Unit-4

Digital Forensics

Cyber security helps to prevent cybercrimes from happening, while computer forensics helps
recover data when an attack does occur and also helps identify the culprit behind the crime. It
helps to think of cyber security professionals as a security company, and to think of computer
forensics experts as investigators.

Why is digital forensics important in cyber security?

The purpose of digital forensics is to identify and preserve the digital evidence in its most-purest
form, to make it possible for relevant investigation procedures to be performed and conclusions
made. For corporates and businesses, digital forensics is a very important part related to the
incident response process.
Digital Forensics in Cyber Security Security





Digital Forensics is a branch of forensic science which includes the identification, collection,
analysis and reporting any valuable digital information in the digital devices related to the
computer crimes, as a part of the investigation. In simple words, Digital Forensics is the process
of identifying, preserving, analyzing and presenting digital evidences. The first computer crimes
were recognized in the 1978 Florida computers act and after this, the field of digital forensics
grew pretty fast in the late 1980-90’s. It includes the area of analysis like storage media,
hardware, operating system, network and applications. It consists of 5 steps at high level:
 1. Identification of evidence: It includes of identifying evidences related to the digital crime in
storage media, hardware, operating system, network and/or applications. It is the most
important and basic step.
2. Collection: It includes preserving the digital evidences identified in the first step so that they
doesn’t degrade to vanish with time. Preserving the digital evidences is very important and
crucial.
3. Analysis: It includes analyzing the collected digital evidences of the committed computer
crime in order to trace the criminal and possible path used to breach into the system.
4. Documentation: It includes the proper documentation of the whole digital investigation,
digital evidences, loop holes of the attacked system etc. so that the case can be studied and
analysed in future also and can be presented in the court in a proper format.
5. Presentation: It includes the presentation of all the digital evidences and documentation in
the court in order to prove the digital crime committed and identify the criminal.
Branches of Digital Forensics:
 Media forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of audio, video and image evidences during the investigation
process.
 Cyber forensics: It is the branch of digital forensics which includes identification, collection,
analysis and presentation of digital evidences during the investigation of a cyber crime.
 Mobile forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidences during the investigation of a crime
committed through a mobile device like mobile phones, GPS device, tablet, laptop.
 Software forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidences during the investigation of a crime
related to softwares only.

What is digital forensic types?

The main types of digital forensics tools include disk/data capture tools, file viewing tools,
network and database forensics tools, and specialized analysis tools for file, registry, web, Email,
and mobile device analysis.

What is the role of digital forensics?

In a corporate environment, Digital Forensics may examine malware or the effects of a breach to
understand the vulnerabilities that have been exploited, the damage caused and the identity of the
attackers. The conclusions help the organisation by preventing further incidents.

Cyber Forensics



Cyber forensics is a process of extracting data as proof for a crime (that involves electronic devices) while
following proper investigation rules to nab the culprit by presenting the evidence to the court. Cyber forensics
is also known as computer forensics. The main aim of cyber forensics is to maintain the thread of evidence and
documentation to find out who did the crime digitally. Cyber forensics can do the following:
 It can recover deleted files, chat logs, emails, etc
 It can also get deleted SMS, Phone calls.
 It can get recorded audio of phone conversations.
 It can determine which user used which system and for how much time.
 It can identify which user ran which program.

Why is cyber forensics important?

in todays technology driven generation, the importance of cyber forensics is immense. Technology combined
with forensic forensics paves the way for quicker investigations and accurate results. Below are the points
depicting the importance of cyber forensics:
 Cyber forensics helps in collecting important digital evidence to trace the criminal.
 Electronic equipment stores massive amounts of data that a normal person fails to see. For example: in a
smart house, for every word we speak, actions performed by smart devices, collect huge data which is
crucial in cyber forensics.
 It is also helpful for innocent people to prove their innocence via the evidence collected online.
 It is not only used to solve digital crimes but also used to solve real-world crimes like theft cases, murder,
etc.
 Businesses are equally benefitted from cyber forensics in tracking system breaches and finding the
attackers.
The Process Involved in Cyber Forensics
1. Obtaining a digital copy of the system that is being or is required to be inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (using Autopsy Tool).
4. Using keywords to find the information you need.
5. Establishing a technical report.

How did Cyber Forensics Experts work?

Cyber forensics is a field that follows certain procedures to find the evidence to reach conclusions after proper
investigation of matters. The procedures that cyber forensic experts follow are:
 Identification: The first step of cyber forensics experts are to identify what evidence is present, where it is
stored, and in which format it is stored.
 Preservation: After identifying the data the next step is to safely preserve the data and not allow other
people to use that device so that no one can tamper data.
 Analysis: After getting the data, the next step is to analyze the data or system. Here the expert recovers the
deleted files and verifies the recovered data and finds the evidence that the criminal tried to erase by
deleting secret files. This process might take several iterations to reach the final conclusion.
 Documentation: Now after analyzing data a record is created. This record contains all the recovered and
available(not deleted) data which helps in recreating the crime scene and reviewing it.
 Presentation: This is the final step in which the analyzed data is presented in front of the court to solve
cases.
Types of computer forensics

There are multiple types of computer forensics depending on the field in which digital investigation is needed.
The fields are:
 Network forensics: This involves monitoring and analyzing the network traffic to and from the criminal’s
network. The tools used here are network intrusion detection systems and other automated tools.
 Email forensics: In this type of forensics, the experts check the email of the criminal and recover deleted
email threads to extract out crucial information related to the case.
 Malware forensics: This branch of forensics involves hacking related crimes. Here, the forensics expert
examines the malware, trojans to identify the hacker involved behind this.
 Memory forensics: This branch of forensics deals with collecting data from the memory(like cache, RAM,
etc.) in raw and then retrieve information from that data.
 Mobile Phone forensics: This branch of forensics generally deals with mobile phones. They examine and
analyze data from the mobile phone.
 Database forensics: This branch of forensics examines and analyzes the data from databases and their
related metadata.
 Disk forensics: This branch of forensics extracts data from storage media by searching modified, active,
or deleted files.

Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data and some of the commonly
used techniques are:
 Reverse steganography: Steganography is a method of hiding important data inside the digital file, image,
etc. So, cyber forensic experts do reverse steganography to analyze the data and find a relation with the
case.
 Stochastic forensics: In Stochastic forensics, the experts analyze and reconstruct digital activity without
using digital artifacts. Here, artifacts mean unintended alterations of data that occur from digital processes.
 Cross-drive analysis: In this process, the information found on multiple computer drives is correlated and
cross-references to analyze and preserve information that is relevant to the investigation.
 Live analysis: In this technique, the computer of criminals is analyzed from within the OS in running
mode. It aims at the volatile data of RAM to get some valuable information.
 Deleted file recovery: This includes searching for memory to find fragments of a partially deleted file in
order to recover it for evidence purposes.

Advantages

 Cyber forensics ensures the integrity of the computer.

 Through cyber forensics, many people, companies, etc get to know about such crimes, thus taking proper
measures to avoid them.
 Cyber forensics find evidence from digital devices and then present them in court, which can lead to the
punishment of the culprit.
 They efficiently track down the culprit anywhere in the world.
 They help people or organizations to protect their money and time.
 The relevant data can be made trending and be used in making the public aware of it.

What are the required set of skills needed to be a cyber forensic expert?

The following skills are required to be a cyber forensic expert:

  As we know, cyber forensic based on technology. So, knowledge of various technologies, computers,
mobile phones, network hacks, security breaches, etc. is required.
 The expert should be very attentive while examining a large amount of data to identify proof/evidence.
 The expert must be aware of criminal laws, a criminal investigation, etc.
 As we know, over time technology always changes, so the experts must be updated with the latest
technology.
 Cyber forensic experts must be able to analyse the data, derive conclusions from it and make proper
interpretations.
 The communication skill of the expert must be good so that while presenting evidence in front of the court,
everyone understands each detail with clarity.
 The expert must have strong knowledge of basic cyber security.

What is digital evidence and its types?

When it comes to digital evidence, in essence, it can be anything from logs and all the way to
video footage, images, archives, temporary files, replicant data, residual data, metadata, active
data, and even data that's stored inside a device's RAM (otherwise known as volatile data),

Digital Evidence Collection in Cyber security





In the early 80s PCs became more popular and easily accessible to the general population, this
also led to the increased use of computers in all fields and criminal activities were no exception
to this. As more and more computer-related crimes began to surface like computer frauds,
software cracking, etc. the computer forensics discipline emerged along with it. Today digital
evidence collection is used in the investigation of a wide variety of crimes such as fraud,
espionage, cyberstalking, etc. The knowledge of forensic experts and techniques are used to
explain the contemporaneous state of the digital artifacts from the seized evidence such as
computer systems, storage devices (like SSDs, hard disks, CD-ROM, USB flash drives, etc.), or
electronic documents such as emails, images, documents, chat logs, phone logs, etc.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
 Data collection: In this process data is identified and collected for investigation.
 Examination: In the second step the collected data is examined carefully.
 Analysis: In this process, different tools and techniques are used and the collected evidence is
analyzed to reach some conclusion.
 Reporting: In this final step all the documentation, reports are compiled so that they can be
submitted in court.
Types of Collectible Data:
The computer investigator and experts who investigate the seized devices have to understand
what kind of potential shreds of evidence could there be and what type of shreds of evidence
they are looking for. So, that they could structure their search pattern. Crimes and criminal
activities that involve computers can range across a wide spectrum; they could go from trading
illegal things such as rare and endangered animals, damaging intellectual property, to personal
data theft, etc.
The investigator must pick the suitable tools to use during the analysis. Investigators can
encounter several problems while investigating the case such as files may have been deleted
from the computer, they could be damaged or may even be encrypted, So the investigator should
be familiar with a variety of tools, methods, and also the software to prevent the data from
damaging during the data recovery process.
There are two types of data, that can be collected in a computer forensics investigation:
 Persistent data: It is the data that is stored on a non-volatile memory type storage device
such as a local hard drive, external storage devices like SSDs, HDDs, pen drives, CDs, etc.
the data on these devices is preserved even when the computer is turned off.
 Volatile data: It is the data that is stored on a volatile memory type storage such as memory,
registers, cache, RAM, or it exists in transit, that will be lost once the computer is turned off
or it loses power. Since volatile data is evanescent, it is crucial that an investigator knows
how to reliably capture it.
Types of Evidence:
Collecting the shreds of evidence is really important in any investigation to support the claims in
court. Below are some major types of evidence.
 Real Evidence: These pieces of evidence involve physical or tangible evidence such as flash
drives, hard drives, documents, etc. an eyewitness can also be considered as a shred of
tangible evidence.
 Hearsay Evidence: These pieces of evidence are referred to as out-of-court statements. These
are made in courts to prove the truth of the matter.
 Original Evidence: These are the pieces of evidence of a statement that is made by a person
who is not a testifying witness. It is done in order to prove that the statement was made rather
than to prove its truth.
 Testimony: Testimony is when a witness takes oath in a court of law and gives their
statement in court. The shreds of evidence presented should be authentic, accurate, reliable,
and admissible as they can be challenged in court.
Challenges Faced During Digital Evidence Collection:
 Evidence should be handled with utmost care as data is stored in electronic media and it can
get damaged easily.
 Collecting data from volatile storage.
 Recovering lost data.
 Ensuring the integrity of collected data.
 Recovering information from devices as the digital shreds of evidence in the investigation are
becoming the fundamental ground for law enforcement and courts all around the world. The
methods used to extract information and shreds of evidence should be robust to ensure that all
the related information and data are recovered and is reliable. The methods must also be
legally defensible to ensure that original pieces of evidence and data have not been altered in
any way and that no data was deleted or added from the original evidence.

