www.hackingarticles.

in
 Table of Contents
Abstract 3
Elements of a Crime 4
Goals of a Digital Forensics Examiner 5
Classification Of Digital Forensics 6
Digital Evidence 7
Understanding Data and Metadata 8
Principles of Digital Forensics 9
Process of Digital Forensic Investigation 10
Types of Tools 11
Difference between E-discovery and Digital Forensics 12
• E-discovery 12
• Digital Forensics 12
Methodology for DF Investigator 13
Evidence Collection Methods 15
Disk Imaging and Cloning 16
Challenges faced by DF Investigator 17
Pros of Digital Forensics 18
Cons of Digital Forensics 18
Conclusion 18
References 18
About us 19

www.hackingarticles.in
 Page |3

Abstract
There are situations where an individual or an organization may become a victim of a cyber-attack,
and you might wonder what is the correct way to proceed with it. A thorough Digital Forensics
investigation can provide closure for investigating these attacks. In this article, we will be learning
about the fundamentals of Digital Forensics.

Digital Forensics is the application of scientific methods in preserving, recovering, and investigating
digital evidence in a Digital crime scenario. It can be correctly defined as, collection, examination,
analysis, and documentation by using scientifically proven methods to investigate a digital crime and
present it before the court.

www.hackingarticles.in
 Page |4

Elements of a Crime
To prove a digital crime, as an investigator you should have the following elements to bring out a
conclusion. All the elements will be related to one another in a more or so.

In the year 1978 the first computer crime was

recognized in the Florida Computer Crime Act.

www.hackingarticles.in
 Page |5

Goals of a Digital Forensics Examiner

As a digital forensic investigator, you should have a goal for investigation. Depicted below are the five
most important goals of investigation:

European lead international treaty, the Convention

on Cybercrime, came into force in 2004

www.hackingarticles.in
 Page |6

Classification Of Digital Forensics

Digital forensics is a very broad term that has various classifications within it. The most popular
forensic investigations are as follow:

1. Computer Forensics: It is the most primitive type of digital forensics which usually was
introduced in the early evolution of computer systems. It includes investigating computers,
laptops, logs, USB drives, hard drives, Operating systems, etc.
2. Network Forensics: It includes investigating by analyzing network events, intrusion, and data
packets that were transmitted to detect network attacks.
3. Multimedia Forensics: It comprises of investigation of images, audio, and video files that are
recovered as evidence in a digital crime scene.
4. Mobile Forensics: It comprises of investigation of smartphones like android, iOS, etc for
finding digital evidence and recovering the deleted data important for the case.
5. Memory Forensics: It is the forensic investigation of the memory or ram dump of the system
to find out volatile memory like chat history, clipboard history, browser history, etc.
6. Cloud Forensics: Considering the virtual storage are in demand, the investigation of the cloud
environment also plays a key role in a digital crime scene for gathering evidence.

The classification of digital forensics isn’t limited to the above diagram and as it can be classified into
more depending on the cases.

www.hackingarticles.in
 Page |7

Digital Evidence
Digital evidence or electronic evidence can be defined as any object that stores digital information
and transmits it in any form which was used in the act of crime or in supporting the investigation of
the case in a trial before the court.

The evidence found at the crime scene should have two key properties

a. They should be admissible in the court

b. They should be authentic.

The digital evidence can be of various types and should be availed ethically by following the prescribed
guidelines of investigations. Here are a few digital examples of evidence in the diagram below, but the
list goes on.

www.hackingarticles.in
 Page |8

Understanding Data and Metadata

The difference between the data and the metadata for the forensic investigation can be easily
understood with the help of the diagram below:

Metadata is often defined as Data in Data

www.hackingarticles.in
 Page |9

Principles of Digital Forensics

1. Securing the Crime Scene: This is the most primary principle of Digital Forensics. As an
investigator you should prohibit any access to your suspected digital evidence, document all
processes and connections, disconnecting wireless connections, etc. to keep your evidence
secure.
2. Limiting evidence Interaction: As an investigator, you should make sure that your evidence is
having a limited interaction by capturing the ram and can also perform cold boot attacks on
the evidence.
3. Maintaining Chain of Custody: Chain of custody is a record of sequence in which the evidence
was collected, date and timestamps at the collection, the investigator who accessed and
handled it, etc.

