See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/358780840

Cyber Forensic -A Literature Review

Article · December 2019

DOI: 10.48165/tjmitm.2019.1002

CITATIONS READS

3 1,757

3 authors, including:

Surabhi Shanker
Trinity Institute of Professional Studies
19 PUBLICATIONS 10 CITATIONS

SEE PROFILE

All content following this page was uploaded by Surabhi Shanker on 22 February 2022.

The user has requested enhancement of the downloaded file.

 Review Article

Trinity Journal of Management, IT & Media ISSN 2320-6470 (Print)

www.acspublisher.com ISSN A/F (Online)
Year 2019, Volume-10, Issue-1 (Jan-Dec)
DOI: 10.48165/tjmitm.2019.1002

Cyber Forensic – A Literature Review

Aparna Chaturvedi1*, Ashish Awasthi2 and Surabhi Shanker3
1Department of Mathematics, AIAS, Amity University, Noida, India
2Department of Computer Applications, SRMGPC, Lucknow (UP) (India)
3Dept. Of Computer Applications, Trinity Institute of Professional Studies

ARTICLE INFO ABSTRACT

Key word: digital evidence,
digital forensics, cyber
forensics, digital forensic
science
Cyber Forensics is a branch of forensic science that is aimed to restore, collect and
examine the digital evidence of materials found in digital devices, in relation to
cybercrimes. With the advancement in cyber area, frequent use of internet and
technologies leads to cyber-attacks. Cyber forensic is opted for acquiring electronic
information and investigation of malicious evidence found in system or on network
in such a manner that makes it admissible in court. It is also used to recover lost
information in a system. The retrived information is used to prosecute a criminal.
Number of crimes committed against an internet and malware attacks over the
digital devices have increased. This paper contains a brief review of the literature
aimed to identify the relevant pieces of knowledge in the digital forensics field.

Introduction “Digital forensics is the discipline that combines elements

In our days, all digital devices such as cell phones, tablets,
laptops and desktop computers can be used for criminal
activities such as fraud, drug trafficking, homicide, hacking,
forgery, terrorism, etc. To fight against these criminal
activities, cyber forensics is used to help investigate
cybercrimes and to identify the device-assisted crime and
the authors of it Mithileysh Sathiyanarayanan, 2016.
Cyber forensics is the application of examination and
analysis techniques to gather and preserve evidence from
an appropriate computing device in a way that is suitable for
presentation in a court of law. The goal of cyber forensics
is to perform a careful investigation while maintaining a
documented chain of evidence to find out exactly what to
be found on a computing device and who was blamed for
it. Digital Forensics tools are now used on a daily basis by
examiners and analysts (Simon L, 2010).
of law and computer science to collect and analyze data from
computer systems, networks, wireless communications, and
storage devices in a way that is admissible as evidence in a
court of law” (National Cybersecurity and Communications
Integration Center – NCCIC).
Literature Review
Digital forensics can be divided in few steps as discussed:
Forensic Evidence and Crime Investigation:
e-evidence plays an important role in crime reconstruction.
Those crimes are not limited to cybercrimes because many
traditional crimes leave cyber trails. To ensure that the
evidence is admissible, the investigators must perform

Corresponding author.
*

E-mail address: chaturvedi.aparna.tirwa@gmail.com (Aparna Chaturvedi)

Received 05-02-2019; Accepted 15-12-2020
Copyright @ Trinity Journal of Management, IT & Media (https://acspublisher.com/journals/tjmitm/)

