
ISHAN KAKKAR

UNIT 1
DIGITAL FORENSICS DEFINITION
The application of computer science and investigative procedures for a legal purpose involving the analysis
of digital evidence after proper search authority, chain of custody, validation with mathematics, use of
validated tools, repeatability, reporting, and possible expert presentation.
DIGITAL FORENSICS IN LAW ENFORCEMENT
In law enforcement, digital forensics is used in the following areas:
1. Criminal Investigation
2. Court Cases (Civil Litigation)
3. Intelligence
4. Administrative Matters

Criminal Investigation
a. When you mention digital forensics in the context of a criminal investigation, people tend to think
first in terms of child pornography and identity theft. Although these investigations certainly focus
on digital evidence, they are by no means the only two.
b. In today's digital world, electronic evidence can be found in almost any criminal investigation.
Homicide (murder), sexual assault, robbery, and burglary are just a few of the many examples of
analog crimes that can leave digital evidence.
c. One of the major struggles in law enforcement is to change the habit (practice) of the police and
get them to think of and seek out digital evidence. Everyday digital devices such as cell phones and
gaming consoles can hold a treasure trove of evidence.
d. Unfortunately, none of that evidence will ever see a courtroom if it's not first recognized and
collected. As time moves on and our law enforcement agencies are replenished with younger
blood, this will become less and less of a problem.
Court Cases (Civil Litigation)
a. The use of digital forensics in civil cases is big business. As part of a process known as electronic
discovery (eDiscovery), digital forensics has become a major component of many important cases
(litigation).
b. eDiscovery refers to any process in which electronic data is sought, located, secured, and searched
with the intent of using it as evidence in a civil or criminal legal case.
c. In a civil case, both parties are generally entitled to examine the evidence that will be used against
them before trial. This legal process is known as discovery.
d. Previously, discovery was largely a paper-based exercise, with each party exchanging reports,
letters etc.; but, the introduction of digital forensics and eDiscovery has greatly changed this
practice.
e. Digital evidence can quickly become the focal point of a case, no matter what kind of legal
proceeding it's used in. The legal system and all its players are struggling to deal with this new
reality.


Intelligence
a. Terrorists and foreign governments, the purview of our intelligence agencies, have also joined the
digital age. Terrorists have been using information technology to communicate, recruit, and plan
attacks.
b. In Pakistan and Afghanistan, our armed forces are exploiting intelligence collected from digital
devices brought straight from the battlefield.
c. This process is known as Document and Media Exploitation (DOMEX). DOMEX is paying large
dividends by providing actionable intelligence to support the soldiers on the border.
Administrative Matters
a. Digital evidence can also be valuable for incidents other than litigation and matters of national
security. Violations of policy and procedure often involve some type of electronically stored
information; for example, an employee operating a personal side business, using company
computers while on company time. That may not constitute a violation of the law, but it may
warrant an investigation by the company.
COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS

a. Computer forensics analysis is becoming increasingly useful to businesses. Computers can contain
evidence in many types of human resources proceedings, including sexual harassment suits,
allegations of discrimination, wrongful termination claims, and others.
b. Evidence can be found in electronic mail systems, on network servers, and on individual employees'
computers. However, due to the ease with which computer data can be manipulated, if the search
and analysis are not performed by a trained computer forensics specialist, it could likely be thrown
out of court.
Employer Safeguard Program
c. As computers become more prevalent in businesses, employers must safeguard critical business
information. An unfortunate concern today is the possibility that data could be damaged, destroyed
or misappropriated by a discontented person.
d. Employer Safeguard Program (ESP) is designed to protect employers in the event that an
individual's employment must be terminated for cause.
e. Before an individual is informed of their termination, a computer forensic specialist would come
on-site and create an exact duplicate of the data on the individual's computer.
f. In this way, should the employee choose to do anything to that data before leaving, the employer
is protected.
g. Damaged or deleted data can be replaced, and evidence can be recovered to show what occurred.
This method can also be used to bolster an employer's case showing the removal of proprietary
information, or to protect the employer from false charges made by the employee.
Choosing a computer forensics specialist for a civil case
h. When you need a computer forensics specialist, look for expertise and experience not only in
computer forensics, but also in court.


BENEFITS OF PROFESSIONAL FORENSICS METHODOLOGY
a. The computer expert who helps during discovery will typically have experience on a wide range of
computer hardware and software. This is always beneficial when the case involves hardware and
software with which this expert is directly familiar.
b. But fundamental computer design and software implementation are often quite similar from one
system to another, so experience with one application or operating system usually transfers to a
new one.
c. Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still
accessible on a computer disk. The discovery process can be served well by a knowledgeable
expert.
d. During on-site premises inspections, for cases where computer disks are not actually seized or
forensically copied, the forensics expert can more quickly identify places to look, signs to look for,
and additional information sources for relevant evidence.
e. These may take the form of earlier versions of data files (e.g. memos, spreadsheets) that still exist
on the computer's disk or on backup media, or differently formatted versions of data, either created
or treated by other application programs (e.g. word processing, spreadsheet, e-mail, timeline,
scheduling, or graphics).
f. Protection of evidence is critical. A knowledgeable computer forensics professional will ensure
that a subject computer system is carefully handled to ensure that:
1. No possible evidence is damaged or destroyed by the procedures used to investigate the
computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later
mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
STEPS TAKEN BY DIGITAL FORENSICS SPECIALISTS
a. There are 8 steps taken by a digital forensics specialist:
1. Search Authority
2. Chain of Custody
3. Imaging/Hashing Function
4. Validated Tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible Expert Presentation
b. Search Authority
1. Without the proper search authority (permission), any evidence recovered (no matter how
compelling) will very likely be suppressed. Search authority includes:
i. In a criminal case: a search warrant, consent, etc.
ii. In civil cases, parties could consent to a search or one could be ordered by the court.
2. It's important to note that this first step only applies in a legal context. There may also be
special circumstances where legal consequences become secondary to obtaining the
evidence (such as when a child is missing and in danger).


c. Chain of Custody
1. A well-documented chain of custody is essential to maintain the integrity of the evidence. The
chain of custody accounts for each evidence item from the time it is collected to the time it is
presented in court.
2. Typically the chain of custody is documented via forms, reports, evidence receipts, notes, and
marking the actual evidence item itself. Each time the evidence changes hands (who handed it to
whom, when, and why) it should be recorded. That's because, should the chain be broken, the
evidence could be excluded from the case.
d. Imaging/Hashing Function
1. Examining the original media is something that should be avoided whenever possible. The
danger is that the original evidence could very well be modified in some way or even destroyed
outright.
2. Preferably, a forensic image is made and all examinations are performed on this duplicate, rather
than on the original. A forensic copy, also known as a bitstream image, is an exact copy of
every bit (1 or 0) on the media, so it includes unallocated and slack space that an ordinary file copy
would miss. The process of creating a bitstream image is called imaging; the original is attached
through a write blocker so that the act of imaging cannot alter it.
3. Hashing is a mathematical process (an algorithm such as MD5, SHA-1 or SHA-256) that condenses
a file, a piece of media, etc. into a fixed-length value that serves as its digital fingerprint.
Changing even a single bit of the input produces a completely different hash, so the fingerprint of the
original evidence can be compared with the fingerprint of the forensic image.
4. These two values should match exactly. If they do, then, for all intents and purposes, the image is
identical to the original. A hash value is not mathematically unique, however: MD5 and SHA-1 have
known collision attacks, which is why examiners now record SHA-256 (often alongside MD5, for
comparison with older reports).
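The imaging and hashing step in working code, added here as an illustration and not part of the original notes. It copies a constructed stand-in for an evidence drive byte for byte, hashes original and image with SHA-256, then flips one bit of the image to show the verification failing. The file names and the sample media contents are assumptions; Python's standard hashlib does the hashing.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the contents of an evidence drive (not real evidence).
CONSTRUCTED_MEDIA = (b"CONSTRUCTED EVIDENCE MEDIA\n"
                     + bytes(range(256)) * 64
                     + b"payroll.xlsx deleted 2024-03-12\n")


def image_media(src_path, dst_path, chunk_size=1 << 16):
    """Bitstream copy: every byte of src is written to dst in order, with no
    interpretation of partitions, file systems or files, so unallocated and
    slack space come across too. The source is opened read-only; in the lab a
    hardware write blocker enforces that the original cannot be altered."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Digest of a file computed in chunks, so media larger than RAM can be hashed."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(original_path, image_path, algorithm="sha256"):
    """True when original and image hash to the same value: for all practical
    purposes their contents are identical."""
    return hash_file(original_path, algorithm) == hash_file(image_path, algorithm)


def imaging_demo(content=CONSTRUCTED_MEDIA):
    """Image a file standing in for the evidence drive, verify, then corrupt one
    bit of the image and verify again. Returns the digests and both verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence_drive.bin")   # assumed name
        image = os.path.join(workdir, "evidence_drive.dd")       # assumed name
        with open(original, "wb") as f:
            f.write(content)

        image_media(original, image)
        result = {
            "sha256_original": hash_file(original),
            "sha256_image": hash_file(image),
            "match_before": verify_image(original, image),
        }

        # Flip the lowest bit of the first byte of the IMAGE (never the original):
        # this is what an examiner's slip or a faulty tool would look like.
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        result["match_after_tamper"] = verify_image(original, image)
        return result


if __name__ == "__main__":
    for key, value in imaging_demo().items():
        print(f"{key:>20}: {value}")
```

The digest recorded at imaging time is what later steps hang on: a second examiner who re-images the same drive or re-hashes the same image should obtain the same value, which is how the repeatability requirement becomes something that can actually be checked rather than asserted.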
e. Validated Tools
1. In forensics, nothing is taken for granted. That includes the proper functioning of the tools.
2. Forensic tools, be they hardware or software, must be tested before they are used to verify the
accuracy of their results (for example, by imaging a drive of known content and checking that the
image hashes to the expected value).
3. Both new tools and updates should be validated. This validation process should be documented
every time it's done. In forensics, the documentation never stops.
f. Analysis
1. The analysis depends on the facts and circumstances of the investigation. Analysis includes the
following:
i. Linking some activity with a specific user account
ii. Establishing a timeline of events
iii. Determining whether a USB storage device was connected to the machine
iv. Breaking encryption
v. Identifying relationships/connections between individuals (e.g., suspect and victim)
vi. Identifying websites that have been visited
vii. Determining whether certain files were opened or downloaded
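An added example (not from the original notes) for the timeline item in the analysis list above. The usual obstacle is that every artefact records time differently: web-server logs carry a UTC offset, syslog carries local wall-clock time with no year, Chrome's History database stores microseconds since 1601, and Windows registry keys stamp their last write as a FILETIME in 100-nanosecond ticks since 1601. The code below normalises four constructed artefacts to UTC before ordering them. The log lines, the machine's assumed time zone (UTC+05:30) and the case year are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the examiner has established from the machine's
# configuration that it ran at UTC+05:30, and the case took place in 2024
# (syslog lines carry no year of their own).
LOCAL_TZ = timezone(timedelta(hours=5, minutes=30))
CASE_YEAR = 2024

# Both Windows FILETIME and Chrome/WebKit timestamps count from 1601-01-01 UTC,
# not from the Unix epoch: FILETIME in 100 ns ticks, WebKit in microseconds.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def webkit_to_utc(micros):
    return EPOCH_1601 + timedelta(microseconds=micros)


@dataclass
class Event:
    when: datetime      # always timezone-aware and in UTC after normalisation
    source: str
    detail: str


APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SYSLOG_RE = re.compile(r'^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')


def parse_apache(line):
    """Apache combined log: the timestamp carries its own UTC offset."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError(f"not an Apache access log line: {line!r}")
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "webserver", f"{m.group(1)} {m.group(3)} -> {m.group(4)}")


def parse_syslog(line):
    """Traditional syslog: local wall-clock time, no year, no offset. Both must
    be supplied by the examiner, which is where many timeline errors creep in."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=CASE_YEAR)
    when = naive.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    return Event(when, "syslog:" + m.group(2), m.group(3))


def build_timeline():
    """Normalise four constructed artefacts (invented for this example) to UTC
    and order them. Comparing the raw wall-clock values without converting to
    one zone would misplace the web hit and the ssh login by five and a half hours."""
    events = [
        parse_apache('10.0.0.5 - - [12/Mar/2024:09:15:02 +0530] '
                     '"GET /payroll.xlsx HTTP/1.1" 200 48213'),
        parse_syslog('Mar 12 09:42:11 ws-07 sshd[4711]: Accepted password for jdoe '
                     'from 10.0.0.5 port 51234'),
        Event(webkit_to_utc(13354688400000000), "chrome:History",
              "visit https://intranet.example/payroll"),
        Event(filetime_to_utc(133546890000000000), "registry:USBSTOR",
              "key last written: Disk&Ven_Generic&Prod_Flash"),
    ]
    return sorted(events, key=lambda e: e.when)


def render(timeline):
    return [f"{e.when.isoformat()}  {e.source:<18}{e.detail}" for e in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

The two epoch helpers are the part worth keeping: a Chrome visit time or a registry last-write read as if it were a Unix timestamp lands centuries off, and an examiner who does not record which time zone and year were assumed for the syslog lines cannot have the timeline repeated by someone else.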
g. Repeatability
1. A hallmark of a true forensic process is an accurate result. Much care is taken from beginning
to end to make certain the results are correct.
2. The results of a forensic examination (and the process used to reach them) should be able to be
duplicated.
3. A separate examiner should be able to repeat the process using the same evidence, the same
steps, and the same tools and come up with the same result.


h. Reporting
1. In almost every context where digital forensics is used, some type of report is likely to be
required. Reports can take many forms. Some are quite long and detailed (reaching 100
pages or more). Others are less so (even as few as one or two pages). The report length and
format will be dictated by the organization or client.
2. Many forensic tools (all of the major commercial ones) have robust reporting functionality
built in.
i. Possible Expert Presentation
1. In a purely legal context, the most important part of the forensic process is the presentation of
the findings to a judge or a jury. Explaining complex technology to nontechnical people (such
as a judge or a jury) is not easy.
2. An expert is not necessarily an expert witness. Too often, experts give trial testimony that is
short on useful explanations.
3. The outcome of a case could very well come down to the judge's understanding of a specific
piece of technology or technical process.
4. A failure at this point could completely undo all the good work done up to that point.
5. Anyone who's ever explained some part of technology to a nontechnical person knows how
hard this can be.
CYBER-CRIMES DEFINITION
a. Cybercrime is defined as a crime in which a computer is the object of the crime (hacking, phishing,
spamming) or is used as a tool to commit an offense (child pornography, hate crimes).
b. Cybercriminals may use computer technology to access personal information, business trade
secrets, or use the Internet for malicious purposes.
c. Criminals can also use computers for communication and document or data storage. Criminals who
perform these illegal activities are often referred to as hackers.
CYBER-CRIMES MOTIVES
a. Cyber-crimes are committed by people, i.e. criminals. The reasons these people have for
committing cyber-crimes are known as cyber-crime motives.
b. There are 4 main motives behind cyber-crimes:
1. Financial Gain
2. Political/Religious Action
3. Revenge/Emotions
4. Entertainment
c. Financial Gain
1. This is the top reason for cybercrime. Most cyber-criminals are in it for the money (some say,
easy money). Some of them force their way directly into bank accounts while others
impersonate banks to trick firms and individuals.
2. Cyber-criminals either work on their own, or are hired by others who do not have the necessary
skills to carry out cyber-attacks. Some are also paid to steal confidential information for rival
companies.
d. Political/Religious Action
1. Some cyber-criminals are strong supporters of certain political views or religious movements.
Thus, they carry out cyber-attacks to make known their political/religious views. This is also
known as hacktivism.


2. These cyber-criminals use cybercrime to spread propaganda, or to stage protests supporting
their political/religious beliefs. Commonly, corporate websites are vandalized (defaced) with
political/religious messages.
e. Revenge/Emotions
1. Similar to real-life, emotions sometimes lead people into hurting others. Cyber-criminals might
act out of anger and revenge.
2. These might include retrenched (those that have been fired) employees who are displeased with
the company's decision, or even dissatisfied customers who are not happy with changes in a
company's products/services.
f. Entertainment
1. Some cyber-criminals enjoy the thrill of making successful cyber-attacks on major companies.
They see it as recognition of their hacking abilities. Cyber-criminals in this category are usually
teenagers.
2. Most of them carry out cyber-attacks just because they can. To them, launching a successful
attack would earn them respect and honor from the online hacking community.
CLASSIFICATION OF CYBER-CRIMES
Cyber-crimes can be classified into 4 major categories:
1. Cyber-crime against Individual
2. Cyber-crime against Property
3. Cyber-crime against Organization
4. Cyber-crime against Society

Cyber-crime against Individual
a. Email spoofing: A spoofed (made to look like the original) email is one in which the e-mail header is
forged so that the mail appears to originate from one source but has actually been sent from another
source.
b. Spamming: Spamming means sending multiple copies of unsolicited mails or mass e-mails such
as chain letters.
c. Cyber Defamation: This occurs when defamation (damaging someone's reputation) takes place
with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about
someone on a website or sends e-mails containing defamatory information.
d. Harassment & Cyber Stalking: Cyber stalking means following an individual's activity over the
Internet. It can be done through many of the available services, such as e-mail, chat rooms and
Usenet groups.
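Header forgery of the kind described under email spoofing leaves traces an examiner can test for: the envelope sender (Return-Path), the Message-ID and the earliest Received hop are set by the infrastructure that really sent the message, and the receiving server's Authentication-Results header records its SPF/DKIM verdicts. The code below, an added example rather than part of the original notes, checks two constructed messages for these inconsistencies using Python's standard email package; the domains, hosts and addresses are invented for the example.

```python
import email
import re
from email.utils import parseaddr

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def _domain(header_value):
    """Domain of the first address in a header value, lower-cased, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def _same_org(host, domain):
    """True when host is the domain itself or a host beneath it (mail.example.org)."""
    host = host.lower().strip("[]")
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw_message):
    """Return a list of inconsistencies between the visible From: address and
    the headers that the real sending path and the receiving server produced.
    An empty list means none were found, not that the mail is genuine."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    if from_domain is None:
        return ["From header missing or unparseable"]
    findings = []

    # Envelope sender and Message-ID come from the submitting infrastructure.
    for hdr in ("Return-Path", "Message-ID"):
        d = _domain(msg.get(hdr))
        if d and not _same_org(d, from_domain):
            findings.append(f"{hdr} domain {d} does not belong to From domain {from_domain}")

    # Each relay PREPENDS a Received header, so the last one is the earliest hop:
    # the host that first handed the message into the mail system.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_FROM_RE.match(received[-1])
        if m and not _same_org(m.group(1), from_domain):
            findings.append(f"message entered the mail system from {m.group(1)}, "
                            f"not from {from_domain}")

    # SPF/DKIM/DMARC verdicts recorded by the receiving server.
    for hdr in msg.get_all("Authentication-Results") or []:
        for mech, result in AUTH_RESULT_RE.findall(hdr):
            if result.lower() != "pass":
                findings.append(f"{mech.lower()}={result.lower()} reported by receiving server")
    return findings


# Two constructed messages (invented for this example); headers are listed
# top-down as a mail client would show them.
SPOOFED_MESSAGE = "\n".join([
    "Return-Path: <bounce@mail-relay.example.net>",
    "Received: from mx.victim.example (mx.victim.example [192.0.2.10]) "
    "by inbox.victim.example; Tue, 12 Mar 2024 09:15:04 +0530",
    "Received: from [198.51.100.23] (unknown [198.51.100.23]) "
    "by mx.victim.example with ESMTP; Tue, 12 Mar 2024 09:15:02 +0530",
    "Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-relay.example.net",
    'From: "Accounts Payable" <ap@victim.example>',
    "To: jdoe@victim.example",
    "Subject: Updated bank details",
    "Message-ID: <20240312091502.1@mail-relay.example.net>",
    "",
    "Please update our bank details before the next payment run.",
])

LEGITIMATE_MESSAGE = "\n".join([
    "Return-Path: <ap@victim.example>",
    "Received: from mail.victim.example (mail.victim.example [192.0.2.25]) "
    "by mx.victim.example with ESMTP; Tue, 12 Mar 2024 08:02:13 +0530",
    "Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=victim.example; "
    "dkim=pass header.d=victim.example",
    'From: "Accounts Payable" <ap@victim.example>',
    "To: jdoe@victim.example",
    "Subject: March invoices",
    "Message-ID: <20240312080213.7@mail.victim.example>",
    "",
    "Attached are the March invoices.",
])

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

Only the Received and Authentication-Results headers added by servers the examiner trusts are reliable; everything beneath the trusted server's own header can be fabricated by the sender, and mailing lists or bulk senders legitimately use a different Return-Path. These are indicators to be weighed in the analysis step, not proof of forgery on their own.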
Cyber-crime against property
a. Credit Card Fraud
b. Intellectual Property crimes: These include
i. Software piracy: illegal copying of programs, distribution of copies of software.
ii. Copyright infringement: using someone else's programs and software illegally.
iii. Trademark violations
iv. Theft of computer source code
c. Internet time theft: The usage of Internet hours by an unauthorized person which are actually
paid for by another person.


Cyber-Crime against an Organization
a. Unauthorized Accessing of Computer: Accessing a computer/network without permission
from the owner. It can take 2 forms:
1. Changing/deleting data: Unauthorized changing of data.
2. Computer monitoring: The criminal reads or copies confidential or proprietary information,
but the data is neither deleted nor changed.
b. Denial of Service: An Internet server is flooded with continuous fake requests so that real users
are denied use of the server, or the server crashes.
c. Virus attack: A computer virus is a computer program that infects other computer programs
by modifying them so that they include a copy of itself. Viruses can infect files or the
operating system of the computer. Worms, unlike viruses, do not need a host (a real computer
program) to attach themselves to; they spread on their own across the network.
d. Email Bombing: Sending large numbers of mails to an individual, a company or a mail server,
ultimately causing it to crash.
e. Logic Bomb: An event-dependent program; as soon as the designated event occurs (a particular
date, for example), it crashes the computer, releases a virus or does some other harm.
f. Trojan Horse: An unauthorized program which functions from inside what seems to be an
authorized program, thereby concealing what it is actually doing.
Cyber-Crime against Society
a. Forgery: Currency notes, revenue stamps, mark sheets, etc. can be forged using computers and
high quality scanners and printers.
b. Cyber Terrorism: Use of computer resources to intimidate or coerce others.
c. Web Jacking: Hackers gain access to and control over the website of another, and may change the
content of the website to further a political objective or for money.
MODUS OPERANDI (M.O.) OF CYBER CRIMINALS & TYPES OF CYBER CRIMES
a. In general, modus operandi is the behavior necessary for the successful commission of a crime
i.e. "what an offender has to do to accomplish a crime."
b. At a minimum, every Modus Operandi will contain elements that involve the following:
1. Ensure success of the crime;
2. Protect identity; and
3. Effect escape.
c. ELEMENTS RECORDED IN THE MODUS OPERANDI FILES
1. Class word (the kind of property attacked)
2. Entry (the point of entry)
3. Means (any implements or tools used)
4. Object (kind of property taken)
5. Time (the time of day or any significance about the day)
6. Style (whether the criminal described himself as someone else to gain entry)
7. Tale (any disclosure by the criminal about himself)
8. Transport (how the criminal transported himself)
9. Trademark (any unusual behavior in connection with the crime)


Types Of Cyber-Crimes
a. Cyber-trespass
1. Hacking
2. Viruses and Worms/Trojan Horses etc.
3. Infringement (violation) of privacy
4. Economic & industrial espionage
5. Computer sabotage and computer extortion
b. Cyber Thefts
1. Computer Fraud
2. Software Piracy and Other copyright violation
3. Theft of telecommunication services
4. Computer forgery and counterfeiting
c. Cyber Obscenities
1. Child Pornography
2. Sex Trade
d. Cyber Violence
1. Cyber Stalking
2. Sending hate-emails etc.
