16FLICDDN01021 | BBA LLB 5TH YEAR

Table of Contents
CYBER CRIME INVESTIGATION & CYBER FORENSIC
1. INTRODUCTION
2. DIGITAL FORENSIC PROCESS
3. DIGITAL EVIDENCE (ELECTRONIC EVIDENCE)
4. E-MAIL FORENSICS
5. BIBLIOGRAPHY

CYBER CRIME INVESTIGATION & CYBER FORENSIC

1. INTRODUCTION

Before jumping into the “investigation” part, let’s go back to the basics: a digital crime or
cybercrime is a crime that involves the usage of a computer, phone or any other digital device
connected to a network.

These electronic devices can be used for two things: perform the cybercrime (that is, launch a
cyber attack), or act as the victim, by receiving the attack from other malicious sources.

Therefore, a cybercrime investigation is the process of investigating, analyzing and
recovering critical forensic digital data from the networks involved in the attack—this could
be the Internet and/or a local network—in order to identify the perpetrators of the digital
crime and their true intentions.

Cybercrime investigators must be experts in computer science, understanding not only
software, file systems and operating systems, but also how networks and hardware work.
They must be knowledgeable enough to determine how the interactions between these
components occur, to get a full picture of what happened, why it happened, when it
happened, who performed the cybercrime itself, and how victims can protect themselves in
the future against these types of cyber threats.

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computing device and who was responsible for it.

Forensic investigators typically follow a standard set of procedures: After physically isolating
the device in question to make sure it cannot be accidentally contaminated, investigators
make a digital copy of the device's storage media. Once the original media has been copied, it
is locked in a safe or other secure facility to maintain its pristine condition. All investigation
is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic software applications to
examine the copy, searching hidden folders and unallocated disk space for copies of deleted,
encrypted, or damaged files. Any evidence found on the digital copy is carefully documented
in a "finding report" and verified against the original in preparation for legal proceedings
that involve discovery, depositions, or actual litigation.

Computer forensics has become its own area of scientific expertise, with accompanying
coursework and certification.

2. DIGITAL FORENSIC PROCESS

Handling of evidence is the most important aspect in digital forensics. It is imperative that
nothing be done that may alter digital evidence. This is known as preservation: the isolation
and protection of digital evidence exactly as found without alteration so that it can later be
analyzed.

Collection is the gathering of devices and duplication of electronically stored information
(ESI) for the purpose of preserving digital evidence (an exact copy of the original) that
remains untouched while digital forensics is performed. Here at Drive Savers, we never work
on the original copy. Historically, the collection of data for forensics literally involved
pulling the plug from a computer and sending it to a forensic team. Depending on the
situation, this is no longer acceptable; in certain cases it is a sure way to lose valuable
evidence. On the other hand, you may have to turn off the device or isolate ESI in a way that
will not alter evidence, as with some smartphones, to which a wipe command can be sent
remotely, erasing everything. Careful consideration of the situation is necessary.

Dead box forensic collection (imaging a device after it is powered off in order to collect
digital evidence) remains an essential part of the digital forensic process. With today's
technology it is increasingly important to also conduct live box forensic collection, or
simply a live collection (the collection of data from an active device prior to shutting it
down). For example, if the device is encrypted and you do not have the passcode or
encryption key, you may never have another chance to acquire valuable evidence once that
device powers off or locks due to inactivity.

Relevant data can also be permanently lost through continued use of a device, such as when
an employee leaves a company and their computer remains in use. When a summons arrives
six months later, it might be too late to realize that you should have preserved their old
computer. Preserving a former employee's electronic devices, especially those of C-level
executives, may not be forensic best practice, but it can surely be considered business best
practice. I know it is tempting to log onto a former employee's device and see what they did,
but Stop! The data must be preserved for collection if it is to be considered for litigation.
Time and date stamps will change, system log files will rotate and valuable information can
be lost.

A copy of digital evidence must be properly preserved and collected in accordance with
forensic best practices. Otherwise, the digital evidence may be inadmissible in court or
spoliation sanctions may be imposed. This might be a good time to go back and review
the Identification process.

A proper forensic image (sector copy) contains the operating system (OS) and deleted data, in
addition to user-generated data. There will be times when it is not possible to collect the OS
or deleted data due to time constraints, business operations or court order restrictions, and a
focused and/or targeted approach to collection of ESI will be required. If deleted data is
suspected, then a sector-by-sector copy of the entire computer will be necessary and could be
time consuming. If you have minutes rather than hours, 90% of relevant evidence can be
acquired by collecting user-generated data only; don't forget the recycle bin.
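The acquisition, preservation and verification steps described in sections 1 and 2 (image the media sector by sector, never touch the original, verify the copy against it, document what is found) as an added Python example that is not part of the original assignment. The eight-sector "media", the DELETED: marker and the in-memory image are constructed for illustration; a real acquisition would read a write-blocked block device instead of a byte string.

```python
import hashlib
import io

SECTOR = 512

# Constructed sample "media" (not a real disk): 8 sectors. Sectors 0-3 hold a
# live file; sectors 4-7 are unallocated space still carrying deleted data.
LIVE_FILE = b"Quarterly report, final draft.".ljust(SECTOR * 4, b"\x00")
UNALLOCATED = (b"\x00" * 40 + b"DELETED: draft_memo.txt").ljust(SECTOR * 4, b"\x00")
ORIGINAL_MEDIA = LIVE_FILE + UNALLOCATED

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def acquire_image(device, chunk_sectors=64):
    """Sector-by-sector copy of a block device (bytes or a file object standing
    in for /dev/sdX). The hash covers the very bytes written out, so the
    recorded acquisition hash describes exactly what the image contains."""
    if isinstance(device, (bytes, bytearray)):
        device = io.BytesIO(device)
    image, digest = io.BytesIO(), hashlib.sha256()
    device.seek(0)
    while chunk := device.read(SECTOR * chunk_sectors):
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest()

def verify_image(original, image, acquisition_hash):
    """Original media and working copy must both still match the hash recorded
    at acquisition; otherwise findings cannot be tied back to the seized device."""
    return sha256_hex(original) == acquisition_hash == sha256_hex(image)

def carve_unallocated(image, first_unallocated_sector, marker=b"DELETED:"):
    """Search unallocated sectors of the *copy* for remnants of deleted data;
    returns (sector number, recovered text) pairs for the finding report."""
    hits = []
    for sec in range(first_unallocated_sector, len(image) // SECTOR):
        sector = image[sec * SECTOR:(sec + 1) * SECTOR]
        pos = sector.find(marker)
        if pos != -1:
            hits.append((sec, sector[pos:].rstrip(b"\x00").decode()))
    return hits

if __name__ == "__main__":
    image, acq_hash = acquire_image(ORIGINAL_MEDIA)
    print("copy verifies:", verify_image(ORIGINAL_MEDIA, image, acq_hash))
    print("carved from unallocated space:", carve_unallocated(image, 4))
    # Flipping one bit in the working copy is enough to fail verification.
    tampered = bytes([image[0] ^ 0x01]) + image[1:]
    print("tampered copy verifies:", verify_image(ORIGINAL_MEDIA, tampered, acq_hash))
```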

3. DIGITAL EVIDENCE (ELECTRONIC EVIDENCE)

Digital evidence or electronic evidence is any probative information stored or transmitted
in digital form that a party to a court case may use at trial. Before accepting digital evidence,
a court will determine whether the evidence is relevant, whether it is authentic, whether it is
hearsay and whether a copy is acceptable or the original is required.

Use of Electronic Evidence in Judicial Proceedings

The proliferation of computers and digitalisation has been one of the most revolutionary
developments in human history. As with other spheres of human life, cyberspace has not
been free from dangers and the commission of crimes, a consequence of the diversity of
content and information available together with its ease of access and wide reach. With the
growth of cyberspace, there has been a tremendous increase in its misuse. The authenticity
of e-documents has always been debatable, given how prone they are to tampering, and
investigation agencies increasingly face issues regarding the admissibility of such electronic
evidence.

Since electronic evidence, as compared to conventional or traditional evidence, requires
specialised and expert training in the field of cyberspace, the method used to investigate and
analyse the data maintained on or retrieved from electronic media for the purposes of
presentation in a court of law is of prime importance.

The article analyses and examines the admissibility of electronic evidence in a court of law
based on judicial pronouncements and legislative intent.

4. E-MAIL FORENSICS

Modern communication is impossible without email. In the field of business
communication, emails are considered an integral part. At the same time, emails are also
used by criminals [1,3,5]. In digital forensics, emails are considered evidence, and email
header analysis has become an important means of collecting evidence during the forensic
process [1,2]. Email clients are computer programs that allow users to send and receive
emails. Over time, different types of email clients have been developed for the convenience
of email users. Broadly, email clients are divided into two types based on where they store
mail: web-based email clients and desktop-based email clients.

a) Web-based Email Clients: Web-based email clients store all their data on the provider's
web server. Some web-based clients are Gmail, Yahoo Mail, Hotmail, etc. The benefit of
using web-based email clients is that they can be accessed from anywhere in the world with
a username and password. One of their disadvantages is that users do not know where their
data is being stored.

b) Desktop-based Email Clients: Desktop-based email clients are the opposite of web-based
clients. Outlook, Thunderbird and Mailbird are some examples of desktop-based email
clients. All data of a desktop-based email client is stored on the user's own system, so users
keep their data under their own control. The same point can be considered a disadvantage in
some cases, especially when the client is used in criminal activities and the evidence cannot
be collected from the server [3,5]. E-mail messages include transit handling envelope and
trace information in the form of structured header fields which are not stripped after
messages are delivered, leaving a detailed record of e-mail transactions. A detailed header
analysis can be used to map the networks traversed by messages, including information on
the messaging software and patching policies of clients and gateways, etc. Over the years
e-mail protocols have been secured through several security extensions and procedures;
however, cybercriminals continue to misuse them for illegitimate purposes by sending spam,
phishing e-mails, distributing child pornography and hate e-mails, besides propagating
viruses, worms, hoaxes and Trojan horses. Further, misuse of Internet infrastructure through
denial of service and the waste of storage space and computational resources is costing every
Internet user directly or indirectly.

E-mail forensic analysis is used to study the source and content of an e-mail message as
evidence, identifying the actual sender, recipient, and the date and time it was sent, etc., to
collect credible evidence to bring criminals to justice [1-5]. This paper is an attempt to
illustrate e-mail architecture from a forensic perspective. It describes the roles and
responsibilities of different e-mail actors and components, itemizes the meta-data contained
in e-mail headers, and lists the protocols and ports used. It further describes various tools
and techniques currently employed to carry out forensic investigation of an e-mail message.
This paper projects the need for e-mail forensic investigation and lists various methods and
tools used for its realization. A detailed header analysis of a multiple-tactic spoofed e-mail
message is carried out in this paper.

It also discusses various possibilities for detection of spoofed headers and identification of
their originator. Further, difficulties that may be faced by investigators during forensic
investigation of an e-mail message are discussed along with their possible solutions [3,4].

Also, this paper discusses tracing e-mail headers and the issues associated with it. It
addresses both HTTP- and SMTP-initiated e-mails. It discusses different ways used by e-mail
senders to evade tracing and the workarounds used by investigators to combat them. It also
discusses advanced measures and techniques used by investigators to track emails [5]. The
paper demonstrates particular tools, such as eMailTrackerPro and Aid4Mail, in action.

10th International Conference on Business Information Security (BISEC-2018), 20th October
2018, Belgrade, Serbia
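The header analysis this section describes (mapping the relays a message traversed) together with the spoofed-header detection it mentions, as an added Python example that is neither from the cited paper nor from the tools it names. The message is constructed (RFC 5737 documentation addresses, .example hosts); the hop regex and the four cross-checks are this example's own: the user-visible From: domain is compared with the envelope Return-Path, the Message-ID host, the first Received: hop and the ordering of hop timestamps.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture): the From: line claims
# bank.example, but the envelope sender and the relay path say otherwise.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx1.victim.example (mx1.victim.example [203.0.113.10])
\tby inbox.victim.example with ESMTP id 7Ab3; Mon, 15 Oct 2018 09:12:05 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
\tby mx1.victim.example with ESMTP id 9Cd1; Mon, 15 Oct 2018 09:12:03 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mail-relay.example.net with SMTP; Mon, 15 Oct 2018 09:11:58 +0000
From: "Accounts" <accounts@bank.example>
Message-ID: <20181015091158.A1B2@mail-relay.example.net>
"""
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<cmt>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def parse_hops(msg):
    """MTAs prepend Received: lines, so bottom-up order is chronological (originator first)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        if m := HOP_RE.search(hdr):  # unparseable hops are skipped, not guessed
            ip = IP_RE.search(m.group("cmt") or m.group("src"))
            hops.append({"from_host": m.group("src"), "from_ip": ip.group() if ip else None,
                         "by_host": m.group("by"),
                         "time": parsedate_to_datetime(hdr.rsplit(";", 1)[-1].strip())})
    return hops

def spoofing_indicators(msg, hops):
    """Cross-check the visible From: against fields a spoofer controls less easily."""
    findings, claimed = [], domain_of(msg["From"])
    for field in ("Return-Path", "Message-ID"):
        if domain_of(msg[field]) != claimed:
            findings.append(f"{field} domain {domain_of(msg[field])} != From domain {claimed}")
    if hops and not hops[0]["from_host"].lower().endswith(claimed):
        findings.append(f"originating hop {hops[0]['from_host']} is not a {claimed} host")
    if any(a["time"] > b["time"] for a, b in zip(hops, hops[1:])):
        findings.append("Received timestamps not chronological (forged or inserted header)")
    return findings

def analyse(raw):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    return hops, spoofing_indicators(msg, hops)
```

Run against RAW_MESSAGE, `analyse` lists the three hops from 192.0.2.77 to the inbox and three indicators; each is a lead to verify against the relays' own logs, not proof by itself.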

5. BIBLIOGRAPHY