www.hackingarticles.in
 P a g e | 10

Process of Digital Forensic Investigation

• Identification: This is the first step that an investigator takes at the crime scene is to
identify the purpose of the investigation and recognize the potential digital evidence.
• Preservation: This is the next step where the investigator has to be careful as he
should make sure that the evidence has not tampered which may complicate the
investigation
• Collection: This step involves acquiring the evidence most appropriately without
causing any harm to the evidence and packing it in a Faraday Bag.
• Examination: This step is a precursor to performing any analysis of the evidence. This
step requires careful inspection of the evidence for any other secondary details.
• Analysis: In this step, the investigator carries out the most crucial things like joining
the bits and pieces of the pieces of evidence, retrieving deleted files, etc.
• Interpretation: This step involves concluding the investigation finding after
reconstruction of the crime scene.
• Documentation: This step usually involves preparing a detailed report or a document
on the entire investigation.
• Presentation: This is a mandatory step only when it is asked for cross-examination
which is to be mentioned in very simple terms of understanding for commoners.

www.hackingarticles.in
 P a g e | 11

Types of Tools
An investigator needs to have the right set of tools for conducting a digital forensic
investigation. It is for the investigator to decide the tool appropriate for the case. The tools
also depend on the application based on hardware and software. The types of tools can be
classified into three types; Open Source, Proprietary, and Self-created.

www.hackingarticles.in
 P a g e | 12

Difference between E-discovery and Digital

Forensics
The Internet community is many times confused between these two terms. Here a few points that
highlight the importance and usage of E-discovery and Digital Forensics.

E-discovery
E-Discovery stands for Electronic Discovery. It can be defined as the process involved in collecting,
preparing, reviewing, interpreting, and presenting the electronic documents from hard disks and other
forms of storage devices in civil litigations. The following are the key points to remember in E-
discovery.

Digital Forensics
Digital Forensics can be defined as the process of preservation, identification, extraction, and
documentation of digital evidence which is used by the court of law to facilitate criminal
investigations.

www.hackingarticles.in
 P a g e | 13

Methodology for DF Investigator

A Digital Forensic Investigator has a huge responsibility on his shoulders when he is investigating a
case as his findings will bring justice to the innocent and punish the criminal. Therefore, there a set of
steps that he should follow when he is investigating a case. The following are a generalized step of the
investigation, whereas the Investigator can follow the steps prescribed by their Institution or the
framework they follow.

STEP 01: Prepare a preliminary design or a method to approach the case- The investigator should
prepare a method on how he will go about with the investigation and have a clear understanding of
the crime scene.
He should make sure that at a scene where the computer or a device is in a power-on state, he should
not make the mistake of turning it off, or running any program or perform any other activity.

STEP 02: Determine the resources that are required for the case- The investigator has to understand
the requirements of tools and technologies that are required for the case to be investigated further.
He should be qualified enough and should make sure that he prevents data from being over-written.

STEP 03: Discover and obtain the evidence- The investigator has to make sure that he does not miss
out on any evidence at the scene of the crime and obtains them within the most accurate way, which
does not cause any damage to the evidence.
The Investigator should make sure to collect the evidence sample in a Faraday Bag or an anti-static
bag so that the evidence cannot be tampered with.
He should make sure at every moment to maintain the chain of custody.

STEP 04: Make multiple Forensic copies of the evidence- In Digital Forensic Investigation, it is very
essential to remember that as long as possible, one should never work on the original evidence item.
The investigator should make sure to create multiple copies of the same and perform analysis on the
copy of the original evidence.
Before he creates a copy of the evidence, he should always calculate the hash value of the evidence
that as recovered in the original form to maintain the authenticity of the evidence.

STEP 05: Identify and minimize the risks involved- The investigator should remember that the
evidence that is collected is not always easy to analyse. There are a huge number of risks and
consequences that are involved. He should be qualified enough to estimate the amount of risk and
possible damage. He should try to come up with better alternatives to minimize the risk.

STEP 06: Analyse and Recover the evidence- Once the investigator has the evidence, he can now start
analysing the copy of the original evidence by using various commercial and open-source software
that is suitable for that case. He can also use various software to recover the evidence that has been
deleted.

STEP 07: Create a detailed case report about the investigation- Once the investigator has completed
the analysis of the evidence and has found important artefacts on recovering data, he can then create
a detailed report about his findings, methodologies, and tools used by him in the investigation.
If required by the jury or the court, the investigator has to represent himself in the court as an expert
witness to give his testimony on the case in simpler terms for the people from a non-technical
background to have a better understanding of the case.

www.hackingarticles.in
 P a g e | 14

www.hackingarticles.in
 P a g e | 15

Evidence Collection Methods

The method of collection of evidence terms are inter-related and almost serve the same purpose, the
only important thing for an investigator to remember is that the copy should be forensically sound.

