1 of 42

20IT84-Cyber Security & Digital Forensics

B.Tech. (OPEN ELECTIVES)

By

Mrs. T. KARUNA LATHA,

Assistant Professor,

Dept. of IT,

LBRCE.

2 of 42

UNIT-IV Contents

  • Introduction to Digital Evidence
  • Evidence Collection Procedure
  • Sources of Evidence
  • Operating Systems and their Boot Processes
  • File System
  • Windows Registry
  • Windows Artifacts, LINUX Artifact and Browser Artifact
  • Digital Evidence on the Internet
  • Challenges with Digital Evidence

3 of 42

What is Digital Evidence?

  • Any information stored or transmitted electronically that can be used in a court of law.
  • Includes data on computers, smartphones, tablets, external hard drives, and other digital devices.
  • Can be used to prove or disprove a crime, or to support a civil case.

4 of 42

Characteristics of Digital Evidence

Volatile: Can be easily altered or destroyed.

Malleable: Can be easily copied, modified, or deleted.

Ubiquitous: Exists in many forms and can be located on various devices.

Invisible: May be hidden or require specialized tools to be accessed.

5 of 42

Why is Digital Evidence Collection Important?

To preserve the integrity of the evidence.

To ensure acceptability in court.

To reconstruct the events of a crime or incident.

To identify potential suspects or witnesses.

6 of 42

Digital evidence can be broadly categorized into two groups based on its source:

  1. Evidence from Data at Rest: This type of evidence is obtained from any device that stores digital information. Examples include:
    • Information stored on computers, mobile devices, or other storage media.
    • Digital photographs, videos, documents, and files stored on electronic devices.
  2. Data Intercepted While Being Transmitted: This category includes evidence obtained through the interception of data transmission and communications. Sources of this type of evidence include:
    • Internet communications such as emails, message boards, chat rooms, and file sharing networks.
    • Information collected from intercepted communications during transmission.

7 of 42

2 July 2025

8 of 42
9 of 42

Handling Evidence from Specific Sources

    • Computers (hard drives, RAM, flash drives)
    • Mobile Devices
    • Network devices (routers, switches)
    • Social media
    • Internet of Things (IoT)
    • Infotainment and Telematics Systems
    • Email
    • Peer to Peer (P2P) file sharing
    • Embedded systems (cameras, gaming consoles)

10 of 42

Digital forensics tools

Digital forensics tools play a crucial role in investigations by aiding in the recovery, analysis, and preservation of digital evidence. Here are some commonly used tools in digital forensics:

  • Cellebrite: Known for mobile forensics, offering support for various mobile devices and advanced data extraction capabilities.
  • Magnet Axiom: Used for high-level analysis of computer, mobile, cloud, and vehicle data, featuring automation and an accessible user interface.
  • Velociraptor: An open-source tool designed for internal security teams to gather evidence across all endpoints rapidly.

11 of 42

Digital forensics tools

  • Wireshark: An open-source network analysis tool that can show network packets sent and received by a device, aiding in analyzing network traffic.
  • X-Ways Forensics: A tool for in-depth manual analysis with advanced features for disk analysis and drive content examination.

Other notable digital forensics tools include Autopsy, FTK (Forensic Toolkit), Sleuth Kit, VIP 2.0 (Video Investigation Portable), and more.

12 of 42

Operating Systems and their Boot Processes in Digital Forensics

  • Operating systems play a crucial role in the digital forensics process, especially when dealing with evidence from computers, smartphones, or any other digital devices. Understanding the boot process of different operating systems is essential for forensic investigators to gather evidence effectively. The following slides give an overview of the boot processes of some common operating systems.

13 of 42

Operating Systems and their Boot Processes in Digital Forensics

Understanding the boot process of different operating systems is crucial in digital forensics. It helps investigators:

  • Preserve digital evidence: By understanding the sequence of events during boot up, investigators can ensure they acquire a complete and unaltered copy of the evidence.
  • Identify potential tampering: The boot process can reveal signs of tampering, such as attempts to modify the system or hide evidence.
  • Recover deleted or hidden data: The boot process can sometimes leave traces of data that has been deleted or hidden, which can be helpful in an investigation.

14 of 42

Common Boot Process Stages

While the specifics may differ between operating systems, the general stages of the boot process are:

  1. Power On Self Test (POST): The system performs a series of checks to ensure the hardware is functioning correctly.
  2. BIOS/UEFI Initialization: The Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) initializes the hardware and locates the boot loader.
  3. Boot Loader: The boot loader locates and loads the operating system kernel.
  4. Kernel Initialization: The kernel initializes core system components like memory management, device drivers, and process management.
  5. Init Process: The init process (or its equivalent) starts essential system services and user login.

15 of 42

Popular Operating Systems and their Boot Processes

Windows:

  • Utilizes BIOS or UEFI for hardware initialization.
  • The Master Boot Record (MBR) or GPT (GUID Partition Table) on the storage device points to the boot loader.
  • The boot loader (usually Boot Manager) locates and loads the Windows kernel.
  • The kernel initializes device drivers and starts core services.
  • The Services Control Manager (SCM) starts additional system services.
  • The Winlogon process handles user login and session management.

16 of 42

Popular Operating Systems and their Boot Processes

Linux:

  • Similar to Windows, it uses BIOS or UEFI for hardware initialization.
  • The boot loader (often GRUB) is located in the boot sector of the first partition.
  • The boot loader displays a menu allowing the user to choose the kernel to boot.
  • The chosen kernel initializes and loads essential system components.
  • The init process (usually systemd) starts essential services and spawns a login shell.

17 of 42

File System in Digital Evidence

The file system is a critical component in digital forensics investigations. It acts as the organizer and keeper of digital evidence on storage devices like hard drives, solid-state drives, and memory cards. Understanding file systems empowers investigators to:

  1. Locate and Analyze Evidence: The file system structures and stores data, allowing investigators to navigate and locate relevant files, folders, and digital artifacts like documents, pictures, videos, and emails.
  2. Utilize Metadata: Each file and folder within the system holds metadata, which is like a digital record of its history. This metadata includes creation date, modification time, access timestamps, and ownership information. By analyzing this data, investigators can reconstruct timelines of activity, identify user interactions, and understand potential modifications.
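As an added example (not from the lecture), the following Python script shows how the file metadata described in point 2 is turned into a timeline: it records access, modification and status-change timestamps plus owner and mode for every file under a directory and orders the events chronologically. The directory tree and its timestamps are constructed inside the script so that it runs offline.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Added example: build an activity timeline from per-file metadata.
# The sample tree and its timestamps are constructed here (not real evidence).

def build_sample_tree(root):
    """Create three files and set their access/modification times explicitly."""
    # (relative path, content, atime, mtime) as Unix epoch seconds; constructed values
    samples = [
        ("docs/report.docx", b"report", 1_700_000_600, 1_700_000_000),
        ("docs/notes.txt",   b"notes",  1_700_003_600, 1_700_001_800),
        ("images/cam01.jpg", b"jpeg",   1_700_000_900, 1_700_000_300),
    ]
    for rel, data, atime, mtime in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (atime, mtime))   # only atime/mtime can be set; ctime is kernel-managed

def collect_metadata(root):
    """Walk root and return one record per regular file with timestamps, size, owner and mode."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "uid": st.st_uid,
                "mode": stat.filemode(st.st_mode),
                "atime": st.st_atime,     # last access
                "mtime": st.st_mtime,     # last content modification
                "ctime": st.st_ctime,     # inode/metadata change on Unix, creation time on Windows
            })
    return records

def build_timeline(records, kinds=("mtime", "atime", "ctime")):
    """Flatten records into (timestamp, event kind, path) tuples in chronological order."""
    events = [(rec[kind], kind, rec["path"]) for rec in records for kind in kinds]
    events.sort()
    return events

def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def run_demo():
    """Build the constructed tree in a temp dir and return (records, mtime/atime timeline)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        records = collect_metadata(root)
    return records, build_timeline(records, kinds=("mtime", "atime"))

if __name__ == "__main__":
    for ts, kind, path in run_demo()[1]:
        print(f"{fmt(ts)}  {kind:5}  {path}")
```

On a real image the same walk is run over a read-only mount of the acquired copy, never the original device, so that the access timestamps being collected are not overwritten by the examination itself.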

18 of 42

File System in Digital Evidence

  3. Uncover Hidden Traces: Even when attempts are made to erase data, the file system can still hold traces of its existence. Deleted files, fragmented data remnants, and changes to file attributes can leave behind footprints within the system. Analyzing these traces allows investigators to potentially recover deleted data or uncover hidden information that might be crucial for the investigation.
  4. Prioritize Data Sources: Depending on the case, the file system might be the primary or secondary source of evidence. For instance, in situations involving data deletion or modification, the file system becomes the crucial source. However, for network intrusion investigations, network traffic and logs might take precedence.

19 of 42

Types of File Systems

There are various types of file systems, each with its own structure and functionalities. Understanding the specific file system used by the device under investigation is essential for effective analysis. Here are some common types:

    • NTFS (New Technology File System): The primary file system for Windows operating systems, known for its features like file permissions, journaling, and data recovery capabilities.
    • FAT (File Allocation Table): An older file system often used in earlier versions of Windows and other operating systems. It is simpler than NTFS but has limitations in file size and security features.
    • EXT (Extended File System): Popular in Linux-based systems, known for its journaling capabilities and support for large file sizes.
    • HFS+ (Hierarchical File System Plus): Used in macOS, known for its journaling, user permissions, and case-sensitivity features.
    • APFS (Apple File System): Introduced in newer versions of macOS, known for its encryption capabilities, space optimization, and improved performance.

20 of 42

Challenges and Considerations:

  • Different operating systems utilize diverse file systems, each with its own structure and characteristics.
  • Understanding the specific file system of the device under investigation is crucial for accurate analysis.
  • File systems can be fragmented due to deletions and modifications, making data recovery and analysis more complex.

21 of 42

What is the Windows Registry?

    • The Windows registry is an invaluable source of forensic artifacts for digital forensics examiners and analysts.
    • It serves as a substitute for the .INI files used in Windows 3.1.
    • The registry is a binary, hierarchical database that contains configuration settings and data for both the operating system (OS) and various applications that rely on it.
    • While users typically don’t interact directly with the registry, it plays a crucial role in enhancing the user experience during interactions with the system.
    • System administrators can directly interact with the registry using regedit.exe, the built-in registry editor in Windows.

22 of 42

Structure of the Windows Registry

    • The registry appears as a familiar folder-based structure when viewed through the registry editor.
    • However, this structure is an abstraction designed for ease of use.
    • The actual registry is a complex hierarchy of keys, subkeys, and values.
    • Some key components include:
      • Hives: Logical groupings of keys (e.g., HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER).
      • Keys: Containers for subkeys and values.
      • Values: Data stored within keys (e.g., configuration settings, user-specific data).

23 of 42

Forensic Significance

    • The registry holds critical information related to system configuration, user profiles, installed software, and more.
    • Examiners can extract valuable evidence from the registry, including:
      • User-specific data: User accounts, login history, and preferences.
      • Software installations: Details about installed applications.
      • Recent documents: Lists of recently accessed files.
      • Network settings: Information about network connections.
      • USB device history: Records of connected USB devices.

24 of 42

Tools

    • In real-world cases, the registry has proven instrumental in prosecuting suspects.
    • Open-source tools like RegRipper and Registry Explorer aid examiners in analysing registry artifacts.

25 of 42

Windows Artifacts: Uncovering Clues in Digital Investigations

Within the vast world of digital forensics, Windows artifacts play a critical role in uncovering evidence and piecing together the puzzle of an investigation. These artifacts are essentially digital traces left behind by various activities on a Windows system. They can be found in various locations and formats, offering valuable insights into:

  • User activity: What applications were used, what files were accessed, and when?
  • System changes: Were there hardware or software modifications?
  • Potential malicious activity: Did any malware attempt to tamper with the system?
  • System state: What was the configuration of the system at a specific point in time?

26 of 42

Key categories of Windows artifacts that investigators often examine

  • Registry: As mentioned earlier, the Windows Registry serves as a treasure trove of information, storing configuration settings, user preferences, and system details. Analyzing registry keys and values can reveal user activity, system changes, and potential signs of malicious activity.
  • Event Logs: The system logs various events related to security, applications, system startup, and shut down. These logs can provide a chronological record of activity and potential issues that occurred on the system.

27 of 42

Key categories of Windows artifacts that investigators often examine

  • Recycle Bin and Deleted Files: While deleted files might not be readily visible, remnants and metadata can sometimes be retrieved from the Recycle Bin or unallocated space on the storage device, potentially revealing deleted information.
  • Web Browsing History: Browsing history and associated cache files can offer insights into websites visited, searches conducted, and downloaded files, helping to understand user online activity.

28 of 42

Key categories of Windows artifacts that investigators often examine

  • Temporary Files and Internet Cache: Temporary files and internet cache can hold remnants of downloaded data, web pages visited, and other online activities, even if the user attempted to clear their browsing history.
  • Scheduled Tasks: Scheduled tasks can reveal automated actions intended to run at specific times, potentially providing clues about system administration, malware persistence, or other automated activities.
  • User Accounts and Profiles: User accounts and associated profiles contain information about user activities, preferences, and potentially accessed files, offering further insights into user behavior.

29 of 42

Other Windows Artifacts:

  • RAM Artifacts: Dumped RAM contains evidence like usernames, passwords, and visited URLs.
  • Hiber File (hiberfil.sys): Provides data on played songs, opened images, and movies.
  • Page File and Swap File: Also yield valuable information during investigations.

30 of 42

Browser artifacts

Browser artifacts are significant sources of digital evidence in forensic investigations, as web browsers are among the most frequently used applications on computing devices. They store a wealth of information about user activities, including browsing history, bookmarks, cookies, download history, form data, and cached web content. Analyzing browser artifacts can provide valuable insights into user behavior, online activities, visited websites, and interactions with web-based services. Here are some common types of browser artifacts and their relevance in digital evidence analysis:

  • Browsing History: Browsers maintain a record of URLs visited by the user, along with timestamps and visit frequencies. Examining browsing history can reveal websites accessed by the user, search queries entered, and the chronological sequence of web browsing activities.

31 of 42

Browser artifacts

  • Bookmarks/Favorites: Users often bookmark web pages of interest for future reference. Bookmark data stored by browsers can provide insights into the user's preferences, interests, and frequently visited websites.
  • Cookies: Cookies are small pieces of data stored by websites on the user's device to track user sessions, preferences, and authentication tokens. Analyzing cookies can reveal websites visited, user logins, online purchases, and interactions with web applications.
  • Download History: Browsers maintain a log of files downloaded by the user, including file names, download sources, and download timestamps. Download history can help investigators identify downloaded files, sources of potentially malicious content, and activities related to file sharing.

32 of 42

Browser artifacts

  • Form Autofill Data: Browsers may store autofill data for web forms, including login credentials, contact information, and payment details. Analyzing autofill data can provide insights into the user's online accounts, identities, and transactions.
  • Cache: Browsers cache web content, such as images, scripts, and HTML files, to improve performance and reduce load times. Cached content can contain remnants of visited websites, including text, images, and multimedia files, even after the user has cleared their browsing history.
  • Session Restore Data: Some browsers store session restore data, allowing users to reopen previously opened tabs or windows after a browser restart or system crash. Session restore data can provide information about active browsing sessions, open web pages, and user interactions at the time of the event.

33 of 42

Browser artifacts

  • Extensions/Add-ons: Browser extensions and add-ons may store configuration settings, usage statistics, and user preferences. Analyzing extension artifacts can reveal installed browser extensions, their functionalities, and user interactions with extension features.
  • Sync Data: Modern browsers often offer synchronization features that allow users to sync their browsing data across multiple devices. Synced data may include browsing history, bookmarks, passwords, and open tabs, providing a comprehensive view of the user's online activities.

34 of 42

Top Web Browser Activity Artifacts for Android

Chrome Browser Data:

      • /data/data/com.android.chrome/app_chrome/Default/Web Data
      • /data/data/com.android.chrome/app_chrome/Default/Cookies
      • /data/data/com.android.chrome/app_chrome/Default/Favicons
      • /data/data/com.android.chrome/app_chrome/Default/History
      • /data/data/com.android.chrome/cache/Cache/
      • /data/data/com.android.chrome/app_chrome/Default/Top Sites
      • /data/data/com.android.chrome/app_chrome/Default/Sync Data/SyncData.sqlite3
      • /data/data/com.android.chrome/app_tabs/custom_tabs/
      • /data/data/com.google.android.captiveportallogin/app_webview/Default/Cookies
      • /data/com.android.browser/browser.db
      • /dbdata/databases/com.android.browser/browser.db
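The browsing-history artifact described on the earlier slides lives, for Chrome, in the SQLite "History" database listed above. The following Python script is an added example (not from the lecture or from any tool it names) that reads visits from such a database; it creates a constructed copy of a subset of Chrome's real urls/visits schema so it runs offline, and it shows the conversion practitioners most often get wrong: Chrome timestamps are microseconds since 1601-01-01 (the WebKit epoch), not Unix time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Added example: parse a Chrome-style History database.
# Schema subset follows Chrome's real urls/visits tables; sample rows are constructed.

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    """Convert a WebKit/Chrome microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    """Inverse conversion; integer division keeps full microsecond precision."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

# Well-known offset between the WebKit and Unix epochs: 11,644,473,600 seconds.
UNIX_EPOCH_WEBKIT_US = datetime_to_webkit(datetime(1970, 1, 1, tzinfo=timezone.utc))

def build_sample_history(path=":memory:"):
    """Constructed sample: minimal urls/visits tables with three visits (constructed data)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                           visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,
                           last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER NOT NULL,
                             visit_time INTEGER NOT NULL, from_visit INTEGER, transition INTEGER);
    """)
    t0 = datetime_to_webkit(datetime(2025, 7, 2, 9, 30, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.org/", "Example Domain", 2, 1, t0 + 120_000_000, 0),
        (2, "https://example.org/login", "Sign in", 1, 0, t0 + 60_000_000, 0),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 1),                   # typed URL
        (2, 2, t0 + 60_000_000, 1, 0),      # from_visit=1: reached via a link from visit 1
        (3, 1, t0 + 120_000_000, 2, 0),
    ])
    con.commit()
    return con

def visits_in_order(con):
    """Join visits to urls; return (UTC datetime, url, title, from_visit) in time order."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_datetime(t), url, title, frm) for t, url, title, frm in rows]

if __name__ == "__main__":
    # On a real case, open a *copy* of the History file: the live one may be locked or in use.
    con = build_sample_history()
    for when, url, title, frm in visits_in_order(con):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {url}  ({title})  from_visit={frm}")
```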

35 of 42

Linux artifacts 

Linux artifacts serve as vital pieces of evidence scattered across a Linux system, providing valuable insights into user activity, system configuration, and potential security concerns. These digital traces hold the key to reconstructing events and uncovering information that might otherwise remain hidden.

Here are some key categories of Linux artifacts frequently examined by investigators:

1. User and Group Information:

  • /etc/passwd and /etc/shadow: These files contain information about user accounts, including usernames, encrypted password hashes, and group memberships. This information is crucial for identifying users, understanding their access privileges, and potentially detecting unauthorized accounts.

2. System Logs:

  • /var/log/ directory: This directory houses various system logs, including security logs (e.g., /var/log/auth.log), application logs (specific to individual applications), and system logs (e.g., /var/log/syslog). Analyzing these logs can reveal system events, login attempts, security incidents, application errors, and potential malicious activity.
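As an added example (not from the lecture), the Python below applies two checks from the categories above to constructed copies of the artifacts: it flags accounts in /etc/passwd that share UID 0 with root, and it summarises SSH login attempts in /var/log/auth.log per source address, marking any address that succeeded after earlier failures. The passwd and log lines are embedded and constructed; on an acquired system the functions are pointed at the real files.

```python
import re
from collections import Counter

# Added example: simple checks over /etc/passwd and /var/log/auth.log.
# All input below is constructed for the example (addresses are documentation ranges).

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""

SAMPLE_AUTH_LOG = """\
Jul  2 09:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  2 09:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul  2 09:14:05 host sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul  2 09:14:09 host sshd[2107]: Accepted password for alice from 198.51.100.5 port 40110 ssh2
Jul  2 09:15:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Jul  2 09:16:02 host sshd[2110]: Accepted publickey for alice from 203.0.113.7 port 51030 ssh2
"""

def suspicious_passwd_entries(text):
    """Return accounts other than root that carry UID 0 (a planted-account indicator)."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        if uid == "0" and name != "root":
            hits.append({"name": name, "home": home, "shell": shell})
    return hits

# Matches the classic sshd "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" line.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize_ssh_logins(text):
    """Count failures per source IP, list accepted logins, flag IPs that succeeded after failing."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue                       # sudo, cron, PAM lines etc. are skipped here
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            accepted.append((m["ts"], m["user"], m["ip"], m["method"]))
    flagged = sorted({ip for _, _, ip, _ in accepted if failed[ip] > 0})
    return {"failed_by_ip": dict(failed), "accepted": accepted, "success_after_failures": flagged}

if __name__ == "__main__":
    print("UID-0 accounts besides root:", suspicious_passwd_entries(SAMPLE_PASSWD))
    print(summarize_ssh_logins(SAMPLE_AUTH_LOG))
```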

36 of 42

Linux artifacts 

3. Shell History:

  • User home directories (e.g., ~/.bash_history, ~/.zsh_history): These files record the history of commands executed by the user. Examining the shell history can provide insights into user activity, identify frequently used commands, and potentially reveal attempts to conceal commands by deleting entries.

4. Process Information:

  • /proc directory: This virtual directory offers real-time information about running processes on the system. Analyzing processes can reveal resource usage, identify running applications, and potentially detect suspicious processes related to malware or unauthorized activity.

5. File System Metadata:

  • Tools like df and mount: These tools provide information about mounted file systems, including disk space usage, file system type, and mount points. This information can help investigators identify connected storage devices, understand file system organization, and potentially locate hidden partitions or data.

37 of 42

Linux artifacts 

6. Network Artifacts:

  • Network configuration files (e.g., /etc/network/interfaces): These files configure network settings like IP address, subnet mask, and gateway. Analyzing these files can reveal the system's network configuration, identify connected networks, and potentially detect attempts to modify network settings for malicious purposes.

7. Scheduled Tasks:

  • Cron jobs and systemd timers: These mechanisms schedule tasks to run automatically at specific times or under certain conditions. Examining scheduled tasks can reveal routine system maintenance activities, potential malware persistence mechanisms, or unauthorized automated actions.

8. User Data:

  • User home directories: These directories contain user-specific files and folders, such as documents, emails, browsing history, and downloaded files. Examining user data can reveal user activity, interests, and potentially uncover evidence related to the investigation.

38 of 42

Digital Evidence on the Internet

The internet presents a unique challenge for digital forensics due to its vastness, dynamism, and inherent complexities. While it may seem like online activity is ephemeral, digital traces can linger in various forms, potentially serving as valuable evidence in investigations. Here's an overview of digital evidence on the internet:

Types of Digital Evidence:

    • Social media activity: Posts, comments, messages, and account information on social media platforms can reveal user opinions, associations, and potentially incriminating content.
    • Cloud storage: Files, documents, pictures, and other data stored on cloud platforms can provide insights into user activity and potentially hold deleted or hidden information.
    • Email communications: Emails, including sent, received, and drafts, can offer a chronological record of communication, potentially revealing evidence of collaboration, planning, or illegal activities.

39 of 42

Types of Digital Evidence

  • Website content: Websites can hold evidence of illegal activity, such as malware distribution, phishing attempts, or copyright infringement.
  • Online transactions: Financial transactions, purchase history, and online banking records can reveal financial activity and potentially be linked to illegal transactions or money laundering.
  • Internet forums and chat logs: Online forums and chat platforms can reveal user discussions, opinions, and potentially incriminating statements or plans.
  • IP addresses and network logs: While not directly identifying individuals, IP addresses and associated logs can provide context about location, internet service provider, and potential connections to illegal activity.

40 of 42

Challenges and impediments faced during the collection of digital evidence 

Challenges and impediments faced during the collection of digital evidence in the field of digital forensics:

  • Data Encryption:
    • Encryption can significantly hinder access to data on a device or network.
    • Encrypted data requires specialized decryption tools and techniques to retrieve meaningful evidence.
    • Criminals often use encryption to protect sensitive information, making it harder for forensic investigators to collect evidence.
  • Data Destruction:
    • Perpetrators may deliberately attempt to destroy digital evidence by wiping or physically damaging devices.
    • Techniques like secure erasure or physical destruction can render data irretrievable.
    • Forensic experts must employ specialized data recovery techniques to salvage evidence from damaged or wiped devices.

41 of 42

Challenges and impediments faced during the collection of digital evidence 

  • Data Storage Volume:
    • The sheer amount of data stored on modern digital devices poses a challenge.
    • Sorting through vast volumes of data to locate relevant information can be time-consuming.
    • Specialized techniques, such as data carving, are used to extract relevant evidence from large datasets.
  • Volatility of Evidence:
    • Digital evidence is volatile, especially in live systems.
    • RAM (volatile memory) contains valuable artifacts, but it disappears once the system is powered off.
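The "data carving" technique mentioned under Data Storage Volume (and the recovery of deleted files from unallocated space discussed on the file-system slides) works by scanning raw bytes for known file signatures rather than relying on file-system structures. The Python below is an added example, not from the lecture or any named tool: it carves JPEG and PNG objects out of a byte buffer using the real magic header and footer values, skipping a header whose footer is missing (a truncated fragment). The "unallocated space" buffer is constructed in memory.

```python
# Added example: header/footer signature carving over raw bytes.
# Signatures are the real JPEG/PNG magic values; the "disk" below is constructed.

SIGNATURES = {
    # type: (header, footer, maximum plausible object size to scan for the footer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 50 * 1024 * 1024),
}

def carve(buf, signatures=SIGNATURES):
    """Return [(offset, type, bytes)] for every header whose footer lies within max_size."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = buf.find(header, pos)
            if start < 0:
                break
            end = buf.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1           # header without footer: a fragment, keep scanning
                continue
            end += len(footer)
            found.append((start, kind, buf[start:end]))
            pos = end                     # resume after the carved object
    return sorted(found, key=lambda f: f[0])

def make_fake_image(kind, payload):
    """Wrap an ASCII payload in the signature's header and footer (constructed test object)."""
    header, footer, _ = SIGNATURES[kind]
    return header + payload + footer

def build_sample_disk():
    """Constructed 'unallocated space': filler, one JPEG, a truncated JPEG fragment, one PNG."""
    # Deterministic ASCII filler cannot contain any of the binary signatures above.
    def filler(n):
        return (b"UNALLOCATED " * (n // 12 + 1))[:n]
    img1 = make_fake_image("jpg", b"JPEG-PAYLOAD-1" * 10)
    img2 = make_fake_image("png", b"PNG-PAYLOAD-2" * 10)
    fragment = SIGNATURES["jpg"][0] + b"TRUNCATED"      # header present, footer missing
    disk = filler(512) + img1 + filler(300) + fragment + filler(200) + img2 + filler(128)
    return disk, img1, img2

if __name__ == "__main__":
    disk, _, _ = build_sample_disk()
    for offset, kind, data in carve(disk):
        print(f"offset {offset:>8}  {kind}  {len(data)} bytes")
```

On a real image the buffer is the acquired file read in binary (or memory-mapped), and each carved object is written out with its offset in the name so it can be located again and verified against the image.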

42 of 42

Challenges and impediments faced during the collection of digital evidence 

  • Legal and Ethical Considerations:
    • Adhering to legal procedures and privacy rights is critical.
    • Obtaining proper search warrants, ensuring chain of custody, and respecting privacy laws are essential.
    • Balancing investigative needs with individual rights can be challenging.