Computer forensics: It is the lawful and ethical seizure, acquisition,
analysis, reporting and safeguarding of data and metadata derived from
digital devices which may contain information that is notable and perhaps
of evidentiary value to the trier of fact in managerial, administrative, civil
and criminal investigations.
In other words, it is the collection of techniques and tools used to find
evidence in a computer.
Forensic science is the application of the physical sciences to law in the search for
truth in civil, criminal and social behavioural matters, to the end that injustice
shall not be done to any member of society.
Digital forensics: It is the use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned operations.
Chain of custody means the chronological documentation trail that records the
seizure, custody, control, transfer, analysis and disposition of evidence, physical
or electronic. It is used to maintain the integrity of the evidence by documenting
who had control of it at every moment, when and to whom it was transferred, and what
analysis was performed on it.
Network forensics is the study of network traffic to search for truth in
civil, criminal and administrative matters to protect users and resources
from exploitation, invasion of privacy and any other crime fostered by
the continual expansion of network connectivity.
MIME & S/MIME - (Secure/)Multipurpose Internet Mail Extensions
MIME is the standard format for structured e-mail bodies and attachments; S/MIME is
the protocol layered on top of it that provides digital signatures and encryption
for MIME messages. MIME by itself offers no security.
The cardinal rules to remember are that evidence:
1. is admissible;
2. is authentic;
3. is complete;
4. is reliable;
5. is understandable and believable.
Types of Hard Disk
Common Windows file systems found on them: FAT/NTFS
Database Forensics is a specialized branch of digital forensics focused on the identification,
preservation, extraction, and analysis of data stored in databases.
SQL databases are relational databases that store data in structured formats using tables, rows,
and columns. They use SQL as their query language to manage and manipulate data.
SQL databases typically follow ACID (Atomicity, Consistency, Isolation, Durability) properties,
ensuring reliable transactions and maintaining data integrity.
NoSQL databases are non-relational and provide a flexible schema, allowing for the storage of
unstructured or semi-structured data. They are designed to handle large volumes of diverse data
types.
Data can be stored in various formats, such as key-value pairs, documents, graphs, or wide-
column stores.
Steps in Database Forensics
•Identification: Locating the database (files, servers, backups, logs) and identifying potential evidence
•Preservation: Ensuring data is not altered (write-blockers, read-only copies, hashes, backups)
•Collection: Extracting relevant data (using forensic tools)
•Analysis: Interpreting data to uncover evidence
•Reporting: Documenting findings with an in-depth explanation
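The steps above applied to one file-based database, as an added Python example that is not part of the original notes. It uses only the standard library: the evidence is a constructed SQLite file (many mobile and desktop applications store their data this way), the hash before and after examination stands in for the write-blocker and documents preservation, the read-only immutable URI is the collection step, and the schema, row counts and free-page count form the analysis that goes into the report. The directory name and table contents are invented for the demonstration.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash the evidence file; taken before and after examination to prove it was not altered."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def make_sample_db(path):
    """Constructed sample evidence: a small SQLite database with two rows later deleted."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user"),
                      ("dave", "user"), ("eve", "auditor")])
    conn.execute("DELETE FROM users WHERE name IN ('dave', 'eve')")
    conn.commit()
    conn.close()


def acquire_and_analyze(path):
    """Preservation, collection and analysis of one SQLite file, returning a report dict."""
    before = sha256_file(path)
    # Read-only, immutable URI: SQLite takes no locks and replays no journal, so the
    # examiner's tool cannot write to the evidence. Caveat: any -wal / -journal sidecar
    # files must be acquired as well, because immutable mode will not apply changes
    # that still sit in them.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    try:
        schema = conn.execute(
            "SELECT type, name, sql FROM sqlite_master ORDER BY name").fetchall()
        tables = [n for t, n, _ in schema if t == "table" and not n.startswith("sqlite_")]
        counts = {}
        for t in tables:
            quoted = '"' + t.replace('"', '""') + '"'   # identifier quoting, not a parameter
            counts[t] = conn.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        page_size = conn.execute("PRAGMA page_size").fetchone()[0]
        page_count = conn.execute("PRAGMA page_count").fetchone()[0]
        freelist = conn.execute("PRAGMA freelist_count").fetchone()[0]
    finally:
        conn.close()
    after = sha256_file(path)
    return {
        "sha256_before": before,
        "sha256_after": after,
        "integrity_preserved": before == after,
        "tables": tables,
        "schema": [s for _, _, s in schema if s],
        "row_counts": counts,
        "page_size": page_size,
        "file_pages": page_count,
        # Free pages (and slack inside used pages) may still hold the deleted rows that
        # COUNT(*) no longer sees; they are the target for record carving.
        "free_pages": freelist,
    }


def demo():
    """Build the sample evidence in a fresh temp directory and run the acquisition on it."""
    workdir = tempfile.mkdtemp(prefix="dbforensics_")
    evidence = str(Path(workdir) / "app.db")
    make_sample_db(evidence)
    return acquire_and_analyze(evidence)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The report shows three live rows although five were inserted; the two deleted ones are exactly what a live query can no longer return and what a carving pass over the raw pages would look for.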
Database Forensic tools
SQL Server Forensic tools:
ApexSQL Audit
SQL Server Profiler
MySQL Forensic tools:
MySQL Enterprise Audit
Database Snapshots
Snapshots are point-in-time representations of a database’s state. They are often used for backup
purposes but can also be useful in forensic investigations.
Table Forensics tools:
ApexSQL Log
Why capture packets?
•Packet capturing allows network administrators to monitor the flow of data, identify bottlenecks,
and ensure that the network operates efficiently.
•By analyzing captured packets, they can pinpoint specific issues that may affect user experience,
such as latency or packet loss, ultimately leading to more effective network management.
•Capturing packets enables security teams to analyze traffic patterns and detect anomalies that
may indicate a breach. For example, unusual spikes in outbound traffic could suggest data
exfiltration, while unexpected communication with unknown IP addresses may point to
compromised systems.
Packet capture tools:
Wireshark
tshark(cmd)
tcpdump(cmd)
fw monitor (Check Point firewall built-in capture, cmd)
Network Analysis tools:
NetworkMiner
Wireshark
•Most Popular Network Analyzer
•Open Source
•Free
•Works on Windows, Linux and macOS
•Created by Gerald Combs; originally released under the name Ethereal
•Normal mode: by default a NIC passes up only frames addressed to its own MAC address (plus
broadcast and the multicast groups it has joined).
•Promiscuous mode: when enabled, the NIC passes up every frame it sees on the segment,
regardless of destination. On a switched network this still covers only the traffic the switch
forwards to that port, so capturing other hosts' traffic needs a SPAN/mirror port or a tap.
Wireshark supports:
•Over 850 protocols
•HTTP,HTTPS
•TCP/UDP
•IPV4,IPV6
•Ethernet, Wi-Fi
•DHCP, DNS
•RIP, BGP, OSPF
•ICMP
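The exfiltration and unknown-destination checks described under "Why capture packets?", run over the same file format Wireshark, tshark and tcpdump write, as an added Python example that is not part of the original notes and not Wireshark's code. It parses a classic pcap (Ethernet/IPv4 records) with the standard library only, sums outbound bytes per external destination and flags destinations that are either absent from a known-peer list or above a volume threshold. The capture is constructed inline with invented addresses (10.0.0.5 as the internal host, 203.0.113.7 and 198.51.100.9 as external peers); the 4000-byte threshold and the known-peer set are assumptions to be tuned per network.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")      # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def parse_ipv4_frame(frame):
    """Return src/dst/proto/ports/length for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                           # ARP, IPv6, VLAN-tagged: not handled here
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:      # TCP or UDP: ports are the first four bytes
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "bytes": total_len}


def parse_pcap(data):
    """Yield one dict per IPv4 packet in a classic pcap byte string (pcapng not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:                  # same magic, file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    offset = 24
    while offset + 16 <= len(data):
        _ts, _us, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        pkt = parse_ipv4_frame(frame)
        if pkt is not None:
            yield pkt


def outbound_summary(packets, internal_prefix):
    """Bytes sent from the internal range to each external destination."""
    totals = defaultdict(int)
    for p in packets:
        if p["src"].startswith(internal_prefix) and not p["dst"].startswith(internal_prefix):
            totals[p["dst"]] += p["bytes"]
    return dict(totals)


def flag_anomalies(totals, known_peers, byte_threshold):
    """Flag unknown destinations and heavy outbound volume, sorted by destination."""
    alerts = []
    for dst, n in sorted(totals.items()):
        reasons = []
        if dst not in known_peers:
            reasons.append("destination not in known-peer list")
        if n >= byte_threshold:
            reasons.append("%d bytes outbound exceeds threshold" % n)
        if reasons:
            alerts.append((dst, n, "; ".join(reasons)))
    return alerts


INTERNAL_HOST = "10.0.0.5"
SAMPLE_PCAP = build_pcap(                      # constructed capture, not real traffic
    [build_frame(INTERNAL_HOST, "8.8.8.8", 40000 + i, 53, b"A" * 40) for i in range(3)]
    + [build_frame(INTERNAL_HOST, "203.0.113.7", 41000 + i, 443, b"B" * 1000) for i in range(6)]
    + [build_frame(INTERNAL_HOST, "198.51.100.9", 42000, 80, b"C" * 60)]
    + [build_frame("8.8.8.8", INTERNAL_HOST, 53, 40000, b"D" * 80)]   # inbound, ignored
)
KNOWN_PEERS = frozenset({"8.8.8.8"})


def analyze(data=SAMPLE_PCAP, internal_prefix="10.0.0.", known_peers=KNOWN_PEERS,
            byte_threshold=4000):
    totals = outbound_summary(parse_pcap(data), internal_prefix)
    return totals, flag_anomalies(totals, known_peers, byte_threshold)


if __name__ == "__main__":
    for dst, n, why in analyze()[1]:
        print(f"{dst:15s} {n:6d} bytes  {why}")
```

Against the sample capture the known DNS resolver stays quiet, the low-volume unknown host is flagged only for being unknown, and the 443 traffic to 203.0.113.7 trips both rules. Run on a real tcpdump file the same two counters are what an analyst eyeballs in Wireshark's Conversations/Endpoints statistics.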
Social media forensics is a specialized area of digital forensics that deals with the identification,
collection, preservation, analysis, and presentation of social media data for legal and investigative
purposes.
Steps:
Identification
Collection
Preservation
Validation
Analysis
Correlation
Reporting
Presentation
SQL Injection occurs when attackers manipulate a web application's input fields to execute
arbitrary SQL queries against the database. This can lead to unauthorized access to data, data
manipulation, or even database deletion.
How to detect and prevent SQLi?
•Error Messages: Look for database error messages returned to users; they show that input is
reaching the SQL text unescaped and can indicate successful injection attempts.
•Input Validation: Review the application code for missing input validation and sanitization
on user inputs.
•Parameterized Queries: Pass user input as bound parameters (prepared statements) instead of
concatenating it into the SQL string; this is the primary preventive control, since a bound value
can never change the structure of the statement.
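The vulnerable pattern beside its hardened form, plus the error-message probe from the checklist, as an added Python example that is not part of the original notes. SQLite's standard-library driver stands in for the web application's database; the user table and the login-style lookup are constructed for the demonstration. The same tautology payload returns every row from the string-built query and nothing from the parameterized one, and a lone quote produces a database error only from the vulnerable version.

```python
import sqlite3


def setup_db():
    """Constructed in-memory user table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the notes warn about: untrusted input pasted into the SQL text."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Hardened form: the driver sends the value separately from the statement, so quotes
    and keywords inside it are just characters in a string and never SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# Closes the quoted literal and appends an always-true clause:
#   ... WHERE username = '' OR '1'='1' ORDER BY username
TAUTOLOGY = "' OR '1'='1"


def probe_with_quote(lookup, conn):
    """The 'error messages' check: a lone quote breaks the query only if input reaches the
    SQL text unescaped. Returns the database error text, or None when the query survived."""
    try:
        lookup(conn, "'")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def demo():
    conn = setup_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "vulnerable_quote_error": probe_with_quote(lookup_vulnerable, conn),
        "safe_quote_error": probe_with_quote(lookup_safe, conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
```

The probe is the same thing a tester does by typing a single quote into a form field; in a real application the error would surface as a stack trace or a generic 500, which is why the checklist treats error messages as evidence.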
Image forensic analysis involves examining digital images to determine their authenticity, origin,
and integrity. This process is crucial in legal investigations, verifying news, detecting deepfakes,
and identifying image manipulation.
Steps:
Mobile forensics is a specialized area of digital forensics focused on the recovery of digital
evidence from mobile devices.
The process typically involves several stages, each crucial for ensuring that the evidence is
collected, preserved, and analyzed in a forensically sound manner.
Steps:
Preparation
Seizure
Isolation (cut the device off from all networks, e.g. airplane mode or a Faraday bag, so it cannot be remotely wiped or receive new data that alters the evidence)
Analysis
Reporting
Review and Follow-up
Types of Wireless Networks in forensics
1.Wi-Fi Networks:
Commonly used in homes, businesses, and public spaces.
Evidence can include network traffic, access logs, and connected device information.
2.Bluetooth Networks:
Used for short-range communication between devices.
Evidence can include paired devices, message logs, and connection histories.
3.Cellular Networks:
Used by mobile phones to communicate with cell towers.
Evidence can include call records, text messages, and location data.
4.Zigbee and Z-Wave Networks:
Used in Internet of Things (IoT) devices for home automation.
Evidence may consist of device interactions and data logs.
5.Near Field Communication (NFC):
Used for contactless payments and data exchange.
Evidence can include transaction logs and paired device histories.
Wireless Forensics Steps:
Planning and Preparation
Environment Assessment
Capture Wireless Traffic
Identify and Analyze Devices
Examine Wireless Protocols
Data Recovery from Devices
Preserve and Secure evidence
Steganography vs. Cryptography
Purpose:
•Steganography: Aims to hide the existence of a message, making it undetectable.
•Cryptography: Focuses on transforming a message into an unreadable format to protect its
content, even if its existence is known.
Visibility:
•Steganography: The hidden message is concealed within another medium (e.g., images, audio
files) and is not obvious.
•Cryptography: The encrypted message is visible, but it appears as gibberish or random data
without the appropriate key.
Methods:
•Steganography: Techniques include least significant bit (LSB) insertion, masking, and filtering to
embed data.
•Cryptography: Involves algorithms and keys, such as symmetric (AES) and asymmetric (RSA)
encryption methods.
Detection:
•Steganography: The challenge is to detect hidden information, requiring steganalysis
techniques.
•Cryptography: While encrypted messages can be recognized, breaking the encryption requires
significant computational effort.
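LSB insertion and a first steganalysis check, as an added Python example that is not part of the original notes. It embeds a length-prefixed message into the least significant bits of a constructed 8-bit greyscale "image" (a smooth gradient held as a byte string), extracts it again, and then shows the two facts the Detection section rests on: the carrier changes by at most one level per pixel, so the hiding is invisible, yet the LSB plane of the embedded region flips far more often than the smooth cover's does. The transition-rate statistic is a simple heuristic chosen for this example, not a standard named steganalysis test, and the cover and message are invented.

```python
def _to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits):
    """Inverse of _to_bits; the bit count must be a multiple of eight."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed_lsb(cover, payload):
    """Overwrite the least significant bit of successive cover bytes with a 32-bit
    big-endian length prefix followed by the payload bits."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload needs %d cover bytes, only %d available" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit       # clear the LSB, then set it to the payload bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the length prefix from the LSB plane, then that many payload bytes."""
    lsbs = [b & 1 for b in stego]
    length = int.from_bytes(_from_bits(lsbs[:32]), "big")
    if 32 + 8 * length > len(lsbs):
        raise ValueError("length prefix exceeds carrier; not a payload written by embed_lsb")
    return _from_bits(lsbs[32:32 + 8 * length])


def max_pixel_change(cover, stego):
    """Largest per-pixel difference the embedding introduced (1 for pure LSB insertion)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_transition_rate(pixels):
    """Heuristic steganalysis statistic (added here, not a standard test): the fraction of
    adjacent pixel pairs whose LSBs differ. Smooth image regions change LSB rarely; an
    embedded payload pushes the LSB plane toward random, so the rate climbs toward 0.5."""
    lsbs = [p & 1 for p in pixels]
    if len(lsbs) < 2:
        return 0.0
    return sum(a != b for a, b in zip(lsbs, lsbs[1:])) / (len(lsbs) - 1)


COVER = bytes((i // 8) % 256 for i in range(2048))    # constructed smooth 8-bit gradient
MESSAGE = b"meet at dawn"                              # constructed payload


def demo(cover=COVER, message=MESSAGE):
    stego = embed_lsb(cover, message)
    region = 32 + 8 * len(message)                     # pixels actually touched by embedding
    return {
        "recovered": extract_lsb(stego),
        "max_pixel_change": max_pixel_change(cover, stego),
        "cover_rate": lsb_transition_rate(cover[:region]),
        "stego_rate": lsb_transition_rate(stego[:region]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value!r}")
```

Note what the example does not do: the payload is readable once found. Hiding it in the LSB plane is steganography alone; a message that should stay confidential even after steganalysis finds it needs to be encrypted before embedding, which is the complementary role the Purpose section assigns to cryptography.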