• Image Copy: It refers to be the duplicate of the original disk.

• Bit-Stream Image: It is a clone copy of the original evidence. It includes files from sectors,
clusters, and retrieves deleted files of a disk.
• Bit-Stream Copy: A bit-stream copy can be defined as a bit-by-bit copy of the original evidence
or storage medium which can be its exact copy. A bit-stream copy can also be called a Forensic
Copy of the disk.
• Mirror Copy: A mirror copy is the precise replica (backup) of the disk.

www.hackingarticles.in
 P a g e | 16

Disk Imaging and Cloning

❖ Disk Imaging
It is the process of making an archival or backup copy of the entire hard drive. It is a storage file that
contains all the necessary information to boot to the operating system. However, this imaged disk
needs to be applied to the hard drive to work. One cannot restore a hard drive by placing the disk
image files on it as it needs to be opened and installed on the drive using an imaging program. A
single hard drive can store many disk images on it. Disk images can also be stored on flash drives
with a larger capacity.

❖ Disk Cloning
It is the process of copying the entire contents of a hard drive to another including all the
information that can boot to the operating system from the drive. It allows you to create a one-to-
one copy of one of your hard drive on another hard drive. The other copy of the hard drive is
completely functional and can be swapped with the computer's existing hard drive. If the cloned
drive is booted, its data will be identical to the source drive at the time it was created.

Below is a simple difference between Disk Imaging and Cloning.

www.hackingarticles.in
 P a g e | 17

Challenges faced by DF Investigator

Legal Issues: The most important issue an investigator may encounter is getting the guarantee
evidence admissibility which means that it should be accepted by the court.

Nature of Digital Evidence: The advancement in technology has impacted the investigation in such a
way that it detecting the digital evidence has become extremely difficult. For example, cloud storage,
PDAs, IoT devices, etc.

Alteration of Evidence: The chain of custody should be maintained at all times to keep the evidence’s
credibility intact. If the evidence is in the wrong hands, the evidence might get altered and may lose
its credibility. Therefore, having a Forensic image and the hash value of the evidence is extremely
important for the investigator.

Size and Distribution of the evidence: The size and the distribution of the evidence matter because
the data is no smaller. There is a huge amount of data produced regularly. In cases of Big data Forensic
Investigation, the size and the widely distributed data comes up as a challenge for the investigator as
he does not know where to start.

Malware Present in evidence: The criminals can outsmart the investigators and insert malware in the
evidence device which can mislead or disrupt the ongoing investigation.

Steganography: In earlier times, steganography had only limited types but today, due to the
availability of various tools and software on the dark web, it has become extremely difficult to detect
steganography present in the evidence items. Sometimes the investigator doesn’t consider it as
evidence as they aren’t able to get many in-depth ideas about the evidence.

Encryption: Many a time, the evidence is recovered in an encrypted form and the investigator has a
hard time to decrypt the evidence with no assurance of recovery of the original contents.

www.hackingarticles.in
 P a g e | 18

Pros of Digital Forensics

• Its purpose is to make sure of the integrity of the
digital system.
• It also assists in protecting the organization’s
valuable money.
• It benefits the organizations to record essential
information in cases where the systems have been
compromised.
• If the investigation is performed efficiently, it
helps arrests the cyber-criminals globally.
• It helps in producing the correct evidence, which can
help punish the culprit.

Cons of Digital Forensics

• The digital evidence accepted into court should be
proven to be tamper-free.
• Storing and producing electronic documents is
expensive
• Legal practitioners lack technical knowledge.

• The evidence should be convincing and authentic.

• Unrecognized investigation tools may not be accepted

by the court

Conclusion
Hence, in this article we have covered the basic topics that are required to have a better understanding
of Digital Forensics for another level.

References
• https://www.hackingarticles.in/digital-forensics-an-introduction/
• https://www.hackingarticles.in/digital-forensics-an-introduction-part-2/

www.hackingarticles.in
 JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER

Bug Bounty Network Security

Ethical Hacking Essentials

Network Pentest
Wireless Pentest

ADVANCED

Burp Suite Pro Web Pro Computer

Services-API Infrastructure VAPT Forensics

Advanced CTF
Android Pentest Metasploit

EXPERT

Red Team Operation

Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment

www.ignitetechnologies.in