24
Aparna Chaturvedi
an objective examination of the evidence and objectively
interpret the evidence.
Different types of evidence vary in their ability to prove a
fact about what has happened, when, how, and by whom.
Without evidence of an act or activity that violated
a statute, in effect, there is no crime. To guard against
wrongfully finding a person guilty of a crime, the processes
involved in gathering, searching, seizing, and admitting
evidence must follow rules of evidence and other official
procedures.
Electronic discovery, or e-discovery, refers to the
discovery of electronic documents, data, e-mail messages,
or other potential e-evidence. Technically, data or files are
electronic if they exist in a medium that can be read only
through the use of computers. E-discovery can be more
complex than traditional paper discovery, which refers to
the discovery of writings on paper that can be read without
the aid of some devices, because e-evidence is more volatile
and easily altered without obvious detection.
Many of the processes and tools used to discover and
recover e-evidence can also be applied to recover data lost
due to a disaster or sabotage. Like most electronic files and
e-mail messages, they are rarely ever gone because they
leave traces or backups.
Computer Forensics and Digital
Detective Work
Computer forensics is the science of acquiring,
preserving, retrieving, and presenting data that has been
processed electronically and stored on computer media
(Michael G, 2010).
We all know that that the widespread use of computers
and the Internet have contributed to traditional and
computer crimes (Garber Lee, 2012). Effective forensic
investigation of these offenses requires evidence gathered
from computers, storage media, digital devices, e-mail,
chat rooms, and the Internet—and any technology that
tracks what was done, who did it, and when.
Law enforcement and other investigators will produce,
during the discovery process, imaged or exact copies of the
digital media being investigated. These copies need to be
examined by trained professionals to ensure that the media
have been secured and examined in the correct manner
and all evidence has been recovered.
There are numerous legal and ethical issues of
evidence seizure, handling, and investigation. Updated and
new federal rules and laws regulate forensic investigations
25
Cyber Forensic – A Literature Review
and lead to challenges to the admissibility of e-evidence.
The need for e-evidence has led to a new area of criminal
investigation, namely computer forensics. This new field
is less than 15 years old and is evolving rapidly. Computer
forensics depends on an understanding of technical and
legal issues. The most consequential legal issue in computer
forensics is the admissibility of evidence in criminal cases.
Computer forensics investigators must identify, gather,
extract, protect, preserve, and document computer and
other e-evidence using acceptable methods to ensure
admissibility. An understanding of behavioral issues and
a grasp of the ethical problems that investigators face are
also valuable skills.
The law of search and seizure, as it relates to computers
and electronic equipment, must be followed. Failure to
follow proper legal procedure will result in evidence’s
being ruled inadmissible in court and a guilty criminal’s
going free. In addition, it is equally important to prevent
innocent people from being charged with crimes they did
not commit.
Tools, Environments, Equipment,
and Certifications
Nikita Rana,2017, The quality of e-evidence depends
on skilled investigators following standard procedures
and using trusted technology (Natarajan Meghanathan,
2019) throughout the lifecycle of a case or investigation.
Maintaining the integrity of e-evidence requires a defensible
approach to data handling and preservation. There can be
no weak links in the investigative process. With widespread
use of computers to plan, facilitate, or carry out violent and
nonviolent crimes, it is vital for a forensics investigator to
be able to extract and analyze data quickly and present the
evidence in an understandable format.
Frequently, investigators have to defend their
findings, processing methods, tools, and techniques
against challenges raised by the opposing side. Therefore,
e-evidence processing must be done correctly and
documented thoroughly or else any resulting court case
may be thrown out. A key principle is that the technologies
and methodologies used must be well documented and
repeatable.
Documentation, collection, authentication, analysis,
preservation, and production and reporting of the findings
require the use of specialized software and hardware tools
and equipment. Because of the complexity of many of the
tools, training in their use and certification is necessary.
Aparna Chaturvedi
There are also general training and certifications available
for computer forensics investigators.
Policies and Procedures
Alec Yasinsac, 2001, The key to a consistent and methodical
investigation is a good set of policies and procedures that
serve as guidelines or baselines for any investigation. These
