A noob’s guide to Digital Forensics

Srishti Saha Senior Author

Digital Forensics addresses one of the many facets of a highly digitized world: the ugly reality of alarmingly rising crime rates. As technology penetrates deeper into each of our lives, it leaves us more exposed to malicious actors. Even where cybersecurity protocols are followed and firewalls are built, every user creates digital trails. Each action an individual performs on a computer system, be it creating a document or clicking a link on a website, leaves a footprint on the network. Every action completed on a digital network creates data.

Need for Digital Forensics

Social media is one of the biggest generators of data online – you would classify this as Big Data, in fact, given the number of variables and parameters involved. Our friends at Algoscale have an interesting primer on this topic. Twitter usage statistics reveal that the number of tweets has increased by 30% since 2013, to more than 350,000 tweets per minute. The total number of Google searches in 2015 amounted to over 2.8 trillion. With this huge amount of data being generated, finding traces of crime within it is inevitable. Cybercrime is not an alien concept to modern society; both large organizations and individuals have fallen prey to it. Big Data technologies and the Internet of Things have widened the scope of cybercrime and other malicious activity on digital platforms.

While we obviously cannot put the brakes on innovation, we can certainly mitigate and combat the dangers that come with it. Cybersecurity measures try to prevent such scenarios; Digital Forensics plays its role in fighting them after the damage has been done.

The digital paradox is that the same technologies that let large organizations reach a large audience also let countervailing forces such as cybercrime grow. 2016 saw its biggest data breach when more than 412 million user accounts were exposed at FriendFinder Networks. November 2016 was marked by another huge fraud in the digital world: Tesco Bank was forced to halt its online banking owing to multiple fraudulent transactions performed by hackers, who managed to steal £2.5m from existing account customers. These are just a couple of the many dangerous cases of cybercrime that have tainted the delicate technological fabric. Despite numerous ethical practices and cybersecurity architectures being deployed at various levels, crimes are on the rise. This has driven the need for, and the growth of, Digital Forensics.

Defining Digital Forensics

To go by the book, Digital Forensics can be defined as the collective procedure of ‘uncovering and interpreting electronic data.’ Digital evidence is information, stored or transmitted in binary form, that can be found on any digital medium. Such evidence is used to prosecute crime both in and beyond the digital world. Digital Forensics has therefore served two purposes since its inception:

  1. It has provided evidence on crimes that occurred in the physical world: because computerization is ubiquitous, relevant data is almost inevitably found in any civil or criminal investigation.
  2. It has solved crimes that directly involve computer systems: such cases carry a massive amount of data that can incriminate everyone involved in cybercrimes like hacking.

Digital Forensics can be thought of as a combination of art and science. Digital Forensic Science uses scientifically derived algorithms for preserving, collecting, validating, identifying, analyzing, documenting and presenting digital evidence. Data derived from digital sources is then used to reconstruct events and scenarios in order to arrive at a judgement on unauthorized and criminal activities. This requires dexterity and an ability to think beyond pre-defined boundaries. Hence the art of Digital Forensic Science has evolved and branched into different areas as technology has evolved. Some branches of Digital Forensics are:

  • Cloud Forensics
  • Network Forensics
  • Mobile Device Forensics
  • Database Forensics
  • Disk Forensics
  • PDA Forensics
  • Printer and Scanner Forensics


While the sources may differ, the basic methodology remains the same:

  • Acquire: The data forming the evidence must be obtained without altering or damaging its original form.
  • Authenticate: The volume of data on any digital medium is large; the trick is to extract the most useful signals from a pile of low-significance data.
  • Analyze: To make decisions on the basis of the acquired data, one needs to accurately interpret, compute and represent the observations made.

All these steps must be completed with the integrity of the evidence preserved. Let us now look into a few of the above-mentioned branches of computer forensics.
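
The acquire-and-preserve step above, as an added example that is not part of the original article: a small Python script that copies a source file into an evidence store, hashes it before and after the copy, records a chain-of-custody entry, and later re-verifies the copy so that any tampering is detected. The manifest layout, the `examiner` field and the sample "image" are assumptions of the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source, evidence_dir, examiner):
    """Copy source into the evidence store, hashing before and after the copy,
    and append a chain-of-custody entry to manifest.json (hypothetical layout)."""
    original_hash = sha256_file(source)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copy2(source, dest)          # copy2 keeps the original timestamps
    os.chmod(dest, 0o444)               # the working copy is read-only from now on
    copy_hash = sha256_file(dest)
    if copy_hash != original_hash:      # acquisition altered the data: stop here
        raise RuntimeError("copy does not match source")
    entry = {"source": os.path.abspath(source), "evidence_path": dest, "sha256": copy_hash,
             "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "size": os.path.getsize(dest)}
    with open(os.path.join(evidence_dir, "manifest.json"), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify(entry):
    """Re-hash the stored copy and compare with the manifest entry."""
    return sha256_file(entry["evidence_path"]) == entry["sha256"]

def demo():
    """Constructed sample: acquire a small fake image, then tamper with it."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "usb.img")
    with open(src, "wb") as f:
        f.write(b"FAT32 boot sector stub\x00" * 64)   # constructed content
    store = os.path.join(work, "evidence")
    os.mkdir(store)
    entry = acquire(src, store, examiner="analyst-1")
    intact = verify(entry)              # True: copy matches manifest
    os.chmod(entry["evidence_path"], 0o644)
    with open(entry["evidence_path"], "ab") as f:
        f.write(b"x")                   # simulate tampering with the copy
    return intact, verify(entry)        # (True, False)
```

In practice the hash is also recorded on the original media's acquisition form, so the manifest, the copy and the source can be cross-checked by anyone who handles the evidence later.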

Network Forensics

Network forensics deals with the capture and analysis of network events to procure evidence of security breaches. With close to 3.5 billion Internet users across the world, it is not surprising that illegal activity on networks is growing steeply. Big corporate firms and individuals alike are victimized by dangerous cases of data theft and identity theft.


The three important parts of network forensics are:

  1. Intrusion Detection at the network level
  2. Data logging of all activities performed in the network
  3. Finding the correlation between the Network Intrusion and Activity Logs

The major communication streams in any network are e-mail and the World Wide Web, so e-mail forensics and web forensics form the most integral parts of network forensics. Tools like Wireshark (formerly Ethereal) and WinPcap are used to capture the packets passing through any system interface on a network. Such tools help us arrive at a definite fault-point that might have served as the hub for illegal activity. Once the host or IP address is located, the path has to be traced to obtain the complete picture of the victim, the criminal and the series of events that have elapsed.

What challenges this approach is the massive amount of data generated in a network. Among terabytes of data generated in a day, it is very difficult to track a particular incident, and a delay in discovering the incident makes the process even more tedious. The inherent anonymity of Internet protocols (IP addresses) is another challenge faced by network forensic specialists. However, with the help of powerful tools and services, these problems can be addressed quickly and efficiently.
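The third of the three parts listed above, correlating intrusion alerts with activity logs, as an added example that is not part of the original article. The alert and log formats, IP addresses and timestamps are constructed for the example; a real deployment would parse the IDS and web/auth log formats actually in use. Alerts that find no corroborating activity within the time window are reported separately, since they usually mean a logging gap or a spoofed source rather than a clean bill of health.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: IDS alerts and activity-log lines in a made-up format.
IDS_ALERTS = """\
2016-11-05T09:14:02Z alert src=203.0.113.7 sig="web attack signature"
2016-11-05T09:14:30Z alert src=203.0.113.7 sig="directory traversal"
2016-11-05T11:40:11Z alert src=198.51.100.20 sig="port scan"
"""
ACTIVITY_LOG = """\
2016-11-05T09:10:55Z web 203.0.113.7 GET /login 200
2016-11-05T09:14:05Z web 203.0.113.7 GET /search 500
2016-11-05T09:15:12Z auth 203.0.113.7 login admin SUCCESS
2016-11-05T09:30:00Z web 192.0.2.44 GET /index 200
2016-11-05T13:02:40Z web 198.51.100.20 GET /robots.txt 200
"""
ALERT_RE = re.compile(r'^(\S+) alert src=(\S+) sig="([^"]*)"$')
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (.*)$')

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_alerts(text):
    return [{"ts": parse_ts(m[1]), "src": m[2], "sig": m[3]}
            for m in map(ALERT_RE.match, text.splitlines()) if m]

def parse_log(text):
    return [{"ts": parse_ts(m[1]), "source": m[2], "ip": m[3], "detail": m[4]}
            for m in map(LOG_RE.match, text.splitlines()) if m]

def correlate(alerts, events, window=timedelta(minutes=5)):
    """For each alert, collect activity-log events from the same IP within
    +/- window of the alert time, ordered so the analyst reads them as a timeline."""
    incidents = []
    for a in alerts:
        related = sorted((e for e in events
                          if e["ip"] == a["src"] and abs(e["ts"] - a["ts"]) <= window),
                         key=lambda e: e["ts"])
        incidents.append({"alert": a, "events": related})
    return incidents

def summarize(incidents):
    """Return (corroborated, uncorroborated) alert counts."""
    with_events = sum(1 for i in incidents if i["events"])
    return with_events, len(incidents) - with_events

def run():
    inc = correlate(parse_alerts(IDS_ALERTS), parse_log(ACTIVITY_LOG))
    return inc, summarize(inc)   # summary is (2, 1) for the sample data
```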

Cloud Forensics


Cloud Forensics can be thought of as a combination of two paradigms: Cloud Computing and Digital Forensics. Cloud Forensics intersects with Network Forensics in the sense that a cloud computing environment provides servers, storage, databases, networking, software and analytical capabilities over a network, that is, the cloud. Thus cloud forensics shares its basic principles with network forensics.

In cloud forensics, the two main parties involved are the cloud customers and the Cloud Service Providers (CSPs). Many CSPs outsource services to other parties, which widens the scope of an investigation when a crime occurs. Cloud crime can be fatal in any of the three cases below:

  1. Cloud as an object: when the target of the crime is either the CSP or the cloud service subscriber, and the cloud is attacked in part or as a whole.
  2. Cloud as a tool: when data related to the crime is stored on a cloud server and the cloud network is used to facilitate the illegal activity.
  3. Cloud as a subject: when the criminal activity is committed within an established cloud environment.

In such cases, cloud forensic investigation employs various processes to acquire significant evidence of the crime. Methods like troubleshooting, log monitoring, data and system recovery, reconstruction and regulatory compliance are followed in cloud forensics.

One major challenge in cloud forensics is the high cost of the investigation procedures. Keyun Ruan, a PhD candidate at the Center for Cyber Crime Investigation in Ireland, says, “Cloud forensics is difficult because there are challenges with multi-tenant hosting, synchronization problems, and techniques for segregating the data in the logs.” The limitations lie in the complexity of the strategy, logistics and infrastructure of the cloud platform. However, with developments in cloud computing research, cloud forensics is expected to become easier in the near future.

Database Forensics


Database Forensics seeks to find evidence of crime in databases and piles of raw information. In an age where almost all applications rely on sophisticated databases and data-manipulation functions, securing our databases is of utmost importance. Examples of critical data that could be maliciously altered to harm people are bank account records, medical records or even the Personal Identification Numbers of individuals.

Database forensics uses tools such as SQL and Python to retrace Data Definition Language (DDL) and Data Manipulation Language (DML) commands that might have been executed illegitimately.


The basic database forensic investigation follows a three-step process:

  1. Logfile Analysis (Incident Verification): Huge log files are sifted through to collect information relevant to the case.
  2. Artifact Collection: Caches and memory are rigorously scanned for suspicious artifacts or functions. The most critical and volatile ones are collected first.
  3. Artifact Analysis: All the data acquired in the Incident Verification and Collection phases is then analyzed, tracing a clear path back to the site of the crime.
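
The first step above, sifting a database log for the DDL and DML commands worth retracing, as an added example that is not part of the original article. The log lines are constructed and only loosely modelled on a MySQL general query log (timestamp, connection id, command, argument); the risk heuristics are the example's own choice and would be tuned per case. The point is to attribute each risky statement to the user who opened the connection, so the analysis phase starts from a short, attributed timeline rather than the raw log.

```python
import re

# Constructed sample, loosely modelled on a MySQL general query log.
GENERAL_LOG = """\
2016-11-05T02:10:01Z 17 Connect app_user@10.0.0.5 on bank
2016-11-05T02:10:02Z 17 Query SELECT id, balance FROM accounts WHERE id = 4411
2016-11-05T02:11:40Z 18 Connect admin@203.0.113.7 on bank
2016-11-05T02:11:45Z 18 Query UPDATE accounts SET balance = balance + 2500 WHERE id = 9001
2016-11-05T02:11:59Z 18 Query DELETE FROM audit_trail
2016-11-05T02:12:03Z 18 Query DROP TABLE audit_trail_backup
2016-11-05T02:15:00Z 17 Query UPDATE accounts SET last_seen = NOW() WHERE id = 4411
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\w+)(?: (.*))?$")
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"}
DML = {"INSERT", "UPDATE", "DELETE", "REPLACE"}

def parse(text):
    """Turn log lines into (timestamp, connection id, command, argument) records."""
    rows = []
    for m in map(LINE_RE.match, text.splitlines()):
        if m:
            rows.append({"ts": m[1], "conn": int(m[2]), "cmd": m[3], "arg": m[4] or ""})
    return rows

def classify(sql):
    """Label a statement as DDL, DML or OTHER by its leading keyword."""
    verb = sql.split(None, 1)[0].upper()
    return "DDL" if verb in DDL else "DML" if verb in DML else "OTHER"

def risk(sql):
    """Heuristics for statements an investigator wants to see first: anything
    destructive at the schema level, or a DELETE/UPDATE with no WHERE clause."""
    s = " ".join(sql.upper().split())
    verb = s.split(" ", 1)[0]
    if verb in ("DROP", "TRUNCATE"):
        return "destructive DDL"
    if verb in ("DELETE", "UPDATE") and " WHERE " not in s:
        return "unqualified " + verb
    return None

def flagged_statements(rows):
    """Attribute each flagged Query to the user who opened that connection."""
    users, out = {}, []
    for r in rows:
        if r["cmd"] == "Connect":            # "user@host on db": remember user@host
            users[r["conn"]] = r["arg"].split(" on ")[0]
        elif r["cmd"] == "Query" and risk(r["arg"]):
            out.append({"ts": r["ts"], "conn": r["conn"], "user": users.get(r["conn"], "?"),
                        "kind": classify(r["arg"]), "risk": risk(r["arg"]), "sql": r["arg"]})
    return out
```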

Success Stories

Digital forensics has helped solve large and significant cases of data and identity theft in the recent past. On 30 November 2016, after over four years of investigation, the UK’s National Crime Agency took down a major cloud-based crime network. In the fraud linked to the Avalanche network, the cloud platform was used to launch and manage mass global malware attacks and money-mule recruiting campaigns. Concentrated cyber attacks on an online banking system in Germany alone caused damage of EUR 6 million.

The Avalanche case, which had affected people in around 180 countries, was the subject of a four-year investigation led by the German police. This led to an operation in which coordinated action took down over 800,000 malicious web domains and blocked communication between the criminals and their computers in a single day. In the end, 5 people were arrested and 37 premises were searched. The investigation also led to 39 servers being seized and 221 servers being put into ‘offline’ status through abuse notifications sent to the hosting providers.

Another case of cybercrime involved the exploitation of vulnerable online payment channels. A group of researchers at Newcastle University uncovered a payment card vulnerability in December 2016. The attack could be exploited to carry out fraudulent transactions online: it could work out the card number, expiry date and security code of any Visa card and hence subvert card validation mechanisms on authorized sites. The researchers believe this attack could have been the cause of the November Tesco Bank fraud worth £2.5m. An investigation of the top 400 online merchants’ payment sites revealed the criminal activities and is now expected to help protect hundreds of thousands of individuals from online monetary theft.


Digital forensics is still in its nascent stage and has yet to form a concrete structure. It lacks broad scientific standards that could be followed for an organized approach. The need of the hour is better forensic practices and tools that can deal with the massive amounts of data in the current world. Moreover, the quality of the tools used at the various stages of a cyber forensic investigation needs to advance.

Having stated the obvious, we can see developments being made in the field by leaps and bounds. A popular adage from the Sherlock Holmes detective stories says, “There is nothing more deceptive than an obvious fact.” It is anticipated that better tools and processes will soon turn this emerging trend into an imperative.