Email Forensics – Definition and Guideline

The reason email forensics come into part of the digital forensics investigation is due to the
massive and common use of emails among people nowadays.
People’s using email to communicate with their friends, schoolmates, colleagues and a variety
of people. Hence, numerous data and information is transmitted across its use and meanwhile
some of those are illegal not surprisingly just like what other common communication
approach, e.g. mobile phone, has happened as well when it was popularized to certain extend.
In fact, it’s already a severe public concern that a majority of criminals are using email for
their crime committed in recent years, especially when it comes to cyber security and digital
crime. Not only that, increasingly noncomputer crimes and even civil litigation, has been
related to emails.
That’s being said, we do want to unveil the operation theory of email and thus extract email
related crimes via email forensics to bring the criminals to justice.

What is Email Forensics?

Email forensics is dedicated to investigating, extracting, and analyzing emails to collect
digital evidence as findings in order to crack crimes and certain incidents, in a forensically
sound manner.
The process of email forensics, it’s conducted across various aspects of emails, which mainly
includes
  Email messages
 Email addresses(sender and recipient)
 IP addresses
 Date and time
 User information
 Attachments
 Passwords
 logs (Cloud, server, and local computer)
To deeply and overall investigate the above crucial elements of email, potential clues are
going to be obtained to help push the progress of a criminal investigation.
Hence, knowing how to conduct scientific and effective email forensics has come into
account.
But before diving deep into practical email forensics, without a full understanding of the
operation and theory of emails themselves, the forensic work is likely to be stuck.

How Email Works?

Just like other digital forensics technology, it’s not easy to conduct forensics without
understanding the basis of the underlying technologies.
Emails are probably generated from various mediums and approaches and thus different
technologies are applied accordingly.
Commonly speaking, a man writes an email on his digital device, maybe a phone or
computer, and then sends it to the one he wants to. Though it’s seemingly the man has
finished his work, the upon email processing work just starts in order to successfully and
correctly be delivered to the recipient.
When an email is sent out, countless servers are actually undertaken the whole information of
the email before it can really arrive in the recipient’s inbox, which is said that we have to
understand what’s proceeding after we click the “send” button.
Email Programs and Protocols
During the process, there are 3 protocols and 3 email programs tightly related and are vital to
be known.
1. Simple Mail Transfer Protocol (SMTP): it is the standard Protocol used to transmit
and send emails.
2. Internet Message Access Protocol (IMAP): it is one of the standard protocols used for
receiving emails.
3. POP3 (Post Office Protocol 3): it is one of the standard protocols used to receive mail.
Mail Transfer Agent (MTA): sends and forwards emails through SMTP. e.g. Sendmail,
postfix.
Mail User Agent (MUA): mail client used to receive emails, which uses IMAP or POP3
protocol to communicate with the server. e.g. Outlook, Apple Mail, Gmail.
Mail Delivery Agent (MDA): saves the mails received by MTA to local, cloud disk or
designated location, meanwhile it usually scans for spam mails and viruses. e.g. Promail,
Dropmail.
Mail Receive Agent (MRA): implements IMAP and POP3 protocol, and interacts with MUA.
e.g. dovecot
The theory of email running
 Let’s take an example below for instance to better explain the theory of email running.
 STEP 1: To start, someone creates an email with a Mail User Agent (MUA), typical MUAs
include Gmail, Apple Mail, Mozilla Thunderbird, and Microsoft Outlook Express.
 STEP 2: Regardless of the MUA used, the mail is created and sent to the user’s mail transfer
agent (MTA) – the delivery process uses the SMTP protocol.
 STEP 3: The MTA then checks the recipient of the message (here we assume it is you),
queries the DNS server for the domain name corresponding to the recipient MTA, and sends
the message to the recipient MTA – again using the SMTP protocol.
At this moment, the mail has been sent from the remote user’s workstation to his ISP(Internet
Server Provider)’s a mail server and forwarded to your domain.

Digital Forensics Life Cycle

The digital forensics process is shown in the following figure. Forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying

Watch the below video to learn about digital forensics life cycle:
 1 1. Preparing for the Evidence and Identifying the Evidence
 2 2. Collecting and Recording Digital Evidence
 3 3. Storing and Transporting Digital Evidence
 4 4. Examining/Investigating Digital Evidence
 5 5. Analysis, Interpretation and Attribution
 6 6. Reporting
 7 7. Testifying
 8 Chain of Custody

1. Preparing for the Evidence and Identifying the Evidence

In order to be processed and analysed, evidence must first be identified. It might be possible that
the evidence may be overlooked and not identified at all. A sequence of events in a computer
might include interactions between:

 Different files
 Files and file systems
 Processes and files
 Log files
In case of a network, the interactions can be between devices in the organization or across the
globe (Internet). If the evidence is never identified as relevant, it may never be collected and
processed.

2. Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources. The obvious sources can be:

 Mobile phone
 Digital cameras
 Hard drives
 CDs
 USB memory devices

Non-obvious sources can be:

 Digital thermometer settings

 Black boxes inside automobiles
 RFID tags

Proper care should be taken while handling digital evidence as it can be changed easily. Once
changed, the evidence cannot be analysed further. A cryptographic hash can be calculated for the
evidence file and later checked if there were any changes made to the file or not. Sometimes
important evidence might reside in the volatile memory. Gathering volatile data requires special
technical skills.

3. Storing and Transporting Digital Evidence

Some guidelines for handling of digital evidence:

 Image computer-media using a write-blocking tool to ensure that no data is added to the
suspect device
 Establish and maintain the chain of custody
 Document everything that has been done
 Only use tools and methods that have been tested and evaluated to validate their accuracy
and reliability
Care should be taken that evidence does not go anywhere without properly being traced. Things
that can go wrong in storage include:

 Decay over time (natural or unnatural)

 Environmental changes (direct or indirect)
 Fires
 Floods
 Loss of power to batteries and other media preserving mechanisms

Sometimes evidence must be transported from place to place either physically or through a
network. Care should be taken that the evidence is not changed while in transit. Analysis is
generally done on the copy of real evidence. If there is any dispute over the copy, the real can be
produced in court.

