CF - Notes Self (AutoRecovered)


What is Cyber Forensics?

Cyber forensics is the science of collecting, inspecting, interpreting, reporting,
and presenting computer-related electronic evidence. Evidence can be found in the
files on a hard drive, in deleted files and the unallocated space they leave behind,
and on other digital media.
Computer forensics becomes more relevant daily as the world becomes
increasingly digitally connected. The management of digital evidence is critical
for solving cyber crimes and recovering important, compromised data. A
computer forensics investigator's job is to collect, examine, and safeguard this
evidence.
It is the process of acquiring, examining, and analyzing data from a system or
device so that the findings can be documented in a written report and presented in
court.
During acquisition, it is critical to create a forensic image (a bit-for-bit digital
copy) of the system's storage media and to verify it with a cryptographic hash. The
purpose of carrying out a detailed cyber forensics investigation is to establish what
happened and who is responsible for a security breach. The entire inquiry is carried
out on the image, so that the original system is not altered and the evidence remains
admissible.
In the technological age, cyber forensics is an unavoidable and incredibly important
discipline.
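The acquire-then-verify step described above, as an added example (it is not code from the notes or from any of the tools they mention). The "device" is a constructed temporary file standing in for a block device such as /dev/sdb; the chunk size and the shape of the returned record are this example's own choices. The point it demonstrates is that the source is hashed while it is read, the finished image is re-read and hashed independently, and the two digests must agree before any analysis starts.

```python
"""Acquire a raw (dd-style) image of a storage source and verify it by hash.

Added example, not taken from the notes above. The "device" is a constructed
temporary file standing in for a block device such as /dev/sdb; the chunk
size and the record layout are this example's own choices.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte sources


def sha256_file(path: str, chunk: int = CHUNK) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Copy source_path to image_path bit for bit, hashing the source as it is read.

    The source is opened read-only and never written to. The image is then
    re-read and hashed independently, so a short write or a corrupt
    destination shows up as a mismatch rather than going unnoticed.
    """
    src_hash = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return {
        "size": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path, chunk),
    }


def verify_image(record: dict) -> bool:
    """An image is fit for analysis only if it hashes identically to its source."""
    return record["source_sha256"] == record["image_sha256"]


def demo() -> dict:
    """Image a constructed 'device', verify it, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "fake_sdb")  # constructed stand-in for /dev/sdb
        image = os.path.join(tmp, "evidence_001.dd")
        with open(device, "wb") as f:
            f.write(b"MBR" + os.urandom(3 * CHUNK + 517))  # odd size on purpose
        record = acquire_image(device, image)
        record["verified"] = verify_image(record)
        # Flip one byte in the copy; the stored hash no longer matches.
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        record["tampered_sha256"] = sha256_file(image)
        record["tamper_detected"] = record["tampered_sha256"] != record["image_sha256"]
        return record


if __name__ == "__main__":
    r = demo()
    print(f"imaged {r['size']} bytes, sha256={r['source_sha256']}")
    print(f"verified={r['verified']}, tamper detected={r['tamper_detected']}")
```

In practice the source is opened through a hardware or software write blocker, the digests are recorded in the chain-of-custody log, and any working copy is re-hashed against that record before and after each analysis session.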
How are cybersecurity and digital forensics related?
Cybersecurity aims to reduce the risk of cyber-attacks and to protect systems,
networks, and technologies against unauthorized exploitation, while digital forensics
focuses on the recovery and investigation of artifacts found on a digital device,
usually after an incident has already occurred. The two feed each other: forensic
findings show which defenses failed, and security controls such as logging determine
what evidence will be available to a later investigation.

Types of computer forensics


Computer forensics always involves gathering and analyzing evidence from
digital sources. Some common types include:
 Database forensics: Retrieval and analysis of data or metadata found in
databases
 Email forensics: Retrieval and analysis of messages, contacts, calendars,
and other information on an email platform
 Mobile forensics: Retrieval and analysis of data like messages, photos,
videos, audio files, and contacts from mobile devices
 Memory forensics: Retrieval and analysis of data stored on a computer's
RAM (random access memory) and/or cache
 Network forensics: Capture and analysis of network traffic and of logs from
devices such as intrusion detection systems and firewalls
 Malware forensics: Analysis of code to identify malicious programs like
viruses, ransomware, or Trojan horses
Common computer forensics techniques
When conducting an investigation and analysis of evidence, computer forensics
specialists use various techniques; here are a few examples:
 Deleted file recovery. This technique involves recovering and restoring
files or fragments deleted by a person—either accidentally or deliberately
—or by a virus or malware.
 Reverse steganography. Steganography is the practice of hiding data inside an
innocuous-looking message or file, such as an image. Reverse steganography (also
called steganalysis) is the attempt to detect and extract that hidden data. A first
check is to compare the cryptographic hash of a file with the hash of a known-good
copy: a hash is a fixed-length string derived from the file's contents that changes
whenever the file is altered, so a mismatch shows the file has been modified. The
hash alone does not reveal what was hidden; that requires statistical or structural
analysis of the carrier file.
 Cross-drive analysis. This technique involves analyzing data across
multiple computer drives. Strategies like correlation and cross-
referencing are used to compare events from computer to computer and
detect anomalies.
 Live analysis. This technique involves analyzing a running computer's
volatile data, which is data stored in RAM (random access memory) or cache
memory. Because this data is lost when the machine is powered off, it has to be
captured from the live system. It reveals running processes, open network
connections, and logged-in users, and helps pinpoint the cause of abnormal
computer activity or traffic.

Key Concepts in Computer Forensics

Data Recovery
Data recovery is central to computer forensics: it is the careful extraction of data
from a range of storage media while preserving the original data during retrieval.
Using a variety of tools and methods, forensic specialists recover data that has been
deleted, encrypted, or otherwise hidden. Techniques such as file carving (rebuilding
files from raw disk bytes by their headers and footers when the filesystem metadata is
gone), live memory forensics, and database forensics are essential, and the recovered
data must be documented well enough to support later analysis and use in court.
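File carving as described above, as an added example (not code from the notes or from any carving tool). The "disk" is a constructed byte string: a valid 1x1 PNG and a stub JPEG buried in zero-filled sectors with no filesystem around them, which is exactly the situation after a file is deleted and its directory entry is gone. The carver relies only on header and footer signatures, and the PNG validity check walks the chunk CRCs so a truncated or mis-carved result is rejected rather than reported as recovered.

```python
"""Carve JPEG and PNG files out of a raw byte stream by header and footer.

Added example, not from the original notes. The 'disk' is a constructed
byte string: a valid 1x1 PNG and a stub JPEG embedded in zero-filled
sectors with no filesystem metadata at all.
"""
import struct
import zlib

# Signatures: (header, footer). PNG's footer is the 12-byte IEND chunk;
# JPEG's is the EOI marker FF D9.
PNG_HDR = b"\x89PNG\r\n\x1a\n"
PNG_END = b"\x00\x00\x00\x00IEND\xaeB`\x82"
JPEG_HDR = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"

SIGNATURES = {"png": (PNG_HDR, PNG_END), "jpg": (JPEG_HDR, JPEG_END)}
MAX_SIZE = 16 * 1024 * 1024  # stop looking for a footer this far past a header


def carve(data: bytes, max_size: int = MAX_SIZE) -> list:
    """Return [(kind, offset, bytes)] for every header/footer pair found.

    Purely signature based: it ignores filesystem metadata entirely, which
    is why it still finds files whose directory entries are gone.
    Limitation: fragmented files come out wrong or not at all.
    """
    found = []
    for kind, (hdr, end) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(hdr, pos)
            if start < 0:
                break
            stop = data.find(end, start + len(hdr), start + max_size)
            if stop < 0:
                pos = start + 1  # header with no footer in range: skip it
                continue
            stop += len(end)
            found.append((kind, start, data[start:stop]))
            pos = stop  # resume after the carved file
    return sorted(found, key=lambda f: f[1])


def png_is_valid(blob: bytes) -> bool:
    """Cheap validity check: walk the chunk list and verify every CRC."""
    if not blob.startswith(PNG_HDR):
        return False
    pos = len(PNG_HDR)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            return False  # truncated chunk
        body = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(blob)
    return False


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_disk() -> bytes:
    """Constructed: a 1x1 RGB PNG and a stub JPEG between zero-filled sectors."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = PNG_HDR + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")
    jpeg = JPEG_HDR + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_END
    sector = b"\x00" * 512
    return sector * 3 + png + sector * 2 + jpeg + sector


if __name__ == "__main__":
    for kind, off, blob in carve(make_sample_disk()):
        ok = png_is_valid(blob) if kind == "png" else "n/a"
        print(f"{kind} at offset {off}: {len(blob)} bytes, structure ok={ok}")
```

Real carvers (for example the ones bundled in forensic suites) add per-format parsers to find the true end of a file instead of the first footer byte sequence, which matters for JPEGs with embedded thumbnails that contain their own FF D9.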

Cybersecurity

Within cybersecurity, computer forensics supports the post-incident examination of
attacks: reconstructing how an intrusion unfolded, identifying the vulnerabilities that
were exploited, and tracing the attacker's tactics. Findings from forensic analysis
feed back into security controls, strengthening defenses and helping to prevent
repeat incidents.

Data Breach and Privacy Violations Investigations

Computer forensics is central to investigating data breaches and privacy violations:
establishing the scope of the data compromise, identifying the vulnerabilities that were
exploited, and assessing the impact of the breach on the affected parties. Examiners
analyze compromised systems, trace the path by which data was exfiltrated, and support
the notification of affected stakeholders, which helps with regulatory compliance and
limits reputational damage.

Network Intrusion Detection and Analysis

Computer forensics is used to detect and analyze network intrusions, identifying
unauthorized access and limiting damage to the network. Examiners review network
and firewall logs, study traffic patterns, and look for anomalies such as one source
probing many ports on a host or a burst of failed logins followed by a success, in
order to preserve the integrity, confidentiality, and availability of the network.
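Two of the anomalies mentioned above, run over constructed log lines, as an added example (not code from the notes). The firewall and sshd line formats, the IP addresses (RFC 5737 documentation ranges), and the thresholds are all this example's own; a real deployment tunes thresholds to its environment. The brute-force check deliberately reports whether a success followed the burst of failures, since that is the case an investigator needs to look at first.

```python
"""Spot a port sweep and a password-guessing burst in constructed log lines.

Added example, not from the original notes. Log formats, addresses and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FW_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines, pattern):
    """Yield one dict per line matching pattern; the timestamp becomes a datetime."""
    for line in lines:
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def port_scanners(fw_lines, min_ports=10, window=timedelta(seconds=60)):
    """(src, dst) pairs where src touched >= min_ports distinct ports on dst within window."""
    attempts = defaultdict(list)
    for e in parse(fw_lines, FW_LINE):
        attempts[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))
    hits = {}
    for pair, evs in attempts.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def brute_force(auth_lines, min_failures=5, window=timedelta(minutes=10)):
    """Sources with >= min_failures failed logins inside window, noting any later success."""
    by_src = defaultdict(list)
    for e in parse(auth_lines, AUTH_LINE):
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            recent = [t for t in fails[i:] if t - fails[i] <= window]
            if len(recent) >= min_failures:
                later_ok = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= recent[-1]]
                report[src] = {
                    "failures": len(recent),
                    "success_after": bool(later_ok),
                    "user": later_ok[0]["user"] if later_ok else None,
                }
                break
    return report


def build_sample_logs():
    """Constructed logs: one host sweeps 12 ports, then guesses SSH passwords until one works."""
    fw, auth = [], []
    base = datetime(2024, 5, 1, 10, 0, 0)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]):
        fw.append(f"{(base + timedelta(seconds=i)).isoformat()} src=203.0.113.5 dst=10.0.0.8 dport={port} action=DENY")
    fw.append(f"{(base + timedelta(minutes=5)).isoformat()} src=198.51.100.7 dst=10.0.0.8 dport=443 action=ALLOW")
    t = base + timedelta(minutes=2)
    for i in range(6):
        auth.append(f"{(t + timedelta(seconds=i)).isoformat()} sshd[911]: Failed password for root from 203.0.113.5 port {50001 + i} ssh2")
    auth.append(f"{(t + timedelta(seconds=9)).isoformat()} sshd[911]: Accepted password for admin from 203.0.113.5 port 50007 ssh2")
    auth.append(f"{(t + timedelta(minutes=1)).isoformat()} sshd[912]: Failed password for alice from 198.51.100.7 port 40000 ssh2")
    auth.append(f"{(t + timedelta(minutes=1, seconds=5)).isoformat()} sshd[912]: Accepted password for alice from 198.51.100.7 port 40000 ssh2")
    return fw, auth


if __name__ == "__main__":
    fw, auth = build_sample_logs()
    print("port scans:", port_scanners(fw))
    print("brute force:", brute_force(auth))
```

A single mistyped password (alice) falls below the threshold and is not reported; the source that failed six times and then logged in as a different account (admin) is, which is the record an examiner would pull first when reconstructing the intrusion.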

Malware Analysis

In malware analysis, computer forensics lets experts dissect a malicious program to
understand how it operates, how it spreads, and what effect it has on compromised
systems. Forensic examination of malware supports the creation of detection
signatures, clarifies the malware's intent, and informs countermeasures that neutralize
its effects and prevent further infections.

Mobile Forensics

Mobile forensics focuses on the extraction and analysis of data such as messages,
images, videos, audio files, and contacts from mobile devices. It is essential in
investigating a range of offences, including cyberbullying, online harassment, and
unauthorized data access, and in holding to account those who misuse mobile platforms.

Computer Forensics Tools

Computer forensics is a specialized field that concentrates on collecting and analyzing
digital evidence from a wide range of media, including desktops, mobile devices, cloud
services, and IoT devices. This evidence can be pivotal for incident response or legal
proceedings. Because of the variety of platforms and the many data types they hold, a
large number of tools is available to forensic examiners, each suited to particular
tasks within the investigative process. The following is an overview of some of the most
widely used tools in this field:

Disk Analysis: Autopsy/The Sleuth Kit

Description: Autopsy and The Sleuth Kit are among the most widely used forensic
toolkits. The Sleuth Kit is a library and collection of command-line tools for analyzing
forensic images of hard drives (and, through add-on modules, of smartphones); Autopsy
is a graphical interface built on top of The Sleuth Kit.
Features: They have a modular and extensible architecture that lets users add
functionality. Both are open source, and commercial support and training are available.

Image Creation: FTK Imager


Description: Tools like Autopsy and The Sleuth Kit analyze disk images but do not
create them. FTK Imager fills this gap: it creates disk images (and computes their hashes
for later verification) while ensuring the original drive is not altered during the
investigation.
Features: FTK Imager is a free tool from AccessData, the vendor of the commercial
Forensic Toolkit (FTK).

Memory Forensics: Volatility

Description: Volatility is the leading tool for the analysis of volatile memory (RAM).
RAM can hold pivotal forensic data (running processes, network connections, encryption
keys) that disappears at power-off, so it must be captured promptly and accurately with
an acquisition tool; Volatility then parses the captured dump.
Features: Volatility is open source and accepts third-party plugins. The Volatility
Foundation has run an annual contest to reward the best plugin development.

Windows Registry Analysis: Registry Recon

Description: The Windows registry holds a wealth of data about the operating system
and installed applications. Registry Recon specializes in its analysis and can also
rebuild deleted registry data from unallocated disk space.
Features: It is a proprietary tool, designed to reconstruct registries from forensic
images.

Mobile Forensics: Cellebrite UFED

Description: Given how widespread mobile devices are, mobile forensics has become an
indispensable field. Cellebrite UFED is a leading commercial tool for this work.
Features: It is versatile, supporting a wide range of platforms and offering proprietary
methods for extracting data from mobile devices.

Network Analysis: Wireshark

Description: Wireshark is the standard tool for network traffic analysis, giving
visibility into cyber-attacks and other network activity.
Features: It is free, open source, and can decode a very wide range of network
protocols. It supports real-time traffic capture and can analyze saved capture files.

Browser Analysis: DumpZilla

Description: DumpZilla is a browser forensics tool that targets the Firefox, Iceweasel,
and SeaMonkey browsers.
Features: It displays and extracts a wide range of data, including cookies, downloads,
history, bookmarks, cache, add-ons, saved credentials, and session data.

Linux Distributions: CAINE (Computer Aided Investigative Environment)

Description: CAINE is a Linux distribution built specifically for digital forensics. It
comes preloaded with forensic tools, so investigators do not need to install them.
Features: It bundles many popular computer forensics tools and can be extended with
third-party modules for tools such as Autopsy.

Future of Computer Forensics

The direction of computer forensics is closely tied to emerging technologies. Bringing
Artificial Intelligence (AI) and Machine Learning (ML) into forensic methods promises to
extend data analysis, automating pattern and anomaly detection and speeding up the
analysis of very large datasets. Blockchain technology is also proposed as a means of
preserving data integrity, offering a verifiable, append-only ledger of digital
transactions.

Cyber threats are also expected to grow more complex. The proliferation of IoT devices,
combined with advances in attack techniques, demands continuous evolution of forensic
practice. The future of computer forensics will be shaped by an ongoing contest with
evolving cyber threats, requiring new strategies and tools to protect digital
environments.
Introduction To Dumpzilla:
Outline
The tool chosen to be covered in this blog is Dumpzilla, a Python-based application
that lets you view and extract information from the Firefox, Iceweasel, and SeaMonkey
browsers.
Creator
The tool was created by Busindre and released to the public as open-source software.
Busindre has a website listing the tools he has created and other tools that
like-minded people may find of interest. The website is in Spanish; the link is here.
Dependencies
The most recent version of Dumpzilla was released on 15/03/2013 and is stated in the
manual to work on Unix and Windows 32/64-bit systems with few dependencies. The
dependencies given for running the tool are:
 “Python 3.x (found via GNU/Linux repositories or here)
 Unix systems with UTF-8 locale / Windows systems
 Python Magic module (found here)” (Dumpzilla, n.d.)
Capabilities
The tool is command-line based, with no GUI available. The manual states that the tool
does not extract data but only displays it in the terminal window; however, using
built-in OS facilities such as output redirection you can easily save that output to a
text file. The information below is taken from the Dumpzilla manual and outlines the
tool's stated capabilities regarding what information can be extracted from the
browsers.
 “Cookies + DOM Storage (HTML 5).
 User preferences (Domain permissions, Proxy settings…).
 Downloads.
 Web forms (Searches, emails, comments..).
 History.
 Bookmarks.
 Cache HTML5 Visualization / Extraction (Offline cache).
 Visited sites “thumbnails” Visualization / Extraction.
 Addons / Extensions and used paths or urls.
 Browser saved passwords.
 SSL Certificates added as an exception.
 Session data (Webs, reference URLs and text used in forms).
 Visualize live user surfing, Url used in each tab / window and use of
forms.
Dumpzilla will show SHA256 hash of each file to extract the information and
finally a summary with totals. Sections which date filter is not possible: DOM
Storage, Permissions / Preferences, Addons, Extensions, Passwords/Exceptions,
Thumbnails and Session.” (Dumpzilla, n.d.)
While testing this tool the above list of capabilities taken from the manual will
be used throughout in order to rigorously examine and confirm the tool is able
to complete all activities given.
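What a history extraction with a date filter looks like under the hood, as an added example; this is not Dumpzilla's code. Firefox keeps history in the SQLite file places.sqlite in the profile directory (moz_places holds one row per URL, moz_historyvisits one row per visit, with timestamps in PRTime, i.e. microseconds since the Unix epoch). The example builds an in-memory database with only the columns it needs and constructed rows; the URLs, titles, and visit times are invented for illustration.

```python
"""Query Firefox browsing history with a date filter.

Added example, not Dumpzilla's own code. Builds an in-memory SQLite database
with the relevant columns of Firefox's moz_places and moz_historyvisits tables
and constructed rows. On a real system the file is
<profile>/places.sqlite and should be copied out of the forensic image
(together with any places.sqlite-wal sidecar) before being opened.
"""
import sqlite3
from datetime import datetime, timezone


def utc(y, m, d, hh=0, mm=0):
    """Timezone-aware UTC datetime; PRTime values are UTC based."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def prtime_to_dt(us: int) -> datetime:
    """Firefox PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def dt_to_prtime(dt: datetime) -> int:
    return int(dt.timestamp() * 1_000_000)


# Subset of the real schema: only the columns this query needs.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed profile: three URLs, four visits across two days."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    places = [
        (1, "https://example.org/", "Example Domain"),
        (2, "https://mail.example.net/inbox", "Inbox"),
        (3, "https://pastebin.example/raw/abc", None),  # untitled page
    ]
    visits = [
        (1, utc(2024, 5, 1, 9, 30)),
        (2, utc(2024, 5, 1, 10, 5)),
        (3, utc(2024, 5, 1, 10, 7)),
        (1, utc(2024, 5, 2, 8, 0)),
    ]
    for pid, url, title in places:
        conn.execute("INSERT INTO moz_places VALUES (?, ?, ?, 0, NULL)", (pid, url, title))
    for vid, (pid, dt) in enumerate(visits, 1):
        # visit_type 1 = TRANSITION_LINK (user followed a link)
        conn.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?, 1)", (vid, pid, dt_to_prtime(dt)))
    conn.execute(
        "UPDATE moz_places SET "
        "visit_count = (SELECT COUNT(*) FROM moz_historyvisits v WHERE v.place_id = moz_places.id), "
        "last_visit_date = (SELECT MAX(visit_date) FROM moz_historyvisits v WHERE v.place_id = moz_places.id)"
    )
    conn.commit()
    return conn


def history(conn, since=None, until=None):
    """Visits in time order, optionally limited to the [since, until] window.

    Returns (visit time as UTC datetime, url, title, total visit count).
    """
    sql = (
        "SELECT v.visit_date, p.url, p.title, p.visit_count "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id WHERE 1 = 1"
    )
    params = []
    if since is not None:
        sql += " AND v.visit_date >= ?"
        params.append(dt_to_prtime(since))
    if until is not None:
        sql += " AND v.visit_date <= ?"
        params.append(dt_to_prtime(until))
    sql += " ORDER BY v.visit_date"
    return [(prtime_to_dt(ts), url, title or "", n) for ts, url, title, n in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_sample_db()
    for when, url, title, n in history(db, since=utc(2024, 5, 1, 10, 0), until=utc(2024, 5, 1, 23, 59)):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {url}  ({title!r}, {n} visits)")
```

Two details matter when doing this on real evidence: the timestamps are UTC and must be converted to the suspect's local zone only at reporting time, and the database must never be opened in place from a live profile, since SQLite (and Firefox's write-ahead log) will modify the file.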
Licensing/Terms Of Use
As previously stated, the tool is open source and therefore free to download, modify,
and redistribute. As open-source software it comes with no warranty and is licensed
under GPLv3+ (GNU GPL version 3 or later). The GNU General Public License (GNU GPL)
is a free-software license whose aim is to give everyone the freedom to share and
modify software with the community. Under the GNU GPL, anyone distributing the
software must provide a way for users to obtain the source code, giving them the same
freedoms the author received (Free Software Foundation, Inc., 2007). A full copy of
this license can be found here.
Website
The tool can be found here for download as well as the official manuals and
screenshots of the application.
