Understanding Computer Forensics Basics

This is the 3rd unit of cyber security.

[Handwritten notes, scanned. The OCR of these pages is legible only in fragments; the points that can be recovered are listed here, everything else is lost.]

Recoverable points from the handwritten notes:

Definition of digital forensics (the DFRWS wording): the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

Digital evidence can come from any form of digital data, including computers and PDAs, and the data may be hidden.

Edmond Locard (1877-1966), known as the "Sherlock Holmes of France", and Locard's exchange principle (every contact leaves a trace).

Legal basis: the Indian Evidence Act 1872, amended by the Information Technology Act (ITA) 2000 so that electronic records are admissible as evidence.

Requirements on digital evidence, including that it must be reliable and interpreted in its context.

The digital forensics life cycle: identification; collection and recording; storing and transporting; examination/investigation; analysis, interpretation and attribution; reporting; testifying.

The chain of custody.

Layers at which evidence is examined: media, media management, file system, application, network.

Network forensics (capture, recording and analysis of network events); forensic toolkits; steganography; forensics and social networking sites; FAT entries; data reduction to cope with the volume of data.

Unit 3: Forensics

What is computer forensics?


Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Computer forensics -- which is sometimes referred to as computer forensic science -- essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics and cyber forensics are often used as synonyms for computer forensics.

Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes.

The use of computer forensics isn't always tied to a crime. The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.

Why is computer forensics important?


In the civil and criminal justice system, computer forensics helps ensure the integrity of digital evidence presented in court cases. As computers and other data-collecting devices are used more frequently in every aspect of life, digital evidence -- and the forensic process used to collect, preserve and investigate it -- has become more important in solving crimes and other legal issues.

The average person never sees much of the information modern devices collect. For instance, the computers in cars continually collect information on when a driver brakes, shifts and changes speed without the driver being aware. However, this information can prove critical in solving a legal matter or a crime, and computer forensics often plays a role in identifying and preserving that information.

Digital evidence isn't just useful in solving digital-world crimes, such as data
theft, network breaches and illicit online transactions. It's also used to solve
physical-world crimes, such as burglary, assault, hit-and-run accidents and
murder.

Businesses often use a multi-layered data management, data governance and network security strategy to keep proprietary information secure. Having data that's well managed and safe can help streamline the forensic process should that data ever come under investigation.

Businesses also use computer forensics to track information related to a system or network compromise, which can be used to identify and prosecute cyber attackers. Businesses can also use digital forensic experts and processes to help them with data recovery in the event of a system or network failure caused by a natural or other disaster.

As the world becomes more reliant on digital technology for the core functions of life, cybercrime is rising. As such, computer forensic specialists no longer have a monopoly on the field. See how the police in the U.K. are adopting computer forensic techniques to keep up with increasing rates of cybercrime.

Types of computer forensics


There are various types of computer forensic examinations. Each deals with a specific aspect of information technology. Some of the main types include the following:

Database forensics. The examination of information contained in databases, both data and related metadata.
Email forensics. The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts.
Malware forensics. Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horses, ransomware or various viruses.
Memory forensics. Collecting information stored in a computer's random access memory (RAM) and cache. This is where evidence that never touches disk lives, such as injected code, decrypted keys and the list of running processes, and it is lost once the machine powers off.
Mobile forensics. The examination of mobile devices to retrieve and analyze the information they contain, including contacts, incoming and outgoing text messages, pictures and video files.
Network forensics. Looking for evidence in network traffic, using packet captures, flow records and alerts from tools such as a firewall or intrusion detection system.
How does computer forensics work?
Forensic investigators typically follow standard procedures, which vary
depending on the context of the forensic investigation, the device being
investigated or the information investigators are looking for. In general, these
procedures include the following three steps:

Data collection. Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with. Examiners make a digital copy, also called a forensic image, of the device's storage media, and then they lock the original device in a safe or other secure facility to maintain its pristine condition. The image is taken through a write blocker where possible, and a cryptographic hash of the original media and of the image is recorded so that the copy can be shown to match the original and any later alteration can be detected. The investigation is conducted on the digital copy. In other cases, publicly available information may be used for forensic purposes, such as Facebook posts or public Venmo charges for purchasing illegal products or services displayed on the Vicemo website.

Analysis. Investigators analyze digital copies of storage media in a sterile environment to gather the information for a case. Various tools are used to assist in this process, including Basis Technology's Autopsy for hard drive investigations and the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a running computer to keep it from falling asleep and losing volatile memory data, which is lost when the computer goes to sleep or loses power.

Presentation. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to recover from a compromised system.

Often, multiple tools are used in computer forensic investigations to validate the results they produce. Learn how a researcher at Kaspersky Lab in Asia created an open source forensics tool for remotely collecting malware evidence without compromising system integrity.

Techniques forensic investigators use


Investigators use a variety of techniques and proprietary forensic applications to examine the copy they've made of a compromised device. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation.

Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:

Reverse steganography. Steganography is a common tactic used to hide data inside any type of digital file, message or data stream. If a cybercriminal hides information inside an image or other digital file, it may look the same before and after to the untrained eye, but the underlying bytes, and therefore the file's hash, will differ from the original. Computer forensic experts therefore compare a suspect file's hash against a known-good copy where one exists, and examine the carrier for the statistical traces an embedding leaves (for example, changes confined to the least-significant bits of pixel data) in order to locate and extract the hidden payload. A hash mismatch on its own shows only that the file changed, not what was hidden or where.
Stochastic forensics. Here, investigators analyze and reconstruct digital activity without the use of digital artifacts. Artifacts are unintended alterations of data that occur from digital processes. Artifacts include clues related to a digital crime, such as changes to file attributes during data theft. Stochastic forensics is frequently used in data breach investigations where the attacker is thought to be an insider, who might not leave behind digital artifacts.
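To make the reverse-steganography item concrete, here is an added example; it is not code from the original page or from any tool the page names. It embeds a message in the least-significant bit of a constructed "pixel" buffer and then runs the three checks an examiner would run: the hash comparison shows that the carrier is no longer the known-good original, a byte-level diff shows that every change is confined to the LSB plane, which is the signature of this kind of embedding, and the extractor pulls the payload back out. The cover data, the message and the 4-byte length prefix are all assumptions of the example.

```python
"""LSB steganography and its forensic reversal. Added example; the 'cover' is a
constructed byte buffer standing in for raw pixel data, not a real image file."""
import hashlib


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload, prefixed with its 4-byte length, one bit per cover byte in
    the least-significant bit. Every byte changes by at most 1, so the carrier
    looks identical to the eye but its hash no longer matches the original."""
    msg = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, n_bytes: int) -> bytes:
    """Reassemble n_bytes from the LSBs starting at bit position start_bit."""
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[start_bit + k * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse the embedding: read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def hashes_differ(original: bytes, suspect: bytes) -> bool:
    """Check 1: the carrier is not the known-good original. This says nothing
    about where or what was hidden."""
    return hashlib.sha256(original).digest() != hashlib.sha256(suspect).digest()


def lsb_only_diff(original: bytes, suspect: bytes):
    """Check 2: (bytes that differ, bytes that differ only in bit 0). When the
    two counts are equal and non-zero, every change lives in the LSB plane,
    which is what LSB embedding leaves behind and ordinary re-encoding does not."""
    differing = lsb_only = 0
    for a, b in zip(original, suspect):
        if a != b:
            differing += 1
            if (a ^ b) == 1:
                lsb_only += 1
    return differing, lsb_only


def build_cover() -> bytes:
    # Constructed 'pixels': a smooth gradient, as a flat image region would give.
    return bytes((i // 4) % 256 for i in range(4096))


def demo():
    cover = build_cover()
    stego = embed_lsb(cover, b"meet at 9")          # constructed secret message
    return {
        "hash_differs": hashes_differ(cover, stego),
        "diff": lsb_only_diff(cover, stego),
        "recovered": extract_lsb(stego),            # check 3: recover the payload
    }


if __name__ == "__main__":
    print(demo())
```

Without a known-good original, only check 3 and statistical tests on the LSB plane remain, and a payload that was encrypted before embedding will extract as noise, so the examiner still has to show that the LSB statistics are not what a natural image produces.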

Cross-drive analysis. This technique correlates and cross-references information found on multiple computer drives to search for, analyze and preserve information relevant to an investigation. Features that are rare across the set of drives, such as an email address or account number that appears on only two of them, are stronger evidence of a link than features found everywhere. Events that raise suspicion are compared with information on other drives to look for similarities and provide context. The technique is sometimes described as anomaly detection, since a drive that stands out from the rest of the set is itself a lead.
Live analysis. With this technique, a computer is analyzed from within the OS while the computer or device is running, using system tools on the computer. The analysis looks at volatile data, which is often stored in cache or RAM. Because every command run on a live system changes its state, the examiner records each action taken, captures the most volatile data first (memory, network connections, running processes) and keeps the procedure documented so that the chain of evidence remains defensible.
Deleted file recovery. This technique involves searching a computer system and memory for fragments of files that were deleted but whose contents still remain in unallocated space or slack on the machine. Searching for such content by its file signatures rather than by file system metadata is known as file carving or data carving.
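The carving idea in the last item, as an added example that is not the page's own code: a header/footer scan over a constructed raw byte buffer standing in for unallocated space on a disk image. It carves JPEG and PNG files by their well-known signatures and hashes each carved object so that the report can cite it. The sample buffer and its two "deleted" files are assumptions of the example. Plain header/footer carving cannot reassemble a fragmented file, which is why production carvers also validate the internal structure of what they recover.

```python
"""Signature-based file carving over raw bytes. Added example; the 'image' is a
constructed buffer, not a real disk image."""
import hashlib

# Header and footer magic for two common formats. The PNG footer is the IEND
# chunk type followed by its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return [(offset, kind, data)] for every header that has a matching footer
    within max_size bytes, sorted by offset. File system metadata is ignored
    entirely, which is what lets this find files whose directory entries are gone."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:                 # header with no footer: skip it, keep scanning
                pos = start + 1
                continue
            end += len(footer)
            found.append((start, kind, image[start:end]))
            pos = end
    found.sort(key=lambda t: t[0])
    return found


def carve_report(image: bytes):
    """Offset, type, size and SHA-256 of each carved object, as an examiner would
    record them before citing the recovery in a report."""
    return [(off, kind, len(data), hashlib.sha256(data).hexdigest())
            for off, kind, data in carve(image)]


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': a JPEG and a PNG whose directory entries
    were deleted, surrounded by zeroed sectors and leftover slack."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-" * 8 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 13 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpeg + b"slack" * 20 + b"\x00" * 300 + png + b"\x00" * 128


if __name__ == "__main__":
    for off, kind, size, digest in carve_report(build_sample_image()):
        print(f"{off:>6} {kind} {size} bytes sha256={digest[:16]}...")
```

On a real image the same function runs over the whole device, not only unallocated space, so it will also return live files; comparing carved offsets against the file system's allocation map is how an examiner separates "deleted and recovered" from "still allocated".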

How is computer forensics used as evidence? Case study

Computer forensics has been used as evidence by law enforcement agencies and in criminal and civil law since the 1980s. Some notable cases include the following:

Apple trade secret theft. An engineer named Xiaolang Zhang at Apple's autonomous car division announced his retirement and said he would be moving back to China to take care of his elderly mother. He told his manager he planned to work at an electronic car manufacturer in China, raising suspicion. According to a Federal Bureau of Investigation (FBI) affidavit, Apple's security team reviewed Zhang's activity on the company network and found, in the days prior to his resignation, he downloaded trade secrets from confidential company databases to which he had access. He was charged in federal court in 2018.
Enron. In one of the most commonly cited accounting fraud scandals, Enron, a U.S. energy, commodities and services company, falsely reported billions of dollars in revenue before going bankrupt in 2001, causing financial harm to many employees and other people who had invested in the company. Computer forensic analysts examined terabytes of data to understand the complex fraud scheme. The scandal was a significant factor in the passing of the Sarbanes-Oxley Act of 2002, which set new accounting compliance requirements for public companies. The company declared bankruptcy in 2001.

Google trade secret theft. Anthony Scott Levandowski, a former executive of both Uber and Google, was charged with 33 counts of trade secret theft in 2019. From 2009 to 2016, Levandowski worked in Google's self-driving car program, where he downloaded thousands of files related to the program from a password-protected corporate server. He departed from Google and created Otto, a self-driving truck company, which Uber bought in 2016, according to The New York Times. Levandowski pleaded guilty to one count of trade secrets theft and was sentenced to 18 months in prison and $851,499 in fines and restitution. Levandowski received a presidential pardon in January 2021.

Larry Thomas. Thomas shot and killed Rito Llamas-Juarez in 2016. Thomas was later convicted with the help of hundreds of Facebook posts he made under the fake name of Slaughtaboi Larro. One of the posts included a picture of him wearing a bracelet that was found at the crime scene.

Michael Jackson. Investigators used metadata and medical documents from Michael Jackson's doctor's iPhone that showed the doctor, Conrad Murray, prescribed lethal amounts of medication to Jackson, who died in 2009.

Mikayla Munn. Munn drowned her newborn baby in the bathtub of her Manchester University dorm room in 2016. Investigators found Google searches on her computer containing the phrase "at home abortion," which were used to convict her.

Murder is just one of the many types of crime computer forensics can aid in combating. Learn how forensic financial analysis software is used to combat
Cyber forensics is a process of extracting data as proof for a crime (that involves electronic devices) while following proper investigation rules to nab the culprit by presenting the evidence to the court. Cyber forensics is also known as computer forensics. The main aim of cyber forensics is to maintain the thread of evidence and documentation to find out who committed the crime digitally. Cyber forensics can do the following:

It can recover deleted files, chat logs, emails, etc.
It can also recover deleted SMS messages and call records.
It can recover audio of phone conversations where the device stored them.
It can determine which user used which system and for how long.
It can identify which user ran which program.
Why is cyber forensics important?

In today's technology-driven generation, the importance of cyber forensics is immense. Technology combined with forensic science paves the way for quicker investigations and accurate results. Below are the points depicting the importance of cyber forensics:

Cyber forensics helps in collecting important digital evidence to trace the criminal.
Electronic equipment stores massive amounts of data that a normal person fails to see. For example, in a smart house the smart devices record every spoken command and every action they perform, and that data is crucial in cyber forensics.
It is also helpful for innocent people to prove their innocence via the evidence collected online.
It is not only used to solve digital crimes but also used to solve real-world crimes like theft cases, murder, etc.
Businesses equally benefit from cyber forensics in tracking system breaches and finding the attackers.
The Process Involved in Cyber Forensics

1) Obtaining a digital copy of the system that is being, or is required to be, inspected.
2) Authenticating and verifying the reproduction.
3) Recovering deleted files (using the Autopsy tool).
4) Using keywords to find the information you need.
5) Establishing a technical report.
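The five-step process above, and the "Data collection" step of the earlier section, both come down to the same pipeline: image the media, prove the image matches, search it, and write down what was done. Here is that pipeline as an added example, not code from the page or from any forensic tool. Ordinary files stand in for the device and the working image, the "device" contents and the case identifiers are constructed, and the tampering at the end is deliberate, to show that re-verifying the hash catches any change to the working copy. In a real acquisition the source is read through a write blocker and the hash of the original media is recorded as well; deleted-file recovery (step 3) is a separate technique and is left out here.

```python
"""Forensic acquisition, verification, keyword search and custody log. Added
example; the device contents and case details below are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path: str, image_path: str) -> dict:
    """Copy source to image in chunks, hashing the source bytes as they stream
    past (the acquisition hash), then re-hash the written image independently
    (the verification hash). The two must agree before analysis starts."""
    acq = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            acq.update(chunk)
            dst.write(chunk)
    ver = _sha256_file(image_path)
    return {"acquisition_sha256": acq.hexdigest(),
            "verification_sha256": ver,
            "verified": acq.hexdigest() == ver}


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-run before analysis and again before court: any change flips this to False."""
    return _sha256_file(image_path) == expected_sha256


def _find_all(data: bytes, pattern: bytes):
    i = data.find(pattern)
    while i != -1:
        yield i
        i = data.find(pattern, i + 1)


def keyword_search(image_path: str, keywords) -> dict:
    """Byte offsets of each keyword, matched case-insensitively as ASCII and as
    UTF-16LE (the encoding much Windows text is stored in), so that every hit
    can be cited by offset in the report."""
    with open(image_path, "rb") as f:
        low = f.read().lower()
    hits = {}
    for kw in keywords:
        patterns = [kw.lower().encode(), kw.lower().encode("utf-16-le")]
        hits[kw] = sorted({i for p in patterns for i in _find_all(low, p)})
    return hits


def custody_entry(case_id: str, examiner: str, action: str, sha256: str) -> dict:
    """One chain-of-custody record: who did what to which bytes, and when."""
    return {"case": case_id, "examiner": examiner, "action": action,
            "sha256": sha256, "utc": datetime.now(timezone.utc).isoformat()}


def run_demo():
    work = tempfile.mkdtemp()
    device = os.path.join(work, "device.bin")
    image = os.path.join(work, "device.raw")
    # Constructed 'device': filler plus two copies of a term worth searching for,
    # one in ASCII and one in UTF-16LE.
    with open(device, "wb") as f:
        f.write(b"\x00" * 1000 + b"Invoice to offshore account" + b"\x00" * 500
                + "offshore".encode("utf-16-le") + b"\x00" * 200)
    result = acquire(device, image)
    log = [custody_entry("CASE-0001", "examiner-a", "acquired",
                         result["acquisition_sha256"])]
    hits = keyword_search(image, ["offshore"])
    # Deliberately corrupt one byte of the working copy: verification must notice.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"\x01")
    tampered = not verify_image(image, result["acquisition_sha256"])
    return result, hits, tampered, log


if __name__ == "__main__":
    result, hits, tampered, log = run_demo()
    print(result, hits, "tampered:", tampered, log, sep="\n")
```

The report (step 5) is then the custody log plus the hash pair plus the hit offsets, which is exactly what opposing counsel will ask for when challenging the image.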
How do cyber forensics experts work?

Cyber forensics is a field that follows certain procedures to find the evidence and reach conclusions after proper investigation of matters. The procedures that cyber forensic experts follow are:

Identification: The first step for cyber forensics experts is to identify what evidence is present, where it is stored, and in which format it is stored.
Preservation: After identifying the data, the next step is to safely preserve the data and not allow other people to use that device, so that no one can tamper with the data.
Analysis: After getting the data, the next step is to analyze the data or system. Here the expert recovers the deleted files, verifies the recovered data and finds the evidence that the criminal tried to erase by deleting secret files. This process might take several iterations to reach the final conclusion.
Documentation: After analyzing the data, a record is created. This record contains all the recovered and available (not deleted) data, which helps in recreating the crime scene and reviewing it.
Presentation: This is the final step, in which the analyzed data is presented in front of the court to solve cases.

Types of computer forensics

There are multiple types of computer forensics depending on the field in which digital investigation is needed. The fields are:

Network forensics: This involves monitoring and analyzing the network traffic to and from the suspect's network. The tools used here are network intrusion detection systems and other automated tools.
Email forensics: In this type of forensics, the experts check the email of the suspect and recover deleted email threads to extract crucial information related to the case.
Malware forensics: This branch of forensics involves hacking-related crimes. Here, the forensics expert examines the malware and trojans to identify the hacker behind them.
Memory forensics: This branch of forensics deals with collecting data from memory (cache, RAM, etc.) in raw form and then retrieving information from that data.
Mobile phone forensics: This branch of forensics generally deals with mobile phones. Experts examine and analyze data from the mobile phone.
Database forensics: This branch of forensics examines and analyzes the data from databases and their related metadata.
Disk forensics: This branch of forensics extracts data from storage media by searching modified, active, or deleted files.
Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data, and some of the commonly used techniques are:

Reverse steganography: Steganography is a method of hiding important data inside a digital file, image, etc. So, cyber forensic experts do reverse steganography to analyze the data and find a relation with the case.
Stochastic forensics: In stochastic forensics, the experts analyze and reconstruct digital activity without using digital artifacts. Here, artifacts mean unintended alterations of data that occur from digital processes.
Cross-drive analysis: In this process, the information found on multiple computer drives is correlated and cross-referenced to analyze and preserve information that is relevant to the investigation.
Live analysis: In this technique, the suspect's computer is analyzed from within the OS while it is running. It aims at the volatile data in RAM to get some valuable information.
Deleted file recovery: This includes searching memory and storage to find fragments of a partially deleted file in order to recover it for evidence purposes.
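Both descriptions of cross-drive analysis on this page (the earlier list and this one) describe correlation without showing it, so here is an added example, not code from the page or from any tool. It extracts one pseudo-unique feature, e-mail addresses, from each of three constructed "drive images", builds an index of which drives carry which address, and scores each pair of drives by the rarity of what they share, so that an address present on every drive (a vendor's support address) barely counts, while one found on only two drives links them. The drive contents and the weighting of 1/(number of drives carrying the feature) are assumptions of the example.

```python
"""Cross-drive analysis by feature correlation. Added example; the three
'drives' below are constructed byte strings standing in for raw images."""
import re
from collections import defaultdict
from itertools import combinations

# Pseudo-unique feature: e-mail addresses. Scanned as raw bytes so that hits in
# unallocated space or slack count just as much as those in live files.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_features(image: bytes):
    """Set of normalised e-mail addresses found anywhere in the image."""
    return {m.group(0).lower() for m in EMAIL.finditer(image)}


def cross_drive(drives: dict):
    """Return (index, scores). index maps feature -> set of drive names carrying
    it; scores maps (drive_a, drive_b) -> (shared features, weighted score),
    where each shared feature contributes 1/(number of drives carrying it)."""
    feats = {name: extract_features(img) for name, img in drives.items()}
    index = defaultdict(set)
    for name, fs in feats.items():
        for f in fs:
            index[f].add(name)
    scores = {}
    for a, b in combinations(drives, 2):
        shared = feats[a] & feats[b]
        scores[(a, b)] = (sorted(shared), sum(1.0 / len(index[f]) for f in shared))
    return dict(index), scores


def strongest_link(scores):
    """The pair of drives with the highest weighted overlap: the lead to pursue first."""
    return max(scores, key=lambda pair: scores[pair][1])


def build_sample_drives():
    # Constructed: every drive carries a widely seen vendor address; only A and B
    # share the personal address that actually ties them together.
    vendor = b"support@vendor.example"
    return {
        "A": b"\x00" * 64 + b"From: alice@corp.example\r\n" + vendor + b"\x00" * 32,
        "B": b"cached: ALICE@corp.example" + b"\x00" * 128 + vendor,
        "C": vendor + b"\x00" * 256 + b"newsletter@shop.example",
    }


if __name__ == "__main__":
    index, scores = cross_drive(build_sample_drives())
    for pair, (shared, score) in scores.items():
        print(pair, round(score, 3), shared)
    print("strongest link:", strongest_link(scores))
```

The same index, read the other way, is the anomaly view the earlier section mentions: a drive whose features overlap with none of the others stands out from the set just as clearly as a pair that shares a rare one.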

Advantages

Cyber forensics establishes the integrity of the evidence taken from a computer.
Through cyber forensics, many people, companies, etc. get to know about such crimes, and can take proper measures to avoid them.
Cyber forensics finds evidence on digital devices and presents it in court, which can lead to the punishment of the culprit.
It efficiently tracks down the culprit anywhere in the world.
It helps people or organizations protect their money and time.
Publicising relevant findings can be used to make the public aware of such crimes.

What are the required set of skills needed to be a cyber forensic expert?

As cyber forensics is based on technology, knowledge of various technologies, computers, mobile phones, network hacks, security breaches, etc. is required.
The expert should be very attentive while examining a large amount of data to identify proof/evidence.
The expert must be aware of criminal laws, criminal investigation, etc.
As technology always changes over time, the experts must keep up with the latest technology.
Cyber forensic experts must be able to analyse the data, derive conclusions from it and make proper interpretations.