4. Examining/Investigating Digital Evidence

Forensics specialist should ensure that he/she has proper legal authority to seize, copy and
examine the data. As a general rule, one should not examine digital information unless one has
the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is called
dead analysis.

Many current attacks leave no trace on the computer’s hard drive. The attacker only exploits the
information in the computer’s main memory. Performing forensic investigation on main memory
is called live analysis. Sometimes the decryption key might be available only in RAM. Turning
off the system will erase the decryption key. The process of creating and exact duplicate of the
original evidence is called imaging. Some tools which can create entire hard drive images are:

 DCFLdd
 Iximager
 Guymager

The original drive is moved to secure storage to prevent tampering. The imaging process is
verified by using the SHA-1 or any other hashing algorithms.
5. Analysis, Interpretation and Attribution

In digital forensics, only a few sequences of events might produce evidence. But the possible
number of sequences is very huge. The digital evidence must be analyzed to determine the type
of information stored on it. Examples of forensics tools:

 Forensics Tool Kit (FTK)

 EnCase
 Scalpel (file carving tool)
 The Sleuth Kit (TSK)
 Autopsy

Forensic analysis includes the following activities:

 Manual review of data on the media

 Windows registry inspection
 Discovering and cracking passwords
 Performing keyword searches related to crime
 Extracting emails and images

Types of digital analysis:

 Media analysis
 Media management analysis
 File system analysis
 Application analysis
 Network analysis
 Image analysis
 Video analysis

6. Reporting

After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. The report contains all the details about the evidence in analysis, interpretation, and
attribution steps. As a result of the findings in this phase, it should be possible to confirm or
discard the allegations. Some of the general elements in the report are:

 Identity of the report agency

 Case identifier or submission number
 Case investigator
  Identity of the submitter
 Date of receipt
 Date of report
 Descriptive list of items submitted for examination
 Identity and signature of the examiner
 Brief description of steps taken during examination
 Results / conclusions

7. Testifying

This phase involves presentation and cross-examination of expert witnesses. An expert witness
can testify in the form of:

 Testimony is based on sufficient facts or data

 Testimony is the product of reliable principles and methods
 Witness has applied principles and methods reliably to the facts of the case

Experts with inadequate knowledge are sometimes chastised by the court. Precautions to be
taken when collecting digital evidence are:

 No action taken by law enforcement agencies or their agents should change the evidence
 When a person to access the original data held on a computer, the person must be
competent to do so
 An audit trial or other record of all processes applied to digital evidence should be
created and preserved
 The person in-charge of the investigation has overall responsibility for ensuring that the
law and these are adhered to

Chain of Custody

A chain of custody is the process of validating how evidences have been gathered, tracked, and
protected on the way to the court of law. Forensic professionals know that if you do not have a
chain of custody, the evidence is worthless.

The chain of custody is a chronological written record of those individuals who have had custody
of the evidence from its initial acquisition to its final disposition. A chain of custody begins
when an evidence is collected and the chain is maintained until it is disposed off. The chain of
custody assumes continuous accountability.
 Chain of Custody – Digital Forensics



Chain of Custody refers to the logical sequence that records the sequence of custody,
control, transfer, analysis and disposition of physical or electronic evidence in legal
cases. Each step in the chain is essential as if broke, the evidence may be rendered
inadmissible. Thus we can say that preserving the chain of custody is about following
the correct and consistent procedure and hence ensuring the quality of evidence.
In this article, we will be discussing-
1. What Chain of Custody entails in Digital Forensics.
2. Importance of maintaining Chain of Custody.
3. Chain of Custody Process.
4. The Chain of Custody Form.
5. Procedure to establish the Chain of Custody
6. How Chain of Custody can be assured?
Let’s get started with each section in detail.
What the Chain of Custody entails in Digital Cyber Forensics?
If you are in the field of Cyber Security, you will be at one point in your career will be
involved in Digital Forensics. One of the concepts that is most essential in Digital
Forensics is the Chain of Custody.
The chain of custody in digital cyber forensics is also known as the paper trail or
forensic link, or chronological documentation of the evidence.
 Chain of custody indicates the collection, sequence of control, transfer and analysis.
 It also documents details of each person who handled the evidence, date and time it
was collected or transferred, and the purpose of the transfer.
 It demonstrates trust to the courts and to the client that the evidence has not
tampered.
Digital evidence is acquired from the myriad of devices like a vast number of IoT
devices, audio evidence, video recordings, images, and other data stored on hard
drives, flash drives, and other physical media.
Importance of maintaining Chain of Custody?
Importance to Examiner:
 To preserve the integrity of the evidence.
 To prevent the evidence from contamination, which can alter the state of the
evidence.
 In case you obtained metadata for a piece of evidence but unable to extract any
meaningful information from the metadata. In such a case, the chain of custody
helps to show where possible evidence might lie, where it came from, who created it,
and the type of equipment used. This will help you to generate an exemplar and
compare it to the evidence to confirm the evidence properties.
Importance to the Court: If not preserved, the evidence submitted in the court might
be challenged and ruled inadmissible.
Chain of Custody Process
In order to preserve digital evidence, the chain of custody should span from the first
step of data collection to examination, analysis, reporting, and the time of presentation
to the Courts. This is very important to avoid the possibility of any suggestion that the
evidence has been compromised in any way.

