Cyber forensics, also known as digital forensics, is the process of collecting, analysing, and storing digital evidence in order to investigate and prevent cybercrime. It entails the use of specialised techniques, tools, and processes to unearth critical information connected to security breaches, data theft, hacking, and other digital offences. Cyber forensics is critical in identifying culprits, reconstructing events, and producing legally admissible evidence for prosecution. It contributes to the protection of persons, organisations, and society as a whole by maintaining the integrity and security of digital environments.
Cyber forensics, or digital forensics, investigates and analyzes digital evidence related to cybercrimes. It involves collecting, preserving, and examining data from various sources like computers, mobile devices, networks, and online platforms. Cyber forensic specialists use specialized tools and techniques to identify perpetrators, reconstruct events, and provide legally admissible evidence. The field constantly evolves due to technological advancements and emerging cyber threats, requiring continuous learning and adaptation. Cyber forensics is vital for ensuring the integrity of digital environments, combating cyber crimes, and upholding the security of individuals and organizations.
https://lumiversesolutions.com/cyber-forensics/
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Download DOC word file from the links below:
Link 1: http://gestyy.com/eiT4WO
Link 2: http://fumacrom.com/RQUm
Disclaimer: The above doc file is for education purposes only.
Process of Digital Forensics
1. Identification
2. Preservation
3. Analysis
4. Presentation and Reporting
5. Disseminating the case
What is acquisition in digital forensics?
How to handle data acquisition in digital forensics
Types of Digital Forensics
- Disk Forensics
- Network Forensics
- Wireless Forensics
- Database Forensics
1. 2OEE6102: Cyber Security
Chapter 3
Cyber Forensics and Auditing
1. Reference Book:
- Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives by Nina Godbole and Sunit Belapure, Wiley
2. Lecture Materials
2. Forensics - The science of investigating compromised computer systems to understand
attacker tools, techniques, and procedures, and also to determine indicators of
compromise. Forensic investigation involves analyzing logs, files, and sometimes
program code to understand attacker activities and methods.
3. Cyber Crime
What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a computer
network or a networked device.
Most, but not all, cybercrime is committed by cybercriminals or hackers who want to
make money. Cybercrime is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically
skilled. Others are novice hackers.
Rarely, cybercrime aims to damage computers for reasons other than profit. These
could be political or personal.
4. What are the categories of cybercrime?
Individual:
This cybercrime category covers one person disseminating malicious or illegal
information via the internet and digital applications. Cyberstalking,
pornography distribution, and trafficking are a few examples of this category of
cybercrime.
Property:
This cybercrime is similar to a real-life incident where a criminal illegally holds
someone else's bank or credit card information. The hacker steals an individual's bank details to
acquire money or runs phishing scams online to obtain information from people.
Government:
It is the least frequent cybercrime, but it is the most serious misconduct. A cybercrime
against the government is also regarded as cyber terrorism. Government
cybercrime involves the hacking of websites (including military websites) or the distribution
of propaganda against the government.
5. Cybercrime
Cybercrimes are often classified as:
Internal Attacks:
Examples of internal attacks: espionage, theft of property, manipulation of records, and
computer virus attacks.
External Attacks:
Examples of external attacks: SQL injection attacks, brute-force cracking, fraud,
phishing/spoofing, denial of service attacks, and cyber defamation.
6. Types of cybercrime
Cyberespionage (Govt. or Company Data)
Crypto-jacking
Email and internet fraud.
Theft of financial/Card payment data.
Theft and sale of corporate data.
Ransomware attacks (Type of cyber extortion).
7. The Case 1: Insider Attack
At a research company, the Chief Information Security Officer (CISO) observed unusual activity by one worker: a piece of software (hacking tools) was found running, and a black screen with scrolling white text was seen on the worker's systems. The CISO decided to contact a forensic team.
8. The Investigation 1 :
The forensic team performed covert forensic imaging and examination of the suspect's laptop and desktop
computers.
The examination revealed several interesting facts.
The suspect had cracked the 'local' admin password on both of his computers and installed a key logger on each.
This was most likely done to find out whether someone had become suspicious and accessed his computer while he was away.
He would catch anyone trying to place any sort of monitoring software on either of his computers. For this
purpose, he deployed a potent detection mechanism to alert him if he was under investigation.
On his laptop, the suspect had installed various hacker tools (network sniffers, password crackers, network vulnerability
scanners, etc.) in addition to data scrubber software.
Initially, the laptop revealed no evidence of wrongdoing because of the data scrubber, which he
used periodically to wipe his hard drive.
Later, when the forensic team collected the network traffic and analyzed the logs, the truth was finally revealed: he had
successfully compromised the whole network and cracked all the other researchers' passwords.
He would periodically log in to the server, access other researchers' data and download it to his laptop to take it
home.
He would then delete the data from his laptop and run the scrubber software to eliminate any evidence that other
scientists' data had ever been present on his hard drive.
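The server-side log review that exposed the suspect, as an added example that is not part of the original slides: the file-server access log below is constructed in a made-up format, and the share layout /research/<owner>/ is an assumption; the check flags any account that downloads other researchers' data and reports on which days it happened.

```python
import re
from collections import defaultdict

# Constructed file-server access log for the insider scenario (a made-up format,
# not a real product's log). One event per line: time, account, source host,
# action, path and bytes transferred.
SAMPLE_LOG = """\
2023-03-01T22:14:03Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/jdoe/results.csv bytes=2048000
2023-03-01T22:15:11Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/akhan/model.h5 bytes=5120000
2023-03-02T09:02:44Z user=jdoe src=10.0.0.31 action=DOWNLOAD path=/research/jdoe/results.csv bytes=2048000
2023-03-02T09:10:00Z user=akhan src=10.0.0.40 action=UPLOAD path=/research/akhan/notes.txt bytes=1200
2023-03-08T22:31:09Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/jdoe/draft.docx bytes=310000
2023-03-08T22:33:50Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/akhan/dataset.zip bytes=90000000
2023-03-15T22:12:27Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/rsmith/own.csv bytes=500
2023-03-15T22:40:13Z user=rsmith src=10.0.0.25 action=DOWNLOAD path=/research/mlee/paper.pdf bytes=2200000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def owner_of(path: str):
    """Assumed share layout: /research/<owner>/... so the second path component
    names the researcher who owns the data. Returns None outside that share."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "research":
        return parts[1]
    return None


def find_cross_user_downloads(log_text: str) -> dict:
    """Per account, list the other researchers whose data it downloaded, how many
    downloads, how many bytes, and the distinct days on which it happened.
    Accounts that only touch their own directory do not appear in the result."""
    acc = defaultdict(lambda: {"victims": set(), "downloads": 0, "bytes": 0, "days": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DOWNLOAD":
            continue  # malformed line, or not a transfer out of the server
        owner = owner_of(m["path"])
        if owner is None or owner == m["user"]:
            continue  # outside the research share, or the account's own data
        e = acc[m["user"]]
        e["victims"].add(owner)
        e["downloads"] += 1
        e["bytes"] += int(m["bytes"])
        e["days"].add(m["ts"][:10])  # the date part of the ISO timestamp
    # Sorted lists instead of sets so the output is deterministic and printable.
    return {
        user: {
            "victims": sorted(e["victims"]),
            "downloads": e["downloads"],
            "bytes": e["bytes"],
            "days": sorted(e["days"]),
        }
        for user, e in acc.items()
    }


if __name__ == "__main__":
    for user, e in find_cross_user_downloads(SAMPLE_LOG).items():
        print(f"{user}: read data of {e['victims']} on {len(e['days'])} days, "
              f"{e['downloads']} downloads, {e['bytes']} bytes")
```

On the sample log only rsmith is reported, and the three dates a week apart are the periodic pattern the case describes.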
9. The Case 2: External Attack
ABC Bank (ABC) identified unauthorized wire transfers from their environment.
They needed to understand quickly when and how it happened, in order to mitigate
future attacks and notify affected customers.
ABC engaged the "Security Engineering Research Team" (SERT) to provide on-demand
critical incident response services.
The Result 2:
ABC could quickly notify only those customers affected by the attacks, avoiding
the need for a broader public disclosure of the incident.
Doing so reduced the overall cost of the incident and helped to preserve ABC's
reputation with customers who were not affected.
It also helped to stop additional fraudulent wire transfers from occurring.
10. The Investigation 2 :
SERT identified and provided a list of indicators of compromise to ABC and
assisted with investigations of their network infrastructure to identify additional
unauthorized remote administration or other attacker tools.
Because the attacker used the cloud to mask the attack, SERT wrote special tools to
analyze the multi-host command and control that the attacker used.
While reverse engineering malware identified during the attack, SERT experts pieced
together the precise methods the attacker used to obtain an initial foothold into the
ABC protected network. Analysis revealed not only findings from the present incident,
but also aspects of security and process recommendations ABC should consider
improving to prevent and detect future attacks.
In this case, SERT also found a SQL injection attack within a cloud application
used by ABC Bank that allowed controls to be bypassed.
11. Cyber Crime Investigation
Digital crime or cybercrime is a crime that involves the usage of a computer, phone or
any other digital device connected to a network.
Cybercrime investigation is the process of investigating, analysing and recovering
critical forensic digital data from the networks involved in the attack; this could be the
Internet and/or a local network.
Cybercrime investigators must be:
• Experts in computer science,
• Able to understand software, file systems and operating systems,
• Aware of how networks and hardware work.
They must be knowledgeable enough to:
• Determine how the interactions between these components occur,
• Get a full picture of what happened,
• Why it happened,
• When it happened,
• Who performed the cybercrime itself,
• And how victims can protect themselves in the future against these types of cyber threats.
12. Cyber Crime Investigation
Conduct the Initial Investigation
The investigator should ask the following questions:
• Who are the potential suspects?
• What crimes were committed?
• When were the crimes committed?
• Were these crimes limited to US jurisdiction?
• What evidence is there to collect?
• Where might the physical and digital evidence be located?
• What types of physical and digital evidence were involved with the crime?
• Does any of the evidence need to be photographed/preserved immediately?
• How can the evidence be preserved and maintained for court proceedings?
Who conducts cybercrime investigations?
• Criminal justice agencies
• National security agencies
• Private security agencies
13. Cybercrime investigation cases
Cybercrime investigation cases: Criminal, Civil, Administrative
Criminal
Investigators must follow the set of standard forensic processes accepted by law in the
respective jurisdiction.
Investigators, under a court's warrant, have the authority to forcibly seize the computing
devices.
A formal investigation report is required.
The law enforcement agencies are responsible for collecting and analyzing evidence.
The standard of proof needs to be very high.
It is difficult to capture certain evidence, e.g., evidence from GPS devices.
14. Cybercrime investigation cases
Cybercrime investigation cases: Criminal, Civil, Administrative
Civil
Investigators try to show some information to the opposite party to support the claims
and induce them to settle.
Searching of the devices is generally based on mutual understanding and provides a
wider time window for the opposite party to hide the evidence.
The initial reporting of the evidence is generally informal.
The claimant is responsible for the collection and analysis of the evidence.
Punishments include monetary compensation.
Sometimes, evidence can be within a third party's control.
15. Cybercrime investigation cases
Cybercrime investigation cases: Criminal, Civil, Administrative
Administrative
Generally involves an agency or government performing inquiries to identify facts with
reference to its own management and performance.
Such investigations are non-criminal in nature and are related to misconduct or
activities of an employee that include but are not limited to:
• Violation of the organization's policies, rules or protocols
• Resource misuse, damage or theft
• Threatening or violent behavior
• Improper promotion or pay rises.
Any violation may result in disciplinary action such as demotion, suspension,
revocation, penalties, and dismissal.
For situations like promotions, increments, transfers, etc., administrative investigations
can result in positive outcomes, like modifications to existing policies, rules, or
protocols.
16. Cybercrime investigation techniques
Background check:
Creating and defining the background of the crime with known facts will help
investigators set a starting point to establish what they are facing, and how much
information they have when handling the initial cybercrime report.
Information gathering:
One of the most important things any cybersecurity researcher must do is grab as
much information as possible about the incident.
Tracking and identifying the authors:
This next step is sometimes performed during the information-gathering process,
depending on how much information is already in hand.
Digital forensics:
Once researchers have collected enough data about the cybercrime, it’s time to
examine the digital systems that were affected, or those supposed to be involved in
the origin of the attack.
17. Steps of Forensic Investigation
• An incident occurs in a company or organization.
• The employees or members contact the company's advocate for legal advice.
• The advocate contacts a cyber forensics investigator (external or internal).
• The forensic investigator arrives and prepares the FRP, i.e., First Response Procedure
documentation.
• The investigator then seizes the evidence and other assets related to the crime scene and
transports them to a forensics lab.
• He/she starts analysing the files and other assets.
• All the data is examined item by item, and the person or group of people
associated with the incident are contacted.
• A report is produced that concludes the investigation, in which all the analyses are
written up and explained.
• The report is then handed to the organization's legal authorities.
• The legal authority goes through the report(s) and presses charges against the
offender in a court of law.
• The forensic investigator deletes all the data once the entire case is closed.
18. Challenges cyber crimes present to Investigators
Cyber crimes pose new challenges because of
Speed
Anonymity
Volatile nature of Evidence
Evidence Size and Complexity
Anti-Digital Forensics
Global origin and difference in laws
Limited legal understanding
19. Cyber Forensics (Computer Forensics / Digital Forensics)
Cyber forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law.
The goal of cyber forensics is to perform a structured investigation and maintain a
documented chain of evidence to find out exactly what happened on a computing device
and who was responsible for it.
Computer Forensics - A set of methodological procedures and techniques that help
identify, gather, preserve, extract, interpret, document, and present evidence from
computers in a way that is legally admissible.
20. Computer forensics -- which is sometimes referred to as computer forensic
science -- essentially is data recovery with legal compliance guidelines to make
the information admissible in legal proceedings. The terms digital
forensics and cyber forensics are often used as synonyms for computer
forensics.
Digital forensics starts with the collection of information in a way that
maintains its integrity. Investigators then analyze the data or system to
determine if it was changed, how it was changed and who made the changes.
The use of computer forensics isn't always tied to a crime. The forensic process
is also used as part of data recovery processes to gather data from a crashed
server, failed drive, reformatted operating system (OS) or other situation where
a system has unexpectedly stopped working.
21. Cyber forensics plays a key role in the investigation of cybercrime. Evidence in the case of
cyber forensics is extremely important from a legal perspective. There are legal aspects
involved in the investigation as well as in the handling of the digital forensic evidence. Only
technically trained and experienced experts should be involved in the forensics
activities.
22. WHAT IS COMPUTER FORENSICS?
Computer forensics is the process of methodically examining
computer media (hard disks, diskettes, tapes, etc.) for evidence. In
other words, computer forensics is the collection, preservation,
analysis, and presentation of computer-related evidence.
Computer forensics is also referred to as computer forensic analysis,
electronic discovery, electronic evidence discovery, digital discovery,
data recovery, data discovery, computer analysis, and computer
examination.
Computer evidence can be useful in criminal cases, civil disputes,
and human resources/ employment proceedings.
23. Objectives of Computer Forensics
Identify, gather, and preserve the evidence of a cybercrime
Track and prosecute the perpetrators in a court of law
Interpret, document and present the evidence to be admissible during prosecution
Estimate the potential impact of a malicious activity on the victim and assess the intent
of the perpetrator
Find vulnerabilities and security loopholes that help attackers
Understand the techniques and methods used by attackers to avoid prosecution, and
overcome them
Recover deleted files, hidden files, and temporary data that could be used as evidence
Perform incident response to prevent further loss of intellectual property, finances and
reputation during an attack
24. USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
Computer forensics assists in Law Enforcement. This can include:
Recovering deleted files such as documents, graphics, and photos.
Searching unallocated space on the hard drive, places where an
abundance of data often resides.
Tracing artifacts, those tidbits of data left behind by the operating
system. Our experts know how to find these artifacts and, more
importantly, they know how to evaluate the value of the information
they find.
25. USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT
Processing hidden files — files that are not visible or accessible
to the user — that contain past usage information. Often, this
process requires reconstructing and analyzing the date codes for
each file and determining when each file was created, last
modified, last accessed and when deleted.
Running a string-search for e-mail, when no e-mail client is
obvious.
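The string search for e-mail artifacts described above, as an added example that is not from the original slides: the Python below scans a constructed raw image, including its unallocated region, for e-mail address patterns stored as ASCII or as UTF-16LE (common in Windows artifacts), and reports the byte offset and region of each hit; the image layout, the addresses and the unallocated boundary are all constructed for the example.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int      # byte offset of the match within the image
    encoding: str    # "ascii" or "utf-16le"
    address: str


# Triage patterns, not RFC 5322 validation: local-part@label(.label)+.tld
_ASCII_RE = re.compile(rb"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
# Same characters as UTF-16LE: every ASCII byte is followed by a NUL byte, so a
# plain ASCII search would miss these strings entirely.
_UTF16_RE = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:(?:[A-Za-z0-9-]\x00)+\.\x00)+(?:[A-Za-z]\x00){2,}"
)

# Constructed layout: the first 4 KiB stand in for allocated file data, the rest
# for unallocated space that once held a deleted message.
UNALLOCATED_START = 4096
LIVE = b"Quarterly report. Contact alice@example.com for questions.\n"


def build_sample_image() -> bytes:
    """Return a constructed 8 KiB 'disk image' with one live address, one address
    left behind in unallocated space, and one UTF-16LE address."""
    image = bytearray(8192)                       # zero-filled media
    image[0:len(LIVE)] = LIVE
    deleted = b"From: hidden@example.org\r\nSubject: old mail\r\n"
    start = UNALLOCATED_START + 100
    image[start:start + len(deleted)] = deleted   # remnant of a deleted e-mail
    wide = "wide@example.net".encode("utf-16le")
    image[6000:6000 + len(wide)] = wide           # e.g. a registry or MRU value
    return bytes(image)


def region_of(offset: int) -> str:
    """Label an offset by the constructed allocation boundary."""
    return "allocated" if offset < UNALLOCATED_START else "unallocated"


def carve_email_addresses(image: bytes) -> List[Hit]:
    """Scan raw bytes (file system structure is ignored on purpose, so deleted and
    slack data are searched too) and return every address with its offset."""
    hits = []
    for m in _ASCII_RE.finditer(image):
        hits.append(Hit(m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_RE.finditer(image):
        hits.append(Hit(m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(hits)  # by offset, so the report follows the media layout


if __name__ == "__main__":
    for h in carve_email_addresses(build_sample_image()):
        print(f"0x{h.offset:08x} {region_of(h.offset):<11} {h.encoding:<8} {h.address}")
```

Replace build_sample_image() with the bytes of a real image (read in chunks with overlap for large media) to run the same search on actual evidence; the offsets then feed the examiner's report.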
26. COMPUTER FORENSICS SERVICES
Computer forensics professionals should be able to successfully perform complex evidence
recovery procedures with the skill and expertise that lends credibility to your case. For
example, they should be able to perform the following services:
1. DATA SEIZURE
Following federal guidelines, computer forensics experts should act as the representative,
using their knowledge of data storage technologies to track down evidence.
The experts should also be able to assist officials during the equipment seizure process.
2. DATA DUPLICATION/PRESERVATION
When one party must seize data from another, two concerns must be addressed:
• the data must not be altered in any way;
• the seizure must not put an undue burden on the responding party.
The computer forensics experts should address both of these concerns by making an
exact duplicate of the needed data.
When experts work on the duplicate, the integrity of the original is maintained.
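The duplication step described here, and the collection-with-integrity point made in slide 20, as an added example that is not the slides' own code: the Python below copies a source to an image file, hashes the source before and after the copy and hashes the image, and refuses the image if the three SHA-256 values disagree; the record it returns is the kind of entry that goes into the chain-of-custody documentation. The examiner name and paths are placeholders, and a real acquisition would read the source through a write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy 1 MiB at a time; media need not fit in memory


def sha256_file(path: str) -> str:
    """Streamed SHA-256 of a file or block device."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str, examiner: str) -> dict:
    """Bit-for-bit copy of `source` to `image` with integrity evidence.
    Source is hashed before and after the copy (the original must be unchanged)
    and the image is hashed (the duplicate must match). All three must agree."""
    started = datetime.now(timezone.utc).isoformat()
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    after = sha256_file(source)
    image_hash = sha256_file(image)
    if not (before == after == image_hash):
        os.remove(image)  # never hand an unverified duplicate to an examiner
        raise RuntimeError("hash mismatch: acquisition failed")
    return {
        "source": source,
        "image": image,
        "examiner": examiner,
        "acquired_at": started,
        "size_bytes": os.path.getsize(image),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "sha256": image_hash,
    }


def verify_image(image: str, record: dict) -> bool:
    """Re-hash the image later (before analysis, or in court) against the record."""
    return sha256_file(image) == record["sha256"]


def demo() -> dict:
    """Self-contained run on a constructed 3 MiB 'drive' in a temp directory,
    including the failure mode: a one-byte change to the image is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_drive.bin")   # placeholder path
        image = os.path.join(tmp, "evidence_drive.dd")     # placeholder path
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))        # constructed content
        record = acquire_image(source, image, examiner="Examiner Name (placeholder)")
        intact = verify_image(image, record)
        with open(image, "r+b") as f:                      # simulate tampering
            f.seek(1000)
            f.write(b"\xff")
        after_tamper = verify_image(image, record)
        return {"record": record, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    result = demo()
    print("image sha256:", result["record"]["sha256"])
    print("verified:", result["intact"], "after tamper:", result["after_tamper"])
```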
27. COMPUTER FORENSICS SERVICES
3. DATA RECOVERY
Using proprietary tools, your computer forensics experts should be able to safely
recover and analyze otherwise inaccessible evidence.
The ability to recover lost evidence is made possible by the expert’s advanced
understanding of storage technologies.
4. DOCUMENT SEARCHES
Computer forensics experts should also be able to search over 200,000 electronic
documents in seconds rather than hours.
The speed and efficiency of these searches make the discovery process less complicated
and less intrusive to all parties involved.
5. MEDIA CONVERSION
Computer forensics experts should extract the relevant data from old and unreadable
devices, convert it into readable formats, and place it onto new storage media for
analysis.
28. COMPUTER FORENSICS SERVICES
6. EXPERT WITNESS SERVICES
Computer forensics experts should be able to explain complex technical processes in an
easy-to-understand fashion.
This should help judges and juries comprehend how computer evidence is found, what it
consists of, and how it is relevant to a specific situation.
29. The main aim of cyber forensics is to maintain the thread of evidence and
documentation in order to find out who committed the crime digitally. Cyber forensics can do the
following:
• It can recover deleted files, chat logs, emails, etc.
• It can also recover deleted SMS messages and phone call records.
• It can obtain recorded audio of phone conversations.
• It can determine which user used which system and for how long.
• It can identify which user ran which program.
30. Incident handling
Another essential term often used in cybersecurity and forensics is incident handling.
Computer security incidents are real or suspected adverse events involving computer
networks, cybersecurity, or cybercrime.
Organizations employ forensic investigators or internal cybersecurity professionals,
known as incident handlers, to deal with such events and incidents.
Incidents are categorized into three types:
• Low-level incidents: the impact of the cybercrime is low.
• Mid-level incidents: the impact of the cybercrime is comparatively high, and security
professionals are needed to handle the situation.
• High-level incidents: the impact of the cybercrime is the most serious; security
professionals are needed to handle the situation and forensic investigators to
analyze the scenario.
31. Digital forensics is the process that deals with the recovery and investigation of
data that is stored on digital devices. It also pertains to the hardware and
software tools that experts use to retrieve the data without loss. In this lesson,
we will discuss data storage devices, what these devices are, how they are used,
and the benefits of each separately in digital forensics.
32. Objectives of computer forensics
Here are the essential objectives of computer forensics:
• Recovering, analyzing, and preserving computers and related materials in such a
manner that the investigating agency can present them as evidence in a court of
law.
• Helping to postulate the motive behind the crime and the identity of the main culprit.
• Designing procedures at a suspected crime scene that help ensure the digital
evidence obtained is not corrupted.
• Data acquisition and duplication: recovering deleted files and deleted partitions from
digital media to extract the evidence and validate it.
• Identifying the evidence quickly, and estimating the potential impact of the
malicious activity on the victim.
• Producing a computer forensic report that fully documents the investigation
process.
• Preserving the evidence by following the chain of custody.
33. Data Forensics Introduction
Forensic technologies are designed to prepare and extract evidence from
computer systems. Any devices that store data (e.g. computers, laptops,
smartphones, memory cards or external hard drives) are within the ambit of
digital forensics. The forensics process is outlined as follows:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
34. Identification
It is the first step in the forensic process. The identification process mainly includes things like what
evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, mobile phones, PDAs, etc.
Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital
device so that digital evidence is not tampered with.
Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on evidence
found. However, it might take numerous iterations of examination to support a specific crime theory.
Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime scene and
reviewing it. It involves proper documentation of the crime scene along with photographing, sketching,
and crime-scene mapping.
Presentation
In this last step, the process of summarization and explanation of conclusions is done.
36. The two basic types of data that are collected in computer forensics are:
• Persistent data: data stored on a local hard drive (or another device), which is preserved
when the computer is turned off.
• Volatile data: data that is stored in memory and lost when the computer loses power.
To handle this data, forensics relies on experts in operating systems and file systems, data
recovery, cloud computing, and more.
They analyze hard disks or hard-disk images from a variety of different operating systems and
provide an interface so that files can be analyzed, and so that information or data gathered in
electronic format is extremely easy to extract and store.
37. Forensics & Storage Devices
Solid State Disks (SSDs)
Solid State Disks (SSDs) store data in flash-memory chips (called NAND flash
memory).
There are no moving parts to break, and data is stored electronically, not
magnetically. The advantages of SSDs are their smaller size, lower weight, and lower
power usage compared with hard disks. They come in many different shapes depending
on chip count and how those chips are arranged.
They are more expensive, but faster at reading and writing data. One drawback is
that there are no warning signs when a total drive failure is about to occur.
They are a suitable replacement for hard drives in desktop and laptop computers.
Traditional forensic methods fail when attempting to recover information deleted
from SSDs (the drive's own controller may erase freed blocks in the background, so
deleted data does not linger the way it does on magnetic disks), so new methods
have been developed.
38. Forensics & Storage Devices
Magnetic Media
Magnetic media store data on a magnetized medium. There are three types of
storage devices in this area: floppy disks, magnetic tapes, and hard drives (below).
• Floppy disks: These devices contain soft magnetic disks used for data
transfer, storage and backup of small amounts of data. An important
disadvantage is that they can be affected by heat, dust and magnetic fields.
Floppy disks have been largely replaced by flash memory, optical disks, and
external hard drives.
• Magnetic tapes: These devices are similar to an audio cassette tape. They are
well suited for archiving because of their high capacity, low cost and long
durability. Compared to a hard disk, they are very slow: you can only get to
data by winding through the tape. Data is written to magnetic tapes mostly for
long-term storage. Because data is stored magnetically, care must be taken
to keep tapes away from all types of magnetic fields. They differ in the way
that data is retrieved because they must be read in a linear fashion, from the
start of the tape through to the end of the tape. This drastically increases the
time it takes to make a forensic recovery.
39. Forensics & Storage Devices
Hard drives: These devices contain hard magnetic platters that store and
retrieve digital information.
They are more widely available and affordable than SSDs and offer the largest
capacity. One drawback is that they consume more power and produce more noise
while in operation than SSDs do. Because of their movable, mechanical parts, a
hard drive is vulnerable to damage when shaken or dropped.
Data resides on these disks even after the power supply is turned off.
Information from hard drives may be recoverable using data
carving techniques or by using a commercial data recovery tool.
Another forensic recovery method is to clone a hard drive to an image file.
This is more practical, but it depends on the size of the source hard drive and
the equipment used.
40. Forensics & Storage Devices
Digital Audio Tapes
DAT (Digital Audio Tape) is a cassette-based recording and playback medium. It is
similar to a compact cassette, but with one main difference: earlier tapes were
analog, whereas DAT is digital. Unlike standard tapes, digital tapes record in only
one direction. DAT can record at multiple sampling rates, which may be higher or
lower than that of a CD. Consumers received it rather casually, and its market
produced only moderate revenue.
41. Guide to Computer Forensics and Investigations 41
Understanding Storage Formats for Digital Evidence
Three formats:
  Raw format
  Proprietary formats
  Advanced Forensics Format (AFF)
42. Raw Format
Makes it possible to write bit-stream data to files
Advantages:
  Fast data transfers
  Can ignore minor data read errors on source drive
  Most computer forensics tools can read raw format
Disadvantages:
  Requires as much storage as original disk or data
  Tools might not collect marginal (bad) sectors
43. Proprietary Formats
Features offered:
  Option to compress or not compress image files
  Can split an image into smaller segmented files
  Can integrate metadata into the image file
Disadvantages:
  Inability to share an image between different tools
  File size limitation for each segmented volume
44. Advanced Forensics Format
Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
Design goals:
  Provide compressed or uncompressed image files
  No size restriction for disk-to-image files
  Provide space in the image file or segmented files for metadata
  Simple design with extensibility
  Open source for multiple platforms and OSs
45. Advanced Forensics Format (continued)
Design goals (continued):
  Internal consistency checks for self-authentication
  File extensions include .afd for segmented image files and .afm for AFF metadata
  AFF is open source
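To make the format features above concrete, here is an added Python example, a constructed toy container rather than AFF or any vendor's format, showing what "segmented files", "integrated metadata", "compressed or uncompressed" and "internal consistency checks" mean in practice: a raw image is split into fixed-size segments, each optionally zlib-compressed and paired with the SHA-256 of its uncompressed bytes; a metadata record carries case fields plus the whole-image hash; and reassembly refuses to proceed when any segment or the whole image fails its check. The segment size, field names and case identifiers are placeholders chosen for the example.

```python
import hashlib
import zlib

SEGMENT_SIZE = 1024  # deliberately tiny; real tools use segments of hundreds of MB


def make_segments(image_bytes, case_metadata, compress=True, segment_size=SEGMENT_SIZE):
    """Split raw image bytes into segments, each carrying its own SHA-256, and build a
    metadata record for the whole image. Constructed toy layout, not AFF or E01."""
    segments = []
    for index, start in enumerate(range(0, len(image_bytes), segment_size)):
        raw = image_bytes[start:start + segment_size]
        segments.append({
            "index": index,
            "raw_len": len(raw),
            "raw_sha256": hashlib.sha256(raw).hexdigest(),  # hash of the uncompressed bytes
            "compressed": compress,
            "payload": zlib.compress(raw) if compress else raw,  # lossless, so bit-for-bit recoverable
        })
    metadata = dict(case_metadata)  # examiner-supplied fields live next to the image, not in it
    metadata.update({
        "image_len": len(image_bytes),
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
        "segment_count": len(segments),
        "segment_size": segment_size,
    })
    return metadata, segments


def reassemble(metadata, segments):
    """Rebuild the image, checking every segment and then the whole against the stored
    hashes. Raises ValueError (or zlib.error for undecodable data) on the first failure."""
    if len(segments) != metadata["segment_count"]:
        raise ValueError("segment count mismatch")
    out = bytearray()
    for expected, seg in enumerate(sorted(segments, key=lambda s: s["index"])):
        if seg["index"] != expected:
            raise ValueError(f"missing segment {expected}")
        raw = zlib.decompress(seg["payload"]) if seg["compressed"] else seg["payload"]
        if len(raw) != seg["raw_len"] or hashlib.sha256(raw).hexdigest() != seg["raw_sha256"]:
            raise ValueError(f"segment {seg['index']} failed its consistency check")
        out += raw
    if hashlib.sha256(out).hexdigest() != metadata["image_sha256"]:
        raise ValueError("whole-image hash mismatch")
    return bytes(out)


def demo(corrupt_segment=None, compress=True):
    """Round-trip a constructed image; optionally flip one byte in a segment's payload
    to simulate a bad copy or bit rot. Returns 'ok', 'mismatch' or 'integrity failure'."""
    image = b"\x00" * 700 + b"constructed sample sector data " * 40 + bytes(range(256)) * 3
    case = {"case_id": "CASE-PLACEHOLDER", "examiner": "examiner-placeholder"}
    meta, segs = make_segments(image, case, compress=compress)
    if corrupt_segment is not None:
        payload = bytearray(segs[corrupt_segment]["payload"])
        payload[len(payload) // 2] ^= 0x01
        segs[corrupt_segment]["payload"] = bytes(payload)
    try:
        return "ok" if reassemble(meta, segs) == image else "mismatch"
    except (ValueError, zlib.error):
        return "integrity failure"


if __name__ == "__main__":
    print(demo(), demo(corrupt_segment=1, compress=False))
```

Per-segment hashes are what let an examiner say which segment of a multi-gigabyte image is bad instead of only that "the image" no longer verifies, and storing the hash of the uncompressed bytes keeps verification independent of the compression choice.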
46. Determining the Best Acquisition Method
Types of acquisitions:
  Static acquisitions and live acquisitions
Four methods:
  Bit-stream disk-to-image file
  Bit-stream disk-to-disk
  Logical disk-to-disk or disk-to-disk data
  Sparse data copy of a file or folder
47. Determining the Best Acquisition Method (continued)
Bit-stream disk-to-image file:
  Most common method
  Can make more than one copy
  Copies are bit-for-bit replications of the original drive
  Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk:
  When disk-to-image copy is not possible
  Consider disk's geometry configuration
  Tools: EnCase, SafeBack, SnapCopy
48. Determining the Best Acquisition Method (continued)
Logical acquisition or sparse acquisition:
  When your time is limited
  Logical acquisition captures only specific files of interest to the case
  Sparse acquisition also collects fragments of unallocated (deleted) data
  For large disks, e.g. PST or OST mail files, RAID servers
49. Determining the Best Acquisition Method (continued)
When making a copy, consider:
  Size of the source disk
    Lossless compression might be useful
    Use digital signatures for verification
    When working with large drives, an alternative is using tape backup systems
  Whether you can retain the disk
50. Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file:
  Make at least two images of digital evidence
  Use different tools or techniques
Copy the host protected area of a disk drive as well:
  Consider using a hardware acquisition tool that can access the drive at the BIOS level
Be prepared to deal with encrypted drives:
  Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
51. Using Acquisition Tools
Acquisition tools for Windows
  Advantages:
    Make acquiring evidence from a suspect drive more convenient
    Especially when used with hot-swappable devices
  Disadvantages:
    Must protect acquired data with a well-tested write-blocking hardware device
    Tools can't acquire data from a disk's host protected area
52. WHY INVESTIGATE A CYBERCRIME?
Conducting a cyber investigation may be initiated for many
reasons and not just to find out who the bad guy is and
prosecute them. Some reasons include identifying where the
weaknesses in systems are, how they were exploited, how to
tighten security, and developing training packages for staff to
make them more aware of cyber safety.
Clients who have their data stolen may want answers as to the
severity of the attack, and should the data stolen belong to
another party, there is the potential for the process of taking
legal action to follow.
A final reason is that cyber insurers may want to know whether
there were security failures that allowed the attack to occur or if
system flaws magnified the attack.
53. THE CYBER INVESTIGATOR
The role of the cyber investigator is different from that of the IR (Incident
Response) team. The investigator is like the detective at the homicide
scene. The lead detective directs the investigation, including tasking
experts to perform photography, scientific examination, area inquiries,
forensic examination of exhibits, ballistic examination, interviews, and so
on at the scene.
The investigator does not have to be an expert in each of these fields, but
they must understand the role of each expert, be able to direct the experts,
and be able to understand the relevance of the evidence each produces,
which will then lead to further lines of inquiry.
Whereas on television a cyber investigator may be an expert on everything
digital they see and touch, in a real-world investigation this is not even
close to reality. There is just too much technology: it is constantly changing
and no one person is an expert on everything.
54. Role of forensics Investigator
The forensics investigator is the person initially responsible for examining the
“captured” evidence from the scene of the incident or event.
The investigator documents the various types of data captured, provides the research
on the parameters and technical specifications of the data storage devices, and details
the types and locations of the various data components of the evidence as it is
presented to him by the data capture specialist identified above.
The forensics investigator needs to have “expert-level” skills and technical knowledge
for:
1. The operating system under review
2. The application and its data structures under review
3. The hardware and machines under review
4. Any databases being reviewed for data
5. The network appliances and devices and their data
55. Role of forensics Investigator
The basic steps for the forensics investigator process include:
1. Record how the data was acquired from the suspect drive or dataset.
2. Process the data methodically and logically.
3. List all folders and files on the image or drive.
4. If possible, examine the contents of all data files in all folders, starting at the root
directory of the volume partition.
5. For all password-protected files that might be related to the investigation, make a best
effort to recover file contents.
6. Identify the function of every executable (binary or .exe) file that doesn’t match known
hash values.
7. Maintain control of all evidence and findings, and document everything as the
examination is conducted.
8. Document every step, and the reason for each step, of the examination.
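The listing, hashing and triage steps above (steps 3, 6 and 7) as an added Python example, not code from the original slides. It walks a constructed directory tree standing in for a mounted image, records path, size, last-modified time and SHA-256 for every file, flags executables whose hash is absent from a known-good set, and appends each action to an examination log kept off the image. The known-good set is derived from the sample files here; in practice it would come from a reference hash set such as NIST's NSRL. Paths and file contents are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".bin"}


def file_sha256(path):
    # small sample files, so reading whole files is fine here
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def inventory(root):
    """Step 3: list every file under the (mounted, read-only) image root with
    size, last-modified time and SHA-256. Sorted so two runs give the same order."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": file_sha256(path),
            })
    return entries


def triage_executables(entries, known_hashes):
    """Step 6: executables whose hash is not in the known set still need their
    function identified; everything matching a known hash can be set aside."""
    return [e["path"] for e in entries
            if os.path.splitext(e["path"])[1].lower() in EXECUTABLE_EXTENSIONS
            and e["sha256"] not in known_hashes]


def log_step(log_path, step, detail):
    """Step 7: every action goes into the examination log as it happens."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(),
             "step": step, "detail": detail}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")


def demo():
    """Build a constructed tree standing in for a mounted image and run the steps.
    Returns (number of files inventoried, executables not matching known hashes)."""
    root = tempfile.mkdtemp()
    sample_files = {  # constructed contents, not real binaries
        "Windows/notepad.exe": b"MZ constructed known-good program",
        "Windows/Temp/updater.exe": b"MZ constructed program of unknown origin",
        "Users/alice/notes.txt": b"meeting at noon",
        "Users/alice/report.docx": b"PK constructed document",
    }
    for rel, data in sample_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # known-good set: derived from the sample here; a reference hash set in practice
    known = {hashlib.sha256(sample_files["Windows/notepad.exe"]).hexdigest()}
    entries = inventory(root)
    unknown = triage_executables(entries, known)
    log_path = os.path.join(tempfile.mkdtemp(), "examination.log")  # never write onto the image
    log_step(log_path, "inventory", f"{len(entries)} files listed and hashed")
    log_step(log_path, "triage", f"executables not matching known hashes: {unknown}")
    return len(entries), unknown


if __name__ == "__main__":
    print(demo())
```

Matching by extension is only a first cut; a real examination would also check file headers, since an executable can be renamed to hide from an extension filter, and the hash comparison is what carries the weight.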
56. Types of computer forensics
There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
Network forensics:
This involves monitoring and analyzing the network traffic to and from the criminal's
network. The tools used here are network intrusion detection systems and other
automated tools.
Email forensics:
In this type of forensics, the experts examine the criminal's email and recover deleted
email threads to extract crucial information related to the case.
Malware forensics:
This branch of forensics deals with hacking-related crimes. Here, the forensics expert
examines malware such as trojans to identify the hacker behind it.
57. Types of computer forensics
Memory forensics:
• This branch of forensics deals with collecting data from memory (cache,
RAM, etc.) in raw form and then retrieving information from that data.
Mobile Phone forensics:
This branch of forensics generally deals with mobile phones. They examine and
analyze data from the mobile phone.
Database forensics:
This branch of forensics examines and analyzes the data from databases and their
related metadata.
Disk forensics:
This branch of forensics extracts data from storage media by searching
modified, active, or deleted files.
58. Techniques that cyber forensic investigators use
Cyber forensic investigators use various techniques and tools to examine the data and
some of the commonly used techniques are:
Reverse steganography:
Steganography is a method of hiding important data inside the digital file, image, etc. So,
cyber forensic experts do reverse steganography to analyze the data and find a relation
with the case.
Stochastic forensics:
In Stochastic forensics, the experts analyze and reconstruct digital activity without using
digital artifacts. Here, artifacts mean unintended alterations of data that occur from
digital processes.
59. Cross-drive analysis:
In this process, the information found on multiple computer drives is correlated and
cross-referenced to analyze and preserve information that is relevant to the investigation.
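Cross-drive analysis as an added Python example (not from the original slides; it also covers the string search for e-mail mentioned at the start of this section): a regular expression pulls e-mail addresses straight out of raw bytes, so no file system or mail client needs to be recognised first, and the addresses are then correlated across three constructed drive images, keeping only those that turn up on more than one drive. The drive labels and contents are constructed sample data.

```python
import re
from collections import defaultdict

# Good-enough address pattern for a string search over raw bytes (not a full RFC 5322 parser)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(raw):
    """String-search style extraction: works on slack space, unallocated space and
    mail fragments alike because it never relies on file system structure."""
    return {m.group(0).decode("ascii", "replace").lower() for m in EMAIL_RE.finditer(raw)}


def cross_drive_correlate(images):
    """images: dict drive_label -> raw bytes. Returns identifier -> sorted drive labels,
    keeping only identifiers seen on two or more drives (the cross-drive signal)."""
    seen = defaultdict(set)
    for label, raw in images.items():
        for ident in extract_emails(raw):
            seen[ident].add(label)
    return {ident: sorted(labels) for ident, labels in seen.items() if len(labels) >= 2}


def demo():
    """Three constructed drive images: a mail fragment in slack space, a contacts list,
    and a partially overwritten sent-items trace with non-text bytes around it."""
    images = {
        "drive_A": b"\x00\x00From: alice@example.org\r\nTo: bob@example.net\r\n\x00garbage",
        "drive_B": b"contacts.csv\x00Bob,bob@example.net\nCarol,carol@example.com\n",
        "drive_C": b"\xff\xfeSent by ALICE@example.org at 09:12\x00\x00dave@example.com",
    }
    return cross_drive_correlate(images)


if __name__ == "__main__":
    for ident, drives in demo().items():
        print(ident, "->", ", ".join(drives))
```

Lower-casing before correlation matters: the same mailbox written as ALICE@example.org on one drive and alice@example.org on another is one identifier, not two.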
Live analysis:
In this technique, the criminal's computer is analyzed from within the running operating
system. It targets the volatile data in RAM to obtain valuable information.
Deleted file recovery:
This includes searching memory and storage for fragments of a partially deleted file in order to
recover it for evidence purposes.
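Deleted file recovery by data carving (also the "data carving techniques" mentioned for hard drives earlier) as an added Python example, not code from the original slides. Once a file's directory entry is gone, the only way to find it is by its content, so the carver scans the raw image for known header/footer byte signatures and cuts out everything in between. The image is a constructed byte string containing a complete JPEG whose directory entry is "gone", a truncated JPEG with no footer (which must be skipped, not carved as a runaway file), and a PNG in unallocated space; the signatures are the real JPEG and PNG markers, the size cap is an assumption.

```python
# (header, footer) byte signatures; these are the genuine JPEG and PNG markers
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 10 * 1024 * 1024  # assumed cap: stop looking for a footer beyond this distance


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for header/footer pairs; return [(type, offset, data)] sorted by
    offset. A header with no footer within MAX_FILE is skipped rather than carved."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + MAX_FILE)
            if end == -1:
                pos = start + 1  # truncated or overwritten file: move past this header
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def demo():
    """Carve a constructed raw image and return (type, offset, length) for each hit."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + b"\x10" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 20 + b"IEND\xaeB`\x82"
    image = (
        b"\x00" * 512 + b"FAT32 dir entries..." + b"\x00" * 200  # allocated area (constructed)
        + jpeg                 # deleted JPEG: data intact, directory entry gone
        + b"\xab" * 300        # unrelated data
        + jpeg[:20]            # JPEG whose tail was overwritten: header only
        + b"\x00" * 100
        + png                  # PNG sitting in unallocated space
        + b"\x00" * 64
    )
    return [(ftype, offset, len(data)) for ftype, offset, data in carve(image)]


if __name__ == "__main__":
    print(demo())
```

Header/footer carving recovers only contiguous files; a fragmented file needs the more elaborate techniques the slides call "new methods", and carved output should itself be hashed and logged like any other evidence.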
60. What are the required set of skills needed to be a cyber
forensic expert?
The following skills are required to be a cyber forensic expert:
Cyber forensics is based on technology, so knowledge of various technologies,
computers, mobile phones, network hacks, security breaches, etc. is required.
The expert should be very attentive while examining a large amount of data to identify
proof/evidence.
The expert must be aware of criminal law, criminal investigation procedure, etc.
As we know, over time technology always changes, so the experts must be updated with
the latest technology.
Cyber forensic experts must be able to analyse the data, derive conclusions from it and
make proper interpretations.
The communication skill of the expert must be good so that while presenting evidence
in front of the court, everyone understands each detail with clarity.
The expert must have strong knowledge of basic cyber security.
Editor's Notes
Novice: a person who is new to the circumstances or work.
Disseminating: spread (something, especially information) widely.
Malicious: intending or intended to do harm.
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
SQL injection is a code injection technique that might destroy your database.
Phishing: the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source.
https://www.guru99.com/digital-forensics.html
Severity: the fact or condition of being severe.
Flaw: a fault or weakness in a person's character.