/Screenshot
•Open source tools (HTTrack)
•Commercial tool (X1)
•Web service (Page freezer)
•Forensic recovery
•Content subpoena
social networking footprints (Facebook
Artifacts/Twitter Artifacts with
timestamp)

47. Email forensics investigation

48. capturing, securing and analyzing, and reporting
email evidence
 study the source and contents
of e-mail messages for evidence
identification of the actual
sender and recipient
date and time when it was sent,
etc.
also involves the investigation of
clients or server computers
suspected of being used or
misused to carry out e-mail
forgery.

49. Forensically important email parts
EMAIL HEADER
EMAIL HEADER

51. Forensically important email parts
EMAIL BODY

52. EMAIL ATTACHMENTS

53. EMAIL FORENSIC TOOLS
Various software tools have been developed to assist in e-
mail forensic investigation.
1.eMailTrackerPro (http://www.emailtrackerpro.com/)
2. EmailTracer (http://www.cyber forensics. in)
3.Adcomplain(http://www.rdrop.com/users/billmc/adcompla
in.html)
4. Aid4Mail Forensic(http://www.aid4mail.com/)
5. AbusePipe(http://www.datamystic.com/ abusepipe.html)
6.AccessData’s FTK (www.accessdata.com/)
7. EnCase Forensic (http://www.guidancesoftware.com)
8. FINALeMAIL(http://finaldata2. com)
9.SawmillGroupWise (http://www.sawmill.net)
10. Forensics Investigation Toolkit
(FIT)(http://www.edecision4u. com/FIT.html)
11.Paraben (Network) E-mail
Examiner(http://www.paraben.com/email-examiner.html) ;

55. Mobile devices can be used to save several types of personal information such as contacts, photos,
calendars and notes, SMS and MMS messages, video, email, web browsing information, location
information, and social networking messages and contacts.

56. • Storage capacity has increased
• mobile devices are used constantly evolve.
• Hibernation behavior

57. a) 802.11or WiFi :
MOBILE COMMUNICATION
b) Bluetooth:
Infrared(IrDA):

58. EVIDENCES IN A MOBILE DEVICE
Service provider logs
Subscriber identification module (SIM)
Mobile Logs
Phone books/contact lists
Text messages
Application files

59. MOBILE FORENSIC
PROCESS
Analysis
Acquisition
Seizure

60. Mobile devices can be isolated in many ways; the following ways can be
used to isolate a mobile on seizure
Isolating its wireless
features: By using a
Faraday bag or a jamming
device mobile phones can be
isolated to the network till
the battery drains
completely.
Switch off the device: This
method is fine however, on
switching on the phone lock
or sim lock can be activated
which can lead the phone
unusable.
Airplane mode: When the
"airplane mode" is activated, it will
disable all cellular services (GSM,
UMTS, LTE) as well as other signal-
transmitting technologies such as Wi-
Fi and Bluetooth. Wi-Fi and Bluetooth
can be enabled separately even while
the device is in airplane mode.

61. Mobile FORENSIC ACQUISITION TOOLS
There are two categories of forensics acquisition tools.
They are:
a) Hardware acquisition tools.
b) Software acquisition tools.
Acquisition involves:
 Identifying the type of cellular network
 Manufacture information is seen on the logo, serial number, and
manufacturing code (IMEI: international mobile equipment
identification)
 Phone characteristics such as Operating system, wireless access
mode, camera, manufacturer application, internet access methods,
messages etc.

62. Hardware acquisition tools
Faraday bag
SIM card reader
SIM card reader
read SIM and USIM cards
USB cable with a mini-USB connectio

63. Software acquisition tools.
a. www.MobileForensicsCentral.com
This website provides access to
a comprehensive database of
phones supported by various
software suppliers. A user of
the website can enter a model of
a phone and the site will return a
detailed report of which software
and cables support it, as well as
what information can be retrieved
from the device with the
software.

64. CELLDEK: The revolutionary celldek has been
developed in cooperation with the UK's
forensic science service. The portable celldek
acquires data from over 200 of the most
popular cell phones and PDAs. Built to
perform in the field (not just in the lab),
investigators can immediately gain access to
vital information, saving days of waiting for a
report from a crime lab.

65. Cell Seizure: Cell seizure allows you to acquire, analyze,
and report cell phone data for certain models of GsmSim
Cards, Nokia, Samsung, Motorola, Sony-Ericsson, Lg, And
Siemens cell phones.
It can also acquire data from CDMA/TDMA phones.
Designed for computer forensic examiners, cell seizure offers
complete forensic examinations that can be presented in court
with md5 & sha1 hash verification, write protection, HTML
reporting, and full data dumps on some models.

66. Mobilyze: Mobilyze is a mobile data triage tool,
designed to give users immediate access to data from
iOS and Android devices.

67. Oxygen Phone Manager II (Forensic
Version)5: A special software for police departments, law
enforcement units, and all government services that wish to
use the power of Oxygen Phone Manager II for investigation
purposes. The forensic edition secures phone data to remain
unchanged during extraction and exporting.
phonebook, call register, calendar, todo lists, SMS and MMS
messages, logos, tones, profiles, phone dictionary, FM
stations, Java games, and applications.

68. Paraben's SIM Card Seizure: SIM
card seizure includes the software as well as a forensic SIM
card reader.
Paraben's PDASeizure: Paraben's PDA seizure is a
commercially available forensic software toolkit that allows
forensic examiners to acquire and examine information on
PDAs for both the pocket pc (PPC) and palm OS
platforms HotSync.

69. The forensics toolkit: The forensics toolkit
gives today's law enforcement agencies the capability to safely
and confidently recover digital evidence from GSM SIM and 3G
USIM devices.

70. EVIDENCES IN A MOBILE DEVICE FOR ANALYSIS
Service provider logs
Subscriber identification module (SIM)
Mobile Logs
Phone books/contact lists
Text messages
Application files