Introduction – Forensics Investigation

The computer is being used by majority of the people living today. There are linked to the computer either directly or indirectly. The computer systems are gaining their implementations in different departments. Either it is education or the military, the computers are to be found everywhere. The computers are being used for performing different operations in different fields. It has produced much easier ways of performing different tasks easing human being lives. In the past, when the computer was not commercial and there was very limited use of it, it was hard to manage time. With the implementation of computer systems everywhere, many tasks can be completed within short span of time. It is being used by the banks, businesses and other government organizations as well. They have been using the computer systems for record keeping and producing much easier ways for the customers and the people to use their services whenever they want to. The businesses rely on the storage of information about their customers and other related information. They information is an asset for them and they cannot afford to lose it. As the computer systems are being used more, the risks and threats to the safety and security of the information stored are also increasing. The internet has created a large network that connects the millions of the computers around the world and the access to any of these computers is also very easy.

The threats to the computer systems are not new; the computer systems have been facing different attacks from the start. However, the nature of the attack on the computer systems has been changing with the advancements in the computer systems. Back in 1960’s when the people were not aware of how to operate a computer system, that time the computer systems were damaged physically. While later in 1980’s when the people got aware of the operating of the computer systems and got knowledge about it, they started writing different programs in order to damage them. Then the computer systems were being involved in different kinds of crimes like threatening, breaching information, fraudulent activities etc.

It was hard to find the answers to the questions related to the crime in which the computer systems were involved. Who has done it? When it was done? To find these answers the cyber forensics was implemented with the help of computer scientists and forensics practitioners. As Alphonse Bertillon has stated that the science and the logic should be used in order to investigate and solve the crime. In cyber forensics, digital computers and other digital devices collected from the crime scene are investigated and the data in them is analyzed. The computer forensics has roots in 1970’s. The first computer forensics technique was implemented by U.S. Military. As the cyber crimes have increased with the advent and usage of the computer systems, in the same way the cyber crimes investigation has got very complex as well. There are different threats to the computer systems in different ages. The cyber forensics can be defined as a process of identifying, preserving, analyzing and presenting digital evidence that is acceptable in the court (McKemmish, 1999). In other words it can be said that the cyber forensics is a way of extracting information from computer or any digital device and make it reliable with its relevance to the crime scene. Every digital device involved in the crime scene is the digital evidence. The digital evidence is identified, recovered, secured, examined, analysed and presented in the court. Conducting cyber forensics is not an easy task; there are threats and risks attached to the investigation of the digital evidence. The forensics investigator has to follow the rules and the guidelines in order to complete the investigation in a way that is acceptable in the court.

Digital Evidence

In Cyber Forensics Environment, the investigation process is to be carried out on the digital devices and the computers available at the crime scene. These digital devices are the main sources that can help in carrying out the investigation and leading towards the identification of the culprit (Kozushko, 2003). Every digital equipment is the digital evidence. The digital evidence can be defined as an electronic device that contains the information which can be helpful in supporting the hypothesis. The digital evidence may contain the information or clue to the cyber crime. The digital evidence may include computer, mobiles, camera, memory cards, USBs, printers any electronic instrument. It is important to work very carefully with the digital evidences; the reason is that the information in the digital evidences can be destroyed easily. But these digital evidences are very helpful as the information can be extracted from them even if they are not working. The use of gadgets has moved to a tremendous level so these evidences may contain the information that may be relevant to the crime. This is the job of the first responder, who goes to the crime scene, he must be aware of the rules that guide in the collection of the digital evidences from the crime scene. If the digital evidences are not collected following the rules and the laws, then the evidence will not be admissible in the court and will carry no value even if it contains the correct information about the crime. The digital evidence must be authenticated to be admissible in the court (Casey, and Turnbull).

There is not only one kind of the digital evidences, as the evidence collected at the time of investigation. The digital evidence can be in different forms. For example, the computer that was taken as digital evidence will contain information and will be analyzed for its authenticity. On the other hand, an email may have been sent using the same computer and some internet service, the email is also a form of the digital evidence containing information relevant to the case. The digital evidence must possess following properties so that it can be presented in the court: integrity, authenticity, reproductivity, non-interference, minimization and accuracy. If the digital evidence does not maintain even one of the above properties then the digital evidence will lose its weight.

The digital evidence can be found normally in two forms, the original digital evidence and the duplicate digital evidence. The original digital evidences are those physical items that were collected at the time of acquisition. There are other data objects that are also associated with the physical digital evidence are also the original digital evidence. On the other hand, the duplicate digital evidences are those which contain the replication of the data obtained from the original physical item. The original digital evidences are never used in the investigation process for their authenticity and admissibility in the court. The duplicate digital evidences are to be worked on in the investigation procedure so that no changes are done in the original digital evidence. Along with the digital evidence, there are data objects, which are valuable to the digital evidence. There is no specific format for the information of the data objects. The digital evidence is very important so there should be no change in the information stored in it. Moreover, the Meta data of the digital evidence should be not changed as well. Meta data is the data within the data, which contains the information about the file. The information about the file shows that when the file was created in the computer system, when the file was changes and more information about the file. Once the master copy of the evidence is created, the information stored in it analyzed (Ashcroft, Daniels and Hart, 2004). If the copy of the digital evidence is not made, then working on the original digital evidence may cause to change the Meta data of the files on the computer systems. If the dates of the files and the information in the computer system are changed, then there will be no relevance of the digital evidence with the crime. In this way the digital evidence will lose its weight.

There are two kinds of the digital evidence, one is the born digital and the other one is the made digital. The born digital evidence is the one that is digital in its original form. There is no other source of this information. On the other hand, there are documents that are not in the digital form while are available in the physical form. Later on, these documents are converted into the digital form. Such evidences are called the made digital evidence.

Key Principles of Cyber Forensics

Cyber forensics is a vast field and there are certain principals involved in carrying out the investigation. These roles are the backbones for making the digital evidence admissible in the court. Without following these principals, it is not possible to present the digital evidence in the court.


In the cyber forensics, it is the duty of the investigator to take care of the digital evidence. The digital evidence and the information stored in it is fragile and it can be easily corrupted or destroyed. While conducting the investigation the evidence should be handled very carefully. The investigator should ensure that his actions should not cause any change in the digital evidence. If there is a change in the digital evidence, then the evidence will be of no use to the cyber forensics process. This principle is the same as in the real world documentation (Katz, 2008). The investigator will have to prove that the evidence is in the same condition as it was when acquired from the crime scene. For this purpose, the investigator should follow all the laws related to the handling of the digital evidence in the cyber forensics. The rules and the laws also differ in different countries, so the investigator must know all the rules and conduct investigation process accordingly. The investigator should follow all the cyber forensics principles while dealing with the cyber forensics and digital evidences.

Evidence gathering

It is the duty of the first responder at the crime scene to look for the digital evidence available. He must gather all the digital evidences as there will be some related information to the crime. The digital devices available at the crime scene may have some relation to the crime or the victim. The investigator must keep some of the following guidelines while dealing with the digital evidences specially computer systems. If the computer is turned on then it must not be turned off at that time. While the investigator must try to extract the information as much as he can. Because shutting down the computer may remove information that is necessary. If there is need to access the computer system at the crime scene, then the investigator must be aware and eligible enough that his actions will not cause any change in the information stored. The computer operator may change the information stored on the computer unwillingly (Katz, 2008). The investigator should also avoid running any application on the suspect computer system. The running of the application may cause change in the log file relevant to the information. In the same way, if the computer is turned off, then it must not be turned on. There are chances that when the computer is turned on it may remove files and data stored on the computer. The other rule that the investigator should follow that he should never get help from the owner of the computer. The owner may get time and chance to delete the important data and information that can be useful for the crime investigation. Many computers have anti-virus programs; the investigator should not run the anti-virus program on the computer system. The reason is that, the anti-virus programs mostly change the date and time of the file during scanning process. The investigator should also not try to open any file on the computer system. Because when the file is accessed on the computer system, the time and date is changes in the folder.

The best thing to gather digital evidence is to make secure the digital evidence. The other things to do while gathering the digital evidence; are to take the pictures of the crime scene. The full specifications of the computer system should be documented as well and made secure. If the system is running, then the system should not be switched off, but the power plug should be pulled to disconnect the power supple to the computer system. After doing this, the components of the computer should be disassembled. The components of the computer must be documented.

      Evidence Handling

The digital evidence in cyber forensics is very important and it must be handled with extra care to avoid any damage to the information stored in it. The investigator will be responsible for the security and data integrity of the information stored in it (Katz, 2008). The digital evidence should be kept away from the unauthorized person who will try to access the information or the digital evidence. The investigator needs to follow all the guidelines in order to keep it safe and secure. Before start to work with the digital evidence, an exact copy of the image must be created and the original digital evidence should be deposited. While doing all these procedure, proper documentation must be created starting from the collection of the digital evidence till the deposit process. If there is any problem while handling the digital evidence, that should be also reported. The original digital evidence must be intact and away from the unauthorized persons.

      Evidence Access

Once the digital evidence is deposited, then it should be not be accessed by any unauthorized persons. The investigator must ensure that the evidence is secure and there is no change in it. If the digital evidence is worked with, then the information stored in it may change or deleted. In either of the cases, there will be no use of the digital evidence. The agency will be responsible for the security of the digital evidence (Katz, 2008). Only authorized persons must be allowed to the digital evidence, the investigator should also document the procedures that he has followed while submitting the digital evidence.

Investigation Processes

Cyber forensics investigation is a very long and complicated process. It may require long time, depending upon the nature of the case. However, the investigation must be done in a systematic way. IN cyber forensics, while conducting investigation on data means that the investigation is being on the computer system. In this way, the evidence in worked on and the clues and the information extracted from the digital evidence (Stephenson, 2000). This is the deciding step in cyber forensics. IN cyber crime it is very hard to find the evidence and extract the desired information from that evidence. It is quite complicated from the real life crime scenes. If the investigation is not done in a systematic way, then the case will not be admissible in the court. The successful cyber forensics depends on the integrity of the evidence (Sommer, 1998). It also depends on the integrity of the investigation process being carried out for the cyber forensics. Working with the digital evidence is not an easy task, if digital evidence is found then there are many unbroken chains in the digital evidence. In digital evidence, it is hard to identify the persons who have created, edited or updated the information. If the broken chains are not linked, then the evidence will not be acceptable in the court. Here are the processes included in the cyber forensics.


The integrity of the digital evidence is very important in the cyber forensics process. At the time of the collection of the evidence, all the processes are to be described showing that all the processes were followed. The digital evidence must remain uncontaminated at the time when it was gathered and analyzed. The authentication of the evidence is also need to be preserved. The digital evidence must be preserved by following the guidelines. The original digital evidence must be kept intact and an exact image of the evidence is created. There are cases when some important files need to be copied from the digital evidence. The copy of the digital evidence should be analyzed as well to ensure that the exact image of the evidence is created. The copy of the digital evidence must be created by the use of write blocking services. There are certain risks associated in preserving the evidence. Those risks should be minimized using risk assessment. The evidence gathering guidelines should be followed.


In cyber forensics, there are number of digital evidences that are collected during the collection phase. It is important to make an exact copy of each of the evidence and then work on the copy digital evidence. The investigator should have knowledge of different operating systems. As there is a lot of information in the digital evidences, all of the information is not always relevant to the cyber crime. It is challenging for the investigator to locate the information that is relevant to the case. There are certain issues in locating the exact information.  The larger the information stored in a computer system, more time will be consumed in locating the information. The information may be encrypted as well so that no person can access that. The encrypted information needs to be decrypted as well. More over hidden information also needs to be discovered. Different searching techniques are applied in this process and the hidden information is then analyzed and selected in the later processes.



Once the whole data is located from different digital evidences, the next step is the selection of the information that may be needed for the cyber forensics. The selected information is then used for the forensics, while the other irrelevant information is deleted. The information is selected following some rules and regulations. The information is categorized on different basis. The information is categorized on the basis of files system, applications, content, Meta data and other file extensions. The information is then investigated and analyzed. It is also a very long process and it is very complex as well. The information needs to be separated and then worked on.


After the information has been located and selected, the information needs to be analyzed in order to show its relevance with the crime. The information or the data extracted from the above processes is analyzed. There two main types of data analysis process.

  1. Timeframe Analysis
  2. Hidden Data Analysis

Timeframe Analysis

In timeframe analysis, time and data of the files in the computer systems is analyzed. The time and date related to the files in the computer system is very important as it can help in identifying if its relevant to the time when the crime has been committed. The other timeframe analysis of the information extracted is by looking at the time log of the installation of the applications. Moreover the login information also gives clues about the people who have used the computer system.

            Hidden Data Analysis

The data is also hidden in the computer system by changing the file header and the file extensions. If there is a difference between the file header and the extensions then it shows that the information was hidden intentionally. Sometime, the information in the files is hidden by protecting the information with passwords. It is important to get access to the password protected files. The other analysis technique used in this analysis is by looking at the extensions of the files available on the computer and the applications installed in it. It can be understood that someone used email for crime and cleared cache but the application that will be used for sending email may show relevance to the crime.



Validation is a very important step in cyber forensics environment. The validation process confirms that the information that is analyzed from the above steps is relevant to the case or not. If the information is relevant to the case then it will be presented in the court. Otherwise, the information will carry no weight and will not be presentable in the court.


After the information is validated, then the information is presented in the court. The whole documentation that involves all the procedures followed in the above procedures is available. It should be ensured that all the procedures and guidelines were followed in extracting the information from the digital evidences. If the investigator fails to follow any of the guidelines in conducting investigation and working with the digital evidence then the evidence will not be presentable in the court. All the documentation must be very clear about the procedures followed. The investigator must be aware of all the legal aspects as well. The legislation is also different in different countries, so the law of presenting the digital evidence may differ in different countries as well.