Refresher Course on Cyber Forensic Investigation

for Law Enforcement

By: Rajaram Thakur


Digital Forensic Professional
Digital Forensic / Cyber Forensic Investigation is a POST-INCIDENT activity.

Cyber Forensics Incident Response


e-Discovery
It is the electronic aspect of identifying, collecting and producing electronically stored information in response to a request for production in a lawsuit or investigation.
CYBER FORENSIC ACTIVITIES

• Secure Collection
• Identification
• Examination
• Presentation
• Application
Cyber Forensic Investigation Process:

• Identification
• Seizure / Acquisition
- Imaging
- Integrity verification
• Analysis
• Documentation
- Report preparation
Digital Evidence Collection

Care must be taken to minimize the risk of contamination.

• Collect or seize the system(s)
• Create a forensic image
• Live or static acquisition?
• Do you own the system?
• What does your policy say?
Collecting Evidence:

• Always take detailed photos and notes of the evidence found.
• If the computer is “on”, take photos of what is displayed on the monitor.
  – DO NOT ALTER THE SCENE
• Make sure to take photos and notes of all connections to the computer and to other devices.
• Rule of Thumb: Always make 2 copies and don’t work from the original (if possible).
DIGITAL EVIDENCE

• INTANGIBLE
• VOLATILE
• FRAGILE
• REQUIRES SPECIAL TOOLS FOR COLLECTION, EXTRACTION AND PRESERVATION
There are some special problems too:

• Computer data changes moment by moment; even a single action on the system can change the data.
• Computer data can only be viewed after a few procedures.
• The process of collecting computer data may change it, in significant ways.
• Opening a file or printing it out is not always a neutral process.
• Computer and telecommunications technologies are always changing, so cyber/digital forensic processes can seldom be fixed for very long.
Email Investigation
Email Architecture
Email Investigation (Contd.)

Email Header Fields

Email Header
Sender's email software and the version used to create the message.
The steps - Email IP track

1. Go to View Menu » Message » Header.
2. Clicking on the header shows you all the information related to the sender; here you can see the IP of the sender, "66.220.144.152".
3. Copy that IP, open the command prompt and type: whois 66.220.155.165
4. When you press Enter, all the information about the IP is displayed.
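The header walk described in the steps above, as an added example that is not part of the original slides: it parses a constructed raw message, reads the Received: chain from the earliest hop up to recover the originating IP (the value you would then pass to whois), and records the sender software field and the From/Reply-To domain relationship. All hosts, addresses and IPs are constructed; the header names used (Received, From, Reply-To, X-Mailer) are standard mail headers, and the originating IP is only as trustworthy as the first hop that recorded it.

```python
import re
from email import message_from_bytes, policy

# Constructed sample message; hosts and IPs use RFC 5737 documentation ranges.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.com with ESMTP id abc123
    for <manager@example.com>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example.org ([198.51.100.7])
    by mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.example.org with SMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Client Name" <client@example.org>
Reply-To: client@example-payments.test
X-Mailer: ExampleMailer 1.0

Please wire the vendor payment today.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # IPv4 literals only


def received_ips(raw: bytes) -> list[str]:
    """Return the IP in each Received: 'from' clause, earliest hop first."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        line = " ".join(str(hdr).split())        # unfold and normalise whitespace
        from_clause = line.split(" by ", 1)[0]   # the host that handed the mail over
        match = IPV4_RE.search(from_clause)
        if match:
            hops.append(match.group(1))
    # Each MTA prepends its Received: header, so the last one is the first hop.
    hops.reverse()
    return hops


def header_summary(raw: bytes) -> dict:
    """Collect the fields an examiner records before running whois on the origin."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = received_ips(raw)
    from_addr = msg["From"].addresses[0].addr_spec.lower()
    reply_to = msg["Reply-To"] or msg["From"]        # Reply-To falls back to From
    reply_addr = reply_to.addresses[0].addr_spec.lower()
    return {
        "originating_ip": hops[0] if hops else None,  # the value step 3 passes to whois
        "hops": hops,
        "mailer": str(msg["X-Mailer"]),               # software and version used
        "from": from_addr,
        "reply_to_domain_differs": reply_addr.split("@")[-1] != from_addr.split("@")[-1],
    }
```

Received: headers below the first trusted hop can be forged by the sender, so only the hops added by your own or known mail servers are reliable evidence.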
Case Study

“One of the senior service managers working with an MNC received an email message from one of his clients requesting an immediate financial transaction: sending 1.25 Cr for a vendor payment. The received email carried exactly the client's original email address. As the client, who holds a prestigious designation and runs several business organizations, used to send such emails frequently, the officials started the procedure to send the amount to the concerned recipient, which proved fatal. The situation became worse when the client was found to know nothing of the request to send the amount as a vendor payment. After further analysis, it was clear that the suspect had carried out a whaling attack, in which they created the same email address so that the examiners would be doubtless while investigating the case.”
Thank You!

Connect with me on LinkedIn

https://www.linkedin.com/sudorat