Computer Forensics Technology – Notes
Unit I: Overview of Computer Forensics Technology
Computer Forensics Fundamentals
What is Computer Forensics?
Computer Forensics is the process of identifying, preserving, analyzing, and presenting digital evidence from electronic devices in a legally acceptable manner.
Use of Computer Forensics in Law Enforcement
– Investigating cybercrimes (fraud, hacking, identity theft)
– Retrieving deleted files and logs
– Supporting court evidence with technical proof
Computer Forensics Assistance to HR/Employment Proceedings
– Monitoring employee misuse
– Tracking data theft
– Investigating policy violations
Computer Forensics Services
– Data recovery
– Incident response
– Malware analysis
– Network forensics
– Expert witness services
Benefits of Professional Forensics Methodology
– Ensures evidence integrity
– Prevents contamination
– Legally acceptable procedures
– Accurate and scientific results
Steps Taken by Computer Forensics Specialists
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Documentation
7. Presentation
Types of Computer Forensics Technology
– Business Computer Forensics
– Military Computer Forensics
– Law Enforcement Computer Forensics
Unit II: Computer Forensics Evidence and Capture
Data Recovery
Data Recovery Defined: Retrieving deleted, corrupted, or lost digital data.
Data Backup and Recovery: Backup supports restoration of lost information.
Role of Backup in Data Recovery: Ensures availability of older versions and prevents permanent loss.
Data Recovery Solution: Using tools like FTK, EnCase, R-Studio for restoration.
Evidence Collection and Data Seizure
Collection Options: Live acquisition, static acquisition, disk imaging, network acquisition.
Obstacles: Encryption, passwords, damaged disks, remote wiping.
Types of Evidence: Direct, indirect, volatile, network evidence.
Rules of Evidence: Must be authentic, intact, reproducible.
Volatile Evidence: RAM data, running processes, live connections.
General Procedure:
– Secure scene
– Document setup
– Seize devices legally
– Package securely
Collection and Archiving: Forensic images, secure evidence vaults.
Methods of Collection: Disk imaging, memory dump, packet capture.
Artifacts: Logs, registry entries, browser history.
Chain of Custody: Documenting every handler of evidence to prevent tampering.
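The rules of evidence above (authentic, intact, reproducible) and the chain of custody are usually enforced by hashing the forensic image at acquisition and re-hashing it at every hand-over. The following is an added illustration, not part of the original notes; the file names, handler names and the sample image bytes are constructed for the demo.

```python
"""Forensic image integrity check with a chain-of-custody log (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash an image in chunks so multi-gigabyte disk images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log: Path, image: Path, handler: str, action: str) -> dict:
    """Append one chain-of-custody entry: who handled the image, when, and its hash."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image": image.name,
        "handler": handler,
        "action": action,
        "sha256": sha256_file(image),
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")  # one JSON line per hand-over
    return entry


def verify_image(log: Path, image: Path) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    acquisition = json.loads(log.read_text(encoding="utf-8").splitlines()[0])
    return acquisition["sha256"] == sha256_file(image)


def demo() -> dict:
    """Constructed walk-through: acquire, hand over, verify, then detect a change."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        image = work / "evidence.dd"                      # constructed stand-in image
        image.write_bytes(b"CONSTRUCTED SAMPLE IMAGE CONTENT")
        log = work / "custody.jsonl"
        acquired = record_custody(log, image, "examiner-1", "acquired via write blocker")
        record_custody(log, image, "examiner-2", "received for analysis")
        intact = verify_image(log, image)
        image.write_bytes(b"CONSTRUCTED SAMPLE IMAGE CONTENT!")  # simulate tampering
        return {"acquired": acquired, "intact": intact, "after_change": verify_image(log, image)}
```

Any hash mismatch at a later hand-over means the image is no longer the one that was acquired, and the custody log shows which handler held it last.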
Unit IV: Computer Forensics Analysis
Discovery of Electronic Evidence
Electronic Document Discovery: The process of locating and retrieving emails, PDFs, and hidden files for litigation.
Identification of Data
Time Travel: Recovering historical versions of data.
Forensic Identification: Detecting suspicious files and user activity.
Technical Surveillance Device Analysis: Detecting hidden cameras, keyloggers, spyware.
Unit V: Reconstructing Past Events & Network Forensics
Reconstructing Past Events
Digital Detective Work: Using logs and timelines to trace actions.
Usable File Formats: .docx, .txt, .pdf
Unusable Formats: Corrupted or proprietary files
Converting Files: Using tools to restore readability.
Network Forensics
Network Forensics Scenario: Monitoring traffic, detecting intrusions.
Technical Approach: Packet sniffing, log analysis, IDS/IPS.
Destruction of Email: Manual deletion or wiping tools.
Damaging Computer Evidence: Overwriting, formatting, malware destruction.
Documenting Intrusion: Logs, screenshots, attack path diagrams.
System Testing: Verifying tools and analyzing attack responses.