Cyber - Security Unit 4 (PDF, 21 pages, uploaded to Scribd by akshajahuja)

The document provides an overview of cyber security, focusing on computer and digital forensics, including its types, processes, and importance in legal contexts. It discusses the need for computer forensics in investigating cybercrime, supporting legal proceedings, and ensuring evidence integrity. Additionally, it highlights challenges faced in the field, such as data volume and encryption issues.

CYBER SECURITY

by

GAYTRI GUPTA
Inderprastha Engineering College, Ghaziabad
Unit IV Cyber Security

Contents
1 Introduction to Computer Forensics and Digital Forensics Science
1.1 Types of Computer Forensics
2 The Need for Computer Forensics
3 Cyber Forensics and Digital Evidence
4 Forensics Analysis of E-Mail
5 Digital Forensics Life Cycle
6 Chain of Custody Concept
6.1 Key Elements and Best Practices
6.2 Importance and Consequences of a Broken Chain of Custody
7 Network Forensics
7.1 Network forensics investigation process
7.2 Process and Techniques in Network Forensics
7.3 Challenges and Applications of Network Forensics
8 Approaching a Computer Forensics Investigation
9 Forensics and Social Networking Sites: The Security/Privacy Threats
10 Challenges in Computer Forensics

1 Introduction to Computer Forensics and Digital Forensics Science

Forensics involves gathering, analyzing, and presenting evidence that can be used in court. The word "forensic" comes from the Latin "forensis," meaning "of the forum." In ancient Rome the forum was the public place where important matters, including legal cases and crimes, were argued, so over time "forensic" came to describe anything used to help solve crimes or to present a case in court. Computer forensics is the process of finding and analyzing information from digital devices such as computers, phones, or servers to solve crimes.

Example: A police department uses computer forensics to find deleted emails on a suspect's laptop that relate to a fraud case.

Digital Forensics Science: Digital forensic science is the field of study and practice focused on identifying, preserving, analyzing, and presenting digital evidence from a wide range of electronic devices. It plays a critical role in investigating cybercrimes, data breaches, fraud, and other incidents involving digital systems. Unlike traditional computer forensics, which deals primarily with desktop and laptop computers, digital forensic science encompasses mobile devices, cloud services, networks, IoT devices, and even social media platforms. Experts in this field use specialized tools and techniques to recover deleted data, trace unauthorized access, detect malware, and build timelines of digital activity. The goal is to uncover the truth in a legally sound manner, ensuring the integrity and admissibility of digital evidence in courts or internal investigations.

1.1 Types of Computer Forensics

Figure 1: Types of Computer Forensics

Disk Forensics: Disk forensics is the process through which experts recover and analyze data from physical storage devices such as hard disks, SSDs, USB flash drives, and memory cards, often using specialized tools to uncover deleted files and hidden partitions. This process involves recovering deleted data, locating hidden or encrypted information, and thoroughly analyzing file systems like FAT32 and NTFS to understand how data is organized and stored. Additionally, disk forensics includes examining user activity by reviewing browser histories, system logs, and other digital footprints. It also plays a crucial role in detecting malware infections or unauthorized access, helping investigators gather critical evidence in cybersecurity incidents or criminal investigations.
Network Forensics: Network forensics is the investigation of network traffic to collect evidence about security incidents, unauthorized access, or any other malicious activity that took place on the network. It involves intercepting and capturing data packets (or retrieving stored captures and flow logs) and then analyzing their sources, destinations, and contents to determine the origin of a cyber-attack, trace communication patterns, or gather other details about an incident.
Database Forensics: Database forensics is the process of collecting and analyzing information contained within a database, including both the data and its related metadata. This field uses the electronic data stored in databases, such as SQL Server, Oracle, MySQL, and others, to detect crimes, reconstruct events based on the evidence, and help solve cases. It involves investigating changes made to records, such as inserts, updates, and deletions, as well as analyzing transaction logs and user activity to understand what occurred. Database forensics also focuses on checking for unauthorized access or data breaches, ensuring data integrity, and interpreting timestamps to establish timelines. Additionally, it helps identify insider threats, such as tampering with financial records. For example, during a fraud investigation, database forensics can trace who altered or deleted entries in a company's customer database.

n
Memory Forensics: Memory forensics focuses on capturing and analyzing the contents of a computer's volatile memory (RAM) and caches, either taken live from a running system or recovered from a hibernation or page file that preserved a copy of it. It yields artifacts such as running processes, open network connections, injected code, and encryption keys that exist only while the system is powered on and would not be available through conventional disk forensics.
in

Mobile Forensics: Mobile forensics uses specialized software to extract, examine, and recover data stored on portable devices such as smartphones, tablets, and GPS units. Investigators recover and break down data sets such as incoming and outgoing text messages, call records, contacts, application data, and other stored artifacts. They also examine data that reveals where the device (and so, presumably, its owner) has been, such as location history and other digital artifacts left on the phone.
Malware Forensics: The aim of malware forensics is to find, examine, and trace the malware used in an attack. The malicious code is carefully examined to classify it (trojan horses, ransomware, adware, viruses, and so on) and to understand what it does to the software installed on the system. Researchers employ various techniques to examine malware samples and uncover their actions and effects on compromised systems. Through comprehensive malware analysis covering code structure, encoding and obfuscation techniques, and propagation methods, cybersecurity analysts work to trace attacks back to their source, mitigate the risks, and improve cyber defenses.


Email Forensics: It is the recovery and analysis of emails and related information to collect digital evidence for investigating crimes and other incidents. The data examined can also include calendars and contacts.
Cloud Forensics: Cloud forensics is a branch of digital forensics focused on locating and investigating evidence stored in cloud environments. This includes analyzing files, data, and other digital artifacts hosted on online platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The goal of cloud forensics is to uncover and preserve evidence related to cybercrimes or security incidents that occur within these cloud infrastructures, enabling investigators to trace unauthorized activities, data breaches, or other malicious behavior in the cloud.

Figure 2: Comparison table of different types of cyber forensics
2 The Need for Computer Forensics

Computer forensics is essential for uncovering and preserving digital evidence in investigations involving cybercrime, data breaches, and unauthorized access. It helps ensure that electronic data is accurately analyzed and presented in a way that supports legal proceedings and strengthens security measures. Computer forensics serves the following purposes:

Investigating Cybercrime: As cybercrimes increase, computer forensics is essential to trace illegal activities such as hacking, data theft, or financial fraud. For example, if a hacker steals customer information from an e-commerce website, forensic experts can analyze digital evidence such as server logs, malware signatures, and network activity to track the source and method of the attack.
Supporting Legal Proceedings: Digital forensics plays a key role in legal cases by providing admissible evidence. In court, only properly collected and analyzed digital evidence is accepted. For instance, in a criminal trial involving identity theft, investigators may need to recover deleted emails or transaction records from a suspect's device to prove intent or involvement.
Internal Corporate Investigations: Organizations rely on forensics to investigate internal issues like employee misconduct, data leaks, or policy violations. For example, if sensitive company files are shared outside without authorization, forensic experts can check USB activity, email logs, and file transfer history to find the source.
Recovering Deleted or Hidden Data: Computer forensics tools help recover deleted, encrypted, or hidden data. This is useful in situations where important information has been intentionally erased. For instance, if a suspect tries to wipe a hard drive, forensic software can often retrieve that information and use it as evidence.
Proving or Disproving Allegations: Sometimes digital forensics is used to clear someone's name by proving they did not do something. For example, if someone is accused of sending a threatening email, forensics can verify whether the email was actually sent from their device or whether it was spoofed.
Ensuring Evidence Integrity: One of the key needs for computer forensics is to ensure that digital evidence is collected and preserved without tampering. This is important for maintaining the chain of custody and ensuring the evidence remains legally valid in court.

3 Cyber Forensics and Digital Evidence

Cyber forensics, also known as digital forensics, is a specialized field that involves the identification, preservation, analysis, and presentation of digital data in a way that is acceptable in legal settings. It is a branch of forensic science focused on investigating crimes involving computers, networks, and various digital storage devices. The main objective of cyber forensics is to uncover reliable digital evidence that helps explain incidents such as cyberattacks, unauthorized data access, fraud, or any form of illegal activity committed through digital means.

Understanding and Collecting Digital Evidence: Digital evidence refers to any data that can support or disprove facts in a legal case, provided it is stored or transmitted in digital form. Common types of digital evidence include emails, chat messages, internet browsing history, documents, images, server logs, GPS data, and social media activity. Even metadata (information about other data, such as when a file was created or last modified) can be crucial. To maintain credibility, this evidence must be collected in a forensically sound manner that preserves its integrity, ensuring it remains unaltered and admissible in court.

Sources of Digital Evidence: Digital evidence can originate from a wide variety of sources. These include personal and workplace computers, smartphones, tablets, USB drives, and external hard disks. In addition, cloud-based services like Google Drive or Dropbox often contain key data. Network equipment such as routers and switches, as well as web and application servers, also serve as valuable sources of digital evidence. Security camera systems and surveillance devices can provide digital footage and logs that support an investigation. In today's connected world, nearly every digital interaction leaves behind a trace that can be analyzed.

Importance and Challenges of Cyber Forensics: Cyber forensics plays a vital role in solving modern crimes that involve digital technology. It is used in cases ranging from corporate data breaches and financial fraud to cyberbullying and acts of terrorism. For example, if sensitive company data is leaked, forensic investigators would analyze employee computers, server logs, and communication records to find the source of the breach. They might recover deleted files, check access permissions, or study login timestamps to determine responsibility. Despite its importance, cyber forensics faces several challenges. Investigators often deal with large volumes of data, which can slow down the process. Encryption makes it difficult to access certain files, and criminals sometimes use anti-forensic techniques to delete or hide evidence. Additionally, investigators must operate within legal limits to ensure any collected data is valid in court.
Figure 3: Sources of Digital Evidence

4 Forensics Analysis of E-Mail

Email running (the end-to-end flow of a message) is the process through which an email is created, transmitted, and delivered from the sender to the recipient. It begins when a user composes and sends an email using an email client, which then forwards the message to the sender's SMTP (Simple Mail Transfer Protocol) server. The server performs a DNS lookup to find the recipient's mail server using MX (Mail Exchange) records. The email is then routed over the internet and delivered to the recipient's mail server. The recipient retrieves the email using either the POP3 or the IMAP protocol through their email client or webmail, allowing them to read and respond to the message. This entire process usually completes within seconds.
Figure 4: Process of email running

Email forensics is a branch of digital forensics focused on the recovery, analysis, and investigation of email communications. As email remains one of the most commonly used tools for both legitimate and malicious activities, it plays a significant role in cybercrime, including phishing, fraud, data breaches, identity theft, and corporate espionage. The goal of email forensics is to examine email content and metadata to uncover evidence that can be used in legal, organizational, or criminal investigations. It involves identifying the true sender and recipient, verifying the authenticity of the message, analyzing routing details, and detecting any tampering or spoofing. This discipline also supports the recovery of deleted messages and the analysis of attachments for hidden data or threats, making it essential in both cybersecurity and law enforcement.

Components and Sources of Email Evidence: Understanding the structure of an email is key to its forensic analysis. An email is typically made up of three core parts: the header, the body, and any attachments. The header provides crucial metadata including sender and receiver addresses, timestamps, IP addresses, and the mail servers the message passed through. The body contains the actual content of the message, which could be in plain text or HTML, sometimes with embedded links or images. Attachments may include documents, images, or executables, and can contain metadata or malware. Emails also store hidden metadata such as read/unread status and modification history. Evidence can be collected from various sources such as local email clients (e.g., Outlook, Thunderbird), webmail services (e.g., Gmail, Yahoo), mobile devices, and corporate mail servers. Backup archives like PST, OST, or MBOX files and cloud storage systems are also critical sources of email data, particularly when deleted messages must be recovered.


Forensic Techniques and Tools: Email forensics involves analyzing email data to uncover useful information in investigations. Key techniques include email header analysis to trace the sender and route, keyword searches to find relevant content, and attachment analysis to detect hidden or malicious files. Hashing ensures message integrity, while timeline reconstruction reveals the sequence of communications. Tools like FTK, EnCase, MailXaminer, and Autopsy assist in examining email formats, managing large data sets, and maintaining the chain of custody for legal reliability.
Challenges, Legal Considerations, and Applications: Email forensics faces challenges like encryption, cloud service restrictions, and identity-masking tactics such as spoofing and VPNs. Large volumes of data can overwhelm investigators, making automated tools essential. Legal compliance is crucial to maintain the chain of custody and avoid violating privacy laws like GDPR or HIPAA. Despite these hurdles, email forensics is vital in cases involving phishing, insider threats, fraud, data leaks, and cyber harassment, helping uncover key evidence in modern investigations.
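The header analysis, timeline reconstruction and hashing described above, as an added worked example rather than code from these notes: it parses a constructed message, walks the Received headers from oldest to newest to recover the relay path and the origin IP, compares the envelope sender (Return-Path) with the header From, checks that hop timestamps never run backwards, and hashes the raw bytes for the evidence record. The message, its hosts and its addresses are all constructed (documentation IP ranges and example domains), not a real capture.

```python
"""Email header analysis (added example, not from the notes).  Reconstructs
the relay path from Received headers, checks envelope vs. header sender,
checks hop timestamps, and hashes the raw message.  RAW_MESSAGE is a
constructed sample; all hosts and IPs are placeholders."""
import email
import hashlib
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real capture).  Receiving servers prepend their
# Received header, so the newest hop is first and the origin is last.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx1.recipient.example (mx1.recipient.example [198.51.100.10])
\tby imap.recipient.example with ESMTP id 7f3a; Mon, 3 Mar 2025 10:15:07 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [203.0.113.25])
\tby mx1.recipient.example with ESMTPS id 5c2b; Mon, 3 Mar 2025 10:15:05 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.mailer.example.net with SMTP id 1a9e; Mon, 3 Mar 2025 10:15:01 +0000
From: "Finance Director" <director@bank.example>
To: clerk@bank.example
Subject: Urgent wire transfer
Message-ID: <abc123@mailer.example.net>
Date: Mon, 3 Mar 2025 10:15:00 +0000

Please send the wire today.
"""

# "from <claimed host> (<what the receiver saw>) by <receiver> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$",
    re.S,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_path(raw: bytes) -> list:
    """Hops oldest-first: the host that claimed to send, the IP the receiving
    server actually saw, the receiving server, and the receiver's timestamp."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(header)
        if not m:
            continue  # unparsable hop: in a real report, note it rather than drop it
        ip = IPV4_RE.search(m.group("info") or "")
        hops.append({
            "claimed": m.group("from"),
            "seen_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(m.group("date").strip()),
        })
    return hops


def origin_ip(raw: bytes):
    """IP recorded by the first relay.  Only hops written by servers you trust
    are reliable; a sender can inject fake Received lines below them."""
    hops = relay_path(raw)
    return hops[0]["seen_ip"] if hops else None


def envelope_header_mismatch(raw: bytes) -> bool:
    """True when the Return-Path domain differs from the From domain: a common
    (not conclusive) indicator of spoofing or of abuse of a bulk mailer."""
    msg = email.message_from_bytes(raw)
    header_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return header_dom != envelope_dom


def clock_skew_ok(raw: bytes) -> bool:
    """Hop timestamps should be non-decreasing; a later hop dated before an
    earlier one points to a forged header or a badly set server clock."""
    times = [h["time"] for h in relay_path(raw)]
    return all(a <= b for a, b in zip(times, times[1:]))


def message_sha256(raw: bytes) -> str:
    """Hash the bytes exactly as acquired, before any parsing or normalisation."""
    return hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    for hop in relay_path(RAW_MESSAGE):
        print(f"{hop['time']:%H:%M:%S}  {hop['claimed']:<28} [{hop['seen_ip']}] -> {hop['by']}")
    print("origin IP:", origin_ip(RAW_MESSAGE))
    print("From/Return-Path domain mismatch:", envelope_header_mismatch(RAW_MESSAGE))
    print("timestamps consistent:", clock_skew_ok(RAW_MESSAGE))
    print("sha256:", message_sha256(RAW_MESSAGE))
```

Two caveats a practitioner applies to the output: only the Received lines added by your own (or otherwise trusted) mail servers are authoritative, since everything below them arrived inside the message and could have been written by the sender, so the origin IP should be corroborated against the receiving server's own logs; and where the receiving server adds an Authentication-Results header, its SPF, DKIM and DMARC verdicts are stronger evidence of spoofing than a domain mismatch alone.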

5 Digital Forensics Life Cycle

Digital forensics is a branch of forensic science that includes the identification, collection, analysis, and reporting of valuable digital information found on digital devices and related to computer crimes, as part of an investigation. In simple words, digital forensics is the process of identifying, preserving, analyzing, and presenting digital evidence. Computer crimes were first recognized in statute by laws such as the Florida Computer Crimes Act of 1978, after which the field of digital forensics grew rapidly through the 1980s and 1990s. It covers areas of analysis such as storage media, hardware, operating systems, networks, and applications. At a high level it consists of five steps:

Figure 5: Digital Forensics Life Cycle

1. Identification of evidence: This step identifies evidence related to the digital crime in storage media, hardware, operating systems, networks, and/or applications. It is the most important and basic step. Example: Investigators search a suspect's laptop and identify suspicious files, browser history, and login logs that could be related to hacking a bank's server.
2. Collection: This step preserves the digital evidence identified in the first step so that it does not degrade or vanish with time. Preserving the digital evidence is very important and crucial. Example: A forensic expert uses a special tool to make an exact copy (forensic image) of the suspect's hard drive to preserve all data, including deleted files and timestamps.
3. Analysis: This step analyzes the collected digital evidence of the committed computer crime in order to trace the criminal and the path used to breach the system. Example: The expert analyzes the copied hard drive and finds an unauthorized script that was used to extract customer data from the bank's server.
4. Documentation: This step produces proper documentation of the whole digital investigation, the digital evidence, the weaknesses of the attacked system, and so on, so that the case can be studied and analyzed in future and presented in court in a proper format. Example: The forensic team documents each piece of evidence, the timeline of events, and the system weaknesses the attacker exploited.
5. Presentation: This step presents all the digital evidence and documentation in court in order to prove that the digital crime was committed and to identify the criminal. Example: The investigator presents the report and screenshots showing when the hack happened, who accessed the system, and how the attack was carried out, helping prove the suspect's guilt.

6 Chain of Custody Concept

The Chain of Custody is a critical concept in digital forensics that refers to the documented and unbroken process of collecting, handling, storing, and transferring digital evidence. It ensures the integrity, authenticity, and admissibility of evidence in legal proceedings by tracking every individual who accessed the evidence, the time and date it was accessed, and the purpose of access. The phases through which the chain of custody is maintained are:

Figure 6: Chain of Custody

1. Identification Phase: In this phase, potential sources of digital evidence are identified. This involves determining what data may be relevant to the case and where it is located, such as computers, mobile devices, servers, or storage media.
Example: During a corporate fraud investigation, a forensic investigator identifies the suspect's office computer and an external USB drive as potential sources of evidence.
2. Collection Phase: This phase involves the careful and legal acquisition of digital evidence from identified sources. Proper tools and procedures are used to ensure that the data is collected without alteration. Each piece of evidence is logged, labeled, and preserved in its original state.
Example: The investigator uses a write-blocker to create an exact bit-by-bit copy (forensic image) of the suspect's hard drive and securely stores it in a sealed evidence bag with a documented chain of custody form.
3. Examination Phase: Here, the collected data is examined using forensic tools to uncover relevant information. The goal is to identify hidden, deleted, or encrypted files and determine their structure and content.
Example: Using forensic software, the investigator uncovers previously deleted financial spreadsheets and emails stored in the suspect's system.
4. Analysis Phase: This phase focuses on interpreting the examined data to understand its meaning and relevance to the case. It involves correlating data from multiple sources, constructing timelines, and identifying anomalies or patterns.
Example: The deleted spreadsheets are analyzed alongside email communication to reveal a timeline of fraudulent transactions that match the dates of suspicious activities.
5. Presentation Phase: Finally, the findings are presented in a clear and legally acceptable format. This includes detailed reports, exhibits, and possibly expert testimony in court. The report must maintain the integrity of the evidence and include documentation of the entire chain of custody.
Example: The forensic investigator prepares a formal report summarizing the findings, supported by screenshots, logs, and hash values, and presents it during a court hearing as digital evidence of the fraud.

6.1 Key Elements and Best Practices

A valid chain of custody includes detailed records of who collected the evidence, when and where it was collected, and each person who subsequently handled or analyzed it. This documentation also captures the reasons for access and the methods of storage, creating a clear, chronological trail. Best practices involve creating forensic images (exact copies) of digital data to avoid working directly on the original source, using write blockers to prevent accidental modification, storing evidence in secure, tamper-evident containers, and employing cryptographic hashing such as MD5 or SHA-256 to verify data integrity. Because MD5 is no longer collision-resistant, SHA-256 should be recorded for every item, with MD5 kept only alongside it where older tooling or report templates expect it; the hash is computed at acquisition and re-computed before each examination or transfer, and any mismatch is itself a custody event to be logged. These measures help prevent unauthorized access and ensure that the evidence remains unchanged throughout the investigation.
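The collection step of the life cycle and the imaging, hashing and record-keeping practices just described, as one added worked example (not code from these notes): it copies a source device file block by block into an image, hashes source and image with MD5 and SHA-256 in a single pass, marks both read-only (a software-side stand-in for the hardware write blocker, which this code cannot replace), re-verifies the image before later handling, and appends every event to an append-only custody log. The evidence contents, file names and examiner identifiers are constructed placeholders.

```python
"""Forensic acquisition with hashing and a chain-of-custody log (added
example, not from the notes).  A hardware write blocker is assumed in
practice; here the source is only opened read-only and chmod'ed read-only.
All evidence data, paths and examiner names below are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1 << 20  # 1 MiB chunks so a multi-gigabyte image never sits in memory


def hash_file(path: str) -> dict:
    """Stream the file once, computing MD5 and SHA-256 together."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


class CustodyLog:
    """Append-only JSON-lines record of who did what to which item, and when."""

    def __init__(self, path: str):
        self.path = path

    def record(self, actor: str, action: str, item: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "item": item, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def acquire(source: str, image: str, log: CustodyLog, examiner: str) -> dict:
    """Bit-for-bit copy of source into image, then hash both and compare.
    Returns the hashes; raises (and logs) if the copy does not match."""
    os.chmod(source, stat.S_IRUSR)  # software write-protection of the original
    log.record(examiner, "seized", source, write_protected=True)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    src_hash, img_hash = hash_file(source), hash_file(image)
    if src_hash != img_hash:
        log.record(examiner, "acquisition_failed", image, **img_hash)
        raise RuntimeError("image does not match source")
    os.chmod(image, stat.S_IRUSR)  # analysts work on copies of the image, not on it
    log.record(examiner, "imaged", image, source=source, **img_hash)
    return img_hash


def verify(image: str, expected: dict, log: CustodyLog, examiner: str) -> bool:
    """Re-hash before analysis or hand-over; a mismatch is a broken chain."""
    current = hash_file(image)
    ok = current == expected
    log.record(examiner, "verified" if ok else "INTEGRITY_FAILURE", image, **current)
    return ok


def demo() -> dict:
    """Acquire constructed evidence, verify it, then simulate an improper write
    to the image and show that the next verification fails."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "usb.raw")
    image = os.path.join(workdir, "usb.img")
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    with open(source, "wb") as f:  # constructed "drive" contents, not real data
        f.write(b"MBR\x00" * 256 + b"deleted_invoice.xlsx" + os.urandom(4096))
    hashes = acquire(source, image, log, "examiner-1")
    clean = verify(image, hashes, log, "examiner-1")
    os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)  # someone removes the protection...
    with open(image, "r+b") as f:                 # ...and writes a single byte
        f.seek(0)
        f.write(b"X")
    tampered = verify(image, hashes, log, "examiner-2")
    return {"clean_verify": clean, "after_tamper": tampered,
            "log_actions": [e["action"] for e in log.entries()]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is deliberately append-only and carries the hashes in every entry, so the trail shows not just who handled the image but what its digest was at each point; in a real lab the same entries would also name the physical container, seal number and storage location.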

6.2 Importance and Consequences of a Broken Chain of Custody

Maintaining a strong chain of custody is essential because any break or gap, such as missing documentation, unauthorized access, or improper handling, can undermine the credibility of the evidence. In legal contexts, this often results in evidence being ruled inadmissible, potentially jeopardizing an entire case. Even in corporate investigations, a broken chain of custody can lead to disputes or dismissal of findings. Therefore, organizations and forensic teams prioritize thorough training, strict protocols, and secure procedures to safeguard digital evidence. By doing so, they uphold the integrity of the investigation and ensure that justice can be fairly served.


7 Network Forensics

Network forensics is a branch of digital forensics focused on capturing, monitoring, and analyzing network traffic to investigate cybercrimes, security breaches, and suspicious activities. Unlike traditional forensics that analyzes data from devices after an incident, network forensics often works with live or recorded network data. Its main goal is to uncover how attackers infiltrate networks, move within systems, and execute attacks. This field plays a crucial role in incident response, threat detection, and forensic investigations by providing detailed insights into network communications and potential security violations.

7.1 Network forensics investigation process

Network forensics is the process of monitoring and analyzing computer network traffic to find evidence of cybercrimes or security incidents. The investigation usually follows a series of steps to make sure the evidence is collected properly and can be used in legal or internal actions.

Figure 7: Network Forensic Tools

Figure 8: Network forensics investigation process


1. Preparation: Before starting the investigation, proper tools, policies, and procedures are put in place. This includes making sure logging systems are active, monitoring tools are ready, and staff know how to respond to incidents. Example: A company installs network monitoring software and trains its IT team to detect unusual activity in case of a future attack.
2. Collection of Evidence: When a suspicious event happens, data from the network is collected. This may include logs, traffic data, IP addresses, timestamps, and user activity. The evidence is collected in a way that avoids any changes or damage. Example: After a suspected data breach, firewall logs, server logs, and copies of network traffic are saved for investigation.
3. Pre-processing Evidence: The collected data is cleaned and organized to remove irrelevant information and focus on what might be useful. This makes the next steps easier and more accurate. Example: Network logs from several days are filtered to show only traffic to and from a specific suspicious IP address.
4. Analysis and Identification of Evidence: Experts analyze the data to find patterns or unusual behavior. They try to identify how the attack happened, which systems were affected, and what information was accessed or stolen. Example: The investigation reveals that a hacker used a fake email link to get into the internal system and downloaded sensitive files.
5. Attack Detection: This phase confirms whether an attack actually occurred and, if so, determines the type of attack (e.g., DDoS, malware, phishing). The goal is to understand the attacker's methods and entry points. Example: The analysis shows that the attacker used a brute-force login attack followed by data exfiltration using encrypted traffic.
6. Generate Forensic Report: A detailed report is created to document all findings. It includes what happened, when it happened, how it happened, and what data was affected. This report may be used for legal cases or to improve future security. Example: The final report explains that the attacker used stolen credentials to access the finance department's data and provides logs, screenshots, and a timeline of events.
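Steps 3 to 5 above (pre-processing, analysis and attack detection), as one added worked example rather than code from these notes: it parses a mix of SSH authentication lines and firewall connection records, filters them down to one suspect IP, sorts them into a timeline, flags a brute-force login (several failures inside a short window followed by an accepted login) and then looks for a large outbound transfer to the same address afterwards, matching the brute-force-then-exfiltration scenario in step 5. The log lines, hosts and addresses are constructed, and the thresholds (5 failures in 5 minutes, 100 MiB) are illustrative assumptions rather than standards.

```python
"""Network log triage (added example, not from the notes): pre-process mixed
logs, filter by suspect IP, detect brute force followed by exfiltration.
LOGS is a constructed sample; the thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (no real system): syslog-style sshd lines and firewall
# connection records with bytes sent outbound.
LOGS = """\
2025-03-03T09:58:02 sshd[411]: Failed password for admin from 203.0.113.45 port 51122 ssh2
2025-03-03T09:58:04 sshd[411]: Failed password for admin from 203.0.113.45 port 51123 ssh2
2025-03-03T09:58:05 sshd[411]: Failed password for admin from 203.0.113.45 port 51124 ssh2
2025-03-03T09:58:07 sshd[411]: Failed password for root from 203.0.113.45 port 51125 ssh2
2025-03-03T09:58:09 sshd[411]: Failed password for admin from 203.0.113.45 port 51126 ssh2
2025-03-03T09:58:11 sshd[411]: Accepted password for admin from 203.0.113.45 port 51127 ssh2
2025-03-03T10:00:30 fw: conn src=10.0.5.12 dst=198.51.100.7 dport=443 bytes_out=1540
2025-03-03T10:03:15 fw: conn src=10.0.5.12 dst=203.0.113.45 dport=443 bytes_out=734003200
2025-03-03T10:05:00 sshd[411]: Failed password for alice from 10.0.5.30 port 40000 ssh2
2025-03-03T10:06:00 fw: conn src=10.0.5.12 dst=198.51.100.7 dport=443 bytes_out=2200
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)")


def parse(text: str) -> list:
    """Pre-processing: turn raw lines into typed events, sorted into a timeline.
    Unparsable lines are dropped here; a real tool would count and report them."""
    events = []
    for line in text.splitlines():
        if m := AUTH_RE.match(line):
            events.append({"time": datetime.fromisoformat(m["ts"]), "kind": "auth",
                           "ip": m["ip"], "user": m["user"],
                           "ok": m["result"] == "Accepted"})
        elif m := FW_RE.match(line):
            events.append({"time": datetime.fromisoformat(m["ts"]), "kind": "flow",
                           "ip": m["dst"], "src": m["src"],
                           "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return sorted(events, key=lambda e: e["time"])


def filter_ip(events: list, ip: str) -> list:
    """Step 3 in the text: keep only events that touch one suspect address."""
    return [e for e in events if e["ip"] == ip]


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """{ip: time of first accepted login that followed >= threshold failures
    from the same IP inside `window`}."""
    failures, hits = defaultdict(list), {}
    for e in events:
        if e["kind"] != "auth":
            continue
        recent = [t for t in failures[e["ip"]] if e["time"] - t <= window]
        if e["ok"]:
            if len(recent) >= threshold and e["ip"] not in hits:
                hits[e["ip"]] = e["time"]
        else:
            recent.append(e["time"])
        failures[e["ip"]] = recent
    return hits


def detect_exfiltration(events: list, after: datetime, to_ip: str,
                        min_bytes: int = 100 * 1024 * 1024) -> list:
    """Outbound flows to the attacker's address after the compromise that
    exceed min_bytes (encrypted or not: volume and destination still show)."""
    return [e for e in events if e["kind"] == "flow" and e["ip"] == to_ip
            and e["time"] > after and e["bytes"] >= min_bytes]


def investigate(text: str) -> list:
    """Steps 4 and 5: correlate the two detections into findings for the report."""
    events = parse(text)
    findings = []
    for ip, when in detect_bruteforce(events).items():
        exfil = detect_exfiltration(events, when, ip)
        findings.append({"attacker": ip, "compromised_at": when,
                         "exfil_bytes": sum(f["bytes"] for f in exfil),
                         "victim_hosts": sorted({f["src"] for f in exfil})})
    return findings


if __name__ == "__main__":
    for e in filter_ip(parse(LOGS), "203.0.113.45"):
        print(e["time"].isoformat(), e["kind"], e)
    for f in investigate(LOGS):
        print(f"attacker {f['attacker']} logged in at {f['compromised_at']:%H:%M:%S}, "
              f"then {f['exfil_bytes']} bytes left from {f['victim_hosts']}")
```

The value of the correlation is that neither signal alone is conclusive: a burst of failed logins is routine internet noise, and a large HTTPS upload is routine business, but a large upload to the very address that just brute-forced its way in, in that order, is the pattern step 5 describes. Because the payload is encrypted, the flow record's destination, volume and timing are the evidence, which is why preserving firewall or flow logs (step 2) matters even when packet contents are unreadable.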

ol
7.2 Process and Techniques in Network Forensics

C
The network forensics process includes data collection, preservation, analysis, and reporting. Data
collection involves capturing network packets using tools like packet sniffers and intrusion detection

g
systems (IDS), either in real-time or from stored capture files. Preservation ensures that this data

n
is securely stored to prevent tampering. Analysis consists of filtering traffic, reconstructing sessions,
ri
examining communication protocols, and identifying anomalies or malicious behavior. Investigators
ee
often use automated tools and advanced analytics to correlate network events and uncover hidden
threats. The final step is documenting findings comprehensively to support security teams or legal
in

proceedings.
ng
E
ha
st
ra
rp
de

Figure 9: Categories of Network Forensics


7.3 Challenges and Applications of Network Forensics

Network forensics faces challenges such as handling large volumes of data, dealing with encrypted traffic that obscures payload content, and identifying sophisticated attacker techniques like tunneling or proxying. Despite these hurdles, network forensics is vital for identifying the sources of attacks like denial-of-service, investigating data breaches, detecting insider threats, and supporting compliance audits. By understanding network behaviors and attacker methods, organizations can respond swiftly to incidents, strengthen their defenses, and ensure accountability in cybersecurity investigations.

8 Approaching a Computer Forensics Investigation

Approaching a computer forensics investigation begins with thorough preparation and planning. Before any evidence is collected, investigators must clearly understand the scope and objectives of the investigation. This includes defining what type of incident occurred, such as a data breach, unauthorized access, fraud, or malware infection, and identifying the systems and data that may be involved. Investigators also need to ensure they have the proper legal authority and documentation, such as search warrants or corporate approval, to access and seize digital evidence legally. Preparation includes assembling the right tools and forensic software, setting up a secure working environment, and establishing a chain of custody protocol to maintain evidence integrity throughout the process.

1. Preparation and Planning: A computer forensics investigation starts with clear preparation. Investigators must define the objective, such as a data breach, malware, or insider threat, and determine which systems and users are involved. Legal approval, like a search warrant or internal authorization, must be secured. The team also gathers the necessary forensic tools and sets up a secure workspace. Establishing a chain of custody is crucial to ensure all evidence is properly tracked and protected from tampering.
2. Evidence Collection and Preservation: This phase involves collecting digital evidence without altering its original state. Investigators create forensic images, exact copies of devices like hard drives and USBs. Volatile data such as RAM contents or active network connections must be captured before the system is shut down, since it is lost on power-off. Every action taken must be documented, including the tools used and the people involved. Collected evidence is then stored securely in tamper-evident containers or encrypted storage.
3. Evidence Analysis: Once the data is preserved, forensic experts analyze it using specialized tools. They recover deleted or hidden files, check for malware, and study system logs to trace user actions. The goal is to reconstruct what happened, when, and who was responsible. This phase combines technical skills and investigative thinking to uncover and understand the digital activity related to the incident.
4. Reporting and Presentation: In the final step, findings are compiled into a clear and factual report. The report describes the tools used, evidence collected, and conclusions drawn. It must be understandable to both technical and non-technical audiences. If required, investigators may present their findings in court or internal hearings as expert witnesses. Strong documentation and communication are vital to support legal or disciplinary actions.


de
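The four steps above, carried through on a constructed file as an added example (this code is not from the original notes, nor from any forensic tool): it copies the source byte-for-byte to produce the image, hashes source and image with SHA-256, records every handling step in a chain-of-custody log, re-verifies the image at handover, and turns the log into the factual record a report rests on. Item ids, examiner names and file names are hypothetical.

```python
"""Evidence acquisition with hash verification and a chain-of-custody log.

Added example, not code from the original notes. It walks a tiny constructed
file through preparation -> collection/preservation -> verification ->
reporting. A real case images whole devices through a write blocker with a
dedicated imaging tool; the hashing and logging discipline is the same.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large images do not load into RAM


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to an evidence item, and when.

    Every entry carries the item's hash at that moment, so any later change
    shows up as a mismatch against the hash taken at acquisition.
    """

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, digest, note=""):
        entry = {
            "item": item_id,
            "action": action,
            "handler": handler,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": digest,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, item_id):
        """Hash recorded when the item was acquired, or None if never acquired."""
        for e in self.entries:
            if e["item"] == item_id and e["action"] == "acquired":
                return e["sha256"]
        return None

    def verify(self, item_id, path, handler):
        """Re-hash the item on handover and log the result; True when unchanged."""
        current = sha256_of(path)
        expected = self.acquisition_hash(item_id)
        ok = expected is not None and current == expected
        self.record(item_id, "verified" if ok else "INTEGRITY FAILURE",
                    handler, current)
        return ok


def acquire_image(source_path, image_path, item_id, examiner, log):
    """Copy the source byte-for-byte, hash both sides, log the acquisition.

    Returns True only if the source and image hashes agree (exact copy).
    """
    src_hash = sha256_of(source_path)          # hash the original first
    shutil.copyfile(source_path, image_path)   # byte-for-byte copy
    img_hash = sha256_of(image_path)           # hash the image afterwards
    log.record(item_id, "acquired", examiner, img_hash,
               note=f"source sha256={src_hash}")
    return src_hash == img_hash


def build_report(case_id, log):
    """Compile the custody log into the factual basis of the final report."""
    return json.dumps({"case": case_id, "custody": log.entries}, indent=2)


def demo():
    """Run the procedure on a constructed file.

    Returns (verified_at_handover, verified_after_tampering, report_json).
    """
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "suspect_usb.bin")   # hypothetical source
    image = os.path.join(workdir, "suspect_usb.img")      # hypothetical image
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)

    log = CustodyLog()
    assert acquire_image(original, image, "ITEM-001", "examiner_a", log)
    ok_before = log.verify("ITEM-001", image, "examiner_b")  # handover check

    with open(image, "r+b") as f:   # simulate a single altered byte after handover
        f.seek(0)
        f.write(b"X")
    ok_after = log.verify("ITEM-001", image, "examiner_b")   # now fails
    report = build_report("CASE-0001", log)
    shutil.rmtree(workdir)
    return ok_before, ok_after, report


if __name__ == "__main__":
    print(demo()[2])
```

The log records the failure rather than silently dropping the entry: a broken chain must be visible in the record, since the court or the hearing will ask who held the item between the last good check and the mismatch.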

9 Forensics and Social Networking Sites: The Security/Privacy Threats

Social networking sites such as Facebook, Instagram, Twitter, LinkedIn, and others
have become a major part of daily life, where people share personal information, photos, locations,
and opinions. While these platforms offer communication and connection, they also bring serious
security and privacy threats that can be exploited by cybercriminals and pose challenges for digital
forensics experts.

Personal Information Exposure: Users often share sensitive personal details such as full
names, dates of birth, phone numbers, addresses, job titles, and family information. This data, if not
properly protected, can be easily accessed by attackers. Example: A cybercriminal gathers personal
details from a social media profile to answer security questions and gain access to someone's bank
account.

Identity Theft: Publicly available information can be used to impersonate someone online.
This is known as identity theft and can lead to financial fraud, reputational damage, or even criminal
framing. Example: Someone copies a user's photos and information to create a fake profile, then
scams others by pretending to be that person.

Phishing and Social Engineering: Attackers may use social media to send messages that
appear to come from trusted sources, tricking people into clicking harmful links or giving away
passwords. Example: A user receives a message that looks like it's from a friend, asking them to
click a link. The link leads to a fake login page designed to steal credentials.

Geolocation and Physical Security Risks: Posting real-time locations or vacation updates
can alert criminals to someone's absence from home, increasing the risk of burglary or stalking.
Example: A person posts "Just landed in Paris!" along with hotel check-in photos. A thief sees the
post and targets the person's empty house.

Third-Party App Access: Many social media platforms allow third-party apps to access
user data. If these apps are not secure, they may leak or misuse the data. Example: A quiz app that
requires access to profile information may collect more data than necessary and sell it to marketing
companies or malicious actors.

Digital Evidence in Social Media: Forensics experts often examine social media activity
to investigate crimes, track suspects, or find evidence. Even deleted messages or posts can sometimes
be recovered with the right tools. Example: In a cyberbullying case, investigators recover deleted
chats and comments from a victim's account to trace the source of harassment.

10 Challenges in Computer Forensics


Cyber forensics, also known as digital forensics, plays a crucial role in investigating
cybercrimes and security breaches. However, forensic investigators face numerous challenges due to
the complex and constantly evolving nature of digital environments. Below are the key challenges in
cyber forensics explained in detail:

Rapidly Evolving Technology: Technology changes quickly, with new devices, operating
systems, and software being introduced regularly. Forensic tools and methods must keep pace to
remain effective. Investigators often encounter unfamiliar technologies, making it difficult to extract
or interpret data accurately.

Encryption and Data Protection: Strong encryption is widely used to protect sensitive
information. While this is beneficial for privacy, it poses a significant obstacle for forensic experts.
Gaining access to encrypted data without the proper keys can be time-consuming or even impossible
without legal authorization or technical exploits.

Large Volume of Data: With the increasing use of digital systems, the volume of data
that needs to be analyzed in a forensic investigation can be overwhelming. Sorting through massive
datasets to find relevant evidence requires sophisticated tools and consumes a lot of time and
resources.
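One standard way the volume problem is cut down in practice, shown here as an added example that is not code from the original notes or from any forensic product: hash every file in the evidence tree and discard those whose SHA-256 appears in a reference set of known, uninteresting files (operating-system and application binaries), so the analyst reviews only what remains, ranked by case keywords. Published reference sets such as the NIST National Software Reference Library (NSRL) serve this role in real casework; in this example both the reference files and the evidence tree are constructed in a temporary directory, and the keywords are hypothetical.

```python
"""Triage of an evidence tree by known-file filtering.

Added example, not code from the original notes or from any forensic product.
Files whose hash matches a reference set of known content are dropped
regardless of their name or location, so a renamed copy of a system binary
is still filtered; the survivors are reported with size and keyword hits.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, hashed in chunks so large files do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_known_set(reference_paths):
    """Hash the reference files (a stand-in for a published hash set)."""
    return {sha256_file(p) for p in reference_paths}


def triage(evidence_root, known_hashes, keywords=()):
    """Return the files under evidence_root whose hash is not in the known set.

    Each survivor carries its hash, size and the case keywords (matched
    case-insensitively) found in its content, giving a prioritised shortlist
    instead of the whole tree. Results are sorted by path for stable output.
    """
    needles = [k.lower().encode() for k in keywords]
    found = []
    for dirpath, _, names in os.walk(evidence_root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in known_hashes:
                continue  # known content: skip no matter what it is called
            with open(path, "rb") as f:
                data = f.read().lower()
            found.append({
                "path": os.path.relpath(path, evidence_root).replace(os.sep, "/"),
                "sha256": digest,
                "size": len(data),
                "keyword_hits": [k.decode() for k in needles if k in data],
            })
    return sorted(found, key=lambda r: r["path"])


def _write(root, rel, content):
    """Create a file at root/rel with the given bytes; returns its path."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    """Build a constructed reference set and evidence tree; return the shortlist."""
    work = tempfile.mkdtemp()
    ref = os.path.join(work, "reference")
    ev = os.path.join(work, "evidence")
    # constructed stand-ins for known system binaries
    known = build_known_set([
        _write(ref, "bin/ls", b"\x7fELF constructed ls binary"),
        _write(ref, "bin/cat", b"\x7fELF constructed cat binary"),
    ])
    # evidence tree: one known binary in place, one renamed copy, two user files
    _write(ev, "bin/ls", b"\x7fELF constructed ls binary")
    _write(ev, "home/user/tools/lz", b"\x7fELF constructed ls binary")
    _write(ev, "home/user/notes.txt", b"Transfer the funds before the audit.\n")
    _write(ev, "home/user/report.txt", b"Quarterly report draft.\n")
    result = triage(ev, known, keywords=("transfer", "audit", "password"))
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for row in demo():
        print(row["path"], row["size"], row["keyword_hits"])
```

Two of the four evidence files are filtered out, including the renamed copy of the known binary, and of the two survivors the one carrying case keywords sorts to the top of the analyst's queue. The same hash comparison, run against a set of known-malicious hashes instead, flags matches rather than discarding them.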
Cloud Computing and Remote Storage: Data stored in the cloud introduces chal-
lenges in terms of jurisdiction, access, and ownership. Investigators may face legal and logistical
hurdles when trying to obtain data stored on remote servers, especially when those servers are in
other countries with different laws.

Anti-Forensic Techniques: Cybercriminals often use anti-forensic tools and techniques
to avoid detection or erase traces of their activity. These can include secure deletion tools,
steganography (hiding data within other data), or obfuscating logs. Such tactics make it difficult to
recover accurate and complete evidence.

Legal and Jurisdictional Issues: Cybercrimes often cross national borders, leading to
complex legal issues. Different countries have varying laws regarding privacy, data access, and
evidence handling. Coordinating international investigations requires cooperation between law
enforcement agencies and navigating different legal systems.

Volatile and Ephemeral Data: Some types of digital evidence, such as data stored in RAM
or live network traffic, are volatile and disappear once a system is shut down or rebooted. Capturing
this type of evidence requires immediate action and specialized tools, making real-time response
critical.

Lack of Skilled Personnel: There is a growing demand for skilled cyber forensic experts, but
the supply of professionals with deep technical knowledge and legal understanding is limited. This
skill gap can delay investigations or lead to missed evidence.

Maintaining Chain of Custody: Ensuring an unbroken and well-documented chain of custody
is vital for presenting evidence in court. However, in complex digital environments with multiple
parties and systems, maintaining this chain without gaps or errors can be difficult.

Multiple Choice Questions

1. What is the main goal of computer forensics?
A. Create computer programs
B. Develop social media apps
C. Identify, preserve, analyze, and present digital evidence
D. Monitor internet usage
Answer: C

2. What does digital forensics primarily deal with?
A. Recovering printed documents
B. Analyzing handwritten notes
C. Investigating and analyzing digital data
D. Repairing damaged hard drives
Answer: C

3. Why is computer forensics needed?
A. To improve hardware design
B. To recover deleted files for entertainment
C. To investigate cybercrimes and support legal proceedings
D. To install new operating systems
Answer: C

4. Which of the following is considered digital evidence?
A. A newspaper
B. A USB flash drive containing malware logs
C. A printed receipt
D. A handwritten letter
Answer: B

5. What is the first step in the digital forensics life cycle?
A. Reporting
B. Preservation
C. Identification
D. Analysis
Answer: C

6. What does the "Chain of Custody" ensure in digital forensics?
A. That evidence is destroyed after use
B. That evidence is transferred anonymously
C. That evidence is handled, stored, and transferred properly without tampering
D. That evidence is shared on social media
Answer: C

7. Which protocol is commonly used to send emails?
A. FTP
B. SMTP
C. IMAP
D. DHCP
Answer: B

8. What is examined during forensic email analysis?
A. Only the text in the email
B. Email headers, attachments, and transmission path
C. Font style used in the email
D. Language used in replies
Answer: B

9. What is the key challenge in cyber forensics?
A. Simple software interfaces
B. Small data size
C. Rapidly changing technology and encryption
D. Too many skilled professionals
Answer: C

10. In which phase is digital evidence analyzed for patterns or anomalies?
A. Collection phase
B. Reporting phase
C. Analysis phase
D. Identification phase
Answer: C

11. What is the primary concern with social networking sites in forensics?
A. High storage space
B. Large font size
C. Security and privacy threats
D. Availability of movies
Answer: C

12. Which of these is a part of network forensics?
A. Analyzing financial statements
B. Monitoring physical device temperature
C. Capturing and analyzing network traffic
D. Printing documents remotely
Answer: C

13. Which of the following is not a phase in the digital forensics life cycle?
A. Reporting
B. Identification
C. Downloading
D. Analysis
Answer: C

14. What is cyber forensics mainly concerned with?
A. Physical evidence collection
B. Biological samples
C. Investigating crimes involving computers and networks
D. Designing user interfaces
Answer: C

15. What is the role of hashing in the chain of custody?
A. It compresses files
B. It decorates data
C. It verifies data integrity
D. It deletes files securely
Answer: C

16. Which type of forensics is used to investigate cloud-stored data?
A. Disk forensics
B. Mobile forensics
C. Cloud forensics
D. File forensics
Answer: C

17. Which tool is used for analyzing deleted or hidden partitions in disk forensics?
A. Word processor
B. Disk imaging software
C. Spreadsheet
D. Paint application
Answer: B

18. What is volatile data in computer forensics?
A. Data stored in long-term memory
B. Data stored in permanent storage
C. Data lost when a device is turned off
D. Data saved on DVDs
Answer: C

19. Which email component is essential for tracing its origin?
A. Subject line
B. Font color
C. Email header
D. Signature
Answer: C

20. Which step involves presenting digital evidence to legal authorities?
A. Examination
B. Chain of custody
C. Presentation phase
D. Collection
Answer: C

Short Answer Type Questions

1. What is computer forensics?
Computer forensics is the process of collecting, analyzing, and preserving digital evidence from
electronic devices to be used in legal or internal investigations. For example, investigators may retrieve
deleted files from a suspect's hard drive to prove data theft.

2. What is digital forensics science?
Digital forensics science applies scientific techniques to examine digital devices like computers,
smartphones, and cloud storage. For instance, it may be used to extract and analyze call logs and
messages from a seized mobile phone.

3. Why is computer forensics needed?
Computer forensics is crucial for solving cybercrimes, recovering lost or deleted data, and presenting
credible digital evidence in court. For example, it may be used in a financial fraud case to uncover
tampered transaction records.

4. What is cyber forensics?
Cyber forensics investigates crimes that occur over the internet or networks, such as hacking or
phishing. For example, tracking an IP address used to carry out a ransomware attack is a task under
cyber forensics.

5. What is digital evidence?
Digital evidence is any electronically stored data that can support or refute facts in a legal case. An
example is a chat log retrieved from a messaging app during a cyberbullying investigation.

6. What is the first phase in the digital forensics life cycle?
The first phase is Identification, where investigators locate possible sources of digital evidence. For
example, a laptop and a USB drive found at a crime scene may be identified for further examination.

7. What is the chain of custody?
The chain of custody is a documented process that ensures digital evidence is properly collected,
preserved, and transferred without tampering. It includes recording who accessed the evidence, when,
and for what purpose.

8. Why is maintaining the chain of custody important?
Maintaining the chain of custody helps prove that the evidence was not altered and remains legally
valid. For example, if a hard drive is submitted in court, its custody trail must be intact to be
accepted as proof.

9. What is network forensics?
Network forensics involves monitoring and analyzing network traffic to detect security breaches or
malicious activity. For example, examining firewall logs can reveal attempts to access a system
illegally.

10. What kind of data is examined in email forensics?
Email forensics examines headers, subject lines, timestamps, IP addresses, and attachments to trace
the origin and content of emails. For example, an email with a suspicious link might be analyzed to
trace phishing attempts.

11. What tool is commonly used to send emails?
SMTP (Simple Mail Transfer Protocol) is commonly used to send emails across the internet. For
example, when an email is sent from Gmail, SMTP is used behind the scenes to deliver it to the
recipient's server.

12. Give an example of digital evidence.
A security camera system that stores footage on a hard drive provides digital evidence in a theft
investigation. Another example is browser history showing access to restricted websites during work
hours.

13. What are some sources of digital evidence?
Sources include hard drives, flash drives, smartphones, emails, cloud storage, and log files. For
instance, cloud backups might contain deleted chats or files crucial to an investigation.

14. What is one major challenge in computer forensics?
A major challenge is encrypted or password-protected data, which can slow down or block access to
evidence. For example, a locked iPhone might require specialized tools or legal approval to bypass
security.

15. What is the goal of approaching a computer forensics investigation?
The goal is to identify, preserve, and examine digital evidence without altering its integrity. For
instance, during a cybercrime probe, proper procedures are followed to clone a suspect's hard drive
for analysis.

16. What is the purpose of social networking forensics?
It helps investigate criminal activity or disputes involving social media platforms like Facebook or
Instagram. For example, it can uncover threatening messages or fake profiles involved in online
harassment.

17. Mention a privacy threat from social networking sites.
One major threat is oversharing personal information, which can lead to identity theft. For instance,
posting a phone number and address publicly on a profile can attract scammers.

18. What is email spoofing?
Email spoofing occurs when the sender's address is faked to appear as if it came from a trusted source.
For example, a scammer may send a fake email pretending to be a bank to steal login credentials.

19. What happens in the analysis phase of the digital forensics life cycle?
During the analysis phase, investigators study the extracted data to find patterns, timelines, or links
to criminal activity. For example, they might trace a data leak to a specific download at a particular
time.

20. Name one protocol used to retrieve emails.
IMAP (Internet Message Access Protocol) is used to retrieve emails while keeping them stored on the
server. This allows users to access the same inbox across multiple devices like phones and laptops.

Long Answer Type Questions

1. Explain the concept of computer forensics. Discuss its importance in modern-day investigations
and legal proceedings.

2. Describe the scope and application of digital forensics science. How does it differ from traditional
forensic methods?

3. Why is there a growing need for computer forensics in the digital age? Discuss the key factors
contributing to its importance.

4. Define cyber forensics and digital evidence. How is digital evidence collected, preserved, and used
in investigations?

5. Discuss the process and key techniques involved in the forensic analysis of email. Provide examples
of the types of information that can be recovered.

6. Explain the phases of the digital forensics life cycle. Why is each phase important in ensuring a
successful forensic investigation?

7. What is the chain of custody concept in computer forensics? Describe each stage in detail and
explain its role in maintaining the integrity of digital evidence.

8. Describe the process of network forensics. What tools and techniques are used, and how does it
help in identifying and preventing cybercrimes?

9. How should a digital forensics expert approach a computer forensics investigation? Discuss the
step-by-step process and key considerations.

10. Social networking sites pose various privacy and security threats. Explain these threats and how
digital forensics can be used to investigate incidents involving social media.