Computer Forensics — Unit 1 & Unit 2: Detailed, Simple Explanations for Exam Preparation

Below is a detailed and simplified summary of every essential topic from both Unit 1 and Unit 2 of Computer Forensics, based entirely on your provided materials. Assignment and important questions are given high priority, and all possible exam questions are covered for maximum readiness.

UNIT 1: COMPUTER FORENSICS BASICS

1. What is Computer Forensics?

Definition:
Computer Forensics is the process of collecting, preserving, analyzing, and presenting evidence from computers or digital devices. It is also called digital forensics, electronic discovery, or computer analysis.

Key Points:
- Focuses on finding and analyzing digital evidence from various devices (hard disks, tapes, USBs, servers, etc.).
- Used in criminal cases (like fraud, child abuse), civil disputes (divorce, discrimination), HR cases (misconduct), and insurance matters.

Main Tasks Involved:
- Data recovery (finding deleted files)
- Preserving data integrity (not altering evidence)
- Analyzing user activities (what, when, and how things happened on a device)
- Presenting findings clearly in court

2. Application Areas of Computer Forensics

- Law Enforcement: To gather criminal evidence (drug records, financial fraud, pornography)
- Civil Litigation: To resolve disputes using records of emails, contracts, etc.
- Business/HR: To investigate employee misconduct, data theft, or policy violations
- Insurance: To check for fraud in claims
- Personal Cases: Individuals may use forensics in wrongful termination or harassment claims

3. Computer Forensics Services

- Data Seizure: Taking control of devices involved in a case.
- Data Duplication and Preservation: Making exact, unalterable copies of evidence.
- Data Recovery: Finding files that were deleted or damaged.
- Search & Analysis: Scanning for relevant files, keywords, emails, web activity.
- Expert Witness: Testifying in court about findings and technical processes.

4. Steps Taken by Computer Forensics Specialists

1. Protection: Ensure the original device is not altered, damaged, or infected during the investigation.
2. Discovery: Identify all files, including hidden or deleted ones.
3. Recovery: Restore deleted files/data.
4. Access: Enter protected or encrypted files.
5. Analysis Report: Present findings and analysis comprehensibly.
6. Testimony: Provide expert consultation or court testimony about evidence.

5. Types of Computer Forensics Technology

a) Military Computer Forensics
- Focus: Rapid evidence discovery, threat and impact estimation, tracking hidden or destroyed info, identifying criminals.
- Example: CFX-2000 framework — combines multiple forensic technologies for investigation.
- Advanced features: Steganography detection (finding hidden messages in images/audio/files).

b) Law Enforcement Forensics
- Focus: Secure evidence from criminals while preventing data alteration.
- Uses special tools like SafeBack for data mirroring.
- Documentation and proper processing standards are crucial.

c) Business Forensics
- Remote monitoring: Track user activity remotely (DIRT tools).
- Electronic document tracking: Traceable documents (BAIT tools).
- Theft Recovery: Software to locate stolen devices (PC PhoneHome).
- Basic Tools: Evidence acquisition, email tracing, password cracking, internet usage monitoring, etc.

6. Occurrence of Cybercrime

- When it happens: When technology is used to commit offenses—fraud, data sabotage, data theft, hacking, unauthorized access, use of viruses.
- How it is detected: Companies use risk management, IT policies, vendor forensic tools, and trained investigators.

7. Forensic Process Improvement

- Goals: To improve the steps of threat identification and response.
- Tools: dig, nslookup, whois (for tracing IPs), ping, traceroute (for tracking attack paths), the finger command, anonymous surfing, and USENET checks.
- Importance: Understanding the attacker helps improve security and defense.

UNIT 2: DIGITAL EVIDENCE & COLLECTION

1. Data Recovery — What, Why & How

Definition: Retrieving lost, deleted, or damaged data from devices.

Data Loss Causes
- Crashes, accidental deletion, reformatting, viruses, overwriting, sabotage.

Solutions
- Use advanced forensic tools for deep data recovery, even from damaged media.
- Backups: Schedule and ensure proper backups to avoid loss.
- Issues: Network bottlenecks, system limitations, costs, and the challenge of keeping data constantly available.

Best Practices
- Automate backups and recovery where possible.
- Use multiple, secure backups.
- Plan for disaster recovery (floods, fire, hacking, etc.).

2. Evidence Collection: Methods & Tips

Why Collect Evidence?
- To prevent future attacks, assign responsibility, and collect proof for justice or compensation.

Types of Evidence
- Real Evidence: Direct data (logs, files, emails) that stands on its own.
- Testimonial Evidence: Statements from witnesses.
- Hearsay: Indirect information (generally not accepted in court).

Rules for Digital Evidence (Admissibility)
- Admissible: Legally allowed in court.
- Authentic: Proven origin and link to the crime.
- Complete: Shows the full context, not just part of it.
- Reliable: Collected/analyzed using trustworthy methods.
- Believable: Clear to average people, not just experts.

3. Tips for Collecting Digital Evidence

- Don’t turn on or examine the computer before the proper steps are taken — doing so may destroy evidence.
- Isolate/quarantine the device.
- Secure all media (hard drives, USBs, network storage, backups).
- Use forensically sound tools that block any alteration of the evidence.
- Work from the most volatile evidence (RAM, cache) to the least volatile (disk, backups).
- Don’t use the suspect system directly; work on copies.
- Always document every step (photos, logs, dates, times).

4. Evidence Processing Steps

1. Shut down the device (as required; speed is key).
2. Document the hardware setup (take photos, label wires).
3. Transport to a secure place (avoid tampering).
4. Take bit-stream backups (a complete copy of the storage at the binary level) using special tools (SafeBack, SnapBack, IMDUMP).
5. Authenticate backups mathematically (use hash functions).
6. Document the system date/time (to match file timestamps).
7. Search for relevant keywords (to filter for case-specific evidence).
8. Examine swap files, file slack, and unallocated (deleted) space for extra traces.
9. List and review file names and creation dates.
10. Check encrypted, compressed, or unusual files manually when needed.
11. Document all findings clearly.
12. Retain copies of any tools/software versions used.
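
To make steps 4, 5, 7 and 8 concrete, here is an added example (not from the original notes or any of the tools named above) that builds a small "suspect disk" file, takes a block-by-block copy of it, authenticates the copy with SHA-256, and then searches the copy for keywords while reporting whether each hit lies in allocated data or in unallocated (deleted) space. The disk contents, file names and the version string are all constructed for the example; the plain block copy stands in for SafeBack, SnapBack or IMDUMP.

```python
"""Added example (not from the original notes): steps 4, 5, 7 and 8 of the
evidence-processing list run against a constructed disk image.

Assumptions: the "suspect disk" is a file we build ourselves; SafeBack,
SnapBack and IMDUMP are stood in for by a plain block-by-block copy."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # fixed block size, like dd bs=4096


def make_sample_image(path):
    """Write a constructed image: allocated file data followed by a region we
    treat as unallocated space that still holds the remains of a deleted note."""
    allocated = b"INVOICE 2024-03 total=4500 payee=ACME\x00" * 10
    unallocated = b"\x00" * 512 + b"DELETED: transfer to offshore account" + b"\x00" * 200
    with open(path, "wb") as f:
        f.write(allocated + unallocated)
    return len(allocated)  # byte offset where unallocated space begins


def bitstream_copy(src, dst):
    """Step 4: copy every byte, block by block, without mounting or interpreting
    any filesystem, so slack and unallocated space come along too."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK_SIZE), b""):
            fout.write(chunk)


def sha256_file(path):
    """Digest a file in blocks so large images don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def authenticate_copy(src, dst):
    """Step 5: the copy is usable as evidence only if its digest matches the original's."""
    return sha256_file(src) == sha256_file(dst)


def keyword_search(path, keywords, unallocated_start):
    """Steps 7-8: find each keyword anywhere in the image and note whether the
    hit sits in allocated data or in unallocated (deleted) space."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for kw in keywords:
        pos = data.find(kw)
        while pos >= 0:
            region = "unallocated" if pos >= unallocated_start else "allocated"
            hits.append((kw.decode(), pos, region))
            pos = data.find(kw, pos + 1)
    return hits


def process_evidence(workdir=None):
    """Run the four steps and return what an examiner would record in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = workdir or tmp
        original = os.path.join(workdir, "suspect_disk.bin")
        image = os.path.join(workdir, "suspect_disk.dd")
        unalloc_start = make_sample_image(original)
        bitstream_copy(original, image)
        return {
            "authenticated": authenticate_copy(original, image),
            "image_sha256": sha256_file(image),
            "hits": keyword_search(image, [b"ACME", b"offshore"], unalloc_start),
            # Step 12: record the tool version used (hypothetical version string)
            "tool": "bitstream_copy example 0.1 (hypothetical)",
        }


if __name__ == "__main__":
    for key, value in process_evidence().items():
        print(key, value)
```

The point to take from the output is that the "offshore" hit is found only because the copy was taken at the byte level: a normal file copy of the allocated invoice data would never have carried the deleted note along.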

5. Preserving the Digital Crime Scene

- Don’t use or boot the computer — files could be overwritten.
- Always make complete, bit-by-bit backups before checking content.
- Use dedicated tools for backup. Avoid normal backup tools (they may miss hidden or deleted data).

6. Legal Aspects of Collecting Evidence

- Chain of Custody: Keep a log of exactly when, how, and by whom evidence was handled, ensuring it wasn't altered.
- Always ensure backups are complete, reliable, and not tampered with.
- Document who reported the crime, when and why, as well as who handled the evidence at each stage.
- All steps and transfers of evidence must be logged, preferably under dual control during transport.
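
The chain-of-custody rules above can be checked mechanically. The following is an added example (not from the original notes): a custody log in which every entry records who handled the evidence, when, what they did, who witnessed it, and the evidence digest at that moment. Entries are hash-linked to each other and to the seizure digest, so a later edit to the log, a change to the evidence, or a transport without a second person all show up in verification. The exhibit names, officers and evidence bytes are constructed.

```python
"""Added example (not from the original notes): a hash-linked chain-of-custody
log. Evidence bytes, exhibit ids and people are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, evidence_bytes):
        self.evidence_id = evidence_id
        self.original_digest = sha256_hex(evidence_bytes)  # taken at seizure
        self.entries = []

    def record(self, actor, action, evidence_bytes, witness=None, when=None):
        """Append one handling event. prev_hash links it to the previous entry
        (or to the seizure digest for the first one)."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.original_digest
        entry = {
            "seq": len(self.entries) + 1,
            "time": when,
            "actor": actor,
            "witness": witness,        # second person present (dual control)
            "action": action,
            "evidence_sha256": sha256_hex(evidence_bytes),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = self.original_digest
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: log entry was modified")
            if e["prev_hash"] != prev:
                problems.append(f"entry {e['seq']}: link to previous entry broken")
            if e["evidence_sha256"] != self.original_digest:
                problems.append(f"entry {e['seq']}: evidence changed during '{e['action']}'")
            if e["action"] == "transport" and not e["witness"]:
                problems.append(f"entry {e['seq']}: transport without dual control")
            prev = e["entry_hash"]
        return problems


def demo():
    """Constructed scenario: a clean chain, then one where the image was altered
    and a transport happened without a second person present."""
    image = b"constructed disk image bytes"
    good = CustodyLog("EXHIBIT-01", image)
    good.record("Officer A", "seizure", image, witness="Officer B")
    good.record("Officer A", "transport", image, witness="Officer B")
    good.record("Examiner C", "imaging", image)

    bad = CustodyLog("EXHIBIT-02", image)
    bad.record("Officer A", "seizure", image, witness="Officer B")
    bad.record("Officer A", "transport", image)                  # nobody else present
    bad.record("Examiner C", "imaging", image + b" (altered)")   # digest no longer matches
    return good.verify(), bad.verify()


if __name__ == "__main__":
    intact, broken = demo()
    print("clean chain problems:", intact)
    print("bad chain problems:", broken)
```

Linking each entry to the previous one is what turns a plain handling log into something that can be defended in court: a tampered entry changes its own hash, which breaks the link every later entry carries.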

7. Methods of Evidence Collection

- Freezing the Scene: Take a system snapshot and copy all important data to removable media, verifying the copies with cryptographic digests (hashes).
- Honeypotting: Create dummy systems to lure attackers, observe their actions, and gather information without risking real systems.

8. Artifacts & Collection Steps

- Artifacts: Traces left by attackers (code fragments, trojans, logs).
- When collecting, never analyze artifacts on a compromised system — always transfer them to a clean system.

Steps to Follow:
1. Use a checklist to ensure all artifacts are collected
2. Filter out irrelevant data
3. Collect the most volatile data first
4. Document everything (timestamps, collection tool versions, hashes)
5. Avoid changing originals (work with forensic copies)
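
"Freezing the scene" from section 7 and the five artifact-collection steps above are the same procedure seen from two angles, so one added example (not from the original notes) covers both: it takes a set of constructed artifact sources standing in for a live host, keeps only what the case checklist asks for, collects in volatility order (RAM before disk before backups, as the notes say), digests each copy, and writes a manifest documenting what was taken, when, and with which tool. Later, on the clean analysis system, the copies are checked against the manifest. The source names, byte contents, the log line and the tool name are all constructed; the checklist deliberately asks for a "registry" artifact that is absent so the missing-item path is exercised.

```python
"""Added example (not from the original notes): freezing the scene and the
artifact checklist, run over constructed artifact sources. The volatility
ranking follows the notes; the tool name is a hypothetical placeholder."""
import hashlib
import json
from datetime import datetime, timezone

# Lower rank = more volatile = collect first.
VOLATILITY = {"memory": 0, "network_state": 1, "process_list": 2,
              "disk": 3, "logs": 4, "backups": 5}

# Constructed artifact sources standing in for a live, possibly compromised host.
SAMPLE_SOURCES = {
    "backups": b"tar archive from last week",
    "logs": b"Mar 01 10:02:11 host sshd[412]: Accepted password for svc from 203.0.113.9",
    "disk": b"filesystem image bytes",
    "process_list": b"PID 1337 /tmp/.x/updater",
    "memory": b"RAM capture bytes",
    "screensaver_cache": b"irrelevant to the case",   # not on the checklist
}

# What this case requires; 'registry' is deliberately absent from the sources.
CHECKLIST = ["memory", "process_list", "disk", "logs", "registry"]


def freeze_scene(sources, checklist, tool="freeze_example 0.1 (hypothetical)"):
    """Copy the checklist items in volatility order, digest each, and build a
    manifest that documents what was taken, when, and with which tool."""
    wanted = [name for name in sources if name in checklist]   # step 2: drop irrelevant data
    ordered = sorted(wanted, key=lambda n: VOLATILITY.get(n, 99))  # step 3: most volatile first
    manifest = {
        "frozen_at": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "items": [],
        "missing": [c for c in checklist if c not in sources],  # step 1: checklist gaps
    }
    copies = {}
    for order, name in enumerate(ordered, start=1):
        data = bytes(sources[name])          # step 5: work on a forensic copy
        copies[name] = data
        manifest["items"].append({           # step 4: document everything
            "order": order,
            "artifact": name,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return manifest, copies


def verify_copies(manifest, copies):
    """On the clean analysis system: confirm each copy still matches its digest."""
    return {item["artifact"]:
            hashlib.sha256(copies[item["artifact"]]).hexdigest() == item["sha256"]
            for item in manifest["items"]}


if __name__ == "__main__":
    manifest, copies = freeze_scene(SAMPLE_SOURCES, CHECKLIST)
    print(json.dumps(manifest, indent=2))
    print(verify_copies(manifest, copies))
```

The manifest is what gets carried to the clean system alongside the copies; because it names the tool version and a digest per artifact, it serves steps 4 and 5 of the list as well as the "cryptographic digests" part of freezing the scene.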

Key Summary Table: For Quick Revision

Topic                       | Key Points
----------------------------|-----------------------------------------------------------------------------------
Computer Forensics          | Digital evidence handling, analysis, presentation; used in legal/business/HR fields
Application Areas           | Law enforcement, litigation, business, insurance, individuals
Steps by Specialist         | Protect, discover, recover, access, analyze, report, testify
Types of Forensics Tech     | Military (rapid evidence, CFX-2000, steganography), Law enforcement, Business (monitoring)
Data Recovery               | Retrieving lost/deleted data, use of backups, advanced tools
Rules for Evidence          | Admissible, authentic, complete, reliable, believable
Tips for Collection         | Don’t turn on device, isolate, secure media, proper tools, document everything
Evidence Processing Steps   | Backup, authentication, keyword search, analyze volatile data first
Preserving Scene            | No booting or programs on target, full backups, minimal contamination
Legal Aspects               | Chain of custody, full documentation, adhere to national laws
Evidence Collection Methods | Freezing, honeypotting, cryptographic checks, checklist
Artifacts                   | Traces left by attacker, collect/analyze on clean systems, document all steps

Pro-Tips for Exam

- Use diagrams/flowcharts to explain process steps (collection, analysis, legal chain).
- Always mention documentation (photos, logs), backup methods, and legal compliance.
- When asked about evidence, stress “do not alter the original,” hash verification, and chain of custody.
- Forensics covers both proactive (prevention, monitoring) and reactive (collect, analyze, prosecute) steps.

This coverage will enable you to tackle any question from your assignment sheets, important question sheets, or your exam syllabus in a clear, detailed, and easy-to-understand manner. If you want diagrams or flowcharts for any specific topic, let me know!