policies and procedures are designed not only to delineate
the process of an investigation but also to aid in the
management of a computer forensics lab. This is not to say
you cannot be flexible; to the contrary, your policies and
procedures should be designed to be flexible and adjust as
necessary for each case. Operating Systems and Data Transmission
The actual process of conducting a forensic Basics for Digital Investigations:
examination from the first phone call you receive to the
time when you turn over the final report. The four main
steps of any computer forensics investigation are planning,
acquisition, analysis, and reporting. Forensic investigation
is not an exact science, and steps will vary depending on the
case, so the processes outlined for each step provide broad
guidelines; however, these steps are generally accepted by
most computer forensics professionals and can be adapted
to your needs.
The science behind the technology is fairly well
understood, and the tools used by computer forensic
analysts are becoming much easier to use. The field of
computer forensics science will gradually give way to the
field of computer forensic art. The science of computer
forensics will always strive to keep up with the technology
of the day, but it is the computer forensic analyst, who
understands how people use this technology, who will be
able to solve the difficult cases. In essence, the scientist
must also be a psychologist with the ability to use high-
technology tools.
Data, PDA, and Cell Phone Forensics
The basic media types and devices that you will encounter
when doing a forensic examination. You are most likely
to encounter magnetic media devices such as hard drives
and optical media devices such as CDs, but electronic
devices such as USB drives are becoming more prevalent.
Your job as a forensic investigator may also require you to
know about data from PDAs and cellular phones (Greg
Gogolin, 2013).
After learning how data is stored in these various types
of devices, you learned specific methods for acquiring data
from each category. Some guidelines for data acquisition
are the same for any device, such as the importance of
26
Cyber Forensic – A Literature Review
making at least two copies of the data so that you can work
on one copy while safeguarding the original copy and the
suspect’s device. Other guidelines are specific to a device,
such as the importance of maintaining power to a PDA to
avoid data loss.
A number of suppliers such as Guidance, Paraben,
AccessData, and Logicube have developed tools for
capturing and analyzing data. Some of these tools are
designed to work with a specific type of data, such as that
acquired from PDAs, while others can be used for several
different types of data.
The operating system of a computer is the program that
controls the basic functions of a computer and acts as
the intermediary between the application programs and
hardware of a computer. The two types of interfaces used
to communicate with an operating system are command-
line interface (CLI) and graphical user interface (GUI).
The CLI interface consists of a text-based interface where
commands are entered via a prompt. A GUI interface
usually consists of a pointing device such as a mouse being
used to interface with graphical objects, such as icons or
menus, on a monitor.
The functions basic to an operating system are file
management, memory management, job management,
device management, and security management. Early
computers did not need an operating system because
applications handled all computer functions. Modern
computers have many applications and thus require a
centralized operating system to handle applications and
system information. DOS, Windows, UNIX/Linux, and
Macintosh OS X are all examples of operating systems used
on modern computer systems.
File systems manage the basic unit of data storage
called a file. Various file systems in use include FAT 16,
FAT 32, NTFS, efs, UFS, and OS X.
The OSI model standardized the methods used to
transmit data on a network. The OSI model consists
of a seven-layer approach. While the OSI model is the
theoretical model to follow, the TCP/IP model is the de
facto standard of the Internet. The TCP/IP model consists
of a four-layer approach.
The two address schemes used to transmit data across
networks are logical addressing and physical addressing.
Logical addressing usually consists of IP addressing,
Aparna Chaturvedi
and physical addressing consists of media access control
addressing.
Investigating Windows, Linux, and
Graphics Files
The evidence search times can be reduced by looking
in predictable areas, such as default folders and
operating systems artifacts, during the beginning of
the investigation before initiating intense and detailed
probes. The skill level of the user will more than likely
determine whether this is effective for your case. A savvy
user can hide data by using nonstandard file folders to
place information, renaming file types, using layered
graphics, and masquerading data with steganographic
techniques (Jun-Hyung Park, 2006).
