Open in app

Sign in

Write

Sign in

What is Cyber Forensics?

Vishnu Shivalal P
4 min readSep 18, 2022

Cyber Forensics is also known as Digital Forensics or Computer Forensics. Cyber forensics is the process of investigating and analyzing digital data which is gathered as evidence in criminal cases.

Need for Cyber Forensics

  • Used in fighting against cyber crimes like hacking and DoS attack.
  • Motive behind the crime and the culprit can be identified easily.
  • Cyber forensics report can be produced to the court of law as an evidence.
  • Maintains the integrity of evidence.
  • To recover lost data.
  • Cyber crime investigation.
  • Incident handling and response.

Cyber Forensics Process

A methodological approach to investigate, seize, and analyze digital evidence and then manage the case from the time of search and seizure to reporting the investigation result.

Phases involved in the Forensics Investigation Process

1. Pre-investigation Process

  • Deals with tasks to be performed prior to the commencement of the actual investigation.
  • Involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, setting up an investigation team, getting approval from the relevant authority etc.

2. Investigation Process

  • Main phase of the Computer Forensics Investigation process.
  • Involves acquisition, preservation, and analysis of evidentiary data to identify the source of the crime and the culprit behind it.

3. Post-investigation Process

  • Includes documentation of all actions undertaken and all findings uncovered during the investigation.
  • Ensures that the report is easily explicable to the target audience and that it provides adequate and acceptable evidence.

Steps in Cyber Forensics Investigation

  1. Identification.
  2. Preservation.
  3. Analysis.
  4. Documentation.
  5. Presentation.

Types of Cyber Forensics

  1. Disk Forensics.
  2. Database Forensics.
  3. Network Forensics.
  4. Malware Forensics.
  5. Email Forensics.
  6. Memory Forensics.
  7. Mobile Forensics.

Computer Forensics Lab (CFL)

A Computer Forensics Lab (CFL) is a location that houses instruments, software & hardware tools, and forensic workstations required for conducting a computer-based investigation with regard to the collected evidence.

Setting up a Computer Forensics Lab (CFL)

1. Planning & Budgeting Considerations

  • Number of expected cases.
  • Type of investigation.
  • Manpower.
  • Equipment and software requirement.

2. Physical & Structural Design Considerations

  • Lab size.
  • Access to essential services.
  • Space estimation for work area and evidence storage.
  • Heating, ventilation, and air-conditioning.

3. Work Area Considerations

  • Workstation requirements.
  • Ambience.
  • Internet, network, and communication line.
  • Lighting systems and emergency power.

4. Physical Security Considerations

  • Electronic sign-in.
  • Intrusion alarm systems.
  • Fire suppression systems.

5. Human Resources Considerations

  • Number of required personnel.
  • Training and certification.

6. Forensic Lab Licensing

  • ASCLD/Lab accreditation.
  • ISO/IEC 17025 accreditation.

Cyber Forensics Investigator

Cyber Forensics Investigator is a professional who works with law enforcement agencies and other private firms to retrieve information from storage devices.

Roles and Responsibilities of a Forensics Investigator

  1. Determines the extent of any damage done during the crime.
  2. Recovers data of investigative value from computing devices involved in crimes.
  3. Creates an image of the original evidence without tampering to maintain its integrity.
  4. Guides the officials carrying out the investigation.
  5. Analyzes the evidence data found.
  6. Prepares the analysis report.
  7. Updates the organization about various attack methods and data recovery techniques, and maintains a record of them.
  8. Addresses the issue.

Cyber Forensics Tools

  • The Sleuth Kit.
  • FTK Imager.
  • Xplico.
  • OSForensics.
  • Bulk Extractor.

Challenges for Cyber Forensics

  • Excessive use of internet and storage space.
  • Evidence should be free from tampering.
  • Evidence should be authentic.
  • Investigators should have good technical knowledge.
  • Tools used for investigation should be of specific standards.

Types of Digital Evidence

1. Volatile Data

Data that are lost as soon as the device is powered off. For example system time, logged-on user, open files, network information, process information, command history, clipboard contents etc.

2. Non-volatile Data

Data that are permanently stored on a secondary storage devices such as hard disks, memory cards, thumb drives etc. For example hidden files, swap file, index.dat file, hidden or unused partitions, registry settings, event logs etc.

Roles of Digital Evidence

  1. Identity theft
  2. Malicious attacks
  3. Information leakage
  4. Abuse of internet or systems
  5. Digital document forgery

Sources of Potential Evidence

1. User-Created Files

  1. Address books
  2. Database files
  3. Media files
  4. Document files
  5. Internet bookmarks

2. User-Protected Files

  1. Compressed files
  2. Misnamed files
  3. Encrypted files
  4. Password-protected files
  5. Hidden files
  6. Steganography

3. Computer-Created Files

  1. Backup files
  2. Log files
  3. Configuration files
  4. Cookies
  5. Swap files
  6. System files
  7. Temporary files

Rules of Digital Evidence

Digital evidence collection must be governed by five basic rules.

1. Understandable

Evidence must be clear and understandable to the judges.

2. Admissible

Evidence must be related to the fact being proved.

3. Authentic

Evidence must be real and appropriately related to the incident.

4. Reliable

There must be no doubt the authenticity or veracity of the evidence.

5. Complete

The evidence must prove the attacker’s action.

Forensic Readiness

Forensic readiness refers to an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs.

Benefits of Forensic Readiness

  • Fast and efficient investigation with minimal disruption to the business.
  • Provides security from cyber crimes such as intellectual property theft, fraud, or extortion.
  • Offers structured storage of evidence that reduces the cost and time of an investigation.
  • Improves law enforcement interface.
  • Helps the organization use the digital evidence in its own defense.

Forensic Readiness Planning

Forensic readiness planning refers to a set of processes to be followed to achieve and maintain forensic readiness.

  1. Identify the potential evidence required for an incident.
  2. Determined the sources of evidence.
  3. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.
  4. Establish a policy to handle and store the acquired evidence in a secure manner.
  5. Identify if the incident requires a full or formal investigation.
  6. Create a process of documenting the procedure.
  7. Establish a legal advisory board to guide the investigation process.
  8. Keep an incident response team ready to review the incident and preserve the evidence.
Cyber Forensics
Cybersecurity
Information Technology
Computer Forensics
Digital Forensics

--

--

Vishnu Shivalal P
Vishnu Shivalal P

Written by Vishnu Shivalal P

503 Followers
95 Following

Cyber Security Engineer | Bug Hunter | Security Researcher | CTF Player | PenTester | Security Enthusiast | TryHackMe Top 1% www.linkedin.com/in/vishnushivalalp

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams