Digital Forensics Evidence Gathering

Computer forensics involves gathering digital evidence from computing devices in a way that is suitable for court. This includes seizing devices, acquiring forensic images without modifying the original, and analyzing the images. Common sources of digital evidence include smartphones, laptops, external drives, and servers. Forensic analysis follows a process of identifying evidence, acquiring it without alteration, authenticating the acquisition, preserving the chain of custody, analyzing the evidence, reporting findings, and documenting the whole process.

Computer forensics (cyber forensics)

What is computer forensics?


Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a CD, or a flash card in a digital camera, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, a suspect's email or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime, and their relationship with other suspects.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence into their infrastructure.

Digital forensics essentially involves a three-step, sequential process: [1]


● Seizing the media.
● Acquiring the media; that is, creating a forensic image of the media for examination.
● Analyzing the forensic image of the original media. This ensures that the original media are not modified during analysis and helps preserve the probative value of the evidence.

[1] https://nij.ojp.gov/topics/articles/new-approaches-digital-evidence-acquisition-and-analysis

Locations of Electronic Evidence


Examples of devices that may need to be collected for digital evidence:
● Smartphones
● Tablets
● Laptops
● Desktops
● External hard drives
● Flash/Thumb drives
● Camera cards
● Backup tapes
● Servers & RAIDs
● DVRs & surveillance systems
● MP3 players
● GPS devices
● Game consoles (Xbox, PlayStation, etc.)

If the device is already powered down, do not turn it on. Follow these steps for forensically sound data collection:
1. Determine if the device is on or off:
● Look for lights
● Listen for sounds
● Feel for vibrations, haptic feedback and heat
● A smartphone, tablet or laptop may be in sleep mode and appear to be off
● If the device is a laptop or desktop, wiggle the mouse, but do not click any buttons
● Is the smartphone or tablet's screen greasy or dirty? Look for swipe patterns
● Press the Home button or swipe the screen
2. If the device is on, ask these questions and document the answers:
● Is the device locked?
● Is the user interface accessible?
● Is the device encrypted? Do you know the passcode?
● Is the battery charged?
3. If a smartphone, tablet or laptop is on, activate airplane mode (this keeps remote wipe or lock commands from reaching the device; a Faraday bag does the same job in transit)
4. Record device model numbers, serial numbers and passcodes
5. Take pictures
6. Start a chain of custody document; DriveSavers will send you one
7. If a device must be shut down in order to preserve ESI (such as a computer), shut the device down properly using the "shut down" command. Note that a normal shutdown discards everything in RAM (running processes, network connections, keys for mounted encrypted volumes); if that volatile data matters to the case, capture it before shutting down
8. If you suspect destructive software (formatting, deleting, removing or altering data) is running, turn off the device immediately; pull the plug!
9. Check for any removable media:

● CD/DVD trays
● SD card slots
● Flash drives
● Sticky notes

Once a device is turned off, it can be delivered to a lab like DriveSavers for acquisition and/or analysis. Package all components, clearly labeling all devices, preferably in anti-static bags:

1. Label the bags or boxes containing devices
2. Package the device (anti-static bag whenever possible) tightly and securely in a box or evidence bag with at least two inches of bubble wrap
● A local FedEx office can help you package the device
● DriveSavers has several drop-off locations in major cities; assistance with packaging is available there
3. Keep all media away from magnets, moisture, extreme temperature and other potentially damaging elements
4. Do not place evidence in the trunk of a vehicle, especially overnight

Sometimes, due to business requirements, company policy or geographic location, it may not be feasible to send devices to a forensic lab, or it may be financially prohibitive to shut down a corporate system. In the case of malware or network intrusions, valuable information may be lost if an electronic device is shut down. In this situation, an Incident Response Team must be onsite in a timely manner to capture the volatile data (memory, running processes, network connections) from the live system before anything is powered off.
https://drivesaversdatarecovery.com/digital-forensic-process-preservation-collections/

Evidence gathering from storage media

Disk forensics is the science of extracting forensic information from digital storage media such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc. The process of disk forensics is:
1. Identify digital evidence
2. Seize and acquire the evidence
3. Authenticate the evidence
4. Preserve the evidence
5. Analyze the evidence
6. Report the findings
7. Document every step

The first step in disk forensics is identification of the storage devices at the scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobile phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives, etc. These are some of the sources of digital evidence.

The next step is seizing the storage media for digital evidence collection. This step is performed at the scene of crime. In this step, a hash value of the storage media to be seized is computed using an appropriate cyber forensics tool. A hash value is a unique signature generated by a mathematical hashing algorithm (MD5 and SHA-1 have traditionally been used; SHA-256 is preferred today, and examiners commonly record two different hashes) based on the content of the storage media. After computing the hash value, the storage media is securely sealed and taken for further processing. Computing a hash means reading the entire device, so it must be done through a write blocker and never from the running suspect system; in practice the hash is most often taken during acquisition in the lab, and the seizure record then documents the sealed media and its identifiers rather than a hash.

One of the cardinal rules of cyber forensics is "Never work on original evidence". To honour this rule, an exact copy of the original evidence is created for analysis and digital evidence collection. Acquisition is the process of creating this exact copy: the original storage media is write protected (normally with a hardware write blocker) and a bit-stream copy is made, so that every sector, including unallocated space and file slack, is copied to the destination media. Acquisition of source media is usually done in a cyber forensics laboratory.

Authentication of the evidence is carried out in the cyber forensics laboratory. The hash values of the source and destination media are compared to make sure that both values are the same, which establishes that the content of the destination media is an exact copy of the source media.

Electronic evidence can be altered or tampered with without leaving a trace. Once the acquisition and authentication have been done, the original evidence should be placed in secure storage, away from strong magnetic and radiation sources. One more copy of the image should be taken and stored on appropriate media or reliable mass storage, so that a fresh working copy can be produced without touching the original. Write-once optical media has traditionally been used for this archive copy because it cannot be modified in place; its capacity and shelf life are limited, so large images are more often kept today on hashed, access-controlled mass storage.

Verification of evidence before starting analysis is an important step in the cyber forensics process. It is done in the laboratory before commencing analysis: the hash value of the evidence image is computed and compared with the hash value recorded at the time of acquisition. If both values are the same, the content of the evidence has not changed. If they differ, the content has been modified and the image must not be relied on until the discrepancy is explained. The result of verification should be properly documented.
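The acquisition, authentication and verification steps above, as an added worked example (not code from the cited source): a bit-stream copy of a constructed stand-in device file, with the source hashed while it is read, the image re-read and hashed independently, an acquisition record written for the case file, and a pre-analysis verification that detects a single flipped byte in the working copy. The paths, the JSON record layout and the random "device" contents are assumptions of the example; on a real case the source is a raw device behind a write blocker and the imaging tool of record produces the log.

```python
"""Bit-stream acquisition with dual hashing, a written acquisition record, and
later re-verification of the image. Stdlib only."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads; real drives are imaged in large sequential blocks


def hash_file(path: Path, chunk: int = CHUNK) -> tuple:
    """MD5 and SHA-256 of a file, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_image(source: Path, image: Path, chunk: int = CHUNK) -> dict:
    """Copy `source` as a raw byte stream into `image`, hashing the source as it is read.

    On a real case `source` is a raw device behind a hardware write blocker; here
    it is simply opened read-only. The source hash comes from the bytes as they
    are read and the image hash from an independent re-read of the written file,
    so a write error on the destination shows up as a mismatch instead of being masked.
    """
    src_md5, src_sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    with open(source, "rb") as fin, open(image, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            src_md5.update(block)
            src_sha256.update(block)
            fout.write(block)
            total += len(block)
        fout.flush()
        os.fsync(fout.fileno())
    img_md5, img_sha256 = hash_file(image)
    record = {
        "source": str(source),
        "image": str(image),
        "bytes": total,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_md5": src_md5.hexdigest(),
        "source_sha256": src_sha256.hexdigest(),
        "image_md5": img_md5,
        "image_sha256": img_sha256,
    }
    # Authentication step: source and destination hashes must agree.
    record["verified"] = (record["source_md5"] == img_md5
                          and record["source_sha256"] == img_sha256)
    return record


def verify_image(image: Path, record: dict) -> bool:
    """Verification before analysis: the image must still hash to the values in
    the acquisition record. A mismatch means the working copy was altered."""
    md5, sha256 = hash_file(image)
    return md5 == record["image_md5"] and sha256 == record["image_sha256"]


def demo() -> dict:
    """Constructed 'device': a temp file of random bytes standing in for /dev/sdb."""
    work = Path(tempfile.mkdtemp(prefix="acq_"))
    device = work / "sdb.raw"
    device.write_bytes(os.urandom(2 * CHUNK + 517))   # deliberately not a multiple of CHUNK
    image = work / "sdb.dd"
    record = acquire_image(device, image)
    (work / "sdb.dd.json").write_text(json.dumps(record, indent=2))  # goes in the case file
    before = verify_image(image, record)
    # Simulate someone touching the working copy: flip one byte, then re-verify.
    with open(image, "r+b") as f:
        f.seek(1000)
        b = f.read(1)[0]
        f.seek(1000)
        f.write(bytes([b ^ 0xFF]))
    after = verify_image(image, record)
    return {"record": record, "verified_before": before, "verified_after_tamper": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two hashes are recorded because a collision in one algorithm is far easier to argue about in court than a simultaneous collision in two; the record itself, not a value remembered by the examiner, is what the later verification is checked against.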

Analysis is the process of collecting digital evidence from the content of the storage media, depending on the nature of the case being examined. This involves keyword searching, picture analysis, timeline analysis, registry analysis, mailbox analysis, database analysis, analysis of cookies and temporary and Internet history files, recovery and analysis of deleted items, data carving, format recovery, partition recovery, and so on.

A case analysis report should be prepared based on the nature of the examination requested by the court or investigating agency. It should contain the nature of the case, details of the examination requested, details of the material objects and their hash values, the result of evidence verification, details of the analysis conducted and the digital evidence collected, the observations of the examiner, and the conclusion. The report should be written in simple, precise terms so that non-technical persons can understand its content.

Documentation is very important at every step of the cyber forensics process. Everything should be appropriately documented to make a case admissible in a court of law. Documentation should start from the planning of the case investigation and continue through searching the scene of crime, seizure of material objects, chain of custody, acquisition and authentication of evidence, verification and analysis of evidence, collection of digital evidence and reporting, preservation of material objects, and up to the closing of the case.

http://www.cyberforensics.in/Research/DiskForensics.aspx

Digital Forensics, Part 5: Analyzing the Windows Registry for Evidence

Although nearly all Microsoft Windows users are aware that their system has a registry, few understand what it does, and even fewer understand how to manipulate it for their purposes. For a forensic analyst, the registry can be a treasure trove of evidence of what, where, when, and how something occurred on the system.

What Is the Registry?

The registry is a database of configuration information about the users, hardware, and software on a Windows system. Although the registry was designed to configure the system, in doing so it tracks a plethora of information about the user's activities, the devices connected to the system, what software was used and when, and so on. All of this can be useful to the forensic investigator in tracking the who, what, where, and when of an investigation. The key is knowing where to look.
Hives
Inside the registry there are root folders, referred to here as hives. There are five (5) root keys:
● HKEY_USERS: contains all the loaded user profiles
● HKEY_CURRENT_USER: profile of the currently logged-on user
● HKEY_CLASSES_ROOT: configuration information on the application used to open files
● HKEY_CURRENT_CONFIG: hardware profile of the system at startup
● HKEY_LOCAL_MACHINE: configuration information including hardware and software settings
Strictly speaking, these are the root keys of the live registry. The hives an examiner works with offline are the files behind them: SAM, SECURITY, SOFTWARE and SYSTEM under \Windows\System32\config, plus each user's NTUSER.DAT and UsrClass.dat. HKEY_CURRENT_USER and HKEY_CLASSES_ROOT are views assembled from those files at logon and do not exist on disk as separate hives.
Registry Structure
The registry is structured very similarly to the Windows directory/subdirectory structure. You have the five root keys and then subkeys; in some cases, sub-subkeys. These subkeys then have values that are displayed in the contents pane. Very often the values are simply 0 or 1, meaning off or on, but they can also contain more complex information, usually displayed in hexadecimal.

https://www.hackers-arise.com/post/2016/10/21/digital-forensics-part-5-analyzing-the-windows-registry-for-evidence
Accessing the Registry
On our own system, not in a forensic mode, we can access the registry by using the regedit utility built into Windows: type regedit in the search box and open the Registry Editor. On evidence, the hive files are instead loaded from the forensic image into a registry viewer, so nothing is written back to the original.

Information in the Registry with Forensic Value

For a forensic investigator, the registry can prove to be a treasure trove of information on who, what, where, and when something took place on a system, which can directly link the perpetrator to the actions in question.
Information that can be found in the registry includes:
● Users and the time they last used the system
● Most recently used software
● Any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
● When the system connected to a specific wireless access point
● What files were accessed and when
● A list of any searches done on the system
● And much, much more

Wireless Evidence in the Registry

Many hackers crack a local wireless access point and use it for their intrusions. In this way, if the IP address is traced, it will lead back to the neighbour's or another wireless AP and not to them. The profiles of the wireless networks a machine has joined, with the SSID and the DateCreated and DateLastConnected values, are kept under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (Windows Vista and later), so a seized machine can be tied to the cracked access point.

The RecentDocs Key

The Windows registry tracks a great deal of information about the user's activities. In most cases, these registry keys are designed to make Windows run more efficiently and smoothly. For a forensic investigator, these keys are like a road map of the activities of the user or attacker.
One of those keys is the "RecentDocs" key. It tracks the most recent documents used or opened on the system, by file extension. It can be found at:
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
So, for instance, the most recently used Word documents would be found under the .doc or .docx subkey, depending on the version of Word they were created in (each subkey holds up to the last 10 documents; the order is kept in the binary MRUListEx value, most recent first). If we go to the .docx subkey, we see the last 10 Word documents listed under this key.
When we open one of those values, it reveals information about the document: the data is shown in hex on the left and ASCII on the right, and begins with the file name in UTF-16. In the source article's example, the value shows that the document was a Metasploit course outline.

In some cases, an attacker will upload a .tar file, so that is a good place to look for breach evidence. In general, you won't see a .tar file extension on a Windows machine, so the presence of an entry here would be something that needs further investigation. Check the files in the .tar subkey and see what they might reveal about the attack or attacker.
In civil or policy violation investigations, evidence might be found in the various graphic file extensions such as .jpg, .gif, or .png.
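An added example, not from the source article, of reading RecentDocs offline from the raw value data rather than clicking through regedit on a live machine (which would itself write to the hive). The MRUListEx value is a list of DWORD value names, most recent first, ending in 0xFFFFFFFF; each numbered value starts with the document name as a null-terminated UTF-16LE string, followed by a shell item that this example skips. The sample key contents are constructed, and extracting the value bytes from an NTUSER.DAT hive (with a hive parser or a registry viewer's export) is assumed to have been done already.

```python
"""Decode a RecentDocs key offline: MRUListEx gives the order, each numbered
value starts with the document name in UTF-16LE. Stdlib only."""
import struct


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx is a list of little-endian DWORD value names, most recent first,
    terminated by 0xFFFFFFFF. Trailing bytes that do not form a DWORD are ignored."""
    order = []
    usable = len(data) - len(data) % 4
    if usable == 0:
        return order
    for (idx,) in struct.iter_unpack("<I", data[:usable]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdocs_name(data: bytes) -> str:
    """Each numbered value begins with the file name as a null-terminated UTF-16LE
    string; the shell item that follows (pointing at the .lnk) is not needed here."""
    i = 0
    while i + 1 < len(data):            # the terminator sits on a 2-byte boundary
        if data[i] == 0 and data[i + 1] == 0:
            break
        i += 2
    return data[:i].decode("utf-16-le", errors="replace")


def recent_documents(values: dict) -> list:
    """Documents in most-recent-first order for one RecentDocs key (the root key
    or a per-extension subkey). `values` maps value names ('MRUListEx', '0', '1',
    ...) to their raw data as read from the hive."""
    docs = []
    for rank, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        if raw is None:   # index with no value: deleted, or hive only partly recovered
            docs.append({"rank": rank, "index": idx, "name": None})
            continue
        docs.append({"rank": rank, "index": idx, "name": recentdocs_name(raw)})
    return docs


def flag_extensions(docs: list, suspicious=(".tar", ".tgz", ".7z", ".rar")) -> list:
    """Names whose extension is unusual on a Windows desktop, per the text above."""
    return [d["name"] for d in docs
            if d["name"] and d["name"].lower().endswith(suspicious)]


def _value(name: str) -> bytes:
    """Constructed value data: UTF-16LE name, terminator, then placeholder bytes
    standing in for the shell item a real value carries after the name."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


# Constructed contents of the root RecentDocs key (not taken from a real hive).
SAMPLE_KEY = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": _value("Metasploit course outline.docx"),
    "1": _value("quarterly_report.docx"),
    "2": _value("exfil.tar"),
}

if __name__ == "__main__":
    for d in recent_documents(SAMPLE_KEY):
        print(d)
    print("suspicious:", flag_extensions(recent_documents(SAMPLE_KEY)))
```

The numbered values alone do not tell you the order in which documents were opened; only MRUListEx does, and a dangling index in it (a number with no matching value) is itself worth noting, since it usually means an entry was removed.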
TypedURLs Key

When the user types a URL in Internet Explorer, the value is stored in the registry at:
● HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

When we open that key in the registry, it lists the last URLs that the user typed or pasted into IE's address bar (links that were merely clicked are not recorded here). This could reveal the source of malware used in the breach or, in civil or policy violation investigations, what the user was looking for.

The values run from url1 (the most recent) to url25 (the oldest).
IP Addresses
The registry also tracks the IP addresses of the network interfaces. Note that there may be numerous interfaces; this registry key tracks each interface's IP address and related information in a subkey named by the interface's GUID:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Here we can find the IP address assigned to the interface (DhcpIPAddress, or IPAddress for a static configuration), the subnet mask, the DHCP server, and the lease times (LeaseObtainedTime and LeaseTerminatesTime, stored as seconds since the Unix epoch). In this way, we can tell whether the suspect machine was using that particular IP at the time of the intrusion or crime.
Start Up Locations in the Registry
As forensic investigators, we often need to find what applications or services were set to start when the system starts. Malware is often set to start each time the system restarts to keep the attacker connected. This information can be located in literally tens of places in the registry; we will look at just a few of the most commonly used keys.
Probably the most used location is:
● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Any program listed in the values of this key is started every time a user logs on. Rootkits and other malicious software can often be found here.
RunOnce Startup
If the attacker wanted the software to run only once at startup, the value may be set here (Windows deletes the value after running it):
● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Start Up Services
The key below lists all the services, each in its own subkey with a Start value. If Start is 2, the service starts automatically; if it is 3, the service must be started manually; if it is 4, the service is disabled (0 and 1 denote boot-start and system-start drivers).
● HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Start Legacy Applications
When legacy 16-bit applications are run, the program listed here is run first:
● HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW
Start When a Particular User Logs On
In the following key, the values are run when that specific user logs on:
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Storage Artifacts in the Registry
Often, the suspect will use a flash drive or hard drive for their malicious activities and then remove it so as not to leave any evidence. The skilled forensic investigator, though, can still find traces of those storage devices within the registry, if they know where to look.
The registry on a Windows system varies a bit from version to version. A skilled, professional digital forensic investigator needs to be able to work with nearly all versions of Windows and other operating systems. The source article (2016) demonstrates on Windows 7, then the most widely used version; keep in mind that the details vary slightly between versions.
USB Storage Devices
Imagine a case where we suspect that someone installed a keylogger or removed confidential information with a USB drive. How would we find evidence that a USB storage device was inserted and used? To find evidence of USB storage devices, we look at the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR
(ControlSet00x is the control set that was current; check HKEY_LOCAL_MACHINE\SYSTEM\Select\Current, because CurrentControlSet is only a link on the live system and does not exist in the offline hive.)
In this key, we will find evidence of the USB storage devices that have been connected to this system, unless the entries were deliberately removed. Expanding USBSTOR shows a subkey per device model, named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, and under each of those a subkey per physical device.

In the source article's screenshot, one suspicious-looking USB device is circled. Expanding it reveals a unique identifier for that device: the serial number the device reported. If the second character of that identifier is an ampersand, the device had no serial number and Windows generated the value instead, so it does not identify one particular physical device. Opening this identifier reveals much more information about the device.

In the right-hand window we find the class GUID, the friendly name, and the hardware ID, among other things. Combined with the key's last-write time and the matching entries in MountedDevices and the user's MountPoints2 key, this may be exactly the evidence we need to tie the suspect to their activity on this system.
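An added example (not from the source article) that parses the USBSTOR key names and instance IDs described above and then ties a device to the drive letter it was mounted as, through the UTF-16 device path that the MountedDevices key stores for USB volumes. The key names and MountedDevices data are constructed to match the on-disk formats; reading them out of an offline SYSTEM hive is assumed to be done with a hive parser.

```python
"""Parse USBSTOR device keys offline and map serials to drive letters through
MountedDevices. Stdlib only."""
import re

DEVICE_RE = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK


def parse_device_key(name: str) -> dict:
    """'Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00' -> class/vendor/product/revision."""
    m = DEVICE_RE.match(name)
    if not m:
        return {"class": None, "vendor": None, "product": None, "rev": None, "raw": name}
    d = m.groupdict()
    d["raw"] = name
    return d


def parse_instance_id(instance: str) -> dict:
    """The instance subkey is '<serial>&<port>' when the device reported a USB
    serial number. If the second character is '&', Windows generated the ID
    because the device had no serial, so it cannot identify one physical stick."""
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "instance": instance,
        "serial": None if generated else instance.split("&", 1)[0],
        "windows_generated_id": generated,
    }


def mounted_device_string(data: bytes):
    """MountedDevices values for USB volumes hold a UTF-16LE device path; values
    for fixed disks are 12 bytes (disk signature + partition offset) and are skipped."""
    if len(data) % 2 or len(data) <= 12:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("\\??\\") else None


def drive_letters_for(serial: str, mounted: dict) -> list:
    """Drive letters whose MountedDevices entry names this USBSTOR serial."""
    letters = []
    for value_name, data in mounted.items():
        text = mounted_device_string(data)
        if (text and text.startswith("\\??\\USBSTOR#") and f"#{serial}&" in text
                and value_name.startswith("\\DosDevices\\")):
            letters.append(value_name.rsplit("\\", 1)[1])
    return sorted(letters)


def enumerate_usb_storage(usbstor: dict, mounted: dict) -> list:
    """usbstor: {device key name: [instance subkey names]} as read from
    SYSTEM\\ControlSet00x\\Enum\\USBSTOR; mounted: {value name: raw data} from
    SYSTEM\\MountedDevices."""
    out = []
    for key, instances in usbstor.items():
        dev = parse_device_key(key)
        for inst in instances:
            rec = {**dev, **parse_instance_id(inst)}
            rec["drive_letters"] = (drive_letters_for(rec["serial"], mounted)
                                    if rec["serial"] else [])
            out.append(rec)
    return out


# Constructed sample (not from a real hive): one stick with a real serial that
# was mounted as E:, one no-serial stick, and a fixed-disk MountedDevices entry.
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": ["4C530001230712117352&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&1f2e3d4c&0&_&0"],
}
MOUNTED = {
    "\\DosDevices\\E:": ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
                         "#4C530001230712117352&0#" + DISK_CLASS_GUID).encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("78563412") + (0x7E00).to_bytes(8, "little"),
}

if __name__ == "__main__":
    for rec in enumerate_usb_storage(USBSTOR, MOUNTED):
        print(rec)
```

The serial is what lets you say "this stick" rather than "a stick of this model"; when the ID is Windows-generated, the most you can assert is the model, and the drive-letter mapping is not attempted.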
Mounted Devices
If the suspect used any hardware device that must be mounted to either read or write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry records the mounted volume. This information is stored at:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Opening this key provides a long list of every volume that has been mounted on that machine, with a \DosDevices\<letter>: value for each drive letter and a \??\Volume{GUID} value for each volume.

If we need further information on any of those mounted devices, we can simply open the value; the editor shows the binary data alongside its text rendering. For USB devices the data is a UTF-16 string containing the same device path and serial number seen under USBSTOR, which lets us map the device to the drive letter it was given; for fixed disks it is the disk signature and partition offset. In the source article's example, the device was an IDE CD-ROM manufactured by TEAC.

If there is no TEAC CD-ROM on the system, the forensic investigator now knows that they need to find this piece of hardware to find further evidence of the crime.
The registry is a repository of volumes of information on what happened on a Windows system, and by learning our way around it, we can reconstruct the elements of a crime it was used for.
https://resources.infosecinstitute.com/topic/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/

Computer Event Log Files Provide Valuable Evidence


Computer log files provide concrete evidence of a user's computer activity both on- and offline. Event log files are automatically generated and may be found in operating systems, web browsers, or computer applications. Even deleting specific documents will not delete the associated log data. Here is a list of the types of evidence that could prove crucial in a case:

● Websites accessed, when, and for how long.
● USB devices inserted into and removed from the computer.
● Which wireless networks the machine has seen, and when it connected and disconnected.
● When the defendant booted up or shut down their work computer.
● User profiles accessing the machine, when, and for how long.
● New and deleted user profiles.
● User access to the machine, whether directly or remotely.
● Email communications content and whom they were sent to and received from.
● Computer application use and frequency.
● Contraband photos downloaded from the internet, when accessed, and how they were renamed if applicable.
● Deleted files, emails, documents, and more.
https://www.howelawfirm.com/e-discovery-and-forensics/computer-evidence/computer-log-files/

What are the Benefits of Log Analysis?


● Compliance. Many governmental or regulatory bodies require organizations to demonstrate their compliance with the myriad of regulations that impact nearly every entity. Log file analysis can demonstrate that the mandates of HIPAA, PCI DSS, GDPR or other regulations are in fact being met by the organization.
● Security enhancements. As cybercrime becomes increasingly organized, the need for stronger countermeasures also grows. Event log analysis provides powerful tools for taking proactive measures and enables forensic examinations after the fact if a breach or data loss does occur. Log analysis can use network monitoring data to uncover unauthorized access attempts and to confirm that security controls and firewalls are configured as intended.
● Efficiency. A log analysis framework helps improve efficiency across the organization. IT resources in every department can share a single log repository, and analysis of an organization's log data can help spot errors or trends in every business unit and department, enabling rapid remediation.
● High availability. Timely action based on information uncovered by log analysis can prevent an issue from causing downtime. This in turn helps ensure that the organization meets its business goals, and that the IT organization meets its commitments to provide services with a given uptime guarantee.
● Avoiding over- or under-provisioning. While organizations must plan to meet peak demands, log analysis can help project whether there is sufficient CPU, memory, disk, and network bandwidth to meet current demands and projected trends. Over-provisioning wastes precious IT dollars, and under-provisioning can lead to service outages as organizations scramble to either purchase additional resources or use cloud resources to meet flexes in demand.
● Sales and marketing effectiveness. By tracking metrics such as traffic volume and the pages that customers visit, log analysis can help sales and marketing professionals understand which programs are effective and what should be changed. Traffic patterns can also help with retooling an organization's website to make it easier for users to navigate to the most frequently accessed information.

How to Perform Log Analysis?


Logs are time-series records of actions and activities generated by applications, networks, devices (including programmable and IoT devices), and operating systems. They are typically stored in a file or database, or in a dedicated application called a log collector for real-time log analysis.

A log analyst's task is to help interpret the full range of log data and messages in context, which requires normalization of the log data to ensure use of a common set of terminology. This prevents the confusion that might arise if one function signals 'normal' and another signals 'green' when both mean that no action is required.
Generally, log data is collected for the log analysis program, cleansed, structured or normalized, and then offered for analysis so that experts can detect patterns or uncover anomalies such as a cyber-attack or data exfiltration. Performing log file analysis generally follows these steps:
1. Data collection: data from hardware and software probes is collected into a central database. Forwarding logs off the host as they are written also matters for forensics, because an attacker who gains administrative rights can clear the local copies.
2. Data indexing: data from all sources is centralized and indexed to speed searchability, enhancing IT professionals' ability to rapidly uncover problems or patterns.
3. Analysis: log analysis techniques including normalization, pattern recognition, correlation, and tagging can be applied either automatically using machine learning tools or manually where needed.
4. Monitoring: a real-time, autonomous log analysis platform can generate alerts when anomalies are detected. This type of automated log analysis is the underpinning for most continuous monitoring of the full IT stack.
5. Reports: both traditional reports and dashboards are part of a log analysis platform, providing either at-a-glance or historical views of metrics for operations, development, and management stakeholders.

https://www.vmware.com/topics/glossary/content/log-analysis.html

Log Analysis Methods


Given the massive amount of data being created in today's digital world, it has become impossible for IT professionals to manually manage and analyze logs across a sprawling tech environment. As such, they require an advanced log management system and techniques that automate key aspects of the data collection, formatting and analysis processes.

These techniques include:

Normalization

Normalization is a data management technique that ensures all data and attributes, such as IP addresses and timestamps, within the transaction log are formatted in a consistent way.

Pattern recognition

Pattern recognition refers to filtering events based on a pattern book in order to separate routine events from anomalies.

Classification and tagging

Classification and tagging is the process of tagging events with keywords and classifying them by group so that similar or related events can be reviewed together.

Correlation analysis

Correlation analysis is a technique that gathers log data from several different sources and reviews the information as a whole using log analytics.

Artificial ignorance

Artificial ignorance refers to the deliberate disregard of entries that are not material to system health, performance, or the question being investigated.
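The collection, normalization, pattern recognition, classification, correlation and artificial ignorance techniques described in the two sections above, as one added worked example (not code from either cited source): a few constructed sshd and IIS lines are normalized into a common schema, noise is dropped, events are tagged, and authentication failures from the same source IP are correlated across both logs. The log formats, the year assumed for the syslog timestamps, and the threshold and window are the example's assumptions.

```python
"""Normalize two log formats into one schema, drop noise (artificial ignorance),
tag events, and correlate failures per source IP across sources. Stdlib only."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real logs). Syslog lines carry no year; the
# analyst supplies it from the case context (assumed to be 2024 here).
AUTH_LOG = """\
Mar  3 09:14:01 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51812 ssh2
Mar  3 09:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51813 ssh2
Mar  3 09:14:09 web01 sshd[2240]: Accepted password for deploy from 198.51.100.7 port 40122 ssh2
Mar  3 09:15:01 web01 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-03-03 09:14:20 203.0.113.5 GET /admin 401
2024-03-03 09:14:22 203.0.113.5 GET /admin 401
2024-03-03 09:14:30 198.51.100.7 GET /index.html 200
"""
LOG_YEAR = 2024

# Pattern recognition: one pattern per source that pulls out the same fields.
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
IIS_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<ip>[\d.]+) "
                    r"(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")
# Artificial ignorance: lines known to be immaterial to the question asked.
IGNORE = [re.compile(r" CRON\[\d+\]: "), re.compile(r"^#")]


def normalize(line: str, source: str):
    """Map one raw line to the common schema, or None if it is noise or unparsed."""
    if any(p.search(line) for p in IGNORE):
        return None
    if source == "sshd":
        m = SSH_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR, tzinfo=timezone.utc)
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "source": source, "src_ip": m["ip"], "user": m["user"],
                "outcome": outcome, "tags": {"auth", "ssh"}}
    if source == "iis":
        m = IIS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        status = int(m["status"])
        outcome = "failure" if status in (401, 403) else "success"
        return {"ts": ts, "source": source, "src_ip": m["ip"], "user": None,
                "outcome": outcome, "tags": {"web", "auth"} if status == 401 else {"web"}}
    return None


def collect(sources: dict) -> list:
    """sources: {name: raw text}. Returns normalized events in time order."""
    events = []
    for name, text in sources.items():
        for line in text.splitlines():
            ev = normalize(line, name)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, threshold: int = 3, window_s: int = 300) -> list:
    """Flag a source IP whose failures across at least two different log sources
    reach `threshold` within `window_s` seconds; single-source noise is not enough."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            by_ip[ev["src_ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = {e["source"] for e in evs}
        if len(evs) >= threshold and len(sources) >= 2 and span <= window_s:
            findings.append({"src_ip": ip, "failures": len(evs), "sources": sorted(sources),
                             "first": evs[0]["ts"].isoformat(), "last": evs[-1]["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in correlate(collect({"sshd": AUTH_LOG, "iis": IIS_LOG})):
        print(f)
```

Timestamps are made timezone-aware during normalization on purpose: correlating a UTC IIS log against a syslog in local time without that step produces findings that are hours off.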

https://www.humio.com/glossary/log-analysis/

Email forensics

1. Email Header Analysis


Email headers contain important information, including the names of the sender and receiver and the path (servers and other devices) through which the message has traversed. Some of the important email header fields are highlighted below.

The vital details in email headers can help investigators and forensics experts in email investigation. For instance, the Delivered-To field contains the email address of the recipient, and the topmost Received field, added by the last SMTP server to handle the message, records that server's name, the message's SMTP ID there, and the date and time at which the email was received. Each server in the path prepends its own Received header, so reading them from the bottom up follows the message from origin to destination, and the "from" clause of a Received header may provide key details like the IP address and host name of the sending machine. Only the Received headers written by servers you trust can be taken at face value; anything below the point where the message entered a trusted server could have been written by the sender. Such information can be instrumental in identifying the culprit and collecting evidence.
2. Email Server Investigation
Email servers are investigated to locate the source of an email. If an email has been deleted from the client application, the sender's or the receiver's, then the related ISP or proxy servers are examined, as they usually keep copies of emails after delivery. Servers also maintain logs that can be analyzed to identify the address of the computer from which the email originated.

It is worth noting that HTTP and SMTP (Simple Mail Transfer Protocol, the protocol used to hand messages between mail servers) logs are archived frequently by large ISPs. If a log has been archived, tracing the relevant emails can take a lot of time and effort, as it requires decompression and extraction. So it is best to examine the logs as soon as possible, before they are archived or rotated out.

3. Investigation of Network Devices

In some cases, server logs aren't available. This can happen for many reasons, such as when servers aren't configured to maintain logs or when an ISP refuses to share the log files. In such an event, investigators can refer to the logs maintained by network devices such as switches, firewalls, and routers to trace the source of the email message.

4. Sender Mailer Fingerprints

X-headers are non-standard email headers that are added to messages alongside standard
headers like Subject and To. They are typically added by spam filters, authentication checks
(recorded in headers such as X-Spam-Status, next to the standard Authentication-Results) and
mail clients, and can be used to identify the software that handled the email at the client,
such as Outlook or Opera Mail (the X-Mailer or User-Agent header). An X-Originating-IP
header, where a webmail provider or client adds one, can give the IP address of the sender's
computer rather than that of a mail server. As with every header that originates on the
sender's side, these values are trivially forgeable and should be treated as leads to
corroborate, not as proof.
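A worked example of reading the Received chain and the X-headers described in sections 1 and 4, added here and not taken from the original page: it parses a constructed raw message (invented hosts and addresses), orders the hops chronologically, picks the earliest observed connecting IP as the likely origin, and flags a hop whose timestamp runs backwards, which is what a forged Received line or a badly skewed clock looks like. The parsing relies only on Python's standard email module and a few regular expressions over the free-form Received syntax.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed raw message (invented hosts and addresses, not a real capture). Each relay
# prepends its own Received header, so the first Received line below is the last hop and
# the last Received line is the hop that accepted the message from the sender.
SAMPLE_RAW = """\
Delivered-To: bob@example.invalid
Received: from mx2.example.invalid (mx2.example.invalid [198.51.100.5])
\tby imap.example.invalid with ESMTPS id 9F2A1B
\tfor <bob@example.invalid>; Tue, 14 Nov 2023 22:13:22 +0000
Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10])
\tby mx2.example.invalid with ESMTP id ABC123DEF45;
\tTue, 14 Nov 2023 22:13:21 +0000
Received: from [10.0.0.23] (unknown [203.0.113.7])
\tby mx1.example.invalid (Postfix) with ESMTPSA id ABC123DEF45;
\tTue, 14 Nov 2023 22:13:20 +0000
X-Originating-IP: [203.0.113.7]
X-Mailer: Example Mailer 1.0
Message-ID: <20231114221320.1234@example.invalid>
From: alice@example.invalid
To: bob@example.invalid
Subject: test

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received header into its from/by/id/date parts.
    The name right after 'from' is what the connecting host claimed in HELO; the
    parenthesised part is what the receiving server itself observed (reverse DNS and the
    connecting IP), which is the value an investigator should trust first."""
    value = re.sub(r"\s+", " ", value).strip()
    if ";" in value:
        clause, date = value.rsplit(";", 1)
    else:
        clause, date = value, ""
    hop = {"from": None, "from_info": "", "by": None, "id": None, "from_ip": None, "date": None}
    if m := re.search(r"\bfrom (\S+)(?: \(([^)]*)\))?", clause):
        hop["from"], hop["from_info"] = m.group(1), m.group(2) or ""
    if m := re.search(r"\bby (\S+)", clause):
        hop["by"] = m.group(1)
    if m := re.search(r"\bid ([^\s;]+)", clause):
        hop["id"] = m.group(1)
    if m := IPV4_RE.search(hop["from_info"]):
        hop["from_ip"] = m.group(1)
    if date.strip():
        hop["date"] = parsedate_to_datetime(date.strip())
    return hop


def trace_origin(raw):
    """Order the hops chronologically, pick the earliest observed IP as the likely origin,
    and report hops whose timestamp precedes the previous hop's (clock skew or forgery)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # now index 0 is the hop closest to the sender
    anomalies = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["date"] and cur["date"] and cur["date"] < prev["date"]:
            anomalies.append(f"hop by {cur['by']} is dated before hop by {prev['by']}")
    m = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    return {
        "delivered_to": msg.get("Delivered-To"),
        "hops": hops,
        "origin_ip": next((h["from_ip"] for h in hops if h["from_ip"]), None),
        "x_originating_ip": m.group(1) if m else None,
        "x_mailer": msg.get("X-Mailer"),
        "anomalies": anomalies,
    }
```

The origin IP reported here is only as trustworthy as the first server in the chain that the investigator controls or can obtain logs from; everything below that server's own Received line was written by parties the sender may control.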

5. Software Embedded Identifiers

Sometimes the email software used by a sender includes additional information about the
message and its attachments in the email itself. It can be found in the MIME content, for
example inside a Transport Neutral Encapsulation Format (TNEF) attachment (Microsoft
Outlook's winmail.dat) or in custom headers. An in-depth analysis of these sections can
reveal vital details about the sender, such as MAC addresses, the Windows logon user name,
PST file names and more.

6. Bait Tactics

The bait tactic is an email investigation technique used when the location of a suspect or
cybercriminal is unknown. The investigators send the suspect an email containing an HTML
<img src="http://..."> tag whose image is hosted on a computer monitored by the
investigators. When the suspect opens the email and the mail client fetches the image, the
IP address of the suspect's computer is written to a log entry on the HTTP server that hosts
the image. The investigators can then use that IP address to track the suspect.

Sometimes suspects take precautionary measures such as using a proxy server to protect
their identity. In that case the IP address of the proxy server is recorded instead. The
proxy server's own log, if it can be obtained, can then be analyzed to track the suspect.
If that log is not available either, the investigators can send an email that contains
either of the following:

● an HTML page with an ActiveX object, or
● an embedded Java applet configured to run on the recipient's computer.

Both of these can record the IP address of the suspect's computer and send it to the email
address of the investigators.

Two practical caveats apply today. ActiveX controls and Java applets are no longer executed
by current browsers or mail clients, so that fallback only works against very old software.
More importantly, many mail providers and clients block remote images by default or fetch
them through their own image proxy, in which case the logged address belongs to the
provider's proxy rather than to the suspect; the User-Agent recorded with the request usually
reveals this. A bait message is also an active measure directed at a target and should only
be sent with appropriate legal authorisation.
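Both sides of the bait exchange above, as an added example that is not from the original page: one function builds the HTML body with a tracking image whose URL carries a random per-message token, and another matches hits in the web server's access log (Apache/Nginx "combined" format) back to the token, so that each hit is tied to the suspect that message was sent to. The access-log lines are constructed (invented addresses and tokens); the proxy check keys on the user-agent string Google's image proxy is known to send, and any other provider would need its own rule.

```python
import re
import secrets
from datetime import datetime


def make_bait_email(tracking_host, token=None):
    """Return (token, html_body). The token is random per message so that a log hit can be
    attributed to exactly one recipient; pass a fixed token only for testing."""
    token = token or secrets.token_hex(8)
    html = ("<html><body><p>Your order confirmation is attached.</p>"
            f'<img src="http://{tracking_host}/i/{token}.gif" width="1" height="1" alt="">'
            "</body></html>")
    return token, html


# Apache / Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TOKEN_PATH_RE = re.compile(r"^/i/(?P<token>[0-9a-f]+)\.gif$")

# A request carrying this marker was made by the mail provider's image proxy, so the IP in
# the log belongs to the provider and not to the person reading the message.
PROXY_MARKERS = ("GoogleImageProxy",)


def match_hits(log_lines, tokens):
    """tokens maps token -> label of the suspect the token was sent to.
    Returns one record per request that fetched a known tracking image, in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = TOKEN_PATH_RE.match(m["path"])
        if not p or p["token"] not in tokens:
            continue
        hits.append({
            "token": p["token"],
            "suspect": tokens[p["token"]],
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user_agent": m["ua"],
            "via_proxy": any(marker in m["ua"] for marker in PROXY_MARKERS),
        })
    return hits


# Constructed access-log lines (invented addresses and tokens).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Nov/2023:22:20:05 +0000] "GET /i/deadbeef00112233.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Thunderbird/115.4.1"
192.0.2.50 - - [14/Nov/2023:22:20:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.77 - - [14/Nov/2023:22:21:10 +0000] "GET /i/cafebabe99887766.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
"""
SAMPLE_TOKENS = {"deadbeef00112233": "suspect A", "cafebabe99887766": "suspect B"}
```

A hit flagged via_proxy still tells the investigator that the message was opened and when, just not from where; the tokens should be kept with the case file so that a hit months later can still be attributed.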

Role of Email Forensic Tools

An email forensic investigation can be a complicated task when many suspects are involved
and a large number of mailboxes has to be analyzed. Even though the techniques above are
quite effective, applying them by hand to every message consumes a lot of time. That is why
professionals use enterprise-grade email forensic tools such as Stellar Email Forensic for
fast and accurate analysis. These tools come with features like multiple email views,
advanced keyword search filters, deleted email recovery, and so on. They also generate
evidence reports and offer case management features for handling multiple cases.

https://www.stellarinfo.com/blog/email-forensics-investigation-guide-for-security-experts/

Web Browsers Forensics

When doing forensic analysis, browsers are a gold mine because of the amount of information
they contain. Often the source of an incident or of a malware infection can be traced using
the artifacts found inside browsers. From the navigation history to downloaded files, browsers
are a critical piece in any forensic analysis.

In this article we will talk about the different browsers available today, where each one of
them stores these artifacts, and how to extract, understand and make sense of them.

Browser Artifacts

When we talk about browser artifacts we mean navigation history, bookmarks, the list of
downloaded files, cache data, and so on.

These artifacts are files stored inside specific folders in the operating system.

Each browser stores its files in a different place and under different names, but they all
store (most of the time) the same types of data (artifacts).

Let us take a look at the most common artifacts stored by browsers.

● Navigation History : Contains data about the user's navigation history. Can be used, for
  example, to determine whether the user visited a malicious site.
● Autocomplete Data : The data the browser suggests based on what the user searches for most.
  Can be used together with the navigation history to get more insight.
● Bookmarks : Self explanatory.
● Extensions and Addons : Self explanatory.
● Cache : When navigating websites, the browser creates all sorts of cache data (images,
  JavaScript files, etc.), for example to speed up the loading of websites. These cache
  files can be a great source of data during a forensic investigation.
● Logins : Self explanatory.
● Favicons : The little icons shown in tabs, URLs, bookmarks and the like. They can be used
  as another source of information about the websites the user visited.
● Browser Sessions : Self explanatory.
● Downloads : Self explanatory.
● Form Data : Anything typed inside forms is often stored by the browser, so that the next
  time the user enters something in a form the browser can suggest previously entered data.
● Thumbnails : Self explanatory.

With that said, let us dive right in.

Mozilla Firefox

● Profile Path : Contains the profile data and the majority of the artifacts. Recent
  Firefox releases name the default profile folder [profileID].default-release; older
  ones use [profileID].default, and a machine may have both.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\

● Navigation History + Bookmarks [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite

● Bookmarks Backups [Folder / .jsonlz4 Files]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups\

● Cookies [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\cookies.sqlite

● Cache [Multiple Types Of Data]
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\startupCache

● Form History [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite

● Addons + Extensions : Contains data about the addons installed in the browser. The SQLite
  databases below belong to older versions; current releases keep this data in
  extensions.json and addons.json in the same profile folder.
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite

● Favicons [SQLite Database]
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\favicons.sqlite

● Settings And Preferences
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\prefs.js

● Logins + Passwords [JSON File + key database] : logins.json holds the saved credentials in
  encrypted form; the key needed to decrypt them lives in key4.db (key3.db in older
  versions), so both files must be collected together.
- Logins
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json
- Passwords
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db (Older Version)

● Sessions Data [jsonlz4 File] : Files containing data about the current session (tabs and
  websites opened).
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore.jsonlz4
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups\

● Downloads [SQLite Database] : List of files downloaded with Firefox. downloads.sqlite is
  only present in older versions; current releases record downloads in places.sqlite (the
  moz_annos table).
C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite

● Thumbnails : Folder containing the images shown when we open the "about:newtab" page.
C:\Users\XXX\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\thumbnails

Google Chrome

● Profile Path : Contains the profile data and the majority of the artifacts. "Default" is
  the first profile; additional profiles are stored alongside it as "Profile 1",
  "Profile 2" and so on, each with the same set of files.
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData

● Navigation History + Downloads + Search History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History

● Cookies [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies

● Cache [Multiple Types]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Cache
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache

● Bookmarks [JSON]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks

● Form History [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data

● Favicons [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Favicons
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Favicons

● Logins [SQLite Database] : The stored passwords are encrypted with a key protected by the
  Windows DPAPI of the user's account (Chrome 80 and later keep that key, itself
  DPAPI-encrypted, in the "Local State" file of the User Data folder), so they can only be
  decrypted in the context of that user account or with those keys.
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data

● Sessions Data : Recent versions keep session and tab snapshots in the Sessions\ subfolder
  of the profile instead of the files below.
- Current Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs
- Last (Previous) Sessions / Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs

● Addons + Extensions [Folders]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\

● Thumbnails [SQLite Database]
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Top Sites
C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\Thum bnails (Older versions)
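Reading the two history databases listed above, as an added example that is not from the original article: it creates a small look-alike of Firefox's places.sqlite and of Chrome's History file with constructed data (only the columns used here, invented URLs), reads them back read-only, and converts each browser's timestamp format to UTC. The conversion is the part that is easy to get wrong: Firefox stores microseconds since 1970-01-01, Chrome microseconds since 1601-01-01. Always work on a copy of the database (together with any -wal or -journal file next to it), never on the live file in the profile.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Both browsers store times as integer microseconds, but counted from different epochs:
#   Firefox places.sqlite: PRTime, microseconds since 1970-01-01 UTC
#   Chrome  History:       WebKit time, microseconds since 1601-01-01 UTC
FIREFOX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def firefox_time(us):
    return FIREFOX_EPOCH + timedelta(microseconds=us)


def chrome_time(us):
    return CHROME_EPOCH + timedelta(microseconds=us)


def _open_readonly(path):
    # Open the (copied) database read-only so the examination cannot alter the evidence.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_firefox_db(path):
    """Constructed places.sqlite look-alike: only the columns queried below, invented data."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://bad.example.invalid/dl/update.exe', 'Update', 1, 1700000000000000),
            (2, 'https://intranet.example.invalid/', 'Intranet', 2, 1700000600000000);
        INSERT INTO moz_historyvisits VALUES
            (1, 2, 1699999000000000, 1), (2, 1, 1700000000000000, 1), (3, 2, 1700000600000000, 1);
    """)
    con.commit()
    con.close()


def firefox_history(path):
    """Every recorded visit in chronological order as (utc datetime, url, title)."""
    con = _open_readonly(path)
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    con.close()
    return [(firefox_time(ts), url, title) for ts, url, title in rows]


def build_sample_chrome_db(path):
    """Constructed Chrome History look-alike holding the same three visits in WebKit time."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES
            (1, 'http://bad.example.invalid/dl/update.exe', 'Update', 1, 13344473600000000),
            (2, 'https://intranet.example.invalid/', 'Intranet', 2, 13344474200000000);
        INSERT INTO visits VALUES
            (1, 2, 13344472600000000, 805306368), (2, 1, 13344473600000000, 805306368),
            (3, 2, 13344474200000000, 805306368);
    """)
    con.commit()
    con.close()


def chrome_history(path):
    """Every recorded visit in chronological order as (utc datetime, url, title)."""
    con = _open_readonly(path)
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    con.close()
    return [(chrome_time(ts), url, title) for ts, url, title in rows]
```

The two sample databases describe the same three visits, so the two history functions must return identical timestamps; if they do not, the epoch conversion is wrong. The same two conversions apply to the Cookies, Web Data and Login Data files of each browser.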

Microsoft Edge

The paths below belong to the original (EdgeHTML-based) Edge shipped with Windows 10. The
Chromium-based Edge that replaced it in 2020 stores its profile under
C:\Users\XXX\AppData\Local\Microsoft\Edge\User Data\Default and uses the same artifact
layout and file names as Google Chrome above (History, Cookies, Login Data, Bookmarks, ...).

● Profile Path
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC

● History + Cookies + Downloads [ESE Database]
C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

● Settings + Bookmarks + Reading List [ESE Database]
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb

● Cache
C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\#!XXX\MicrosoftEdge\Cache

● Sessions
- Last Active Session
C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active

Internet Explorer [Coming Soon]
Opera [Coming Soon]
Safari [Coming Soon]
Tools

Now that we have seen the different artifacts that can be collected from a forensic point of
view, let us take a look at some of the tools that can help make sense of this data.

● DB Browser for SQLite (opens ".sqlite" files)
● Nirsoft Web Browsers Tools (a multitude of tools to open cache files, cookies and history data)
● BrowsingHistoryView
● ESEDatabaseView
● Session History Scrounger for Firefox (opens ".jsonlz4" files)
● Sysinternals Strings
● OSForensics
● Magnet IEF (Internet Evidence Finder)
● Browser History Viewer
● Browser History Examiner (free trial)
● Hindsight
● libesedb (library to access the Extensible Storage Engine (ESE) Database File (EDB) format)
● Web Browser Addons View (used to view installed extensions and addons)
● The LaZagne Project
● firepwd.py (open source tool to decrypt Mozilla protected passwords)
● Firefox Search Engine Extractor (opens "search.json.mozlz4" files)
● Firefox Bookmark Backup Reader/Decompressor (opens ".jsonlz4" files)

https://nasbench.medium.com/web-browsers-forensics-7e99940c579a

Malware Forensics

Malware is short for malicious software: software that is specifically designed to harm a
computer or its data in one way or another. Malware has evolved together with technology and
takes full advantage of the latest technological developments.

Malware consists of programming (code, scripts, active content and other software) designed
to disrupt or deny operations, gather information that leads to loss of privacy or to
exploitation, gain unauthorized access to system resources, or carry out other abusive
behavior.

What is Malware Forensics?

It is a way of finding, analyzing and investigating the various properties of malware in order
to identify the culprits and the reason for the attack. The process also includes tasks such
as examining the malicious code, determining its point of entry, its method of propagation,
its impact on the system, the ports it tries to use, and so on. Investigators conduct the
forensic investigation using different techniques and tools.

Types of Malware:

Malware is categorized by parameters such as how it affects the system, the functionality or
intent of the program, its spreading mechanism, and whether the program asks for the user's
permission or consent before performing certain operations. Some of the commonly encountered
categories are:

● Backdoor
● Botnet
● Downloader
● Launcher
● Rootkit
● HackTool
● Rogue application
● Scareware
● Worm or Virus
● Credential-stealing program, etc.

Symptoms of Infected Systems:

The following are some symptoms of an infected system:
● The system becomes unstable and responds slowly, as the malware may be using system resources.
● Unknown new executables are found on the system.
● Unexpected network traffic to sites that you do not expect the machine to connect to.
● System settings such as the browser home page are altered without your consent.
● Random pop-ups are shown as advertisements.
Recent additions to the set are alerts shown by fake security applications which you never
installed. Messages like "Your computer is infected" are displayed and the user is asked to
register the program to get rid of the detected threat. Overall, the system shows unexpected
and unpredictable behavior.

Different ways Malware can get into a system:
● Instant messenger applications
● Internet relay chat
● Removable devices
● Links and attachments in emails
● Legitimate "shrink-wrapped" software packaged by a disgruntled employee
● Browser and email software bugs
● NetBIOS (file sharing)
● Fake programs
● Untrusted sites and freeware software
● Downloading files, games and screensavers from websites

Prerequisites for Malware Analysis:

Prerequisites for malware analysis include an understanding of malware classification,
essential x86 assembly concepts, file formats such as the Portable Executable (PE) format,
Windows APIs, and expertise in using monitoring tools, disassemblers and debuggers.

Types of Malware Analysis:

The two types of malware analysis, based on the approach taken, are:

Static Malware Analysis: a basic analysis of the code and its properties (hashes, strings,
imports, headers, packer signatures) without running it, to understand what the malware does
and what functions it contains.

Dynamic Malware Analysis: executing the malware in an isolated environment to observe its
conduct and operations (files written, registry changes, processes spawned, network
connections) and identify technical signatures that confirm the malicious intent.
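A first static-analysis pass of the kind described above, as an added example that is not from the original page: it hashes the sample, reads the PE header fields that can be had without a disassembler (machine type, section count, compiler timestamp), extracts ASCII and UTF-16 strings, and flags API names, URLs and IP addresses that warrant a closer look, together with the byte entropy that hints at packing, which is the usual first sign that the static picture is incomplete and dynamic analysis is needed. The input is a constructed stand-in built from a minimal PE-like header and a few strings (not a real sample; invented hostname and address), and the suspicious-API list is a small illustrative subset.

```python
import hashlib
import math
import re
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
# Illustrative subset of APIs common in process-injection and downloader code.
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "SetWindowsHookExA", "URLDownloadToFileA", "IsDebuggerPresent"}


def build_sample():
    """Constructed stand-in for a suspicious file (not real malware): a minimal MZ/PE header
    whose e_lfanew points at a COFF header, followed by the kinds of strings an analyst
    looks for. Invented hostname and address."""
    coff = ((0x8664).to_bytes(2, "little") + (3).to_bytes(2, "little")
            + (1700000000).to_bytes(4, "little") + b"\x00" * 12)
    return (b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + coff
            + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
            + b"http://c2.example.invalid/gate.php\x00203.0.113.9\x00\x00"
            + "Software\\Run".encode("utf-16-le") + b"\x00\x00")


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def entropy(data):
    """Shannon entropy in bits per byte: close to 8 for packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header(data):
    """Machine type, section count and compile timestamp from the COFF header, or None if
    the data is not a PE. The timestamp is attacker-controlled and may be zeroed or faked."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    off = int.from_bytes(data[0x3C:0x40], "little")
    if data[off:off + 4] != b"PE\x00\x00" or len(data) < off + 24:
        return None
    machine = int.from_bytes(data[off + 4:off + 6], "little")
    sections = int.from_bytes(data[off + 6:off + 8], "little")
    stamp = int.from_bytes(data[off + 8:off + 12], "little")
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": sections,
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()}


def strings(data, min_len=5):
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries keep many strings wide)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def triage(data):
    """Everything a first static pass records before anyone runs the sample."""
    found = strings(data)
    return {
        "hashes": hashes(data),
        "entropy": round(entropy(data), 2),
        "pe": pe_header(data),
        "strings": found,
        "suspicious_apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
        "urls": [s for s in found if re.match(r"https?://", s)],
        "ipv4": [s for s in found if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", s)],
    }
```

The hashes are what gets searched in reputation services before anything is uploaded; a high entropy value together with few readable strings means the binary is packed and the interesting strings will only appear in memory during dynamic analysis.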

Online Malware Analysis Services:

● VirusTotal
● Metascan Online (now OPSWAT MetaDefender Cloud)
● Malware Protection Center (Microsoft)
● Web Online Scanners
● Payload Security (Hybrid Analysis, now part of CrowdStrike)
● Jotti
● Valkyrie, etc.

Note that uploading a sample to a public service shares it with the service and, usually,
with other researchers. For a sample that may contain the victim's data, or in a case where
the attacker must not learn that the sample was found, search by hash first and upload only
with the case owner's approval.

Malware Analysis Tools:

● IDA Pro
● What's Running
● Process Explorer
● Directory Monitor
● RegScanner
● Capsa Network Analyzer
● API Monitor

Providing security for computer systems against malware is an enormous concern. Many new
malware samples are created every day, and the worst part is that new malware is highly
sophisticated and very difficult to detect, because malware developers use various advanced
techniques to hide the actual code or behavior of the malware. This makes it very hard to
analyze the malware and extract the information needed to design detection systems, because
of anti-static and anti-dynamic analysis techniques. It is therefore crucial for forensic
analysts to have sound knowledge of the various malware programs, their working, propagation
and site of impact, as well as of the methods of detection and analysis and their continuous
advancement.

https://info-savvy.com/what-is-malware-forensics/

Challenges in Computer Forensics

Digital forensics has been defined as the use of scientifically derived and proven methods
towards the identification, collection, preservation, validation, analysis, interpretation and
presentation of digital evidence derived from digital sources, to facilitate the reconstruction
of events found to be criminal. But these digital forensic investigation methods face some
major challenges at the time of practical implementation. Digital forensic challenges are
categorized under three major heads as per Fahdi, Clark and Furnell (2013); these are:

● Technical challenges,
● Legal challenges,
● Resource challenges.

TECHNICAL CHALLENGES

As technology develops, crimes and criminals develop with it. Digital forensic experts use
forensic tools to collect shreds of evidence against criminals, and criminals use such tools
to hide, alter or remove the traces of their crime; in digital forensics this is called an
anti-forensics technique, and it is considered a major challenge in the digital forensics
world. Anti-forensics techniques are categorized into the following types:

S. No.  Type                          Description
1       Encryption                    Legitimately used to ensure the privacy of information by
                                      keeping it hidden from unauthorized persons. Unfortunately,
                                      it can also be used by criminals to hide their crimes.
2       Data hiding in storage space  Criminals hide chunks of data inside the storage medium in
                                      a form that ordinary tools do not show (for example in
                                      slack space, unallocated space or alternate data streams),
                                      using system commands and programs.
3       Covert channel                A covert channel is a communication method that allows an
                                      attacker to bypass intrusion detection and hide data inside
                                      otherwise legitimate network traffic. Attackers use it to
                                      hide the connection between themselves and the compromised
                                      system.

Other technical challenges are:

● Operating in the cloud
● Time to archive data
● Skill gap
● Steganography
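A detection check for the covert-channel row of the table above, as an added example that is not from the original article: it scans DNS query records for the pattern that tunnelling tools leave behind (many distinct, long, machine-generated labels under one parent domain, often as TXT queries), which is how data is smuggled out past a firewall that allows only DNS. The query records are constructed (invented domains and a private client address), the "registered domain" is approximated as the last two labels, and the thresholds are starting points to tune against a baseline of normal traffic, not universal constants.

```python
import re
from collections import defaultdict

# Constructed query records (invented domains, not real traffic), one per line:
#   "<time> <client ip> <query name> <query type>"
SAMPLE_QUERIES = """\
22:13:20 10.0.0.23 www.example.invalid A
22:13:21 10.0.0.23 cdn.example.invalid A
22:13:22 10.0.0.23 4d5a9000030000000400.t.exfil.invalid TXT
22:13:22 10.0.0.23 ffff0000b80000000000.t.exfil.invalid TXT
22:13:23 10.0.0.23 40000000000000000000.t.exfil.invalid TXT
22:13:23 10.0.0.23 00000000000000000000.t.exfil.invalid TXT
22:13:24 10.0.0.23 0e1fba0e00b409cd21b8.t.exfil.invalid TXT
22:13:24 10.0.0.23 014ccd21546869732070.t.exfil.invalid TXT
22:13:25 10.0.0.23 mail.example.invalid MX
22:13:26 10.0.0.23 726f6772616d2063616e.t.exfil.invalid TXT
"""

HEXLIKE_RE = re.compile(r"^[0-9a-f]+$")


def registered_domain(qname):
    # Approximation: the last two labels. Real deployments use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def dns_stats(records):
    """Aggregate per (client, registered domain): query count, distinct names, total length
    of the leftmost label, number of hex-like labels and of TXT/NULL queries."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0,
                               "hexlike": 0, "txt_null": 0})
    for line in records:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        first = qname.split(".")[0]
        s = agg[(client, registered_domain(qname))]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["label_len"] += len(first)
        s["hexlike"] += bool(HEXLIKE_RE.match(first.lower()))
        s["txt_null"] += qtype.upper() in ("TXT", "NULL")
    return agg


def detect_dns_tunnels(records, min_queries=5, min_unique=5, min_label_len=12, min_hex_share=0.5):
    """Return the (client, domain) pairs whose query pattern looks like a tunnel: enough
    queries, almost all to distinct names, with long machine-generated leftmost labels."""
    flagged = []
    for (client, domain), s in dns_stats(records).items():
        mean_len = s["label_len"] / s["queries"]
        hex_share = s["hexlike"] / s["queries"]
        if (s["queries"] >= min_queries and len(s["names"]) >= min_unique
                and mean_len >= min_label_len and hex_share >= min_hex_share):
            flagged.append({
                "client": client, "domain": domain, "queries": s["queries"],
                "unique_names": len(s["names"]), "mean_label_len": round(mean_len, 1),
                "hex_share": round(hex_share, 2),
                "txt_null_share": round(s["txt_null"] / s["queries"], 2),
            })
    return flagged
```

The same aggregation works over HTTP logs for other covert channels (unusually long or high-cardinality URL paths or cookies to one host); what changes is only the field that carries the smuggled data.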

LEGAL CHALLENGES

The presentation of digital evidence is more difficult than its collection, because there are
many instances where the legal framework takes a soft approach and does not recognize every
aspect of cyber forensics. In Jagdeo Singh v. The State and Ors, the Hon'ble High Court of
Delhi held that "while dealing with the admissibility of an intercepted telephone call in a
CD and CDR which was without a certificate under Sec. 65B of the Indian Evidence Act, 1872
the court observed that the secondary electronic evidence without certificate u/s. 65B of
Indian Evidence Act, 1872 is not admissible and cannot be looked into by the court for any
purpose whatsoever." This happens in many cases, as the cyber police lack the necessary
qualification and ability to identify a possible source of evidence and prove it. Besides,
electronic evidence is often challenged in court on the ground of its integrity. In the
absence of proper guidelines, and without a proper explanation of how the electronic evidence
was collected and acquired, the evidence gets dismissed in itself.

Legal Challenges

S. no  Type                              Description
1      Absence of guidelines and         In India there are no proper guidelines for the collection
       standards                         and acquisition of digital evidence. The investigating
                                         agencies and forensic laboratories work on guidelines of
                                         their own. Because of this, the potential of digital
                                         evidence has been destroyed.
2      Limitation of the Indian          The Indian Evidence Act, 1872 has a limited approach; it
       Evidence Act, 1872                has not been able to evolve with the times and to address
                                         the fact that e-evidence is more susceptible to tampering,
                                         alteration, transposition, etc. The Act is silent on the
                                         method of collection of e-evidence and only focuses on the
                                         presentation of electronic evidence in court accompanied
                                         by a certificate as per sub-section 4 of Sec. 65B. This
                                         means that no matter what procedure is followed, the
                                         evidence must be proved with the help of a certificate.

Other Legal Challenges

● Privacy issues
● Admissibility in courts
● Preservation of electronic evidence
● Power for gathering digital evidence
● Analyzing a running computer

Resource Challenges

As the rate of crime increases, the amount of data increases, and so does the burden on the
digital forensic expert of analyzing such huge amounts of data, because digital evidence is
more fragile than physical evidence and can easily disappear. To make the investigation
process fast and useful, forensic experts use various tools to check the authenticity of the
data, but dealing with these tools is also a challenge in itself.

Types of Resource Challenges are:

● Change in technology

Due to the rapid change in technology (operating systems, application software and hardware),
reading digital evidence is becoming more difficult, because newer software versions do not
support the formats of older versions and the software companies do not provide backward
compatibility, which also has legal consequences.

● Volume and replication

The confidentiality, availability and integrity of electronic documents are easily
manipulated. The combination of wide-area networks and the internet forms a big network that
lets data flow beyond physical boundaries. Such ease of communication and availability of
electronic documents increases the volume of data, which also creates difficulty in
identifying the original and relevant data.

CONCLUSION & SUGGESTION

The scope of cyber forensics is wide in itself, and the use of various tools and techniques
and their different ways of working raise many issues for legal as well as technical experts.
Some common challenges, such as the lack of proper guidelines for the collection, acquisition
and presentation of electronic evidence, the rapid change in technology, big data, the use of
anti-forensic techniques by criminals, and the use of free online tools for investigation,
point towards the need for new enactments and amendments to present law, and for patches to
present technologies.

To deal with the above-mentioned issues we must have a specific national law which applies to
every person who is involved in a digital forensic investigation, deals with it, or provides
any service, tool or software used for investigation purposes. The investigating organizations
need to conduct training and awareness programmes for their digital forensics officers so
that they are familiar with new technologies, and the companies that make tools for digital
forensic investigation must provide proper instruction manuals with a proper explanation of
the pros and cons of the tools. Mobile and software companies need to provide patches for
outdated technology so that experts can easily analyze and preserve data for evidence
purposes if they find an old mobile model or old computer system at the crime scene.
Investigating offices also need to exercise due diligence during an investigation.

https://legaldesire.com/challenges-faced-by-digital-forensics/
