Table of Contents
CYBER CRIME INVESTIGATION & CYBER FORENSIC ... 1
1. INTRODUCTION ... 2
2. DIGITAL FORENSIC PROCESS ... 3
3. DIGITAL EVIDENCE (ELECTRONIC EVIDENCE) ... 4
4. E-MAIL FORENSICS ... 5
5. BIBLIOGRAPHY ... 7
1|Page
CYBER CRIME INVESTIGATION & CYBER FORENSIC
1. INTRODUCTION
Before jumping into the “investigation” part, let’s go back to the basics: a digital crime or
cybercrime is a crime that involves the use of a computer, phone or any other digital device
connected to a network.
These electronic devices can play one of two roles: they can be used to commit the cybercrime
(that is, to launch a cyber attack), or they can be the victim, receiving the attack from other
malicious sources.
Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computing device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures: After physically isolating
the device in question to make sure it cannot be accidentally contaminated, investigators
make a digital copy of the device's storage media. Once the original media has been copied, it
is locked in a safe or other secure facility to maintain its pristine condition. All investigation
is done on the digital copy.
encrypted, or damaged files. Any evidence found on the digital copy is carefully documented
in a "finding report" and verified with the original in preparation for legal proceedings that
involve discovery, depositions, or actual litigation.
Computer forensics has become its own area of scientific expertise, with accompanying
coursework and certification.
Handling of evidence is the most important aspect in digital forensics. It is imperative that
nothing be done that may alter digital evidence. This is known as preservation: the isolation
and protection of digital evidence exactly as found without alteration so that it can later be
analyzed.
Dead box forensic collection (imaging a device after it has been powered off in order to collect
digital evidence) remains an essential part of the digital forensic process. With today’s
technology it is growing more and more important to also conduct live box forensic collection,
or simply a live collection (the collection of data from an active device prior to shutting it
down). For example, if the device is encrypted and you do not have the passcode or encryption
key, you may never have another chance to acquire valuable evidence once that device powers
off or locks due to inactivity.
Relevant data can also be permanently lost through continued use of a device, such as when an
employee leaves a company and their computer remains in use. When a summons arrives six
months later, it may be too late to realize that you should have preserved their old computer.
Preserving a former employee’s electronic devices, especially those of C-level staff, may not be a
forensic best practice, but it can surely be considered a business best practice. I know it is
tempting to log onto a former employee’s device and see what they did, but stop! The data must
be preserved for collection if it is to be considered for litigation. Time and date stamps will
change, system log files will rotate and valuable information can be lost.
A copy of digital evidence must be properly preserved and collected in accordance with
forensic best practices. Otherwise, the digital evidence may be inadmissible in court or
spoliation sanctions may be imposed. This might be a good time to go back and review
the Identification process.
A proper forensic image (sector copy) contains the operating system (OS) and deleted data, in
addition to user-generated data. There will be times when it is not possible to collect the OS
or deleted data due to time constraints, business operations or court order restrictions. In those
cases a focused and/or targeted approach to the collection of ESI will be required. If deleted data
is suspected, then a sector-by-sector copy of the entire computer will be necessary, and this can be
time consuming. If you have minutes rather than hours, 90% of relevant evidence can be acquired
by collecting user-generated data only; don’t forget the recycle bin.
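The two steps the text keeps returning to are making a sector-by-sector copy and verifying the copy against the original so that findings can be tied back to pristine media. The following Python example is added here to make that concrete; it is not part of the original document. The 512-byte sector size and the four-sector "drive" are constructed for the example, and the per-sector comparison is an illustration of how an examiner would locate a mismatch, not a description of any particular imaging tool.

```python
from __future__ import annotations

import hashlib

# Sector size assumed for this constructed example (real media use 512 or 4096 bytes).
SECTOR_SIZE = 512


def hash_media(data: bytes) -> dict[str, object]:
    """Acquisition hashes an examiner records for a piece of media (or its image)."""
    return {
        "sectors": -(-len(data) // SECTOR_SIZE),  # ceiling division
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def image_media(source: bytes) -> bytes:
    """Sector-by-sector copy: every sector is copied, so slack space and deleted data
    come along with the user-generated files (the 'sector copy' of the text)."""
    image = bytearray()
    for offset in range(0, len(source), SECTOR_SIZE):
        image += source[offset:offset + SECTOR_SIZE]
    return bytes(image)


def verify_image(source: bytes, image: bytes) -> tuple[bool, list[int]]:
    """Verify an image against the original.

    Returns (whole-media hashes match, numbers of the sectors that differ). The whole-media
    hash is what goes into the finding report; the per-sector comparison tells the examiner
    where a mismatch lies, e.g. a damaged sector or a byte altered on the working copy."""
    match = hash_media(source)["sha256"] == hash_media(image)["sha256"]
    differing = []
    length = max(len(source), len(image))
    for number, offset in enumerate(range(0, length, SECTOR_SIZE)):
        if source[offset:offset + SECTOR_SIZE] != image[offset:offset + SECTOR_SIZE]:
            differing.append(number)
    return match, differing


def demo() -> tuple[tuple[bool, list[int]], tuple[bool, list[int]]]:
    """Constructed walk-through: image a four-sector 'drive', verify the image, then show
    that changing a single byte of the working copy breaks verification."""
    source = b"".join(bytes([i]) * SECTOR_SIZE for i in range(4))  # constructed media
    image = image_media(source)
    clean = verify_image(source, image)            # (True, [])
    tampered = bytearray(image)
    tampered[2 * SECTOR_SIZE + 7] ^= 0xFF          # one byte changed in sector 2
    dirty = verify_image(source, bytes(tampered))  # (False, [2])
    return clean, dirty


if __name__ == "__main__":
    for label, (ok, sectors) in zip(("untouched image", "altered image"), demo()):
        print(label, "->", "verified" if ok else f"MISMATCH in sectors {sectors}")
```

Recording both the whole-media hash and the sector count at acquisition time is what lets a later reader of the finding report confirm that the copy analysed is the copy that was taken; the per-sector pass is only needed when the hashes disagree and the examiner has to explain why.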
One of the greatest and most revolutionary inventions of mankind has been the proliferation
of computers and digitalisation. As with other spheres of human life, cyberspace has not
been free from dangers and the commission of crimes. This has resulted from the diversity of the
content and information available, along with the ease of accessibility and wide reach.
However, with the proliferation of cyberspace, there has been a tremendous increase in
its misuse. The authenticity of e-documents has always been debatable, considering how
prone they are to being tampered with. Investigation agencies are also increasingly facing issues
with regard to the admissibility of such electronic evidence.
Since electronic evidence, as compared to conventional or traditional evidence, requires
specialised and expert training in the field of cyberspace, the method used to investigate and
analyse the data maintained on or retrieved from electronic media for the purposes of
presentation in a court of law is of prime importance.
The article analyses and examines the admissibility of electronic evidence in a court of law
based on judicial pronouncements and legislative intent.
4. E-MAIL FORENSICS
a) Web-based Email Clients: Web-based email clients save all their data on the provider’s web
servers. Some web-based clients are Gmail, Yahoo Mail, Hotmail, etc. The benefit of using
web-based email clients is that they can be accessed from anywhere in the world with a
username and password. One of their disadvantages is that users do not know where their data
is being stored.
cybercriminals continue to misuse it for illegitimate purposes by sending spam, phishing e-mails,
distributing child pornography, and hate e-mails, besides propagating viruses, worms, hoaxes
and Trojan horses. Further, misuse of Internet infrastructure through denial of service and the
waste of storage space and computational resources is costing every Internet user directly or
indirectly.
E-mail forensic analysis is used to study the source and content of an e-mail message as
evidence, identifying the actual sender, recipient, and the date and time it was sent, etc., in order
to collect credible evidence to bring criminals to justice [1-5]. This paper is an attempt to
illustrate e-mail architecture from a forensics perspective. It describes the roles and
responsibilities of the different e-mail actors and components, itemizes the meta-data contained
in e-mail headers, and lists the protocols and ports used. It further describes various tools and
techniques currently employed to carry out a forensic investigation of an e-mail message. This
paper projects the need for e-mail forensic investigation and lists various methods and tools used
for its realization. A detailed header analysis of a multiple-tactic spoofed e-mail message is
carried out in this paper.
It also discusses various possibilities for the detection of spoofed headers and identification of
their originator. Further, difficulties that may be faced by investigators during the forensic
investigation of an e-mail message are discussed along with their possible solutions [3,4].
Also, this paper will discuss tracing e-mail headers and the issues associated with it. It will
address both HTTP- and SMTP-initiated e-mails. It will discuss the different ways used by e-mail
senders to evade tracing and the workarounds used by investigators to combat them. It will also
discuss advanced measures and techniques used by investigators to track e-mails [5]. In this paper
we will discuss particular tools, such as Email Tracker Pro and aid4mail, in action.
10th International Conference on Business Information Security (BISEC-2018), 20th October 2018, Belgrade, Serbia
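The header analysis the section describes (walking the Received chain back to the originating address and checking the visible From line against the other identity fields) can be shown with the standard library alone. The Python example below is added here and is not part of the original document or of the tools it names. The message it parses is constructed for the example using documentation address ranges and example domains, and the three consistency checks it runs (Return-Path domain, Message-ID domain, continuity of the Received chain) are chosen as illustrations of spoofing indicators, not as an exhaustive method.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr
from typing import NamedTuple, Optional

# Constructed message for this example: documentation IP ranges and example domains only.
RAW_MAIL = """\
Return-Path: <bounce@mailer.example.org>
Received: from mail.example.net (mail.example.net [203.0.113.7])
 by mx.recipient.example (Postfix) with ESMTP id 1A2B3C;
 Sat, 20 Oct 2018 10:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.23])
 by mail.example.net with ESMTP id 4D5E6F;
 Sat, 20 Oct 2018 10:00:03 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.example.org with ESMTPA id 7G8H9I;
 Sat, 20 Oct 2018 10:00:01 +0000
From: "Bank Support" <support@bank.example.com>
To: victim@recipient.example
Message-ID: <20181020100001.7G8H9I@relay.example.org>
Date: Sat, 20 Oct 2018 10:00:01 +0000
Subject: Account verification

(constructed body)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from (\S+)(?: \(([^)]*)\))? by (\S+)")


class Hop(NamedTuple):
    from_host: str       # what the sending host claimed to be
    ip: Optional[str]    # address observed by the receiving host, if it recorded one
    by_host: str         # the receiving host that wrote this Received header


def received_chain(msg: EmailMessage) -> list[Hop]:
    """Each relay prepends its own Received header, so the top one is the last hop.
    Reading bottom-up walks from the origin towards the recipient."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(header).split())  # unfold and normalise whitespace
        m = HOP_RE.match(flat)
        if not m:
            continue  # non-standard trace line; an examiner would read it by hand
        ip_match = IP_RE.search(flat[: m.end()])
        hops.append(Hop(m.group(1), ip_match.group(1) if ip_match else None, m.group(3)))
    return hops


def domain_of(value: str) -> str:
    """Lower-cased domain part of an address-like header value, '' if none."""
    addr = parseaddr(value)[1] or value.strip("<> ")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(msg: EmailMessage) -> list[str]:
    """Consistency checks an examiner runs before trusting the visible From line."""
    findings = []
    from_dom = domain_of(str(msg["From"] or ""))
    return_dom = domain_of(str(msg["Return-Path"] or ""))
    msgid_dom = domain_of(str(msg["Message-ID"] or ""))
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if msgid_dom and msgid_dom != from_dom:
        findings.append(f"Message-ID was generated at {msgid_dom}, not at From domain {from_dom}")
    hops = received_chain(msg)
    for earlier, later in zip(hops, hops[1:]):
        if earlier.by_host.lower() != later.from_host.lower():
            findings.append(f"Received chain break: {earlier.by_host} handed off, "
                            f"but the next header claims {later.from_host} sent it")
    return findings


def analyse(raw: str) -> dict:
    """Parse a raw message and return the hop list, the earliest recorded address and indicators."""
    msg = message_from_string(raw, policy=default)
    hops = received_chain(msg)
    return {
        "hops": hops,
        "origin_ip": hops[0].ip if hops else None,  # earliest address the chain records
        "indicators": spoofing_indicators(msg),
    }


if __name__ == "__main__":
    result = analyse(RAW_MAIL)
    for hop in result["hops"]:
        print(f"{hop.from_host:22} [{hop.ip}] -> {hop.by_host}")
    print("earliest recorded address:", result["origin_ip"])
    for finding in result["indicators"]:
        print("!", finding)
```

Only the Received header written by the recipient's own server can be taken at face value; every earlier hop was written by someone else's system and can be fabricated, which is why the chain-continuity check matters as much as the final IP.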
5. BIBLIOGRAPHY