Let’s discuss each stage of the chain of custody in detail:

1. Data Collection: This is where chain of custody process is initiated. It involves
identification, labeling, recording, and the acquisition of data from all the possible
relevant sources that preserve the integrity of the data and evidence collected.
2. Examination: During this process, the chain of custody information is documented
outlining the forensic process undertaken. It is important to capture screenshots
throughout the process to show the tasks that are completed and the evidence
uncovered.
3. Analysis: This stage is the result of the examination stage. In the Analysis stage,
legally justifiable methods and techniques are used to derive useful information to
address questions posed in the particular case.
4. Reporting: This is the documentation phase of the Examination and Analysis stage.
Reporting includes the following:
 Statement regarding Chain of Custody.
 Explanation of the various tools used.
 A description of the analysis of various data sources.
 Issues identified.
 Vulnerabilities identified.
 Recommendation for additional forensics measures that can be taken.
The Chain of Custody Form
In order to prove a chain of custody, you’ll need a form that lists out the details of how
the evidence was handled every step of the way. The form should answer the following
questions:
 What is the evidence?: For example- digital information includes the filename,
md5 hash, and Hardware information includes serial number, asset ID, hostname,
photos, description.
 How did you get it?: For example- Bagged, tagged or pulled from the desktop.
 When it was collected?: Date, Time
 Who has handle it?
 Why did that person handled it?
 Where was it stored?: This includes the information about the physical location in
which proof is stored or information of the storage used to store the forensic image.
 How you transported it?: For example- in a sealed static-free bag, or in a secure
storage container.
 How it was tracked?
 How it was stored?: For example- in a secure storage container.
 Who has access to the evidence?: This involves developing a check-in/ check-out
process.
The CoC form must be kept up-to-date. This means every time the best evidence is
handled off, the chain of custody form needs to be updated.
Procedure to establish the Chain of Custody
In order to assure the authenticity of the chain of custody, a series of steps must be
followed. It is important to note that the more information Forensic expert obtains
concerning the evidence, the more authentic is the created chain of custody. You should
ensure that the following procedure is followed according to the chain of custody for
electronic devices:
 Save the original material
 Take photos of the physical evidence
 Take screenshots of the digital evidence.
 Document date, time, and any other information on the receipt of the evidence.
 Inject a bit-for-bit clone of digital evidence content into forensic computers.
 Perform a hash test analysis to authenticate the working clone.
How can the Chain of Custody be assured?
A couple of considerations are involved when dealing with digital evidence and Chain of
Custody. We shall discuss the most common and globally accepted and practiced best
practices.
1. Never ever work with the Original Evidence: The biggest consideration that
needs to be taken care of while dealing with digital evidence is that the forensic
expert has to make a full copy of the evidence for forensic analysis. This cannot be
overlooked as when errors are made to working copies or comparisons need to be
done, then, in that case, we need an original copy.
2. Ensuring storage media is sterilized: It is important to ensure that the
examiner’s storage device is forensically clean when acquiring the evidence.
Suppose if the examiner’s storage media is infected with malware, in that case,
malware can escape into the machine being examined and all of the evidence will
eventually get compromised.
3. Document any extra scope: During the process of examination, it is important to
document all such information that is beyond the scope of current legal authority and
later brought to the attention of the case agent. A comprehensive report must
contain following sections:
 Identity of the reporting agency.
 Case identifier.
 Case investigator.
 Identity of the submitter.
 Date of receipt.
 Date of report.
 Descriptive list of items submitted for examination: This includes the serial
number, make, and model.
 Identity and signature of the examiner
 Brief description of steps taken during the examination: For example- string
searches, graphics image searches, and recovering erased files.
 Results.
4. Consider the safety of the personnel at the scene: It is very important to
ensure that the crime scene is fully secure before and during the search. In some
cases, the examiner may only be able to do the following while onsite:
 Identify the number and type of computers.
 Interview the system administrator and users.
  Identify and document the types and volume of media: This includes removable
media also.
 Determine if a network is present.
 Document the information about the location from which the media was removed.
 Identify offsite storage areas and/or remote computing locations.
 Identify proprietary software.
 Determine the operating system in question.
The Digital evidence and Digital Chain of Custody are the backbones of any action taken
by digital forensic specialists. In this article, we have examined the seriousness of the
digital evidence and what it entails and how slight tampering with the digital evidence
can change the course of the forensic expert’s investigation.

Network forensics
Network forensics is a sub-branch of digital forensics relating to the monitoring and
analysis of computer network traffic for the purposes of information gathering, legal evidence,
or intrusion detection.[1] Unlike other areas of digital forensics, network investigations deal with
volatile and dynamic information. Network traffic is transmitted and then lost, so network
forensics is often a pro-active investigation.[2]

Network forensics generally has two uses. The first, relating to security, involves monitoring a
network for anomalous traffic and identifying intrusions. An attacker might be able to erase all
log files on a compromised host; network-based evidence might therefore be the only evidence
available for forensic analysis.[3] The second form relates to law enforcement. In this case
analysis of captured network traffic can include tasks such as reassembling transferred files,
searching for keywords and parsing human communication such as emails or chat sessions.
Two systems are commonly used to collect network data; a brute force "catch it as you can" and
a more intelligent "stop look listen" method.

Overview
Network forensics is a comparatively new field of forensic science. The growing popularity of
the Internet in homes means that computing has become network-centric and data is now
available outside of disk-based digital evidence. Network forensics can be performed as a
standalone investigation or alongside a computer forensics analysis (where it is often used to
reveal links between digital devices or reconstruct how a crime was committed). [2]
Marcus Ranum is credited with defining Network forensics as "the capture, recording, and
analysis of network events in order to discover the source of security attacks or other problem
incidents".[4]
Compared to computer forensics, where evidence is usually preserved on disk, network data is
more volatile and unpredictable. Investigators often only have material to examine if packet
filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security. [2]
Systems used to collect network data for forensics use usually come in two forms:[5]
 "Catch-it-as-you-can" – This is where all packets passing through a certain traffic point are
captured and written to storage with analysis being done subsequently in batch mode. This
approach requires large amounts of storage.
 "Stop, look and listen" – This is where each packet is analyzed in a rudimentary way in
memory and only certain information saved for future analysis. This approach requires a
faster processor to keep up with incoming traffic.