E-Mail and Webmail Forensics:
Electronic mail and instant messages can be important
evidence to find. They provide a more realistic view of
the candor of a person because of their ubiquitous use
and informality. For both of these technologies, a client
program and a server are required. The client program
may be resident on a user’s PC and store data on the hard
drive, or the client may be Web-based. Web-based clients
often do not leave a complete data trail on the PC itself
and may require an investigator to harvest this data from
the server or servers involved in the transmission of the
message. When trying to recover data from a server, you
must determine the data storage structure being used and
the size of the composite data storage pool, plus you need
to ensure that you have appropriate authorization to work
on the server. You must compose a good plan with realistic
values for time and storage requirements before beginning
a forensic review of a server.
Using e-mail headers and IM logs can provide
additional sources of possible data locations, such as
recipient/sender PCs and intermediate servers. Tracing
the IP addresses may involve the use of regional Internet
registries, such as ARIN, to determine the registered owner
of an IP address range and a contact address for that owner.
IM has become a mechanism that users believe to be
inherent in daily life. Like e-mail, it is a client/server–based
technology; however, with today’s clients, the messages
may not be saved to any hard drive. Because of the volume
of IM, public servers such as AOL and Google typically
do not keep logs of message content and may not even
keep transaction logs. IM may be as intangible as a phone
27
Cyber Forensic – A Literature Review
conversation. However, if IM messages can be found, they
often contain very powerful evidence because most people
use them with unguarded attitudes.
Internet and Network Forensics and
Intrusion Detection
This area of computer forensics is just beginning to expand
to the point where the technology is robust and reliable
enough to be accepted in a court of law. Additionally, the
sheer power to collect wide ranges of data from networks
is now well within the computational and storage power
of most organizations. This factor, coupled with the fact
that NFAT systems can enable an organization to deal in
real time with internal and external network threats and
to recreate what happened for future use, make this type of
software extremely versatile. This chapter only covered the
surface possibilities and uses for the forensic use of such
software. More and more organizations will eventually
move to this forensic model because it uses the power of
the network to accomplish forensic tasks that at present are
done in a more labor intensive and costly way.
Tracking Down Those Who Intend to
Do Harm on a Large Scale
The methods used by those intent on causing harm on a
large scale. The same challenges that face investigators of
small cases involving one or a few individuals apply to large-
scale cases. Each type of forensics, namely e-mail, network,
data, cell phone, and IRC forensics, come into play when
investigating terrorists, cyberextortionists, hackers, and
botmasters. It is critical to understand their motives and
methods, intelligence activities, and concealment tactics.
Investigations of these criminals require the resources and
cooperation of the FBI, other federal agencies, and foreign
governments. Computer forensics experts may be called
upon to support these agencies and defend against crimes
aimed at destroying human life, critical infrastructures, or
private property.
Fraud and Forensic Accounting
Investigation:
In this Internet era, more and more frauds will be
perpetrated using computers and networks. Whether
the potential fraudster is a disgruntled employee, greedy
executive, or unethical business partner, there are many
opportunities to defraud a company or organization.
Aparna Chaturvedi
Pressure, opportunity, and rationalization are the
three elements of every fraud. Investigators should look
for evidence of each of these factors—and not focus solely
on opportunity. In order to prove fraud, the prosecutor
must show intent and deceit. E-mail and other electronic
communication media often contain evidence of deceit
and intent as well as pressures or rationalization for stealing
from a company.
The purpose of a fraud or forensic accounting
investigation is to detect ongoing fraud or to investigate
it after it has occurred. The word forensic in financial
investigations implies that the information that is uncovered
is capable of being used in court. Forensic accounting is the
investigation and analysis of financial evidence that, like
other forensic investigations, requires proper procedures
and detailed evidence to ensure its admissibility.
Federal Rules and Criminal Codes
The Federal Rules of Evidence and Procedure that directly
impact investigative procedures and the admissibility
of evidence. Actual federal cases and court decisions
were presented to illustrate the tough challenges to an
