
Chapter 7

Basic Cyber Forensics


Introduction
This chapter focuses on the concept of Cyber Forensics. Cyber forensics is also called Computer forensics or Digital forensics. Forensics is related to the scientific methods of investigating and solving crimes; it involves examination of the objects or substances that are involved in the crime. Forensics is a term which is generally used for conventional crimes. For Cyber crimes, the term "Cyber forensics" is used.
Nowadays computers are used in all aspects of life. The Internet has revolutionized many aspects of our daily lives and is used for millions of applications. Many people depend on the Internet for several activities like on-line banking, on-line shopping, on-line learning and on-line meetings. These advancements in technologies have changed the way of living, but they have also changed the nature and types of crimes and criminals. Cyber crimes are the crimes which are performed through ICTs (Information and Communication Technologies). For controlling and investigating Cyber crimes, a more systematic approach is required. This need to investigate and control cyber crimes has given rise to a new discipline called "Cyber Forensics". Cyber Forensics is a process of investigating and analyzing the evidence from a particular computing device. Cyber Forensics is a process of gathering evidence from the computers located at the scene of the crime.

BASIC CONCEPTS
Dictionary meaning of forensics
"scientific tests or techniques used in connection with the detection of crime".
"relating to the use of scientific knowledge or methods in solving crimes".
"relating to or denoting the application of scientific methods and techniques to the investigation of crime".
"related to scientific methods of solving crimes, involving examining objects or substances that are involved in the crime".
Dictionary meaning of Cyber forensics
"the application of scientifically proven methods to gather, process, interpret, and to use digital evidence to provide a conclusive description of cyber crime activities".
Definitions of Cyber Forensics
Advancements in technologies have given rise to a new category of crimes known as Cyber crimes, which in turn has given rise to a new discipline called "Cyber Forensics".
"Cyber forensics is the science of obtaining, preserving and documenting evidence from digital electronic storage devices, such as computers, PDAs, digital cameras, mobile phones and various memory storage devices. All must be done in a manner designed to preserve the probative value of the evidence and to assure its admissibility in a legal proceeding". (Source: A white paper by ISFS, http://www.isfs.org.hk/publications/ComputerForensics_part1.pdf)
"Cyber Forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable". (Rodney McKemmish 1999)
Cyber forensics is used to deal with cyber crimes such as hacking, money laundering, counterfeiting etc. Cyber forensics is used to conduct investigations of computer related incidents. Cyber forensics is used to identify digital evidence (information stored or transferred in digital form) when computers are used in committing a crime.
Cyber forensics is the application of science to the identification, collection, examination and analysis of digital data while preserving the integrity of the data and maintaining a strict chain of custody for the data. All these tasks are performed by forensic specialists. A Forensic Specialist is a professional who locates, identifies, collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of the information discovered. The task of gathering information during cyber forensics is not simple; average computer users cannot extract the data required for examination. Data may include files that are encrypted, files that are protected by passwords, hidden files or deleted files. Special skills, techniques and tools are required to obtain this type of data, which is known as latent data. There are three types of data: Active data (data that is visible and can be easily retrieved), Archived data (data that has been backed up and stored), and Latent data (data that has been deleted or partially overwritten; this type of data requires specialized tools for retrieval, and the process of retrieval is very time consuming and costly). So, cyber forensics should be conducted by certified and licensed cyber forensic professionals. These professionals also use licensed tools to collect evidence from all types of equipment for the investigation of threats, which helps to ensure the validity of the evidence produced in court.
Cyber Forensics is the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Cyber forensics is the investigation of a computer system that is believed to be involved in cyber crime. "Cyber forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it". (Source: http://searchsecurity.techtarget.com/definition/computer-forensics)
Cyber Forensics Process
In traditional forensics, evidence like fingerprints is collected, whereas in Cyber forensics digital evidence such as information in digital form is collected. Digital evidence is vulnerable to modification and can be altered easily. Cyber criminals get into others' systems to do damage and move out without leaving any traces of malicious activities. Cyber forensics can be described as the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. In short, the objectives of a forensic analysis are to determine what happened and the extent of the problem, determine who was responsible, and present this information as evidence in court if required.
Various models have been developed for describing the process of Cyber forensics. In 2001, the first Digital Forensics Research Workshop (DFRWS) proposed a general purpose digital forensics investigation process. This process has six phases.
Phases (or Steps) of Cyber Forensics Process:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
[Phases of Cyber Forensics Process]

Identification
This is the preliminary step of a Cyber Forensic Process. A cyber forensic investigation starts in response to an incident. In this phase, the type of incident (cyber crime) which has occurred is identified and the characteristics of the incident are identified. Examples of incidents are cyber crimes such as hacking, money laundering and counterfeiting. In this phase the location of critical information and key data is identified. The other tasks which are performed in this phase are: to identify where key data is likely to be located, what the issue (or incident) is, what the aim of the investigation is and what output is expected. So, in this phase, forensic experts should identify where and how the key data is located and which operating system is being used. Based on this information the forensic investigator can identify the appropriate recovery methods and the tools to be used in the investigation process.
Preservation
In this phase, the approach to be followed for preservation of data is defined, to make sure that no unauthorized individual can access the computers or storage devices involved in the investigation. Key data must be properly isolated, secured and protected from contamination. In this phase, data should be isolated so that forensic evidence is not damaged. A proper chain of custody is maintained for the data. Sometimes, the whole system is isolated and set offline, because entering data, performing system maintenance or running software may destroy certain data.
Collection
In this phase, the approach to be followed for collection of data is defined. Forensic experts retrieve relevant data from all storage media, including active data on the accessible media, data from active and unused media, deleted data, deleted email, password protected and encrypted files, data from databases etc. Forensic investigators take a "snap-shot" or "mirror image" of the information contained on the media without affecting the original data. This "snap-shot" is a perfect sector-by-sector copy of the drive, including all data in the unused and partially overwritten spaces. The imaging process is safe and works without affecting the system.
Examination
In this phase, all the collected data are examined. Examination is always performed on a copy (snap-shot) of the system, hard drive, etc. to ensure that the original data is kept intact. In this phase, data is examined to determine details such as the origin and content of the incident.
Analysis
In this phase, all the collected data are analyzed and interpreted to determine possible evidence. Analysis is always performed on a copy (snap-shot) of the system, hard drive, etc. to ensure that the original data is kept intact. Special areas of disks that are normally inaccessible are analyzed in this phase. Also, forensic investigators determine whether computer evidence was tampered with, altered, damaged or removed. Forensic investigators analyze the hidden information associated with recovered files, the content contained in the files, user activity (people who had access to the drive), Internet activity, e-mail communication etc.
Presentation
In this phase, reporting documents that present the evidence in a legally acceptable and understandable manner are prepared. Without proper documentation evidence may not be acceptable. Forensic investigators also provide proofs (along with documentation) that their investigations preserved all the data on computer systems from modification and damage. Proper presentation completes the forensic process because only a properly documented report can be presented in the court. Presenting admissible evidence in court, proving the integrity of evidence in court and supporting the client's court case are also the responsibility of the forensic investigator. Documentation should contain the steps taken to capture data and any changes to the evidence (including what the change was and the reason for the change).
So, on the basis of the above discussion, the roles and responsibilities of a forensic investigator are: identification, preservation, collection, examination, analysis and presentation of evidence related to a Cyber crime that has been committed in an organization. The task of data recovery (if possible) is also the responsibility of the forensic investigator.
Rules for Cyber Forensic Process
Original media (or data) should not be used for the cyber forensics process. A "snap-shot" or "mirror-image" or "duplicate-copy" should be used for investigation purposes. The snap-shot should be a sector-by-sector copy of the drive (an exact copy of the original data).
All the deleted information, hidden files and access protected files must be recovered.
All the data and evidence should be preserved from modification or damage.
A proper chain of custody for all the data and evidence should be implemented and maintained.
Integrity of evidence should not be compromised.
Changes (if any) must be properly documented. In some cases, changes to data and evidence are unavoidable; for example, the booting process will change the memory and temporary files, and shutting down the system can also introduce changes. So the nature of the change, the extent of the change and the reason for the change should be documented.
For legal proceedings, the incident should be documented in a legally acceptable and understandable manner.
Relevant evidence should be collected: evidence related to the incident (that is under investigation) must be collected.
All the evidence should be collected: exculpatory evidence (which focuses on who else could be a suspect, i.e. is in favor of the attacker) as well as inculpatory evidence (which focuses on who committed the crime, i.e. is against the attacker).
The evidence collected must be presented in a way that is easily understandable in a court of law.
Each and every step of the investigation procedure must be documented.
All the laws and rules of the Indian IT Act 2000 are applicable to Cyber Forensics.
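One way to put the collection phase and the rules above into practice, as an added example that is not from the chapter: take a sector-by-sector image of constructed sample media, hash the original and the copy to prove they match, write each step to a chain-of-custody log, and show that an undocumented change to the working copy is caught by the hash mismatch. The examiner name and file names are assumed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # copy in fixed-size sectors, as a disk imager does

def sha256_of(path):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def image_media(source, image):
    """Snap-shot: copy every sector of the source, which is opened read-only."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            dst.write(sector)

def log_custody(log, action, item, examiner, digest, note=""):
    """Append one chain-of-custody entry: who did what, when, to which item."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action,
                "item": os.path.basename(item), "examiner": examiner,
                "sha256": digest, "note": note})

def acquire(source, image, examiner, log):
    """Image the media and prove image == original before any examination."""
    before = sha256_of(source)
    log_custody(log, "hash-original", source, examiner, before)
    image_media(source, image)
    after = sha256_of(image)
    log_custody(log, "image-created", image, examiner, after,
                "verified" if after == before else "MISMATCH")
    return after == before

def run_demo(examiner="examiner-1"):  # examiner name is an assumed placeholder
    """Constructed sample media: one live sector plus one 'deleted' sector."""
    with tempfile.TemporaryDirectory() as d:
        src, img, log = os.path.join(d, "media.bin"), os.path.join(d, "media.dd"), []
        with open(src, "wb") as f:
            f.write(b"LIVE:invoice.txt".ljust(SECTOR, b"\x00"))
            f.write(b"old deleted text".ljust(SECTOR, b"\xff"))
        ok = acquire(src, img, examiner, log)
        with open(img, "r+b") as f:  # an undocumented change to the working copy
            f.write(b"X")
        tampered = sha256_of(img) != log[-1]["sha256"]
        return {"verified": ok, "size": os.path.getsize(img),
                "actions": [e["action"] for e in log], "tamper_detected": tampered}
```

A real acquisition also places a hardware write blocker in front of the original media; the hash comparison is the check that the snap-shot is an exact copy before any examination begins.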
Applications of Cyber Forensics
Cyber crimes (all the illegal activities that are performed via computers) are investigated using the Cyber forensics process. The applications of cyber forensics are:
Investigation of cyber-crimes
Investigation of credit-card frauds
Investigation of identity-frauds
Investigation of identity-thefts
Investigation of Denial-of-Service attacks
Investigation of Cyber terrorism
Investigation of internal penetration (or intrusion)
Investigation of external penetration (or intrusion)
Investigation of money laundering
Investigation of counterfeiting
Investigation of crimes that weren't directly committed via computer, but for which the accused might have stored evidence on computer systems
Detection of vulnerabilities in an organization's systems (ethical hacking)
Data recovery
