Computer Forensics

Cyber Forensics plays a key role in the investigation of cybercrime and involves the application of computers for investigating computer-based crime.

This field is crucial because as technology becomes more pervasive, it creates new risks and opportunities for crime. Digital evidence is now central to everything from corporate litigation to criminal investigations.

There are two categories of computer crime:

• A criminal activity that involves using a computer to commit a crime.
• A criminal activity that has a computer as a target.

Digital Forensics Science

The term forensics refers to evidence that is suitable for admission as fact in a legal setting.

The term forensics is generally considered to be related to the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded. The objective of forensics is to provide digital evidence of a specific or general activity.

Computer Forensics vs. Digital Forensics

Computer Forensics is the lawful seizure, acquisition, analysis, and safeguarding of data from digital devices for evidentiary value in investigations. It involves the tools and techniques used to find evidence on a computer. Experts can retrieve data from standard directories, hidden files, deleted files, and encrypted partitions.

Digital Forensics is the broader, proven methods which are science-based approach to preserving, collecting, validating, analyzing, and presenting digital evidence from any digital source to reconstruct criminal events.

Need for Digital Forensics

The convergence of Information and Communication Technology (ICT) and the pervasive use of computers worldwide provide avenues for misuse as well as opportunities for committing crime. This has led to new risks for computer users and also increased opportunities for social harm.

Digital evidence plays a crucial role in the threat management life cycle, from incident response to corporate litigation. Evidence can reside on more than a user's hard drive, requiring the capture and analysis of evidence from servers, network logs, or proprietary databases.

Digital forensics is essential for uncovering and documenting digital evidence and leads. Because digital evidence can be found on devices not traditionally seen as computers (like cell phones and smart devices), its role is constantly expanding.

Key functions include:

• Corroborating evidence discovered through other means.
• Showing a pattern of events, sometimes using data mining techniques.
• Extracting data that may be hidden, deleted, or otherwise inaccessible.

Typical scenarios for digital forensics are:

• Data breaches or leaks.
• Employee internet abuse.
• Industrial espionage and corporate spying.
• Criminal cases, fraud, and copyright violation.

Security Policy vs. Forensic Policy

A security policy is a proactive document with rules to protect an organization's assets and prevent incidents before they happen. Its audience is all staff and IT personnel. It partitions system states into "secure" and "unauthorized" to implement mechanisms that enforce system security.

A forensic policy is a reactive statement that identifies forensically important assets and specifies how data should be collected and preserved for an investigation after an incident occurs.

It applies to specialized teams like incident responders and legal epartments. A well-defined forensic policy is critical to ensure evidence is admissible in court.

Aspect	Security Policy	Forensic Policy
Goal	Prevention of incidents.	Investigation after an incident.
Timing	Proactive. Enforced continuously to maintain a secure state.	Reactive. Activated only after a security incident is detected or suspected.
Focus	Access control, passwords, network security, data encryption, physical security and employee duties.	Chain of custody, evidence handling, legal compliance. Investigation procedures, use of forensic tools and legal compliance
Audience	All Staff. Applies broadly to all employees, IT staff, and third-party contractors who access company systems.	Specialized Teams. Primarily used by incident response teams, forensic analysts, and legal or compliance departments.
Example	"All employees must change their system passwords every 90 days."	"Upon seizure, a bit-for-bit image of the digital media must be created, and its cryptographic hash must be logged."

A well-defined forensic policy is critical to ensure that if a breach occurs, the collected evidence is admissible in court.

Chain of Custody Concept

The chain of custody is a central concept in digital forensics. It is a chronological written record of everyone who has had custody of a piece of evidence from its initial acquisition until its final disposition. Its purpose is to prove that the evidence has not been tampered with. If the chain of custody is broken, the evidence can be declared inadmissible in court.

To maintain the chain of custody, you must be able to answer:

• Where did the evidence come from?
• Who found it and who has handled it?
• Where was it stored?

Cyber-forensics and Digital Evidence

Cyber Forensics can be divided into two domains:

1. Computer Forensics
2. Network Forensics

Digital evidence is much easier to change or manipulate, but its integrity can be proven by creating a defensible clone of a storage device. It originates from sources like hard drives, backup media, real-time E-Mail messages, chat logs, and network traffic.

---

Digital Forensics Life Cycle

The forensics life cycle involves the following phases:

1. Preparation and Identification: Recognize the incident, prepare tools, and get proper authorization or search warrants.

2. Collection and Recording: Collect digital evidence from sources like computers, cell phones, and hard drives, ensuring to calculate a cryptographic hash to record its original state.

3. Storing and Transporting / Preserving: Properly maintain digital media in a secure location to assure a proper chain of custody and documenting everything done. Use write-blocking tools when imaging media to prevent adding of data.

4. Examination/Investigation: Create an exact duplicate ("image") of the original media for analysis. This can be a "dead analysis" (on data at rest) or "live analysis" (on a running system).

5. Analysis, Interpretation, and Attribution: Use specialized tools like FTK, EnCase, or The Sleuth Kit to analyze the data and draw conclusions.

6. Reporting and Testifying: Present the findings in a written report or as oral testimony to law enforcement, legal experts, or corporate management.

Network Forensics

Network forensics is the study of network traffic to search for evidence in civil, criminal, or administrative matters. It aims to protect users and resources from exploitation or other crimes fostered by network connectivity.

Wireless forensics is a specific discipline within network forensics that provides the methodology to collect and analyze wireless network traffic so it can be presented as valid digital evidence.

Open networks can be the source of many network-based cyber attacks. The wireless forensics process involves capturing all data moving over a Wi-Fi network and analyzing network events to uncover network anomalies, discover the source of security attacks, and investigate breaches on computers and wireless networks.

Forensics Analysis of E-Mail

Forensics analysis of E-Mails is an important aspect of cyber forensics analysis as it helps to establish the authenticity of an Email when suspected.

An E-Mail consists of two parts: the header and the body. The header is very important from a forensics point of view as it provides the entire path of the E-Mail's journey from its origin to its destination, including the originating IP address.

Electronic Messages and the Indian Evidence Act

According to Section 88A of the Indian Evidence Act, the court may presume that an electronic message forwarded by an originator corresponds with the message as fed into the person's computer for transmission. However, the court shall not make any presumption as to the person by whom such message was sent.

RFC (Request for Comments)

In the context of email, RFC refers to a series of technical documents that define the standards and protocols for the internet, including email, developed by the Internet Engineering Task Force (IETF). RFCs are important because they provide the specifications that email software and systems use to ensure interoperability and proper functioning.