
What is a cyber crime investigation?

Before jumping into the "investigation" part, let's go back to the basics: a digital
crime or cybercrime is a crime that involves the usage of a computer, phone or
any other digital device connected to a network.

These electronic devices can be used for two things: perform the cybercrime
(that is, launch a cyber attack), or act as the victim, by receiving the attack from
other malicious sources.

Therefore, a cybercrime investigation is the process of investigating, analyzing
and recovering critical forensic digital data from the networks involved in the
attack—this could be the Internet and/or a local network—in order to identify the
authors of the digital crime and their true intentions.

Cybercrime investigators must be experts in computer science, understanding
not only software, file systems and operating systems, but also how networks
and hardware work. They must be knowledgeable enough to determine how the
interactions between these components occur, to get a full picture of what
happened, why it happened, when it happened, who performed the cybercrime
itself, and how victims can protect themselves in the future against these types
of cyber threats.

Who conducts cybercrime investigations?

Criminal justice agencies

Criminal justice agencies are the operations behind cybercrime prevention
campaigns and the investigation, monitoring and prosecution of digital criminals.
Depending on your country of residence, a criminal justice agency will handle all
cases related to cybercrime.

For example, in the U.S. and depending on the case, a cybercrime can be
investigated by the FBI, U.S. Secret Service, Internet Crime Complaint Center,
U.S. Postal Inspection Service or the Federal Trade Commission.

In other countries such as Spain, the national police and the civil guard take care
of the entire process, no matter what type of cybercrime is being investigated.

National security agencies

This also changes from one country to another, but in general, this type of
agency usually investigates cybercrime directly related to the agency.
For example, an intelligence agency should be in charge of investigating
cybercrimes that have some connection to their organization, such as against its
networks, employees or data; or have been performed by intelligence actors.

In the U.S., another good example is the military, which runs its own cybercrime
investigations by using trained internal staff instead of relying on federal
agencies.

Private security agencies

Private security agencies are also important in the fight against cybercrime,
especially during the investigation process. While governments and national
agencies run their own networks, servers and applications, they make up only a
small fraction of the immense infrastructure and code kept running by private
companies, projects, organizations and individuals around the world.

With this in mind, it's no surprise that private cybersecurity experts, research
companies and blue teams play a critical role when it comes to preventing,
monitoring, mitigating and investigating any type of cybersecurity crime against
networks, systems or data running on third-party private data centers, networks,
servers or simple home-based computers.

The range of cybercrime investigated by private agencies is wide, and includes,
but is not limited to, hacking, cracking, virus and malware distribution, DDoS
attacks, online fraud, identity theft and social engineering.

Cybercrime investigation techniques

While techniques may vary depending on the type of cybercrime being
investigated, as well as who is running the investigation, most digital crimes are
subject to some common techniques used during the investigation process.

• Background check: Creating and defining the background of the crime
with known facts will help investigators set a starting point to establish
what they are facing, and how much information they have when handling
the initial cybercrime report.

• Information gathering: One of the most important things any
cybersecurity researcher must do is gather as much information as possible
about the incident.
Was it an automated attack, or a human-based targeted crime? Was there
any open opportunity for this attack to happen? What is the scope and
impact? Can this attack be performed by anyone, or only by certain people with
specific skills? Who are the potential suspects? What digital crimes were
committed? Where can the evidence be found? Do we have access to
such evidence sources?

These and other questions are valuable considerations during
the information gathering process.

A lot of national and federal agencies use interviews and surveillance
reports to obtain proof of cybercrime. Surveillance involves not only
security cameras, videos and photos, but also electronic device
surveillance that details what's being used and when, how it's being used,
and all the digital behavior involved.

One of the most common ways to collect data from cybercriminals is to
configure a honeypot that will act as a victim while collecting evidence that
can later be used against the attackers, as we previously covered in our Top
20 Honeypots article.

• Tracking and identifying the authors: This next step is sometimes
performed during the information-gathering process, depending on how
much information is already in hand. In order to identify the criminals
behind the cyber attack, both private and public security agencies often
work with ISPs and networking companies to get valuable log information
about their connections, as well as historical service, websites and
protocols used during the time they were connected.

This is often the slowest phase, as it requires legal permission from
prosecutors and a court order to access the needed data.

• Digital forensics: Once researchers have collected enough data about
the cybercrime, it's time to examine the digital systems that were affected,
or those supposed to be involved in the origin of the attack. This process
involves analyzing network connection raw data, hard drives, file systems,
caching devices, RAM memory and more. Once the forensic work starts,
the involved researcher will follow up on all the involved trails looking for
fingerprints in system files, network and service logs, emails, web-
browsing history, etc.

Top 12 cybercrime investigation and forensic tools

Cybercrime investigation tools include a lot of utilities, depending on the
techniques you're using and the phase you're in. However, know that
most of these tools are dedicated to the forensic analysis of data once you have
the evidence in hand.

There are thousands of tools for each type of cybercrime; therefore, this isn't
intended to be a comprehensive list, but a quick look at some of the best
resources available for performing forensic activity.

SIFT Workstation

SIFT is a forensic tool collection created to help incident response teams and
forensic researchers examine digital forensic data on several systems.

It supports different types of file systems such as FAT 12/16/32 as well as NTFS,
HFS+, EXT2/3/4, UFS1/2v, vmdk, swap, RAM data and RAW data.

When it comes to evidence image support, it works perfectly with single raw
image files, AFF (Advanced Forensic Format), EWF (Expert Witness Format,
EnCase), AFM (AFF with external metadata), and many others.

Other important features include: Ubuntu LTS 16.04 64 bit base system, latest
forensic tools, cross compatibility between Linux and Microsoft Windows, option
to install as a stand-alone system, and vast documentation to answer all your
forensic needs.

Best of all, it's open source and completely free.

The Sleuth Kit

Written by Brian Carrier and known as TSK, The Sleuth Kit is an open source
collection of Unix- and Windows-based forensic tools that helps researchers
analyze disk images and recover files from those devices.

Its features include full parsing support for different file systems such as
FAT/ExFAT, NTFS, Ext2/3/4, UFS 1/2, HFS, ISO 9660 and YAFFS2, which lets it
analyze almost any kind of image or disk for Windows-, Linux- and Unix-
based operating systems.

Available from the command line or used as a library, The Sleuth Kit is the
perfect ally for any person interested in data recovery from file systems and raw-
based disk images.
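To make concrete what a tool like TSK's mmls does when it lists the partitions of a raw image, here is an added Python example; it is not part of The Sleuth Kit and not code from the original article. It parses the classic MBR partition table in sector 0, lists the sectors that no table entry covers, and scans that unallocated space for NTFS/FAT volume boot records, which is the basic idea behind finding partitions that were deleted from the table. The image it operates on is constructed in build_sample_image(); the layout, the helper names and the 512-byte sector size are assumptions of this example (GPT disks are out of scope).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512                       # assumption: classic 512-byte sectors
BOOT_SIGNATURE = b"\x55\xaa"       # ends both the MBR and FAT/NTFS volume boot records
ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1


def parse_mbr(image: bytes) -> List[Partition]:
    """Parse the four primary entries of the partition table in sector 0."""
    if len(image) < SECTOR:
        raise ValueError("image is shorter than one sector")
    mbr = image[:SECTOR]
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA signature: not an MBR, or damaged")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        status, type_id, start, count = struct.unpack(ENTRY_FMT, entry)
        if type_id == 0 or count == 0:
            continue                                   # unused slot
        parts.append(Partition(i, status == 0x80, type_id, start, count))
    return parts


def unallocated_ranges(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges covered by no table entry (sector 0 is the MBR itself)."""
    gaps = []
    cursor = 1
    for start, end in sorted((p.start_lba, p.end_lba) for p in parts):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def classify_boot_sector(sector: bytes) -> Optional[str]:
    """Recognise NTFS and FAT volume boot records by signature plus OEM/type strings."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        return sector[0x36:0x3E].decode("ascii").strip()
    return None


def find_orphan_boot_sectors(image: bytes, parts: List[Partition]) -> List[Tuple[int, str]]:
    """Scan unallocated space for volume boot records; each hit is a candidate deleted partition."""
    total = len(image) // SECTOR
    hits = []
    for start, end in unallocated_ranges(parts, total):
        for lba in range(start, end + 1):
            kind = classify_boot_sector(image[lba * SECTOR : (lba + 1) * SECTOR])
            if kind:
                hits.append((lba, kind))
    return hits


def build_sample_image(total_sectors: int = 2048) -> bytes:
    """Constructed 1 MiB test image (not real evidence): a bootable FAT32 partition, an NTFS
    partition, and an orphaned NTFS boot record at LBA 600 standing in for a deleted partition."""
    img = bytearray(total_sectors * SECTOR)
    table = [(0x80, 0x0C, 63, 500), (0x00, 0x07, 1000, 500)]   # (status, type, start LBA, count)
    for i, entry in enumerate(table):
        img[446 + 16 * i : 446 + 16 * (i + 1)] = struct.pack(ENTRY_FMT, *entry)
    img[510:512] = BOOT_SIGNATURE
    fat = 63 * SECTOR                                  # FAT32 volume boot record of partition 1
    img[fat + 0x52 : fat + 0x5A] = b"FAT32   "
    img[fat + 510 : fat + 512] = BOOT_SIGNATURE
    for lba in (1000, 600):                            # live NTFS volume, and the orphaned one
        off = lba * SECTOR
        img[off : off + 3] = b"\xeb\x52\x90"
        img[off + 3 : off + 11] = b"NTFS    "
        img[off + 510 : off + 512] = BOOT_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    table = parse_mbr(disk)
    for p in table:
        print(f"slot {p.index}: type 0x{p.type_id:02X} LBA {p.start_lba}-{p.end_lba} bootable={p.bootable}")
    print("unallocated:", unallocated_ranges(table, len(disk) // SECTOR))
    print("orphan boot sectors:", find_orphan_boot_sectors(disk, table))
```

The scan deliberately skips sectors inside live partitions, so the NTFS boot record at LBA 1000 is reported as a partition while the one at LBA 600 is reported as an orphan; real tools add more signatures (ext superblocks, GPT headers) and sanity checks on the geometry fields before trusting a hit.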

X-Ways Forensics

This software is one of the most complete forensic suites for Windows-based
operating systems. It's widely supported for almost any version of Windows,
making it one of the best in this particular market and letting you easily work with
versions such as Windows XP/2003/Vista/2008/7/8/8.1/2012/10*, supporting both
32 Bit/64 Bit. One of its coolest features is the fact that it's fully portable, making
it possible to run it from a memory stick and easily take it from one computer to
another.

Its main features include: ability to perform disk cloning and imaging, read
partitions from raw image files, HDDs, RAID arrays, LVM2 and much more.

It also offers advanced detection of deleted partitions on FAT12, FAT16, FAT32,
exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, etc., as well as advanced file carving, and
file and directory catalog creation.
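File carving, which X-Ways, PhotoRec and similar tools perform, recovers files from raw or unallocated data by their header and footer signatures when no file system metadata remains. The following added Python example (written for this page, not X-Ways code) shows the technique on two formats over a constructed sample blob; the SIGNATURES table, the 16 MiB size cap and the helper names are assumptions of the example, and real carvers know many more formats and handle fragmented files.

```python
import hashlib
from typing import Dict, List, Tuple

# (header, footer) pairs for two well-known formats; a production carver knows hundreds
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),   # IEND chunk plus its fixed CRC
}
MAX_FILE_SIZE = 16 * 1024 * 1024    # assumption: stop looking for a footer beyond this distance


def carve(blob: bytes, max_size: int = MAX_FILE_SIZE) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, data) for every header/footer pair found in the blob.
    Works on raw bytes only: no file names, timestamps or directory entries survive,
    which is why carving is the fallback for deleted or unallocated data."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start == -1:
                break
            end = blob.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1             # header without a footer in range: skip it
                continue
            end += len(tail)
            found.append((start, kind, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[0])


def carve_report(blob: bytes) -> List[Dict[str, object]]:
    """Carve and hash each recovered object, as an evidence listing would."""
    return [
        {"offset": off, "kind": kind, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for off, kind, data in carve(blob)
    ]


# Constructed test data: two minimal stand-in files surrounded by filler that contains no magic numbers
FILLER = b"free space " * 50                                              # 550 bytes
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 17 + b"IEND\xae\x42\x60\x82"


def build_sample_blob() -> bytes:
    return FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG + FILLER


if __name__ == "__main__":
    for entry in carve_report(build_sample_blob()):
        print(entry)
```

Hashing each carved object at the moment of recovery gives you a value to record before anything is opened or converted, which is the same integrity argument the evidence-preservation material later in this document makes for full images.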

CAINE

CAINE is not a simple cybercrime investigation application or a suite; it's a full
Linux distribution used for digital forensic analysis.

It works from the live CD, and can help you extract data created on multiple
operating systems such as Linux, Unix and Windows.

File system, memory or network data extraction, CAINE can do it all by
combining the best forensic software that runs on both command-line and GUI-
based interfaces.

It includes popular digital crime investigation apps such as The Sleuth Kit,
Autopsy, Wireshark, PhotoRec, Tinfoleak and many others.

PALADIN

PALADIN is a bootable Linux distribution based on Ubuntu and developed by
SUMURI.

The PALADIN Toolbox helps streamline numerous forensic tasks, truly offering
“forensic tools galore”—over 30+ categories with over 100 tools, including The
Sleuth Kit and Autopsy. This veritable forensic lab on a disk is available in both
64- and 32-bit versions, making it one of the most popular suites of its kind. Used
by law enforcement, military, federal, state and corporate agencies, PALADIN is
the perfect ally for any computer crime investigator.

ProDiscover Forensic

Widely used in computer forensics and incident response, ProDiscover
Forensic has the capabilities needed to handle every aspect of a forensic
investigation. This digital forensic product helps investigators quickly and
efficiently uncover files and collect, process, protect and analyze data, as well as
create evidence reports.

ProDiscover’s product suite offers investigators a wide array of diagnostic and
evidence tools to explore evidence and extract relevant investigation artifacts. Its
features include extensive automation, cloud forensics, memory forensics, previews
of files without altering data on disk including metadata, and examining data at
the sector level.

Digital Forensics Framework

Known as DFF, the Digital Forensics Framework is computer forensics open-source
software that allows digital forensics professionals to discover and save
system activity on both Windows and Linux operating systems.

It allows researchers to access local and remote devices such as removable
drives, local drives, remote server file systems, and also to reconstruct VMware
virtual disks. When it comes to file systems, it can extract data from
FAT12/16/32, EXT 2/3/4, and NTFS on both active and deleted files and
directories. And it even helps to inspect and recover data from memory sticks
including network connections, local files and processes.

Oxygen Forensic Detective

This tool is one of the best multi-platform forensic applications used by security
researchers and forensic professionals to browse all the critical data in a single
place.

With Oxygen Forensic Detective you can easily extract data from multiple mobile
devices, drones and computer OS, including: grabbing passwords from
encrypted OS backups, bypassing screen lock on Android, getting critical call
data, extracting flight data from drones, user information from Linux, MacOS and
Windows computers. It also supports IoT device data extraction.

Open Computer Forensics Architecture

Known as OCFA, Open Computer Forensics Architecture is a forensic analysis
framework written by the Dutch National Police Agency. They developed this
software with the main goal of speeding up their digital crime
investigations, allowing researchers to access data from a unified and UX-
friendly interface.

It has been integrated into or is part of the core of many other popular cybercrime
investigation tools such as The Sleuth Kit, Scalpel, PhotoRec and others.

While the official project was discontinued some time ago, this tool is still being
used as one of the top forensic solutions by agencies from all over the world.
There are many other related projects that are still working with the OCFA code
base; those can be found at the official website at SourceForge.

Bulk Extractor

Bulk Extractor is one of the most popular apps used for extracting critical
information from digital evidence data.

It works by extracting features like URLs, email addresses, credit card numbers
and much more from ISO disk images and directories or simply files—including
images, videos, office-based and compressed files.

It's a tool that serves not only for data extraction, but for analysis and collection
as well. And one of its best attributes is its wide support for almost any OS
platform, including Linux, Unix, Mac and Windows, all without problem.
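The feature-extraction idea behind Bulk Extractor, scanning raw bytes rather than files so that content in deleted data, slack space and binaries is still found, can be shown in a few lines. This added Python example is not Bulk Extractor's code: it scans a constructed blob for email addresses, URLs and 16-digit card-number candidates in both ASCII and UTF-16LE text, and applies the Luhn checksum to discard digit runs that cannot be card numbers. The regular expressions, the helper names and the sample data are the example's own assumptions and are much looser than a production scanner's.

```python
import re
from dataclasses import dataclass
from typing import List

# Deliberately simple patterns (assumption of this example); bulk_extractor's are far stricter
PATTERNS = {
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "url": r"https?://[A-Za-z0-9./?=&_%+-]+",
    "ccn": r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)",      # 16 digits, optional space/dash separators
}
BYTE_RE = {k: re.compile(p.encode("ascii")) for k, p in PATTERNS.items()}
TEXT_RE = {k: re.compile(p) for k, p in PATTERNS.items()}


@dataclass(frozen=True)
class Feature:
    kind: str
    offset: int       # byte offset in the scanned blob
    value: str
    encoding: str     # "ascii" or "utf-16le"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit runs (serials, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _add(feats: List[Feature], kind: str, offset: int, value: str, encoding: str) -> None:
    if kind == "ccn":
        value = re.sub(r"[ -]", "", value)
        if not luhn_ok(value):
            return                            # Luhn-invalid: almost certainly not a card number
    feats.append(Feature(kind, offset, value, encoding))


def extract_features(blob: bytes) -> List[Feature]:
    feats: List[Feature] = []
    # Pass 1: raw bytes (ASCII/UTF-8 text, including strings embedded in binaries)
    for kind, rx in BYTE_RE.items():
        for m in rx.finditer(blob):
            _add(feats, kind, m.start(), m.group().decode("ascii"), "ascii")
    # Pass 2: UTF-16LE, the encoding Windows uses for much of its on-disk text
    text = blob.decode("utf-16-le", errors="ignore")
    for kind, rx in TEXT_RE.items():
        for m in rx.finditer(text):
            _add(feats, kind, m.start() * 2, m.group(), "utf-16le")
    return sorted(feats, key=lambda f: f.offset)


def build_sample_blob() -> bytes:
    """Constructed sample (not real data): ASCII text followed by a UTF-16LE fragment."""
    ascii_part = (
        b"\x7f\x7e\x7d\x7c From: alice@example.com\n"
        b"Visit https://example.org/login?next=/account for details.\n"
        b"Card on file: 4111 1111 1111 1111 exp 12/29\n"
        b"Device serial: 1234567890123456\n"
    )
    if len(ascii_part) % 2:
        ascii_part += b"\n"                   # keep the UTF-16 region 2-byte aligned
    return ascii_part + "Reply-To: bob@example.net".encode("utf-16-le")


if __name__ == "__main__":
    for f in extract_features(build_sample_blob()):
        print(f"{f.offset:6d} {f.kind:5s} {f.encoding:8s} {f.value}")
```

The "device serial" line is the point of the Luhn check: it is 16 digits long, so a pure regex would report it, but it fails the checksum and is dropped, while 4111 1111 1111 1111 (a well-known test number) passes. The UTF-16 pass finds the address that the byte-level pass cannot see because every character is followed by a zero byte.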

ExifTool

Written in Perl, this forensic tool developed by Phil Harvey is a command-line-
based utility that can read, write and manipulate metadata from several media
files such as images and videos.

ExifTool supports extracting EXIF from images and videos (common and specific
metadata) such as GPS coordinates, thumbnail images, file type, permissions,
file size, camera type, etc.

It also allows you to save the results in a text-based format or plain HTML.

SurfaceBrowser™

SurfaceBrowser™ is your perfect ally for detecting the full online infrastructure of
any company, and getting valuable intelligence data from DNS records, domain
names and their historical WHOIS records, exposed subdomains, SSL
certificates data and more.

Analyzing the surface of any company or domain name on the Internet is as
important as analyzing local drives or RAM sticks—it can lead to finding critical
data that could be linked to cybercrimes.

What can you do with SurfaceBrowser?

• Get current DNS data

DNS records are an infinite source of intelligence when it comes to
cybersecurity. They hold the key to all publicly exposed internet assets for
web, email and other services.

SurfaceBrowser™ allows you to view the current A, AAAA, MX, NS, SOA
and TXT records instantly.

What is electronic discovery (e-discovery)?

Electronic discovery -- also called e-discovery or ediscovery -- is the process of
obtaining and exchanging evidence in a legal case or investigation. E-discovery is
used in the initial phases of litigation when involved parties are required to provide
relevant records and evidence related to a case. This process includes obtaining and
exchanging electronic data that is sought, located, secured and searched for with the
intent of using it as evidence.

E-discovery can be conducted offline on a specific computer, or it can be done on a
network. The data collected in the e-discovery process includes any information that
is in an electronic format, including emails, texts and social media posts.

Digital data is extremely well suited for investigation. It can be searched
electronically, whereas paper documents must be reviewed manually. Digital data
contains metadata, including timestamps, file properties, and information on the
author and recipient. Digital data is also difficult or impossible to completely destroy,
particularly once it gets into a network where it resides on multiple hard drives and
digital files. The most reliable way to ensure a computer file is destroyed is to
physically destroy every hard drive where the file has been stored.

Types of electronically stored information

In the process of electronic discovery, all types of data can serve as evidence. This can
include electronic documents, such as text, images, audio, video, calendars, instant
messages, cellphone data, databases, spreadsheets, animation, websites and computer
programs. Email can be an especially valuable source of evidence in civil or criminal
litigation because people are often less careful in these exchanges than in hard-copy
correspondence, such as written memos and postal letters.

What is e-discovery used for?

E-discovery is used in civil procedures and legal processes in areas such as the U.S.
federal court system. Other court systems throughout the world also have rules
pertaining to electronic discovery. For example, in England, it is a civil procedure and
has an agreed-upon process.

Before e-discovery, parties in litigation exchanged relevant information in physical
documents. E-discovery broadened this process to include electronically stored
information (ESI). Counsel from both sides find and preserve relevant ESI, making e-
discovery requests and challenges throughout the litigation process.

How does the e-discovery process work?

The process of discovery begins when a lawsuit appears imminent and runs until digital
evidence is presented in court. Attorneys from both sides will determine the scope of
e-discovery. The following is a simple description of the e-discovery process:

1. Identification. ESI is identified by attorneys. E-discovery requests and challenges
are made.
2. Preservation. Data that is identified as potentially relevant is placed under legal
hold so it cannot be destroyed. Failure to preserve data will lead to sanctions and
fines if the lost data puts the defense at a disadvantage.

3. Collection. Data is transferred from a company to legal counsel. The legal counsel
determines the data's relevance.

4. Processing. Files are loaded into a review platform. Data is usually converted into
a PDF (Portable Document Format) or TIFF (Tag Image File Format) for court.

5. Review. The review process assesses documents for privilege and responsiveness
to discovery requests.

6. Production. Documents are exchanged with opposing counsels.

Chart: the six steps in the e-discovery process.

Legal issues with e-discovery

E-discovery is an evolving field that goes far beyond just technology. It gives rise to
many legal, constitutional, political, security and personal data privacy issues, many
of which have yet to be resolved. For example, the timeline for e-discovery is
relatively short, and parties can face penalties if they fail to meet deadlines to provide
ESI.

In the past, data has also been leaked unintentionally due to the e-discovery process.
In 2017, an attorney for Wells Fargo accidentally sent opposing counsel confidential
information about the bank's clientele. The information included customer names,
Social Security numbers and financial details.

Two other issues with e-discovery include collection of new data types and reduction
of cost. The cost of e-discovery is directly related to how much data needs to be
collected and retained. As more and new types of data are collected, more money
needs to be spent on storage, information technology and management. The review
phase is also typically expensive, as individual documents need to be reviewed for
relevance and privilege. The lawyers and managers who make up in-house counsel
and are typically in charge of costs are pressured to reduce costs where possible,
including in data management. This may lead to further complications and fines if an
organization cannot properly manage all its collected data.

Emerging trends in e-discovery

One of the recent shifts in e-discovery is the larger-scale adoption of video
conferencing and collaboration tools. Due to the COVID-19 pandemic, more
organizations and individuals worked remotely. Document reviews that did not need
reviewers sitting in close proximity could be hosted over platforms such as Zoom
or Microsoft Teams. Virtual managed reviews have become a more popular trend that
may stay as a practice.

Technology-assisted review and predictive coding are other trends that use supervised
machine learning and rules-based approaches in order to find relevance,
responsiveness and privileges of ESI.

Differences between e-discovery and digital forensics

Computer forensics, also called cyber forensics, is a specialized form of e-discovery
in which an investigation is carried out on the contents of the hard drive of a specific
computer. After physically isolating the computer, investigators make a digital copy
of the hard drive. Then, the original computer is locked in a secure facility to maintain
its pristine condition. All investigation is done on the digital copy.

E-discovery and digital forensics are similar processes, as both involve
identifying, collecting and preserving data. However, the main differences between
the terms are in how the data is presented and who is analyzing it.

In computer forensics, a forensics expert is in charge of protecting data integrity and
bringing forth stored data. In e-discovery, attorneys handle these processes. Digital
forensics also uses different software applications.

E-discovery firms also do not analyze the data they collect, nor do they determine the
intent of a user or provide legal advice -- as forensic experts do. Rather, e-discovery
gathers and organizes information for others to view.

Digital Evidence Collection in Cybersecurity

In the early 80s, PCs became more popular and easily accessible to the general
population. This also led to the increased use of computers in all fields, and criminal
activities were no exception. As more and more computer-related crimes began to
surface, such as computer fraud and software cracking, the computer forensics discipline
emerged along with them. Today digital evidence collection is used in the investigation of a
wide variety of crimes such as fraud, espionage, cyberstalking, etc. The knowledge of
forensic experts and their techniques is used to explain the contemporaneous state of the
digital artifacts from the seized evidence such as computer systems, storage devices (like
SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as
emails, images, documents, chat logs, phone logs, etc.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
• Data collection: In this process data is identified and collected for investigation.
• Examination: In the second step the collected data is examined carefully.
• Analysis: In this process, different tools and techniques are used and the collected
evidence is analyzed to reach a conclusion.
• Reporting: In this final step all the documentation and reports are compiled so that they
can be submitted in court.
Types of Collectible Data:
The computer investigators and experts who examine the seized devices have to
understand what kinds of potential evidence could be there and what type of
evidence they are looking for, so that they can structure their search pattern.
Crimes and criminal activities that involve computers can range across a wide spectrum;
they could go from trading illegal things such as rare and endangered animals, to damaging
intellectual property, to personal data theft, etc.
The investigator must pick the suitable tools to use during the analysis. Investigators can
encounter several problems while investigating a case: files may have been
deleted from the computer, they could be damaged, or they may even be encrypted, so the
investigator should be familiar with a variety of tools, methods, and software to
prevent the data from being damaged during the data recovery process.
There are two types of data that can be collected in a computer forensics investigation:
• Persistent data: This is data that is stored on a non-volatile storage
device such as a local hard drive or external storage devices like SSDs, HDDs, pen
drives, CDs, etc. The data on these devices is preserved even when the computer is
turned off.
• Volatile data: This is data that is stored in volatile memory such as
registers, cache or RAM, or that exists in transit, and that will be lost once the
computer is turned off or loses power. Since volatile data is evanescent, it is crucial
that an investigator knows how to reliably capture it.
Types of Evidence:
Collecting evidence is really important in any investigation to support the
claims in court. Below are some major types of evidence.
• Real Evidence: These pieces of evidence involve physical or tangible evidence such
as flash drives, hard drives, documents, etc. An eyewitness can also be considered
tangible evidence.
• Hearsay Evidence: These pieces of evidence are referred to as out-of-court
statements. These are made in courts to prove the truth of the matter.
• Original Evidence: These are the pieces of evidence of a statement that is made by a
person who is not a testifying witness. It is done in order to prove that the statement
was made rather than to prove its truth.
• Testimony: Testimony is when a witness takes an oath in a court of law and gives their
statement in court. The evidence presented should be authentic, accurate,
reliable, and admissible, as it can be challenged in court.
Challenges Faced During Digital Evidence Collection:
• Evidence should be handled with utmost care, as data is stored in electronic media and
it can get damaged easily.
• Collecting data from volatile storage.
• Recovering lost data.
• Ensuring the integrity of collected data.
Recovering information from devices as digital evidence in investigations
is becoming the fundamental ground for law enforcement and courts all around the
world. The methods used to extract information and evidence should be robust,
to ensure that all the related information and data is recovered and is reliable. The
methods must also be legally defensible, to ensure that the original pieces of evidence and
data have not been altered in any way and that no data was deleted from or added to the
original evidence.
EVIDENCE PRESERVATION

As the realm of the Internet, technology, and digital forensics constantly
expands, there is a need for you to become familiar with the ways they contribute
to preserving digital evidence. The fundamental importance of digital evidence
preservation is quite clear. Through this article, we want to highlight the
necessity to follow a series of steps in order to preserve digital evidence, as
even a small inattentive move could lead to a loss of evidence and the break of
a case.
In this article, we will be covering the following topics:
1. Top 11 Critical Steps in Preserving Digital Evidence.
2. Details You Should Plan To Share.
3. Three Methods to Preserve Digital Evidence.
4. Problems in Preserving Digital Evidence.
Let’s start discussing each section in detail.
Top 11 Critical Steps in Preserving Digital Evidence
In this section, we will be discussing the critical steps that need to be followed
to prevent loss of data before bringing it to the forensic experts. Time is highly
important in preserving digital evidence.
1. Do not change the current state of the device: If the device is OFF, it
must be kept OFF, and if the device is ON, it must be kept ON. Call a
forensics expert before doing anything.
2. Power down the device: In the case of mobile phones, if it is not charged,
do not charge it. If the mobile phone is ON, power it down to prevent
any data wiping or data overwriting due to automatic booting.
3. Do not leave the device in an open area or unsecured place: Ensure that
the device is not left unattended in an open area or unsecured area. You
need to document things like where the device is, who has access to the
device, and when it is moved.
4. Do not plug any external storage media into the device: Memory cards,
USB thumb drives, or any other storage media that you might have should
not be plugged into the device.
5. Do not copy anything to or from the device: Copying anything to or from
the device will cause changes in the slack space of the memory.
6. Take a picture of the piece of evidence: Make sure to take pictures of
the evidence from all sides. If it is a mobile phone, capture pictures from
all sides, to show that the device has not been tampered with until the forensic
experts arrive.
7. Make sure you know the PIN/password/pattern of the device: It is very
important for you to know the login credentials of the device and share them with
the forensic experts, so they can carry out their job seamlessly.
8. Do not open anything like pictures, applications, or files on the
device: Opening any application, file, or picture on the device may cause
loss of data or memory being overwritten.
9. Do not trust anyone without forensics training: Only a certified forensics
expert should be allowed to investigate or view the files on the original
device. Untrained persons may cause the deletion of data or the corruption
of important information.
10. Make sure you do not shut down the computer; if required, hibernate
it: Digital evidence can be extracted from both the disk drives and
the volatile memory, and hibernation mode will preserve the contents of the
volatile memory until the next system boot.
Details You Should Plan To Share
For the evidence to be professionally acquired by forensics investigators, the
device is either seized or a forensic copy is created at the site of the “crime”
scene. Key points to remember to speed up the process of preserving digital
evidence and ease the process for the authorities:
• Prepare yourself to share your authentication codes like screen patterns
and passwords.
• You may also need to share the device manuals, chargers and cables.
• Device interactions with the Internet can also be analyzed to build a complete
and most appropriate picture of overall activity.
• Have ownership of the device that you plan to submit to the police. In case
you do not have the authority or you’re not voluntarily submitting the device,
then the police may need to seize the device under their lawful
powers.
• It is easier to share external memory storage with the police than your devices,
instead of giving your phone away every time, so it is recommended
that you have an external memory configured for your phone.
• Regularly back up your phone data and retain copies of these backups for
future use. These will help you restore another handset or your phone if
need be at a later date, and can also help to log a trail of incidents.
Three Methods To Preserve Digital Evidence
In this section, we will discuss three methods that can be used by forensics
experts to preserve any evidence before starting the analysis phase.
1. Drive Imaging: Before forensic investigators begin analyzing evidence from
a source, they need to create an image of the evidence. Imaging a drive is a
forensic process in which an analyst creates a bit-by-bit duplicate of the
drive. When analyzing an image, forensic experts need to keep in mind the
following points:
• Even wiped drives can retain important and recoverable data to identify.
• Forensic experts can recover all deleted files using forensic techniques.
• Never perform forensic analysis on the original media. Always operate on
the duplicate image.
A piece of hardware or software that helps facilitate the legal defensibility of
a forensic image is a “write blocker”, which forensic investigators should use
to create the image for analysis.
2. Hash Values: When a forensic investigator creates an image of the
evidence for analysis, the process generates cryptographic hash values like
MD5, SHA1, etc. Hash Values are critical as:
 They are used to verify the Authenticity and Integrity of the image as an
exact replica of the original media.
 When admitting evidence in the court, hash values are critical as altering
even the smallest bit of data will generate a completely new hash value.
 When you perform any modifications like creating a new file or editing an
existing file on your computer, a new hash value is generated for that file.
 Hash value and other file metadata are not visible in a normal file explorer
window but analysts can access this information using special software.
If the hash values of the image and the original evidence do not match, it
may raise concerns in court that the evidence has been tampered with.
3. Chain of Custody: As forensic investigators collect media from the client
and transfer it, they should document all the steps conducted during the
transfer of media and the evidence on the Chain of Custody (CoC) forms
and capture signatures, date, and time upon the media handoff. It is
essential to conduct CoC paperwork due to the following reasons:
 CoC demonstrates that the image has been under known possession
since the time the image was created.
 Any lapse in the CoC nullifies the legal value of the image, and thus the
analysis.
 Any gaps in the procession record like any time the evidence was left
unattended in an open space or an unsecured location are problematic.
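The three steps above (a bit-for-bit image, hash values recorded at imaging time and re-checked later, and a chain-of-custody entry at each handoff) can be exercised with a short script. The following Python is an added example written for this section, not code from the page or from any forensic product; the file paths, exhibit id, handler name and the sample "device" contents are all constructed for the demo, and it stands in for a hardware write blocker only by opening the source read-only.

```python
"""Added example: image a source bit-for-bit while hashing it, verify the
image later against the recorded hashes, and keep a chain-of-custody log.
All paths, names and contents below are constructed for the demo."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # copy in 1 MiB chunks so large devices fit in memory


def image_source(src_path, img_path):
    """Copy src_path byte-for-byte to img_path. The hashes are computed over
    the very same stream that is written, so image and source hashes come
    from one pass over the evidence. The source is opened read-only."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    """Independently recompute MD5 and SHA-256 over an existing file."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(img_path, recorded):
    """True only if both recorded hashes still match the image on disk."""
    current = hash_file(img_path)
    return current["md5"] == recorded["md5"] and current["sha256"] == recorded["sha256"]


def coc_record(log_path, exhibit_id, action, handler, hashes):
    """Append one chain-of-custody entry (who, what, when, which hash) as a
    JSON line; an append-only log makes gaps in possession visible."""
    entry = {
        "exhibit": exhibit_id,
        "action": action,
        "handler": handler,
        "utc_time": datetime.now(timezone.utc).isoformat(),
        "md5": hashes["md5"],
        "sha256": hashes["sha256"],
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Image a constructed 'device', verify the image, then show that a
    single changed byte in the image is detected by re-verification."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence_device.bin")   # constructed source
    img = os.path.join(workdir, "EXHIBIT-001.dd")        # constructed image name
    log = os.path.join(workdir, "coc.jsonl")
    with open(src, "wb") as f:
        f.write(b"sample disk contents " * 5000)          # constructed contents
    hashes = image_source(src, img)
    coc_record(log, "EXHIBIT-001", "imaged", "analyst_a", hashes)
    intact = verify_image(img, hashes)
    with open(img, "r+b") as f:                           # simulate tampering
        f.seek(10)
        f.write(b"X")
    tampered = verify_image(img, hashes)
    return intact, tampered, hashes["bytes"]


if __name__ == "__main__":
    print(demo())
```

In practice the image is taken with a dedicated imager behind a write blocker; what the script shows is that the hashes must be produced in the same pass as the image, that verification recomputes them independently, and that the custody log ties each handoff to a handler, a timestamp and the hash under which the exhibit was held.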
Problems in Preserving Digital Evidence
In this section, we will discuss a few problems that are encountered while
preserving evidence.
• Legal Admissibility: The highest risk is legal admissibility. If the evidence
of a crime is a piece of digital media, it should be immediately quarantined
and put under the CoC; an investigator can create an image later.
• Evidence Destruction: If threat actors have installed an application
on a server, future forensic analysis will rely on that application still being
available and not deleted from the system.
• Media is still in Service: If the media is still in service, the risk of vital
evidence destruction grows with the amount of time that has elapsed since
the incident took place.

E-MAIL INVESTIGATION

Role of Email in Investigation

Emails play a very important role in business communications and have emerged as
one of the most important applications on the Internet. They are a convenient mode for
sending messages as well as documents, not only from computers but also from other
electronic gadgets such as mobile phones and tablets.
The negative side of emails is that criminals may leak important information about their
company through them. Hence, the role of emails in digital forensics has increased in recent
years. In digital forensics, emails are considered crucial evidence, and email header
analysis has become important for collecting evidence during the forensic process.
An investigator has the following goals while performing email forensics:
• To identify the main criminal
• To collect the necessary evidence
• To present the findings
• To build the case
Challenges in Email Forensics
Email forensics plays a very important role in investigations, as most communication
in the present era relies on email. However, an email forensic investigator may face the
following challenges during the investigation:

Fake Emails
The biggest challenge in email forensics is the use of fake emails that are created by
manipulating and scripting headers, etc. In this category criminals also use temporary
email, a service that allows a registered user to receive email at a temporary
address that expires after a certain time period.
Spoofing
Another challenge in email forensics is spoofing, in which criminals present an
email as someone else’s. In this case the receiving machine ends up with both the fake
and the original IP address.

Anonymous Re-emailing
Here, the email server strips identifying information from the email message before
forwarding it further. This is another big challenge for email investigations.

Techniques Used in Email Forensic Investigation

Email forensics is the study of the source and content of email as evidence, to identify the
actual sender and recipient of a message along with other information such as the
date/time of transmission and the intention of the sender. It involves investigating metadata,
port scanning as well as keyword searching.
Some of the common techniques which can be used for email forensic investigation are:

• Header Analysis
• Server Investigation
• Network Device Investigation
• Sender Mailer Fingerprints
• Software Embedded Identifiers
In the following sections, we are going to learn how to fetch information using Python for
the purpose of email investigation.
Extraction of Information from EML files
EML files are basically emails in file format, widely used for storing email
messages. They are structured text files that are compatible across multiple email
clients such as Microsoft Outlook, Outlook Express, and Windows Live Mail.
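As an added example (not code from the original page), the following Python uses the standard library's email package to read an EML file and pull out the headers an investigator looks at first: the From/To/Subject/Date/Message-ID fields, the Return-Path (envelope sender), and the Received chain walked from origin to inbox with the IP addresses each relay recorded. The message is constructed for the demo (documentation IP ranges and example domains); the envelope-versus-header domain comparison at the end is one of the first cues checked when spoofing is suspected.

```python
"""Added example: extract investigative header fields from an EML message
with Python's standard `email` package. The message is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: two Received hops (newest on top, as relays prepend
# them) and a From: header whose domain differs from the Return-Path.
SAMPLE_EML = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.net with ESMTP id abc123
\tfor <victim@example.net>; Mon, 01 Jan 2024 10:05:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.org with ESMTPA id xyz789; Mon, 01 Jan 2024 10:04:58 +0000
From: "Accounts" <billing@example.com>
To: victim@example.net
Subject: Invoice attached
Date: Mon, 01 Jan 2024 10:04:50 +0000
Message-ID: <20240101100450.1234@example.com>
Return-Path: <bounce@mailer.example>
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _hop(received_value):
    """Pull the 'from' host, the 'by' host and any IPv4 literals out of one
    Received: header (folding whitespace collapsed first)."""
    line = " ".join(str(received_value).split())
    m_from = re.search(r"\bfrom\s+(\S+)", line)
    m_by = re.search(r"\bby\s+(\S+)", line)
    ips = list(dict.fromkeys(IPV4_RE.findall(line)))  # de-duplicate, keep order
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": ips}


def parse_eml(text):
    """Return the header facts an investigator records for one message."""
    msg = message_from_string(text, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    # Each relay prepends its own Received: header, so the stored order runs
    # newest to oldest; reverse it to follow the message from origin to inbox.
    hops = [_hop(h) for h in reversed(msg.get_all("Received", []))]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "date": parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None,
        "message_id": str(msg.get("Message-ID", "")),
        # the first hop's address is the closest thing to the sender's IP
        "origin_ip": hops[0]["ips"][0] if hops and hops[0]["ips"] else None,
        "hops": hops,
        # a header From: domain that differs from the envelope sender is not
        # proof of spoofing (mailing services do this legitimately), but it is
        # the first thing to check against the SPF/DKIM results
        "envelope_mismatch": bool(from_domain) and from_domain != rp_domain,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_eml(SAMPLE_EML), indent=2, default=str))
```

Only the Received header added by your own receiving server can be trusted; earlier hops are written by whatever relay handled the message and can be forged, which is why the chain is read from the inbox backwards and cross-checked against the relay's own logs.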

What is email tracking?


Email tracking is an effective tool that allows you to evaluate the effectiveness of emails.
This allows professionals to measure the reaction of subscribers to specific messages and
the communication channel as a whole.

Imagine that you have been invited to give a lecture at a professional conference. But the
audience was behind the curtain. In such a situation, it is impossible to assess the
audience’s reaction.

The situation is similar with email. If you keep sending out emails and not seeing a
response from your subscribers, you’re not going to get anywhere.

Conversions may still happen, but using email tracking tools can be a much more
effective marketing process. You can see how customers respond to your emails using the
tools and services of your email service provider.

This will allow you to adjust your marketing strategy, increase the number of potential
customers, and create a stable and growing trend of exchanging orders through this
channel.

It’s important to understand that your email list is more than just a string of letters and
numbers. Some potential customers can make money for your business.

If they care about your product or service, you just have to inspire them more. If you
open the email tracking feature in your email, you can see what percentage of your email
subscribers are responding positively to your content.

For example, if only 5% of people open your email, you need to change your email
marketing strategy and maybe the content you put in your messages (the content should
be authentic and engaging).
It is important to pay attention to the key useful tools that can improve your email and the
speed of mail delivery.

Important benefits of the email tracking process
The biggest advantage of tracking is that it provides a complete picture of subscriber
behavior.

You can see how many users opened an email, when exactly they opened it, and how
their interaction changes with subsequent emails they receive from you.

The email tracking process allows you to create effective marketing templates that can be
used consistently to achieve specific business goals.

Marketers and entrepreneurs can send 3-5 welcome emails to new subscribers and see
which emails they respond to and which emails are opened the most.

This information can be used to improve your marketing strategy. Key benefits of
email tracking include:

• Track key metrics. This will allow you to see how your subscribers respond to your
emails. If you use this information correctly, you will be able to work with
your marketing channel much more effectively;

• A complete history of customer relations. For certain emails, you can monitor
changes in user behavior in relation to the marketing technique employed.

• Modern email tracking software saves time. Thanks to observation, you can
determine the best marketing business model and use it constantly to improve
the results of business activity;

• Space for experiments. You can try different ways to spread the word about
promotions, new product offers, or price reductions;

• Business growth indicators. Improving the effectiveness of your marketing
strategy leads to increased conversions, more orders received from customers,
and other important marketing indicators.
It is no exaggeration to say that without email tracking, certain marketing activities will
not be effective. Therefore, before starting active work, it is necessary to pay attention to
various important technical details.

How does the email tracking process work?


Not all marketers and managers take the time to understand exactly how the email
tracking process works. It is justified when there is no time and everything is fine, but
knowledge is needed for general development.

The essence of the email tracking process is the use of visitor identification tools. They are
integrated into the text of the message and help to record important information.

Most popular messaging platforms use this method. You can enable the tracking of open
letters in the settings of Gmail and Outlook mail services.

In addition to regular e-mails, analysis of mail services, and tracking tools, there is the
possibility of using Google Analytics and similar solutions.

This allows you to track clicks on links that are present in the text of the e-mail.

All modern tracking technologies have their own complex advantages and disadvantages,
so you need to choose the right solution for you.

You don’t need to contact the analytics service to check whether the recipient opened the
email or not. For almost any email, the basics are enough to give you email tracking
options.

If marketers and business owners don’t know what percentage of their subscribers are
using email, time is wasted. It should be noted that reading the email is important given
the current level of spam and other marketing emails.

Open tracking can be done via email, but it’s not an ideal solution for mass email
marketing. Professional email open-tracking software is recommended for such tasks.

There are other metrics to track. Focusing on just one metric doesn’t give you the full
picture of how effective your marketing channel is. Clicks are tracked with a special tag
attached to the URL.
If you have 5–10 links in your email, you can see which links your customers click on the
most and adjust your email accordingly to make your marketing strategy work
effectively.

Even if the email contains no products or offers, it still contains more than one URL. It
can be a review of transactions, an unsubscribe from a newsletter, or something else.
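The two mechanisms described above, an open-tracking image fetched when the message is rendered and click tracking through tagged links, leave recognisable traces in an email's HTML body. The following Python is an added example (not code from the page or from any tracking vendor) that scans an HTML body for both; the sample HTML and the list of tracking parameters are constructed for the demo.

```python
"""Added example: find open-tracking pixels and tagged links in the HTML
body of an email. Sample HTML and parameter list are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed body standing in for a marketing email: one normal logo, one
# 1x1 hidden image (open tracker), two tagged links and one plain link.
SAMPLE_HTML = """<html><body>
<p>Hello, see our latest offers.</p>
<a href="https://shop.example.com/offers?utm_source=newsletter&amp;utm_campaign=jan&amp;rid=a1b2c3">Offers</a>
<a href="https://shop.example.com/about">About us</a>
<img src="https://shop.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/o/a1b2c3.gif" width="1" height="1" style="display:none">
<a href="https://shop.example.com/unsubscribe?rid=a1b2c3">Unsubscribe</a>
</body></html>"""

# Query parameters commonly used to tag links per campaign or per recipient
# (a constructed watch-list; extend it with what you observe in practice).
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content",
                   "utm_term", "rid", "uid", "cid", "mc_eid", "email"}


class TrackerScanner(HTMLParser):
    """Collects remote images that look like open-tracking pixels and links
    whose query string carries tracking parameters."""

    def __init__(self):
        super().__init__()
        self.links = 0
        self.tagged_links = []
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            tiny = (a.get("width", "").strip() in ("0", "1")
                    or a.get("height", "").strip() in ("0", "1"))
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            # a remote image that is tiny or hidden has no visual purpose; its
            # only effect is the HTTP request made when the mail is opened
            if src.startswith(("http://", "https://")) and (tiny or hidden):
                self.pixels.append(src)
        elif tag == "a":
            href = a.get("href", "")
            if not href.startswith(("http://", "https://")):
                return
            self.links += 1
            params = set(parse_qs(urlparse(href).query))
            hits = sorted(params & TRACKING_PARAMS)
            if hits:
                self.tagged_links.append({"url": href, "params": hits})


def scan_html_email(html):
    """Return the tracking indicators found in one HTML email body."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "links": scanner.links,
        "tagged_links": scanner.tagged_links,
        "pixels": scanner.pixels,
        "open_tracking": bool(scanner.pixels),
        "click_tracking": bool(scanner.tagged_links),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_html_email(SAMPLE_HTML), indent=2))
```

A mail client that does not load remote images never triggers the open pixel, which is exactly why the text later notes that open rates are unreliable while click tracking, which needs the recipient to act, is not.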

Activity monitoring
Activity tracking refers to additional activities that allow you to receive additional signals
about the behavior of potential customers. This information can help you improve your
email marketing strategy.

For example, analytics systems can determine which devices are most often used to send
emails to customers. Since 95% of people use smartphones, it makes sense to focus on
mobile devices.

Today’s email-tracking services are constantly improving their key technical capabilities
and providing users with more email-tracking tools. Your mail delivery will be more
efficient.

Some trackers can monitor downloads and send notifications when subscribers perform
certain actions.

Most analytics services perform their work 100%, but it should be taken into account
that the reports may contain errors. The size of the possible error depends on how
correctly the tracking technology is implemented.

The error also grows with the percentage of users who have third-party tracking blocked.
Tracking clicks is reliable, but other metrics get tricky.

IP TRACKING

What is an IP address?
First things first, we need to understand what an IP address actually is, or how will we
know how to track it?
IP stands for internet protocol, which is basically a set of rules that dictates how data is
sent across the internet. This might sound complicated, but honestly, it’s just a posh
way of explaining how different devices (like your computer or mine) communicate.

To be able to communicate, the internet will identify the IP address of your device. Your
IP address is the number assigned to your piece of hardware that allows other devices
to identify it. This works the same whether you’re using a laptop, mobile or tablet.

Websites also have IP addresses. This means that when you’re visiting a website, your
device will exchange its own IP address with that of the site to ensure data can be sent
and received between the two. It’s just the same as when you’re making a phone call or
sending an email, you need to have the necessary data in place for it to work.

But don’t worry, there’s nothing you need to do or set up. All devices that use the
internet are already programmed to follow internet protocol so they know how to engage
with each other. This keeps the internet functioning the way we need it to. Clever.

This is also what makes IP tracking possible. Since IP addresses are fully accessible in
order to facilitate communication between devices, tracking tools can gather the
information they need to analyse and record future movements. In other words, identify
who you are as a visitor and recognise you as you move through your journey on a
website.

How does IP tracking work?


Now we know what makes IP tracking possible, how does it actually work?

For the best results we recommend using a strong tracking tool (like CANDDi, of
course) which can record, extract and analyse IP address data.
Identifying IP Addresses

As mentioned earlier, IP addresses are automatically identified every time you engage
with something on the internet. This allows IP trackers to easily collect the data they need
and record it for recognition of any further movements.

Recording is usually done through a JavaScript code that attaches onto the website’s IP
address. In doing so, the tracking tool can learn relevant information for website
analytics, as well as gathering the IP address data.

Extracting data

The next step is putting this recorded data to good use. Once the tracking tool has
identified and recorded the IP address of the website, it’s ready to start extracting and
analysing valuable, actionable data. Obviously, the validity of the data gained from a
tracking tool depends on their capabilities. If you’re using an advanced tool like
CANDDi, you’ll be able to monitor location, company name, individual visitor
information, key contact details and other firmographic information.

How? Well IP tracking tools tend to draw on information from various public databases.
This is something us techies like to call IP lookup.

IP lookup is a process that runs a reverse DNS lookup to find information related to the
IP address in question. DNS stands for Domain Name System, a system that essentially
translates domain names into IP addresses so internet browsers can load the relevant
resources. A reverse DNS does the opposite. It extracts the domain name or hostname
from an IP address.

So, how does this provide the tracking information? When a company registers a new
domain name, they have to provide the registrar with their contact details. This includes
business name, location, phone number, etc. This allows IP tracking tools to pull more
information on each IP address as it scours the internet’s databases. Since all domain
registrars have to maintain the information of their registrants, you’ll always be able to
figure out their domain name, their company, and their contact info! (as long as you
have their IP address).
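Before any reverse-DNS or registrar lookup it is worth checking whether the address can be attributed to an outside organisation at all: private, loopback, link-local and documentation ranges never resolve to a visitor's company, and an address seen behind NAT or a VPN identifies the gateway, not the person. The following Python is an added example (not CANDDi's code or any product's) that classifies an address, builds the PTR name a reverse lookup queries, and only asks DNS for global addresses; the addresses used are from the documentation ranges apart from one well-known public resolver.

```python
"""Added example: decide whether a visitor IP is attributable before doing a
reverse lookup, and build the PTR query name. Addresses are constructed
(documentation ranges) except the public resolver 8.8.8.8."""
import ipaddress
import socket


def classify_ip(ip_text):
    """Describe an address: version, scope, whether an outside lookup can
    attribute it to an organisation, and the PTR name a reverse lookup uses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        scope = "loopback"
    elif ip.is_link_local:
        scope = "link-local"
    elif ip.is_multicast:
        scope = "multicast"
    elif ip.is_private:
        # RFC 1918 / ULA space and the IANA special-purpose ranges (including
        # the documentation nets used in the test) all land here
        scope = "private/special-use"
    elif ip.is_global:
        scope = "global"
    else:
        scope = "reserved"
    return {
        "ip": str(ip),
        "version": ip.version,
        "scope": scope,
        "attributable": scope == "global",
        "ptr_name": ip.reverse_pointer,   # e.g. 1.2.0.192.in-addr.arpa
    }


def reverse_lookup(ip_text, timeout=2.0):
    """PTR lookup for global addresses only; None when the address is not
    attributable, has no PTR record, or the resolver is unreachable."""
    info = classify_ip(ip_text)
    if not info["attributable"]:
        return None
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(info["ip"])[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for addr in ("192.0.2.1", "10.0.0.1", "2001:db8::1", "8.8.8.8"):
        print(classify_ip(addr), reverse_lookup(addr))
```

Even for a global address the PTR record is set by whoever operates the network block, so a hostname such as a broadband provider's generic reverse name tells you the ISP, not the visitor's employer; the registrant data the text mentions comes from the RIR/WHOIS record for the block, which is a separate lookup.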

Cookies

So, you’ve now managed to figure out what an IP address is, how they can be tracked,
and what information you can get out of it. But what if you’re not ready for your tracking
to end there? If that’s the case, you need a tracking tool like CANDDi, that also uses
cookies.

If your IP tracking tool uses cookies, which are little nuggets of data that can store
information on your website behavior for a better user experience, then they’ll also be
able to link a website visitor’s browsing history to other data about you. This doesn’t
mean they’ll find out your dog’s name or what you had for dinner, but cookie tracking
does mean they recognise if you’re visiting a website for the first time or if you’re
returning for the fourth, fifth or hundredth time. Oh, as well as which specific pages you
visited.

E-MAIL RECOVERY

Where Do Emails Go After Deletion?

There are two types of email clients: web-based (Gmail, Yahoo, Hotmail, etc.) and
desktop-based (Thunderbird, Outlook, etc.). These email services provide functionality
whereby soft-deleted emails are placed in the trash folder. However, make sure not to
leave an email in the trash folder for a long time, because after 30 days these emails
are permanently removed from the trash folder by the Gmail email service provider.

But, the hard-deleted emails or Shift + Delete emails will not remain in the trash folder,
instead, this will delete the data permanently. In such instances, it’s difficult to recover
emails from the trash folder.

Thus, the location of deleted emails solely depends on the way you deleted them.
However, the question here is, can you recover them? If yes, then how?

Let’s have a look at some methods to restore deleted emails.

Manual Method for Email Recovery in Cyber Forensics
If the emails are deleted through soft deletion, then there’s a high chance of them being
in the trash folder. So, look into that folder first for recovering deleted emails. Here is an
example of how you can recover deleted emails from the trash folder in the Gmail email
client.

Step-1. Click on the “Trash folder” option in your email application.
Step-2. “Select” the desired message you want to restore.
Step-3. Click on the “Move” button.
Step-4. Select the desired location where you want to restore the deleted message.
So, if you have deleted your important Gmail emails accidentally and haven’t cleared
the trash folder, or 30 days have not yet passed, then you can easily recover
your emails from the trash folder of the Gmail application by following the above
method.

But, in case you deleted your emails from the trash permanently, or 30 days have
passed since you deleted the emails, then, it’s a matter of concern. But, don’t worry,
there is a Professional Email Forensics Tool available that can recover
deleted/permanently deleted emails effortlessly. Let’s find out what’s this tool and how
you can use it.

Best Solution for Email Recovery in Cyber Forensics

Sometimes, users who have accidentally deleted their important emails from the Gmail
application or any other email platform should know that their emails are not deleted
permanently. Instead, those emails are relocated to the trash folder or bin folder which
can be recovered easily.

But if the emails are permanently gone then the above-mentioned software comes to
the rescue.

This tool is specially designed to properly track emails and investigate email crimes.
And, recovering permanently deleted files is an integral part of the tool. That’s why, we
recommend you use MailXaminer software for the email recovery process in cyber
forensics.

The tool offers countless features to analyze emails. This email forensic tool supports
20+ email clients and 80+ email file types. In the next section, we will discuss how to
recover deleted or lost emails with the help of the most trusted tool for email
analysis/investigation.

Email Recovery in Cyber Forensics Using The Automated Software

To learn how to recover emails that have been lost or deleted, follow these steps using
the forensic tool. First, download and launch the software on your Desktop/Laptop. After
that, for forensic recovery of evidence, follow these simple steps:

Step-1. Create a new case to begin the investigation. For that, in the Cases screen
choose the option Create Case and fill in the required details related to the case.

Step-2. Now, add the evidential file into the software for scanning by clicking on
the Add New Evidence button.
Step-3. An Add Evidence window will then appear. Here, choose the email client.
Step-4. Then browse the evidence file using the Add File button and click Finish.
Step-5. After the file is scanned, go to the “Search” tab. Here, the software will preview
all the emails along with the deleted ones. The deleted emails will be highlighted in red
color through which users can easily find the deleted items.
Step-6. After adding the suspected file to the software, and identifying the deleted
emails, you can view the emails in different preview modes. Moreover, it allows
investigators to find precise information from the emails that helps in extracting the
evidence.
Step-7. Moreover, to view the deleted files separately, select the Deleted option from
the Standard Filters. It will show you all the recovered files separately.
Step-8. Further, if you want to save the data in your local system, select the emails and
click on the Export Selected Items option and choose the desired file format in which
you want to export the recovered lost emails.
Some Additional Features of the Tried and Tested Tool for Email Recovery

The software is proven to be one of the best tools in the market for email recovery in
cyber forensics. Here are some of the prime features of the tool.

• Capable of scanning and adding data files of 20+ email clients.
• Supports forensic hash algorithm analysis using MD5, SHA-1 and SHA-256
hash values.
• Facilitates a powerful search mechanism for a systematic email search of
suspected emails.
• Gives multiple export options to save files in different file formats.
• Magnificent link analysis can be performed to solve complex cases.

Time to Wind Up!

As you can see, there are manual as well as automated methods available to recover
lost or deleted emails. However, the manual method can recover only soft-deleted
emails which are present in the trash folder. But for the recovery of hard deleted emails
(SHIFT+DELETE), trustworthy forensic email recovery software is the relevant option
for you.

So, if you are one of those who lost their emails permanently or belong to the digital
forensics domain, try the software now and experience a smooth process.

Encryption is the process of converting a normal message (plaintext) into a
meaningless message (ciphertext), whereas decryption is the process of
converting the meaningless message (ciphertext) back into its original form
(plaintext). The major distinction between the two is that encryption is the
conversion of a message into an unintelligible form that cannot be read unless
it is decrypted, whereas decryption is the recovery of the original message from
the encrypted data.

Let’s see the difference between encryption and decryption:

S.NO | Encryption | Decryption
1. | Encryption is the process of converting a normal message into a meaningless message. | Decryption is the process of converting the meaningless message back into its original form.
2. | Encryption takes place at the sender’s end. | Decryption takes place at the receiver’s end.
3. | Its major task is to convert the plaintext into ciphertext. | Its main task is to convert the ciphertext into plaintext.
4. | Any message can be encrypted with either a secret key or a public key. | The encrypted message can be decrypted with either the secret key or the private key.
5. | In the encryption process, the sender sends the data to the receiver after encrypting it. | In the decryption process, the receiver receives the information (ciphertext) and converts it into plaintext.
6. | The same algorithm with the same key can be used for both encryption and decryption. | Alternatively, a single algorithm is used with a pair of keys, one for encryption and the other for decryption.
7. | Encryption is used to protect the confidentiality of data by converting it into an unreadable form that can only be read by authorized parties. | Decryption is used to reverse the encryption process and convert the ciphertext back into plaintext.
8. | The output of encryption is a ciphertext that is unintelligible to anyone who does not have the decryption key. | The output of decryption is the original plaintext message.
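To make the table concrete, here is an added Python example (not from the original page) of symmetric encryption and decryption built only from the standard library: sender and receiver share one secret key, the encryptor turns plaintext into a nonce, ciphertext and authentication tag, and the decryptor verifies the tag before recovering the plaintext, so a modified ciphertext or a wrong key is rejected rather than decrypted into garbage. The keystream and tag are built from HMAC-SHA256 as a teaching construction; a production system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a cryptographic library, and in either case a nonce must never be reused with the same key.

```python
"""Added example: authenticated symmetric encryption/decryption from the
standard library (HMAC-SHA256 counter-mode keystream + HMAC tag).
A teaching construction, not a standard cipher; keys/messages constructed."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master_key):
    """Derive separate keys for confidentiality and for integrity from one secret."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter mode: block i of the keystream = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key, plaintext, nonce=None):
    """Sender side: plaintext -> nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes and never reused with the same key")
    enc_key, mac_key = _subkeys(master_key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt(master_key, blob):
    """Receiver side: verify the tag first, only then undo the keystream."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Round trip with the shared key, then two failure cases."""
    key = os.urandom(32)                      # the shared secret key
    message = b"Transfer 100 to account 42"   # constructed plaintext
    blob = encrypt(key, message)
    round_trip_ok = decrypt(key, blob) == message
    flipped = bytearray(blob)
    flipped[NONCE_LEN + 9] ^= 0x01            # change one bit of the ciphertext
    try:
        decrypt(key, bytes(flipped))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        decrypt(os.urandom(32), blob)         # a receiver without the shared key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return round_trip_ok, tamper_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```

Rows 2, 3 and 5 of the table map directly onto encrypt() and decrypt(); row 6's first column is this case, where the same key serves both directions. The tag check is what turns "unintelligible to anyone without the key" into "also unalterable without the key", which a bare keystream XOR would not give you.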
Search and seizure orders along with preservation of evidence orders are often
approved by the court to ensure critical evidence is not destroyed. Using the element of
surprise, digital devices and data can be captured by forensic experts and preserved for
future proceedings.
Search orders within data theft investigations
Company data theft is a rising issue, and many companies have a zero-tolerance policy
to data theft and how this information is misused by an existing or newly formed
competitor. Companies have the power to go to court and request a search and seizure
order to retrieve digital evidence. These can be executed at both private properties and
the commercial premises of the new or existing competitor to determine what has been
stolen and ultimately how that stolen information may have been used.

The takeaway point is that individuals believe they can get away with copying files onto
a device, such as a USB stick, having no idea that it could lead to a number of forensic
professionals, backed with a court order, surprising you at your personal address to
seize and capture data from all your household devices. Upon further court
proceedings, the preserved data is then typically investigated to see if and how it has
been used for any potential competitive advantage within the marketplace.

If you are a company employing a new member of staff from a competitor who has
potentially stolen data, you as the business could find yourself as the respondent of a
court order for unknowingly using stolen data. It’s worth noting, however, that there
must be clear signs of data theft for a judge to approve the search order due to its
invasive process. Ultimately, it is the shock and awe of the search order experts which
stops the respondents from destroying incriminating data.

Stolen proprietary data could include:

• Client data lists
• Sales pipelines
• Tender applications
• Financial information
• Marketing collateral designs
• Blueprints and drawings
• Patents

Search and seizure experience

CYFOR are search and seizure experts with 20 years of experience in the collection of
data in such a manner. Due to the size and experience of our forensic team, we are
often instructed to collect all data onsite, typically at multiple locations concurrently.
Upon further instruction, we usually then process this data and set up the data for online
review.

Some examples of preservation and collection of data:

• CYFOR recently executed the search and seizure of over 200 exhibits, in a coordinated
operation involving 7 investigators across 5 locations for the duration of one week. The
forensically collected data was then processed and hosted for online review by the
relevant parties.
• CYFOR were instructed for the search and seizure of digital evidence relating to 75
custodians, as part of a £50M dispute between a local government body and a
construction firm.
• CYFOR were instructed to attend a commercial and private property relating to a new
business set up to compete with the individual’s ex-employer. Later court proceedings
demonstrated mass data theft.

Once a search and seizure order is issued, time is of the essence.
CYFOR’s search and seizure team is composed of internationally experienced,
security-cleared digital forensic investigators. We have the ability to be onsite at multiple
premises, with a team in the lab remotely accessing storage devices and email
accounts concurrently. Adhering to the Association of Chief Police Officers (ACPO)
Guidelines, all exhibits are retained in our forensic chain of custody with sealed
evidence bags and evidence listing forms. Our team provides a rapid response and
efficient service, ensuring the extraction, preservation and analysis of evidence is to the
highest standards in even the most pressurised situations, remaining on site until all
data is acquired.

Password cracking is one of the key phases of the hacking framework.

Password cracking is a way to recover passwords from data stored on or
transmitted by a computer or server. The motivation behind password cracking
may be to help a user recover from a failed authentication or a forgotten
password, to let system administrators proactively check for easily cracked
weak passwords, or, in the hands of an attacker, to gain unauthorized system
access.
Types of Password Attacks:
Password cracking is used both with and without legal standing to get past
access controls, for instance to recover a password the user has forgotten.
The attack classification depends on the attacker's activities, which are
ordinarily one of four types:
1. Non-Electronic Attacks –
This is most likely the attacker's first choice for obtaining the target system's
password. These kinds of password attacks need no technical skill or
knowledge of hacking or system exploitation; hence they are called
non-electronic attacks. Some strategies used to carry out these attacks are
social engineering, dumpster diving, shoulder surfing, and so on.
2. Active Online Attacks –
This is perhaps the most straightforward approach to obtaining unauthorized
administrator-level access to a server. To crack the passwords, the attacker must
communicate with the target machine, as that is required to reach the password
check. Some techniques used to carry out these attacks are dictionary attacks,
brute-forcing, password guessing, hash injection, phishing, LLMNR/NBT-NS
poisoning, use of Trojans/spyware/keyloggers, and so on.
3. Passive Online Attacks –
A passive attack is a deliberate attack that does not bring about any change to
the system. In these attacks the attacker does not have to interact with the
system; instead, he or she passively monitors or records the data passing over
the communication channel to and from the server, and then uses the captured
data to break into the system. Techniques used to perform passive online
attacks include replay attacks, wire sniffing, man-in-the-middle attacks, and so
on.
4. Offline Attacks –
Offline attacks are password attacks in which an attacker tries to recover
clear-text passwords from a password hash dump. These attacks are often
tedious but can be effective, as password hashes can be cracked thanks to
their smaller keyspace and more limited length. Attackers use precomputed
hashes from rainbow tables to perform offline and distributed network attacks.
Some of the best practices protecting against password cracking include:
1. Perform information security audits to monitor and track password attacks.
2. Do not reuse a similar password when changing passwords.
3. Do not share passwords.
4. Do not use passwords that can be found in a dictionary.
5. Do not use clear-text protocols or protocols with weak encryption.
6. Set the password change policy to 30 days.
7. Do not store passwords in an unsecured location.
8. Do not use any server's or computer's default passwords.
9. Unpatched computers can reset passwords during buffer overflow or Denial of
Service attacks. Keep the system updated.
10. Enable account lockout with a specific number of attempts, counter
reset time, and lockout duration. One of the best ways to manage passwords in
organizations is to set up automated password resets.
11. Ensure that the computer's or server's BIOS is protected with a password,
particularly on devices that are exposed to physical threats, for instance
servers and laptops.
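Several of the practices above (reject dictionary words, store passwords in a form that resists offline cracking of a hash dump, lock accounts after a number of failed attempts) can be implemented directly. The following Python is an added example written for this section, not code from the page; the word list, the PBKDF2 iteration count and the lockout parameters are illustrative choices for the demo.

```python
"""Added example: password policy check against a word list, salted slow
hashing for storage, and an account-lockout counter. The word list and the
parameters are illustrative, not taken from the page."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a dictionary / breached-password list; a real
# deployment loads a large list from a breach corpus.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "summer2024"}
SUFFIX_CHARS = "0123456789!@#$%^&*"


def check_password_policy(pw, min_len=12):
    """Return the list of policy violations (an empty list means accepted)."""
    problems = []
    lower = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if lower in COMMON_WORDS:
        problems.append("appears in the word list")
    base = lower.rstrip(SUFFIX_CHARS)        # 'Password1!' -> 'password'
    if base != lower and base in COMMON_WORDS:
        problems.append("word-list entry with digits/symbols appended")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def hash_password(pw):
    """Salted, deliberately slow hash for storage. A per-user random salt
    defeats precomputed (rainbow) tables and the iteration count makes each
    guess in an offline attack cost the attacker 600k hash operations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


class LockoutPolicy:
    """Account lockout: max_attempts failures inside the window lock the
    account until the oldest failure ages out of the window (practice 10)."""

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}    # user -> timestamps of recent failures

    def record_failure(self, user, now=None):
        now = time.time() if now is None else now
        self._failures.setdefault(user, []).append(now)

    def record_success(self, user):
        self._failures.pop(user, None)

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(user, []) if now - t < self.lockout_seconds]
        self._failures[user] = recent
        return len(recent) >= self.max_attempts


if __name__ == "__main__":
    print(check_password_policy("Password1!"))
    stored = hash_password("S3cure-Pass-phrase!")
    print(stored, verify_password("S3cure-Pass-phrase!", stored))
```

Lockout by itself only slows active online guessing; it does nothing against offline attacks on a stolen dump, which is why the slow salted hash and the word-list check are the practices that matter once a database has leaked.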
