Cyber Forensics
Key Takeaways & Definition
Definition: Cyber Forensics (or Digital Forensics) is the application of investigation and analysis techniques to gather and preserve evidence from a computing device in a way that is suitable for presentation in a court of law.
Core Concept: It is the "CSI" of the digital world. The goal is to answer: Who did it, When did they do it, and How did they do it?
The Golden Rule: Preserve the Evidence. Never alter the original data during the investigation.
1. Definition of Cyber Forensics
Cyber forensics is the scientific process of identifying, preserving, extracting, and documenting computer evidence. Unlike standard troubleshooting, forensics focuses on legal admissibility. If you find a hacker's file but change the "Last Modified" date by opening it, that evidence might be thrown out of court.
Why Cyber Forensics Matters:
Legal Prosecutions:
- Criminal cases: Hacking, fraud, child exploitation
- Civil cases: Intellectual property theft, contract disputes
- Evidence standards: Must meet legal requirements (Daubert/Frye standards)
Incident Investigation:
- Determine attack timeline
- Identify attacker tactics, techniques, procedures (TTPs)
- Support incident response decisions
Statistics:
- 73% of organizations conduct forensic investigations post-breach
- Average investigation cost: $1.5M for large breach
- Evidence rejection rate: 15% due to poor chain of custody
2. Objectives of Cyber Forensics
Recover Data
Finding deleted, encrypted, or damaged files.
Techniques:
- Undelete recovery: Files marked deleted but data remains
- Carving: Extract files from raw disk sectors
- Decryption: Break weak encryption, use known passwords
- Data recovery: Repair corrupted file systems
Identify the Culprit
Tracing the IP address or user account responsible for the attack.
Methods:
- Log analysis: Track user actions (login times, file access)
- Network forensics: Follow IP addresses through routers
- Metadata analysis: Document author, creation timestamps
- Attribution: Link evidence to a specific person
Prosecute
Producing a report that stands up to legal scrutiny in criminal or civil court.
Requirements:
- Chain of custody: Unbroken evidence tracking
- Expert testimony: Forensic analyst explains findings
- Admissibility: Follows legal standards (Federal Rules of Evidence)
- Reproducibility: Another expert can verify findings
Fix Loopholes
Understanding how the breach happened to prevent it from recurring.
Outcomes:
- Patch vulnerabilities
- Update security policies
- Improve detection mechanisms
- Security awareness training
3. The Cyber Forensics Lifecycle (The 5 Phases)
This is the standard process used by law enforcement and corporate investigators.
Phase 1: Identification
Goal: Determining what evidence exists and where it is stored.
Action: Is the evidence on a laptop? A server? A cloud account? A USB stick?
Key Questions:
- What type of incident occurred?
- What devices are involved?
- What time period is relevant?
- Who had access?
Evidence Sources:
- Endpoints: Laptops, desktops, servers
- Mobile devices: Smartphones, tablets
- Network devices: Routers, firewalls, switches
- Cloud services: AWS, Google Drive, Office 365
- Physical media: USB drives, external HDDs, backup tapes
Documentation:
- Device make/model/serial numbers
- Physical location
- Who owns the device
- Network configuration
Phase 2: Preservation (CRITICAL STEP)
Goal: Securing the data so it cannot be tampered with.
Action: Using a Write Blocker to make an exact "Bit-by-Bit" copy (Forensic Image) of the hard drive. Investigators never work on the original drive.
Why This Matters:
- Original = Evidence: Must remain untouched
- OS modifies files: Even viewing files changes metadata
- Court requirement: Prove the data was not altered
Write Blocker:
Suspect Hard Drive → Write Blocker → Forensic Workstation
                           ↓
                Blocks ALL write commands
                Allows only read operations
Types:
- Hardware write blocker: Physical device (Tableau, CRU WiebeTech)
- Software write blocker: OS-level protection (less reliable)
Forensic Imaging:
1. Connect suspect drive via write blocker
2. Use imaging tool (FTK Imager, dd, EnCase)
3. Create bit-by-bit copy (every sector, including deleted data)
4. Generate hash (MD5, SHA-256) of original
5. Generate hash of copy
6. Hashes must match (proves exact copy)
7. Store original in evidence locker (never touched again)
8. Work only on the copy
Hash Verification:
Original Drive: SHA-256 = abc123def456...
Forensic Copy: SHA-256 = abc123def456...
Match = Verified Exact Copy ✓
Live System Considerations:
- Running system? Consider memory capture before shutdown
- Encryption? May need to image while powered on (encryption keys in RAM)
- Remote system? Network-based acquisition
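The imaging-plus-hash procedure above, as an added example written for this page (it is not the page's own code nor that of any imaging tool): it copies a source block by block, hashes source and copy independently, and then shows that flipping a single bit in the copy makes re-verification fail. The suspect drive is a constructed temp file standing in for a device behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads; streaming keeps memory flat even for multi-TB sources

def sha256_file(path):
    """Streaming SHA-256 of a file, so an image larger than RAM can still be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`; returns (source_hash, image_hash, match).
    The source hash covers exactly the bytes read; the image hash comes from re-reading the
    finished file, so a write error or a short copy surfaces as a mismatch."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    source_hash = h_src.hexdigest()
    image_hash = sha256_file(image_path)
    return source_hash, image_hash, source_hash == image_hash

def verify_image(image_path, recorded_hash):
    """Re-verification: does the working copy still match the hash recorded in the case file?"""
    return sha256_file(image_path) == recorded_hash

def demo():
    """Constructed stand-in for a suspect drive: a temp file, not a real /dev/sdX."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "case001.dd")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not block-aligned
    source_hash, image_hash, match = acquire_image(drive, image)
    # Flip one bit in the copy: any alteration, however small, breaks verification.
    with open(image, "r+b") as f:
        f.seek(500)
        original = f.read(1)
        f.seek(500)
        f.write(bytes([original[0] ^ 0x01]))
    still_valid = verify_image(image, source_hash)
    return match, still_valid  # (True, False)
```

Recording `source_hash` in the case notes at acquisition time is what lets a second examiner repeat `verify_image` months later and prove the copy is still exact.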
Phase 3: Analysis
Goal: Extracting meaningful data from the forensic image.
Action: Recovering deleted files, cracking passwords, and analyzing web history and email headers using tools like EnCase or Autopsy.
Analysis Techniques:
File System Analysis:
- Browse directory structure
- Recover deleted files (unallocated space)
- Timeline creation (when files were created/modified/accessed)
- Identify file types (by signature, not extension)
Registry Analysis (Windows):
- User accounts (SAM hive)
- Recently opened files (RecentDocs)
- USB device history (USBSTOR)
- Installed programs
Browser History:
- Visited websites (Chrome/Firefox history databases)
- Cookies (session tracking)
- Cache (images, HTML)
- Downloads
Email Analysis:
- Email headers (trace sender IP)
- Attachments
- Deleted emails (PST/OST recovery)
Network Artifacts:
- IP addresses contacted
- Network shares accessed
- VPN connections
Malware Analysis:
- Identify malicious files (hash comparison with known malware)
- Analyze suspicious processes
- Reverse engineering (advanced)
Keyword Searching:
- Search for relevant terms (company secrets, profanity, etc.)
- Regular expressions (credit card patterns)
Tools:
- Commercial: EnCase, FTK (Forensic Toolkit), X-Ways
- Open-source: Autopsy, Sleuth Kit, Volatility (memory)
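An added example (not code from the original page or from any of the tools named above) of two of the file-system techniques listed: signature-based type identification and a modification-time timeline, run over a constructed set of three files. The signature table, file names and timestamps are assumptions chosen for the demo; an executable renamed to .jpg is the kind of mismatch the extension alone would hide.

```python
import os
import tempfile

SIGNATURES = {  # well-known leading bytes (magic numbers); renaming a file does not change them
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also the container for docx/xlsx/pptx/jar
    b"MZ": "exe",          # Windows PE executable
}
ZIP_CONTAINERS = {"zip", "docx", "xlsx", "pptx", "jar"}

def identify(path):
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def scan(root):
    """Walk an extracted directory; return (mtime, name, ext, kind, mismatch) rows sorted
    by modification time (a simple file timeline). mismatch is True when the name claims
    one type but the content is another."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            kind = identify(path)
            mismatch = kind != "unknown" and (
                ext not in ZIP_CONTAINERS if kind == "zip" else ext != kind)
            rows.append((int(os.stat(path).st_mtime), name, ext, kind, mismatch))
    rows.sort()
    return rows

def demo():
    """Constructed evidence set: three small files with backdated modification times."""
    root = tempfile.mkdtemp()
    samples = [  # (name, leading bytes, mtime as UNIX epoch)
        ("report.pdf", b"%PDF-1.7 constructed", 1_770_000_000),
        ("holiday.jpg", b"MZ\x90\x00 not a photo", 1_770_003_600),  # executable renamed .jpg
        ("notes.docx", b"PK\x03\x04 zip container", 1_769_996_400),
    ]
    for name, data, epoch in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (epoch, epoch))
    return scan(root)
```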
Phase 4: Documentation
Goal: Keeping a detailed log of every action taken.
Action: "I connected Drive A at 10:00 AM using Cable B." If you don't document it, it didn't happen.
What to Document:
Chain of Custody:
- Who collected evidence
- Date/time collected
- Where stored
- Who accessed it
- Every transfer of custody
Investigation Actions:
- Every tool used (name, version)
- Every command executed
- Every file examined
- Every finding
Technical Details:
- Hardware specifications
- Software versions
- Hash values
- Screenshots
Timeline:
- Chronological sequence of events
- User actions
- System events
Notes:
- Observations
- Interpretations
- Questions for follow-up
Why Critical:
- Legal requirement: Evidence trail must be complete
- Reproducibility: Another expert can verify
- Cross-examination: Withstand attorney questioning
Phase 5: Presentation
Goal: Presenting findings to a non-technical audience (Judge/Jury).
Action: Writing a final report that explains the technical data in simple English.
Report Structure:
1. Executive Summary:
- Key findings in plain language
- Who, what, when, where, how
2. Scope:
- What was examined
- What was not examined
- Limitations
3. Methodology:
- Tools used
- Processes followed
- Standards applied (NIST, ISO)
4. Findings:
- Evidence discovered
- Timeline of events
- Attribution (who did it)
5. Conclusions:
- Expert opinion
- Answers to investigative questions
6. Appendices:
- Technical details
- Screenshots
- Log extracts
- Chain of custody
Presentation Tips:
- Avoid jargon: "The suspect accessed..." not "The UID traversed..."
- Visual aids: Screenshots, timelines, diagrams
- Tell a story: Connect evidence into a narrative
- Anticipate questions: Be prepared for cross-examination
Expert Witness Role:
- Explain technical concepts
- Defend methodology
- Withstand cross-examination
- Remain neutral (facts, not opinions)
4. Types of Cyber Forensics
A. Disk Forensics
Extracting data from storage media (Hard drives, SSDs, USBs).
Focus:
- File system analysis
- Deleted file recovery
- Timeline reconstruction
- Partition analysis
Challenges:
- Encryption: BitLocker, FileVault (need keys)
- SSDs: TRIM command erases deleted data
- Large capacity: TB-sized drives take hours to image
B. Network Forensics
Monitoring and analyzing network traffic (Packet Sniffing) to find intrusion attempts.
Data Sources:
- Packet captures (PCAP): Wireshark, tcpdump
- Firewall logs: Allowed/blocked connections
- IDS/IPS alerts: Snort, Suricata
- DNS logs: Domain name lookups
- Proxy logs: Web requests
Analysis:
- Identify attacker IP addresses
- Reconstruct attack timeline
- Extract files transferred
- Detect command-and-control (C2) traffic
Challenges:
- Volume: Massive data (TB per day)
- Encryption: HTTPS/TLS hides content
- Ephemeral: Traffic disappears if not captured
C. Mobile Forensics
Recovering data from smartphones (SMS, Call Logs, GPS).
Data Types:
- Call logs: Incoming/outgoing calls
- SMS/MMS: Text messages, pictures
- Contacts: Address book
- Location: GPS history, cell tower data
- Apps: WhatsApp, Snapchat, dating apps
- Photos/videos: Gallery, deleted images
Extraction Methods:
- Logical: Access file system (like a USB drive)
- Physical: Bit-by-bit dump (root/jailbreak needed)
- Cloud: iCloud, Google backup
Tools:
Cellebrite, Oxygen Forensics, XRY
Challenges:
- Encryption: iOS Secure Enclave, Android FDE
- Pattern locks: Brute force or bypass
- App sandboxing: Can't access without root
- Updates: New OS versions break tools
D. Memory Forensics
Analyzing the computer's RAM (Volatile Memory) to find malware that doesn't save itself to the hard disk.
Why RAM?
- Malware hides in memory: Fileless attacks
- Encryption keys: Stored in RAM while the system is running
- Running processes: What's executing right now
- Network connections: Active communications
- Passwords: Typed recently
Process:
- Capture RAM dump (DumpIt, FTK Imager, WinPMEM)
- Analyze with Volatility Framework
- Extract processes, network connections, registry keys
What's Found:
- Hidden malware processes
- Injected code
- Encryption keys (before shutdown)
- Open network sockets
- Recently typed text
Challenge: RAM is volatile - power loss = data gone forever
Chain of Custody (The Legal Backbone)
The Chain of Custody is a legal document that tracks the movement of evidence.
It records:
- ✓ Who collected the evidence
- ✓ When they collected it
- ✓ Where it was stored
- ✓ Who handled it (every person)
Why It Matters:
If there is a 1-hour gap in the log where the hard drive is unaccounted for, the defense lawyer will argue that someone could have planted false evidence during that time.
Broken Chain = Case Dismissed
Example Chain of Custody Log:
Date/Time | Person | Action | Location
----------------|---------------|---------------------|------------------
2026-02-09 10:00| Det. Smith | Seized laptop | 123 Main St
2026-02-09 10:30| Det. Smith | Transport to lab | Evidence Room A
2026-02-09 11:00| Analyst Jones | Received for imaging| Lab B
2026-02-09 14:00| Analyst Jones | Imaging complete | Lab B
2026-02-09 14:15| Analyst Jones | Stored in locker | Evidence Vault 5
2026-02-09 15:00| Lt. Williams | Retrieved for court | Evidence Vault 5
Every gap must be explained:
- Lunch break? Document it.
- Overnight? Evidence locker secured.
- Weekend? Explain who had access.
Signature Required: Each person signs when receiving/transferring evidence.
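An added example, not part of the original page, that audits a chain-of-custody log in the layout shown above for the three things the text says a defence lawyer will look for: entries out of chronological order, intervals with no entry longer than a threshold, and every handover between custodians (each of which needs both signatures). The log entries are the constructed ones from the table; the one-hour threshold is an assumption, so the 11:00 to 14:00 imaging window is flagged as an interval that must be explained.

```python
from datetime import datetime, timedelta

# Constructed log in the same "Date/Time | Person | Action | Location" layout as the table above.
CUSTODY_LOG = """\
2026-02-09 10:00| Det. Smith    | Seized laptop       | 123 Main St
2026-02-09 10:30| Det. Smith    | Transport to lab    | Evidence Room A
2026-02-09 11:00| Analyst Jones | Received for imaging| Lab B
2026-02-09 14:00| Analyst Jones | Imaging complete    | Lab B
2026-02-09 14:15| Analyst Jones | Stored in locker    | Evidence Vault 5
2026-02-09 15:00| Lt. Williams  | Retrieved for court | Evidence Vault 5
"""

def parse_log(text):
    """Turn the pipe-separated log into (timestamp, person, action, location) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Date", "-")):  # skip header/separator rows
            continue
        when, person, action, location = (c.strip() for c in line.split("|"))
        entries.append((datetime.strptime(when, "%Y-%m-%d %H:%M"), person, action, location))
    return entries

def audit(entries, max_gap=timedelta(hours=1)):
    """Return entries logged out of order, intervals longer than max_gap with no entry
    (start, end, minutes, custodian responsible), and every change of custodian."""
    out_of_order, gaps, transfers = [], [], []
    for prev, cur in zip(entries, entries[1:]):
        if cur[0] < prev[0]:
            out_of_order.append(cur)
        delta = cur[0] - prev[0]
        if delta > max_gap:
            gaps.append((prev[0], cur[0], int(delta.total_seconds() // 60), prev[1]))
        if cur[1] != prev[1]:
            transfers.append((cur[0], prev[1], cur[1]))
    return {"out_of_order": out_of_order, "gaps": gaps, "transfers": transfers}

def demo():
    """Audit the constructed log above."""
    return audit(parse_log(CUSTODY_LOG))
```

A flagged interval is not itself a broken chain; it is the place where the log needs a note such as "imaging in progress, Lab B locked" before the report goes to court.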
5. Order of Volatility (EXAM TOPIC)
When arriving at a crime scene, what do you collect first? You must collect the data that disappears the fastest.
The RFC 3227 Order (Most to Least Volatile):
1. CPU Registers / Cache
- Lifespan: Microseconds
- Action: Usually not captured (too fast, requires specialized tools)
2. RAM (Main Memory)
- Lifespan: Lost when power is off
- Action: CAPTURE IMMEDIATELY before shutdown
Critical Data in RAM:
- Running processes
- Open network connections
- Encryption keys
- Recently typed passwords
- Clipboard contents
- Malware in memory (fileless)
Tools: DumpIt, FTK Imager Memory, WinPMEM
3. Network State
- Lifespan: Changes constantly
- Action: Capture active connections
Commands:
netstat -ano # Windows: Active connections
ss -tulpn # Linux: Socket statistics
arp -a # ARP cache (MAC addresses)
4. Running Processes
- Lifespan: Can terminate at any moment
- Action: List all processes
Commands:
tasklist # Windows
ps aux # Linux
5. Hard Drive (Data at Rest)
- Lifespan: Persistent (until overwritten)
- Action: Create forensic image
Less urgent (data doesn't disappear), but still important.
6. Backups / Removable Media
- Lifespan: Very stable
- Action: Secure and image
Least volatile - can be collected last.
RULE:
Always capture RAM (Memory) before pulling the power plug, because RAM contains a "snapshot" of running malware. Once power is lost, RAM is gone forever.
Live vs Dead Acquisition:
Live Acquisition (System Running):
- ✓ Capture RAM (encryption keys, malware)
- ✓ Network connections visible
- ✗ Modifies system (some changes inevitable)
Dead Acquisition (System Off):
- ✓ No further changes to system
- ✓ Clean forensic image
- ✗ RAM lost
- ✗ Encryption may lock data
Best Practice: Live capture RAM first, then power down and image disk.
Conclusion
Cyber Forensics bridges the gap between Technology and Law. While Incident Response focuses on survival (getting the business back online), Forensics focuses on justice (proving who did it).
Key Takeaways:
- ✓ 5-Phase Process: Identification → Preservation → Analysis → Documentation → Presentation
- ✓ Golden Rule: Never alter original evidence (work on forensic copies)
- ✓ Write Blocker: Hardware device prevents modifications
- ✓ Chain of Custody: Unbroken evidence tracking (legal requirement)
- ✓ Order of Volatility: RAM first, disk second (most to least volatile)
- ✓ Hash Verification: MD5/SHA-256 proves data integrity
- ✓ Legal Admissibility: Evidence must meet court standards
- ✓ Expert Testimony: Forensic analyst explains findings in court
For a forensic investigator, the integrity of the data is more important than the speed of recovery.
The Future:
- AI-powered forensics
- Cloud forensics challenges
- IoT device analysis
- Quantum computing threats
These technologies will reshape digital investigations!