investigator’s experience, evidence handling, hardware,
and procedures. Clearly, investigators need a working
knowledge of what constitutes a legal search so as not
to compromise cases, convict innocent people, or let
guilty people go free. Before seizing computers, Fourth
Amendment search warrant requirements need to be
met. Before accessing stored data, the requirements of
the Electronic Communication Privacy Act must be
considered. Conducting real-time electronic surveillance
may require a wiretap order from a judge. In the next
chapter, you will learn how to present testimony about
evidence and methods in court or legal action.
Amendments to anticrime legislation, particularly the
USA PATRIOT Act, have given greater search and seizure
authority to law officials and investigators— at the expense
of privacy. The next chapter also examines ethical issues
and dilemmas.
Ethical and Professional Responsibility
in Testimony
Working in the legal system imposes a huge responsibility
on you to perform your work with diligence, competence,
and good judgment. Computer crimes do not have
eyewitnesses, so juries rely on forensics experts to help
them understand the meaning of the e-evidence. Jurors
are not required to hold any professional qualifications,
28
Cyber Forensic – A Literature Review
and there are no technical jury qualification guidelines
for cases involving complex computer data. Working as an
expert witness can be as challenging as the investigation
and perhaps more demanding. You may need to critically
review and then validate or refute the testimony of other
investigators—or be the subject of another expert’s critique
of your methods and opinions. Witnesses need to be
prepared to be able to withstand scrutiny from judges,
jurors, and attorneys who may know very little about
e-evidence (Computer Forensics US-CERT.).
To provide testimony as an expert witness. Given
what is at stake, witnesses have ethical responsibilities that
cannot be compromised. In addition to understanding
the technologies that may be at issue in a given case, to be
an effective expert witness you must understand the legal
system, specific courtroom communication skills, skills for
enduring cross-examination, and how to prepare for legal
testimony.
Conclusion
This paper, is a literature review of cyber forensics. Cyber
forensics has many challenges for investigators. These
challenges become more and more complex because
criminals also learn to hide evidences or have advanced
computers knowledge. we examined distinctive forensic
tools used for analysing security flaws in digital forensics
and also the detailed review of cyber forensics. Due to rapid
increase in the number of Internet users across the world,
the frequency of digital attacks has increased. Therefore,
the need to devise effective methodologies and develop
efficient tools to detect these attacks timely. In this paper,
we have examined different tools for performing digital
forensic analysis. This research provides a provisional
study of the tools regarding cyber forensic analysis.
References
Mithileysh Sathiyanarayanan, Introduction to Digital Forensics,
2016. https://www.academia.edu/download/61723117/Intro-
duction_to_Digital_Forensics20200108-92193-k0ho5z.pdf
Garfinkel SL. Digital forensics research: The next 10 years. digital
investigation. 2010 Aug 1;7:S64-73.
Noblett MG, Pollitt MM, Presley LA. Recovering and
examining computer forensic evidence. Forensic Science
Communications. 2000 Oct 1;2(4).
Park JH, Kim M, Noh BN, Joshi JB. A similarity based technique
for detecting malicious executable files for computer
forensics. In2006 IEEE International Conference on
Aparna Chaturvedi
Information Reuse & Integration 2006 Sep 16 (pp. 188-
193). IEEE..
Computer Forensics US-CERT. https://www.us-cert .gov/
security-publications/computer-forensics, National Cyber-
security and Communications Integration Center –
NCCIC, US.
Gogolin G, editor. Digital forensics explained. CRC Press; 2021
Apr 11.
U.S. Department of Justice, Forensic Examination of Digital
Evidence: A Guide for Law Enforcement, https://www.
ncjrs.gov/.
Nikita Rana1, Gunjan Sansanwal, Kiran Khatter1, Sukhdev
Singh, Taxonomy of Digital Forensics: Investigation Tools
and Challenges, 2017, https://arxiv.org.
The Importance of Memory Forensics Tools, https://lifars.
com/2017/06/memory-forensics- tools/, 2017.
29
View publication stats
Cyber Forensic – A Literature Review
Meghanathan N, Allam SR, Moore LA. Tools and techniques for
network forensics. arXiv preprint arXiv:1004.0570. 2010
Apr 5.
Infosec, https://resources.infosecinstitute.com/ computer-
forensics-tools/, 2019.
Garber L. Encase: A case study in computer-forensic technology.
IEEE Computer Magazine January. 2001 Jan.
Yasinsac A, Manzano Y. Policies to enhance computer and
network forensics. InProceedings of the 2001 IEEE
workshop on information assurance and security 2001 Jun
5 (pp. 289-295).
Raghavan S, Raghavan SV. A study of forensic & analysis
tools. In2013 8th International Workshop on Systematic
Approaches to Digital Forensics Engineering (SADFE)
2013 Nov 21 (pp. 1-5). IEEE.