Types
Ethernet
Wireshark, a common tool used to monitor and record network traffic

Apt all data on this layer and allows the user to filter for different events. With these tools,
website pages, email attachments, and other network traffic can be reconstructed only if they are
transmitted or received unencrypted. An advantage of collecting this data is that it is directly
connected to a host. If, for example the IP address or the MAC address of a host at a certain time
is known, all data sent to or from this IP or MAC address can be filtered.
To establish the connection between IP and MAC address, it is useful to take a closer look at
auxiliary network protocols. The Address Resolution Protocol (ARP) tables list the MAC
addresses with the corresponding IP addresses.
To collect data on this layer, the network interface card (NIC) of a host can be put into
"promiscuous mode". In so doing, all traffic will be passed to the CPU, not only the traffic meant
for the host.
However, if an intruder or attacker is aware that his connection might be eavesdropped, he might
use encryption to secure his connection. It is almost impossible nowadays to break encryption
but the fact that a suspect's connection to another host is encrypted all the time might indicate
that the other host is an accomplice of the suspect.
TCP/IP
On the network layer the Internet Protocol (IP) is responsible for directing the packets generated
by TCP through the network (e.g., the Internet) by adding source and destination information
which can be interpreted by routers all over the network. Cellular digital packet networks,
like GPRS, use similar protocols like IP, so the methods described for IP work with them as well.
For the correct routing, every intermediate router must have a routing table to know where to
send the packet next. These routing tables are one of the best sources of information if
investigating a digital crime and trying to track down an attacker. To do this, it is necessary to
follow the packets of the attacker, reverse the sending route and find the computer the packet
came from (i.e., the attacker).
Encrypted Traffic Analytics
Given the proliferation of TLS encryption on the internet, as of April 2021 it is estimated that
half of all malware uses TLS to evade detection.[6] Encrypted traffic analysis inspects traffic to
identify encrypted traffic coming from malware and other threats by detecting suspicious
combinations of TLS characteristics, usually to uncommon networks or servers.[7] Another
approach to encrypted traffic analysis uses a generated database of fingerprints, although these
techniques have been criticized as being easily bypassed by hackers[8][9] and inaccurate.
The Internet
The internet can be a rich source of digital evidence including web browsing, email, newsgroup,
synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show
when (or if) a suspect accessed information related to criminal activity. Email accounts can often
contain useful evidence; but email headers are easily faked and, so, network forensics may be
used to prove the exact origin of incriminating material. Network forensics can also be used in
order to find out who is using a particular computer[10] by extracting user account information
from the network traffic.

Wireless forensics[edit]
Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics
is to provide the methodology and tools required to collect and analyze (wireless) network
traffic that can be presented as valid digital evidence in a court of law. The evidence collected
can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies,
especially over wireless, can include voice conversations.
Analysis of wireless network traffic is similar to that on wired networks, however there may be
the added consideration of wireless security measures.
Approaching a Computer Forensics Investigation

The phases in a computer forensics investigation are:

 Secure the subject system

 Take a copy of hard drive/disk
 Identify and recover all files
 Access/view/copy hidden, protected, and temp files
 Study special areas on the drive
 Investigate the settings and any data from programs on the system
 Consider the system from various perspectives
 Create detailed report containing an assessment of the data and information collected

Digital forensics deals with the recovery, investigation and analysis of electronic data, and is

often used to unearth evidence in litigation cases, criminal cases, or in internal investigations.

Electronic data can provide critical evidence and clues in many cases, and aid in the discovery of

cybercrime, data theft, crypto crimes, security breaches, instances of hacking, and more. Digital

forensics play an instrumental role in getting to the bottom of complex data challenges.
Digital forensic investigators use a variety of tools and software to conduct investigations that

can help to:

 Discover the source and cause of a cyberattack

 Identify whether a hack was perpetrated and how long the hacker had access to the

system

 Create a timeline of criminal events, such as unauthorized access or altering of data

 Secure digital evidence

A digital forensic investigation can help identify and prove different kinds of wrongdoing,

including data theft or disclosure, internet abuse, network or system breaches, espionage, and

financial fraud.

In civil or criminal cases, it is crucial to carry out a structured and process-driven digital

forensics investigation, to ensure the integrity of the data and its admissibility in a court of law.

The core stages of a digital forensics investigation include:

1. Identification of resources and devices involved in the investigation

2. Preservation of the necessary data
3. Analysis
4. Documentation
5. Presentation

Data acquired in this way is permissible in court, and can be used as evidence to support

litigation cases. Digital forensics investigators are trained in extracting and handling evidence in

a way that is permissible in court, and their expertise can be invaluable in a litigation case

involving digital data.

The Stages of a Digital Forensics Investigation

 Digital Forensics Investigation Stage 1: Identification

The very first step in a digital forensics investigation is to identify the devices and resources

containing the data that will be a part of the investigation. The data involved in an investigation
could be on organizational devices such as computers or laptops, or on users’ personal devices

like mobile phones and tablets.

These devices are then seized and isolated, to eliminate any possibility of tampering. If the data

is on a server or network, or housed on the cloud, the investigator or organization needs to ensure

that no one other than the investigating team has access to it.

 Digital Forensics Investigation Stage 2: Extraction and Preservation

After the devices involved in an investigation have been seized and stored in a secure location,

the digital forensics investigator or forensics analyst uses forensic techniques to extract any data

that may be relevant to the investigation, and stores it securely.

This phase can involve the creation of a digital copy of the relevant data, which is known as a

“forensic image.” This copy is then used for analysis and evaluation, while the original data and

devices are put in a secure location, such as a safe. This prevents any tampering with the original

data even if the investigation is compromised.

