Cyber Forensics: Its Importance, Cyber Forensics Techniques, and Tools

Cyber Forensics

Cyber is a prefix used to describe, a person, a thing or any idea related to computers and the internet. Forensics means using some sort of scientific process for the collection, analysis, and presentation of the evidence which has been collected. Forensics deals primarily with the recovery and examination of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive as per An Introduction to Computer Forensics-Infosec Resource. Thus, a formal definition of cyber forensics is:

Mostly, the data collected during a cyber-forensic investigation is not easily available or seen by a common computer user. This may comprise items like fragments of data that can be found in the space allocated for existing files and deleted files from the computer system, which can only be known by a cyber-forensics expert. Special skill, practice, and tools are essential for obtaining this type of evidence. In a crime scene cyber forensics is mainly concerned with three types of data and they are as follows (as said by (New York Computer Forensics).

• 1.

  Active Data: Active data is the data available on the computer system. This type of data is easily noticeable and can be obtained without using any restoration process. The data or information readily accessible to users includes word files, spread sheets, images, databases, email-messages, program files, system files or files used by the operating system. This is the easiest type of data.

• 2.

  Archival Data: Archival data is a collection of data that has been moved to a storage media (Like cloud) for backup and storage. This type of data includes chats, a simple list of files, files organized under directory or catalogue structure, backup tapes, entire hard drives.

• 3.

  Latent Data: Latent data, also known as ambient data, is not easily seen or accessible upon first glance at the scene of a Cyber-crime by an expert. It takes a much deeper level of investigation by the cyber forensic experts to unearth them. Specialized software is needed to access this type of data. Obtaining latent data is time-consuming and costly compared to the other two types of data. Some example of Latent data includes:

  • a)

    Deleted files or partially overwritten files.

  • b)

    The information which is in computer storage but is not readily referenced in the file allocation tables;

  • c)

    The information which cannot be viewed readily by the operating system or commonly used software applications;

  • d)

    Data which has been purposely deleted and is now located in: Unallocated spaces in the hard drive; Swap files; Print spooler files; Memory dumps;

  • e)

    The slack space between the existing files and the temporary cache.