top of page

Introduction to Digital Forensics

The field of digital forensics has become increasingly more important over the last few years as both the computer and the cellular market has grown. Nowadays large amount of information is produced, accumulated, and distributed via electronic means. Since digital devices such as computers are vulnerable to attack by criminals, digital forensics is increasing in importance. Digital forensic techniques are used primarily by private

organizations and law enforcement agencies to capture, preserve and analyze evidence on digital devices.

What is digital forensics?

Digital forensic science is a branch of forensic science that focuses on the recovery and

investigation of material found in digital devices related to cybercrime i.e., digital evidence. It is the process of identifying, preserving, analyzing, and documenting digital evidence so that it could be presented in a court of law when required.

Digital forensics protects digital evidence from possible alterations, damage, data

corruption, or infection and also uncovers all relevant files on suspect systems, including

hidden, password protected, encrypted, and also some deleted files. In addition, it also

assists in information dissemination.

Steps of Digital Forensics:

In order for digital evidence to be accepted in a court of law, it must be handled in a very

specific way so that there is no opportunity for tampering with the evidence.

1. Identification

Finding the evidence and noting where it is stored.

2. Preservation

Next, isolate, secure, and preserve the data so as to prevent people from possibly tampering with the evidence.

3. Analysis

Reconstructing the fragments of data and drawing conclusions based on the found


4. Documentation

Following that, create a record of all the data to recreate the crime scene.5. Presentation

Finally, summarize and draw a conclusion.

What are the different types of digital forensics ?

Digital forensics is a constantly evolving scientific field with many sub-disciplines.

Some of the major sub-disciplines are:

Computer Forensics – This branch handle cases related to data stored in the computer

devices. Involves the identification, preservation, collection, analysis and reporting on

evidence found on digital devices like computers, laptops and storage media in support of investigations and legal proceedings. The main goal of computer forensics division is to find out and explain the current state of digital evidence stored into such devices.

Network Forensics – Network forensics deals with cases related to computer network traffic (it can be local (LAN) or the Internet (WAN)). The monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, such as worms, virus or malware attacks, abnormal network traffic and security breaches.

Memory forensics –Memory forensics is forensic analysis of volatile data in a computer's memory dump. The recovery of evidence from the RAM of a running computer, also called live acquisition. This allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running a special software that captures the current state of the system's memory as a snapshot file, which is known as the memory dump.

Mobile Forensics – Mobile forensics deals with the recovery of digital evidence related to mobile phones and other mobile devices. This information helps especially in

establishing a connection between crime and criminal.

Disk forensics - The science of extracting forensic information or evidence from the

hard disk images.

Digital Image Forensics – The extraction and analysis of digitally acquired images to validate their authenticity by recovering the metadata of the image file to ascertain its history.

Digital Video/Audio Forensics – The collection, analysis and evaluation of audio and video recordings. The science is the establishment of authenticity as to whether a recording is original or it has been modified or tampered either maliciously or accidentally.

Database forensics- Database forensics division handles cases related to the database.

Forensics database is an analysis and examination of databases and their metadata.

Live forensics- The branch of digital forensics which deals with the examination and analysis of cases related to a live scenario. This helps to maintain originality of the evidence without any change or loss.

What are the different tools for forensics?

Digital forensic tools are the predefined software or methods which are available for

application of digital forensic.

Some of the free and proprietary tools are listed below:


EnCase is a software acquired by OpenText and comes in several products designed

for forensic, cyber security, security analytics, and e-discovery use. Encase is traditionally

used in forensics to recover evidence from seized hard drives. It allows the user to

investigate or analyze many machines simultaneously and investigate and analyze multiple


FTK Imager is a data preview and imaging tool that allows the user to examine files and

folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. FTK Imager can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.

X-Ways Forensics provides an advanced work environment for computer forensic

examiners. It is a fully portable, efficient and fast tool which could find out even deleted


Computer Online Forensic Evidence Extractor (COFEE) is a proprietary tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from

a Windows computer. It is installed on a USB flash drive or any other external disk drive, and acts as an automated forensic tool during a live analysis.

IsoBuster is a data recovery computer program by Smart Projects, which can recover data from damaged file systems or physically damaged disks including optical discs, hard disk drives, USB flash drives and solid state disks. It has the ability to access "deleted" data on multisession optical discs, and also allows users to access disc images.


The Sleuth Kit is an open source digital forensics toolkit which is used to perform in-depth analysis of various file systems.

Autopsy is an easy to use, GUI-based program that allows the user to efficiently analyze hard drives and smart phones. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality. It is essentially a GUI that sits on top of The Sleuth Kit.

The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools needed to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format, Advanced Forensic Format, and RAW evidence formats.

CrowdResponse is a lightweight console application that can be used as part of an incident response scenario to gather contextual information such as a process list, scheduled tasks, etc.

Volatility is a memory forensics framework for incident response and malware analysis that allows the user to extract digital artifacts from volatile memory dumps. The user can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more by using this.

Linux ‘dd is a very powerful tool that is available on the majority of Linux distributions by default. This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

CAINE (Computer Aided Investigative Environment) is Linux Live CD that contains a wealth of digital forensic tools. Main Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.

ExifTool is a command-line application used to read, write or edit file metadata information. It is fast, powerful and also supports a large range of file formats although image file types are its speciality. It can be used for analysing the static properties of suspicious files in a host-based forensic investigation.

DEFT is another Linux Live CD which bundles some of the most popular free and open

source computer forensic tools available. It aims to help with Incident Response, Cyber

Intelligence and Computer Forensics scenarios. It also contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.

Xplico is an open source Network Forensic Analysis Tool (NFAT) which aims to extract

applications data from internet traffic. Features are support for a multitude of protocols,

TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst


Hope this post was informational

Connect with me on linkedin

54 views0 comments
bottom of page