 Digital Forensics Investigation Stage 3: Analysis

Once the devices involved have been identified and isolated, and the data has been duplicated

and stored securely, digital forensic investigators use a variety of techniques to extract relevant

data and examine it, searching for clues or evidence that points to wrongdoing. This often

involves recovering and examining deleted, damaged or encrypted files, using techniques such

as:

 Reverse Steganography: a technique used to extract hidden data by examining the

underlying hash or string of characters representing an image or other data item

 File or Data Carving: identifying and recovering deleted files by searching for the

fragments that deleted files may leave

  Keyword Searches: using keywords to identify and analyze information relevant to

the investigation, including deleted data

These are just some of the many techniques digital forensic investigators to unearth evidence.

 Digital Forensics Investigation Stage 4: Documentation

Post analysis, the findings of the investigation are properly documented in a way that makes it

easy to visualize the entire investigative process and its conclusions. Proper documentation helps

to formulate a timeline of the activities involved in wrongdoing, such as embezzlement, data

leakage, or network breaches.

 Digital Forensics Investigation Stage 5: Presentation

Once the investigation is complete, the findings are presented to a court or the committee or

group that will determine the outcome of a lawsuit or an internal complaint. Digital forensics

investigators can act as expert witnesses, summarizing and presenting the evidence they

discovered, and disclosing their findings.

Selecting a Strong Digital Forensics Team

Digital forensics investigations are not just useful to law enforcement agencies or companies

suspecting fraud on a large scale. They can also help corporations who suspect an employee is

leaking data to an external party, or to determine the scope of and recovery from a cyberattack.

In case of a cyberattack, an investigation can help identify the source of the attack and secure

systems against further breach, ensuring attackers no longer have access to the system. An

investigation also helps take stock of the data that has been accessed, distributed or altered, and

may even help in getting the original data restored.

A qualified and experienced digital forensics company like ERM Protect can help unearth

evidence in cases of security breaches, data leaks or cyber attacks, and help win litigation cases.
We are a world-wide leader in cyber security solutions and digital forensics, and can help

mitigate your cyber security risk.

Forensics and Social Networking Sites

Social networking site is defined as web-based services that allow individuals to:

 Create a public or semi-public profile

 Search or navigate through a list of users with whom they share a common connection
 View connections of other users

Although social networking sites have their uses, there are several associated security threats.
The concerns regarding social networking sites are:

 Does the social networking site violate people’s intellectual property rights
 Whether these sites infringe the privacy of their own users
 Whether these sites promote fraudulent and illegal activities

Content preservation can be challenging given the dynamic, short-lived and often multi-format
nature of social media. There is generally no control over the content posted on social media
networking sites. High level of forensic skill is required to analyze and quantify the preserved
data to answer questions such as:

 Who posted the offending content?

 Is there a real live person to whom the offending content can be attributed even when
evidence exists?
 Can we identify the time frame associated with the posting of the offending content?
 How much of the offending content exists across the entire social networking platform?
 Is there other content that supports interpretation of the relevant content?
 How accurate is the reported physical location?

Security issues that are associated with social networking sites are:

 Corporate espionage
 Cross site scripting
 Virus and Worms
 Social networking site aggregators
 Phishing
 Network infiltration leading to data leakage
 ID theft
  Cyberbullying
 Content-Based Image Retrieval (CBIR)
 Spam
 Stalking

Security/Privacy Threats
Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to
steal data, cause damage to or disrupt computing systems. Common categories of cyber threats
include malware, social engineering, man in the middle (MitM) attacks, denial of service (DoS),
and injection attacks—we describe each of these categories in more detail below.

Cyber threats can originate from a variety of sources, from hostile nation states and terrorist
groups, to individual hackers, to trusted individuals like employees or contractors, who abuse
their privileges to perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

 Nation states—hostile countries can launch cyber attacks against local companies and
institutions, aiming to interfere with communications, cause disorder, and inflict damage.
 Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing
critical infrastructure, threaten national security, disrupt economies, and cause bodily harm to
citizens.
 Criminal groups—organized groups of hackers aim to break into computing systems for
economic benefit. These groups use phishing, spam, spyware and malware for extortion, theft of
private information, and online scams.
 Hackers—individual hackers target organizations using a variety of attack techniques. They are
usually motivated by personal gain, revenge, financial gain, or political activity. Hackers often
develop new threats, to advance their criminal ability and improve their personal standing in the
hacker community.
 Malicious insiders—an employee who has legitimate access to company assets, and abuses their
privileges to steal information or damage computing systems for economic or personal gain.
Insiders may be employees, contractors, suppliers, or partners of the target organization. They
can also be outsiders who have compromised a privileged account and are impersonating its
owner.
 Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans,

spyware, and ransomware, and is the most common type of cyberattack. Malware infiltrates a
system, usually via a link on an untrusted website or email or an unwanted software download. It
deploys on the target system, collects sensitive data, manipulates and blocks access to network
components, and may destroy data or shut down the system altogether.

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the
malicious code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to gain access to an
operating system. Once installed in the network, the worm can carry out attacks such as
distributed denial of service (DDoS).
 Trojans—malicious code or software that poses as an innocent program, hiding in apps, games
or email attachments. An unsuspecting user downloads the trojan, allowing it to gain control of
their device.
 Ransomware—a user or organization is denied access to their own systems or data via
encryption. The attacker typically demands a ransom be paid in exchange for a decryption key to
restore access, but there is no guarantee that paying the ransom will actually restore full access or
functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin using their
computing resources to generate cryptocurrency, without their knowledge. Affected systems can
become slow and cryptojacking kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive
information such as passwords and payment details. Spyware can affect desktop browsers,
mobile phones and desktop applications.
 Adware—a user’s browsing activity is tracked to determine behavior patterns and interests,
allowing advertisers to send the user targeted advertising. Adware is related to spyware but does
not involve installing software on the user’s device and is not necessarily used for malicious
purposes, but it can be used without the user’s consent and compromise their privacy.
 Fileless malware—no software is installed on the operating system. Native files like WMI and
PowerShell are edited to enable malicious functions. This stealthy form of attack is difficult to
detect (antivirus can’t identify it), because the compromised files are recognized as legitimate.
 Rootkits—software is injected into applications, firmware, operating system kernels or
hypervisors, providing remote administrative access to a computer. The attacker can start the
operating system within a compromised environment, gain complete control of the computer and
deliver additional malware.
 Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The victim
provides sensitive information or unwittingly installs malware on their device, because the
attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.
 Pretexting—similar to baiting, the attacker pressures the target into giving up information under
false pretenses. This typically involves impersonating someone with authority, for example an
IRS or police officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing often
involves sending fraudulent emails to as many users as possible, but can also be more targeted.
For example, “spear phishing” personalizes the email to target a specific user, while “whaling”
takes this a step further by targeting high-value individuals such as CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or grant access to the target system. Vishing typically targets older individuals but
can be employed against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.
 Piggybacking—an authorized user provides physical access to another individual who
“piggybacks” off the user’s credentials. For example, an employee may grant access to someone
posing as a new employee who misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a location, for example
by quickly slipping in through a protected door after the authorized user has opened it. This
technique is similar to piggybacking except that the person being tailgated is unaware that they
are being used by another individual.

Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and vendors. Its purpose is
to infect legitimate applications and distribute malware via source code, build processes or
software update mechanisms.

Attackers are looking for non-secure network protocols, server infrastructure, and coding
techniques, and use them to compromise build and update process, modify source code and hide
malicious content.

Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.
 Types of supply chain attacks include:

 Compromise of build tools or development pipelines

 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware components
 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two

endpoints, such as a user and an application. The attacker can eavesdrop on the communication,
steal sensitive data, and impersonate each party participating in the communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor,

such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and intercept data such as payment card details and login
credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a
bank, and uses it to trick users into giving up sensitive information or transferring money to the
attacker. The user follows instructions they think come from the bank but are actually from the
attacker.
 DNS spoofing—a Domain Name Server (DNS) is spoofed, directing a user to a malicious
website posing as a legitimate site. The attacker may divert traffic from the legitimate site or
steal the user’s credentials.
 IP spoofing—an internet protocol (IP) address connects users to a specific website. An attacker
can spoof an IP address to pose as a website and deceive users into thinking they are interacting
with that website.
 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but can
also be used to trick the browser into thinking that a malicious website is safe. The attacker uses
“HTTPS” in the URL to conceal the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices is
known as a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an
application or web server. This technique does not require high bandwidth or malformed packets,
 and typically tries to force a target system to allocate as many resources as possible for each
request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence
involves sending a SYN request that the host must respond to with a SYN-ACK that
acknowledges the request, and then the requester must respond with an ACK. Attackers can
exploit this sequence, tying up server resources, by sending SYN requests but not responding to
the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets sent to
random ports. This technique forces the host to search for applications on the affected ports and
respond with “Destination Unreachable” packets, which uses up the host resources.
 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming both
inbound and outgoing bandwidth. The servers may try to respond to each request with an ICMP
Echo Reply packet, but cannot keep up with the rate of requests, so the system slows down.
 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and can
be exploited by an attacker to send large volumes of UDP traffic to a targeted server. This is
considered an amplification attack due to the query-to-response ratio of 1:20 to 1:200, which
allows an attacker to exploit open NTP servers to execute high-volume, high-bandwidth DDoS
attacks.

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the
code of a web application. Successful attacks may expose sensitive information, execute a DoS
attack or compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input channel, such as a web
form or comment field. A vulnerable application will send the attacker’s data to the database,
and will execute any SQL commands that have been injected into the query. Most web
applications use databases based on Structured Query Language (SQL), making them vulnerable
to SQL injection. A new variant on this attack is NoSQL attacks, targeted against databases that
do not use a relational data structure.
 Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.
 OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attack to exfiltrate OS data or
take over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access Protocol
(LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These attacks are
very severe because LDAP servers may store user accounts and credentials for an entire
organization.
 XML eXternal Entities (XXE) Injection—an attack is carried out using specially-constructed
XML documents. This differs from other attack vectors because it exploits inherent
vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML documents can
be used to traverse paths, execute code remotely and execute server-side request forgery (SSRF).
 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious JavaScript.
The target’s browser executes the code, enabling the attacker to redirect users to a malicious
website or steal session cookies to hijack a user’s session. An application is vulnerable to XSS if
it doesn’t sanitize user inputs to remove JavaScript code.

Challenges in Digital Forensics




Digital forensics also known as computer forensics, is the application of scientific

methods and techniques to identify, preserve, analyze, and present digital evidence in a
manner that is legally admissible. It is a branch of forensic science that deals
specifically with digital devices, networks, and storage media.

Techniques Used in Digital Forensics

 Acquisition: The process of collecting digital evidence from a device or network.
This is done through various methods such as imaging, logging, and live acquisition.

 Analysis: The process of examining the acquired evidence to identify relevant

information. This can be done through manual or automated means.

 Reporting: The process of documenting the findings of the analysis and presenting
them in a clear and concise manner. This can include creating a detailed report, as
well as providing expert testimony in court.
Tools Used in Digital Forensics
 Forensic Software: Specialized software that can analyze and extract data from
digital devices and networks. Some examples include EnCase, FTK, and X-Ways
Forensics.
 Forensic Imaging: The process of making a bit-by-bit copy of a digital device or
network, also known as disk cloning or disk imaging. This can be done through
hardware or software means.

 Forensic Analysis Software: Used to analyze the data from a forensic image.
Examples include Sleuth Kit, Autopsy, and the open-source toolkit The Coroner’s
Toolkit (TCT).

Challenges in Digital Forensics

Data Encryption: Encryption can make it difficult to access the data on a device or
network, making it harder for forensic investigators to collect evidence. This can require
specialized decryption tools and techniques.

Data Destruction: Criminals may attempt to destroy digital evidence by wiping or

destroying devices. This can require specialized data recovery techniques.

Data Storage: The sheer amount of data that can be stored on modern digital devices
can make it difficult for forensic investigators to locate relevant information. This can
require specialized data carving techniques to extract relevant information.