DOCUMENT FORENSIC TO DIGITAL DOCUMENT FORENSIC
• PRESENCE OF SCANNED AND PRINTED DOCUMENTS DURING EXAMINATION OF FORENSIC DOCUMENTS.
• EXAMINATION OF COMPUTERS CONTAINING THE DIGITAL COPY THOUGHT TO BE A WAY TO FIX RESPONSIBILITY.
* First case of computer forensics was taken up in the year 2004.
TYPE OF CASES EXAMINED AROUND 2008-10
• THEFT OF DESIGNS AND CUSTOMER LISTS BY PARTNERS / EMPLOYEES WHILE LEAVING THE COMPANY, THEN OFFERING LOWER PRICES TO EXISTING CUSTOMERS FROM THE OLD COMPANY EMAIL.
• THREATENING EMAIL.
• CUSTOMERS DUPED BY A TRAVEL AGENCY FOR A FOREIGN TOUR.
• FLIGHT / RAIL TICKETS PURCHASED ONLINE WITH THE CREDIT CARD DETAILS OF OTHERS.
* 20-25 cases per year
CHANGE IN NATURE OF CASES IN 2011-2013
• Cases related to fake accounts on social sites (Orkut, Facebook, Skype, Twitter).
• Terrorist communications over the internet.
• Computers used for transactions of fictitious companies, online / offline.
• Data of national interest leaked via the internet.
• Online circulation of defamatory material.
• Mobile communication by SMS / MMS / voice recording / still and video recording.
* 150 cases per year
2014-15
• Mobile used as the communication device for all social network and email activities.
• Laptops replaced desktops.
• Laptop size grew smaller.
• Requests for CCTV footage increased.
• New applications / apps on mobile for social networking (WhatsApp, Viber, Line).
• Apps for financial transactions / banking / billing.
• Server examination requirements.
Seizure of digital evidence
• Why they are called best practices.
• Practices differ (they depend on the working environment).
• Need to adopt a guideline.
• Stringent or diverse.
• Need to document.
CHAIN OF CUSTODY of computer evidence
• Physical (serial no., IMEI)
• Digital (hash value)
SCENE OF CRIME
• WHEN DESKTOP COMPUTER IS OFF
• WHEN DESKTOP COMPUTER IS ON
• ANY HARD DISK INSIDE?
• WHEN LAPTOP COMPUTER IS ON?
• WHEN LAPTOP COMPUTER IS OFF?
• WHETHER ACCUSED SHOULD BE ALLOWED TO BACK UP DATA? HOW DAMAGING FOR THE INVESTIGATION?
• READ LABELS (OS, hard disk capacity, repairs in between)
SEIZURE OF MOBILE/ SIM / MEMORY CARD
• ONE SIM vs DUAL SIM
• REMOVE BATTERY
• FLIGHT MODE/ BLOCK SIM
• SIM LOST
• MEMORY CARD.
• PATTERN LOCK/ PASSWORD ON SCREEN
• MEMORY CARD LOCKED.
• SEIZE POWER CABLE/ CONNECTORS
CCTV SEIZURE
• TIME / DATE CHECK BEFORE SWITCHING OFF.
• CHECK CAPACITY OF THE HARD DISK INSIDE.
• DVR BOX IS REQUIRED ALONG WITH POWER CORD.
• BACKED-UP FOOTAGE ACQUIRED AT THE CRIME SCENE.
NETWORKED COMPUTER
• DELEGATE EXPERTS TO ACQUIRE DATA.
• ADVICE OF THE NETWORK ADMINISTRATOR / SERVICE PROVIDER NEEDED.
• POWERING ON AT THE ORIGINAL SITE IS REQUIRED.
ONLY HARD DISK / WHOLE COMPUTER
• ONLY THE HARD DISK IF THE DATA IS QUESTIONED.
• THE DESKTOP / LAPTOP CONCERNED IF THE FUNCTIONS OF THE COMPUTER ARE QUESTIONED / SPECIAL.
TOOLS REQUIRED FOR PREVIEW / DUPLICATION
• WRITE BLOCKERS
• IDENTIFICATION OF DIFFERENT OS
• NEW HARD DISK / PROPERLY WIPED HARD DISK
• VALIDATION OF HARDWARE / SOFTWARE
• HASH VALUE
CLONING VS BIT STREAM IMAGE
• CLONING FOR REBOOT
• BIT STREAM IMAGE FOR RESTORE.
• HASH VALUE
WHAT MAY ESCAPE DURING PURVIEW
• SLACK SPACE
• WEB MAIL
• INTERNET ACTIVITY
• HIDDEN FILES
• FILES NOT SUPPORTED BY SOFTWARE.
• HOST PROTECTED AREA
• DEVICE CONFIGURATION OVERLAY
• BACKUPS OF DEVICES (COMPRESSED FILES, IMAGES OF CD/DVD, BACKUP OF MOBILE, BACKUP OF CHAT HISTORY)
DIFFERENT APPROACH
• REGISTRY FORENSIC
• BROWSER FORENSIC
• SYSTEM RESTORE POINT FORENSIC
• VIRTUAL MACHINE FORENSIC
• CLOUD FORENSIC
• NETWORK FORENSIC
EXHIBITS
CPU
HARD DISK
CD/DVD/FLOPPY
PENDRIVE / EXTERNAL HARD DISK
MOBILE PHONE / SIM CARD / MEMORY CARD
DIGITAL VIDEO RECORDER
STILL / VIDEO CAMERA / MEMORY CARD
SPY CAM
INTERNET HISTORY
FILES DOWNLOADED / UPLOADED FROM THE INTERNET
COOKIES
WEBMAIL
SOCIAL NETWORK ARTIFACTS
CHAT HISTORY
FILES FROM PRIVATE NETWORK (BLUETOOTH, WIFI)
DIFFERENCE BETWEEN DATA EXTRACTION AND COMPUTER FORENSIC
IT MUST BE PROVED THAT THE CHAIN OF CUSTODY WAS PROPERLY FOLLOWED AND THAT NOTHING HAS BEEN DELETED, ADDED OR CHANGED DURING EXAMINATION.
THE PROCESS OF SUCH ASSURANCE STARTS FROM THE CRIME SCENE.
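As an added example (not material from the slides or from any forensic tool), the hash-value check behind the chain of custody and the bit-stream image slides, written in Python with hashlib: the acquisition hashes the bytes as they are copied, the exhibit and the image file are then hashed independently, and all three digests must agree before the custody record is accepted. The same check later exposes any change to the working copy. The device content, exhibit label and serial number are constructed placeholders, and the function names are mine.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a seized disk: 4096 bytes of known content. A real
# acquisition reads the block device through a write blocker instead.
SAMPLE_DEVICE = bytes(range(256)) * 16


def hash_stream(stream, algo="sha256", chunk_size=4096):
    """Hash a readable byte stream chunk by chunk, so multi-GB images fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_hex(data):
    """Convenience wrapper: SHA-256 of an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire_bit_stream(source, destination, chunk_size=4096):
    """Bit-stream copy: every byte of `source` goes to `destination`, hashed on the way.
    Returns the hash of exactly the bytes that were read."""
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h.update(chunk)
        destination.write(chunk)
    destination.flush()
    return h.hexdigest()


def acquire_and_verify(device_bytes, exhibit_id, physical_id):
    """Acquire an image, then independently re-hash the source and the image.
    Returns (custody record, image bytes); 'verified' is True only when all three
    digests agree."""
    source = io.BytesIO(device_bytes)
    image = io.BytesIO()
    acquisition_hash = acquire_bit_stream(source, image)
    source.seek(0)
    image.seek(0)
    record = {
        "exhibit": exhibit_id,                 # label on the sealed exhibit (placeholder)
        "physical_id": physical_id,            # serial number / IMEI from the label (placeholder)
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "acquisition_hash": acquisition_hash,
        "source_hash": hash_stream(source),    # the exhibit, read a second time
        "image_hash": hash_stream(image),      # the image file as written out
    }
    record["verified"] = (record["acquisition_hash"] == record["source_hash"]
                          == record["image_hash"])
    return record, image.getvalue()


def image_unchanged(record, image_bytes):
    """At examination time: re-hash the working copy and compare it with the custody
    record. A single altered byte changes the digest and fails the check."""
    return sha256_hex(image_bytes) == record["image_hash"]


if __name__ == "__main__":
    rec, img = acquire_and_verify(SAMPLE_DEVICE, "EXHIBIT-1 (placeholder)", "SERIAL-PLACEHOLDER")
    print("verified:", rec["verified"], "sha256:", rec["image_hash"])
    print("altered copy passes check:", image_unchanged(rec, img[:-1] + b"\x00"))
```

Hashing the stream during the copy and then re-hashing both ends separately is what lets the examiner state in the report that the image is byte-for-byte identical to the exhibit; the recorded digest is what a later examiner compares against before touching the working copy.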
BEST PRACTICES FOR SEIZURE OF DIGITAL EVIDENCE
HASH VALUE
UNCOMMON CASES
PICTURES IN EXCEL SHEET
IMAGE OF HANDWRITTEN NOTES AS EMAIL MESSAGES
FORMATTED HARD DISK
VOICE RECORDING AS SUICIDE NOTE
CCTV CASES
PROPRIETARY OPERATING SYSTEM REQUIRES ITS OWN HARDWARE FOR EXAMINATION.
INHERENT CLOCK SETTINGS CANNOT BE CROSS-CHECKED.
DELETED FILES CANNOT BE RECOVERED.
REQUIREMENTS WHILE SUBMITTING CASE
1. PROPER FORMAT
2. PROPER SEALING AND LABELLING OF EXHIBITS
3. SIGNATURE AND SEAL OF AUTHORITY
4. ATTESTED COPY OF FIR
5. REQUIREMENT OF HARD DISK
WHEN QUERY IS IMAGE / VIDEO RELATED: COPY OF ALLEGED IMAGE / VIDEO
WHEN QUERIES DO NOT SERVE THE PURPOSE
1. MISSING NAME OF THE COMPANY.
2. ASKING RANDOM SYSTEM-RELATED QUERIES.
3. ALL EMAILS / CREDIT CARDS / IP ADDRESSES
4. ALL USERS
5. MISSING INTERNET HISTORY AND KEYWORDS
JUDICIOUS DISTRIBUTION / SEIZURE OF EXHIBIT
CAMERA WITH DVR
MONITOR WITH CPU
MODEM WITH LAPTOP
DETACHED HARD DISKS OF SERVER
BUNDLING 10 BRANCHES OF A COMPANY IN 01 BIG CASE
REQUIREMENT OF HARD DISK: COPY / CLONE / MIRROR IMAGE
WHAT ARE THE CHANCES OF MISSING EVIDENCE WHEN THE INVESTIGATING AGENCY DECIDES TO SEE THE EVIDENCE THEMSELVES?
Multiple queries
What is the IP address used in this computer?
What is the MAC address used in this computer?
What programs are installed in this computer?
Who are the users of this computer?
Was this computer used for email?
Which modem was used for connecting to the internet?
Translate to single query
WHETHER THE MAILS AT ANNEXURE-A WERE SENT / RECEIVED FROM THIS COMPUTER.
Multiple queries
What accounting packages are installed?
How many xls files are there?
How many Word files are there?
What is the operating system of the computer?
Are there any password-protected or encrypted files?
What different types of data are available in the system?
Are there any deleted files?
Translate to single query
Please provide all the data related to the company and any document similar to the documents at Annexures A, B, C.
WRITING A FILE
What areas change when a FILE is written?
(Diagram: volume layout drawn as MBR, Reserved Area, BR (boot record), FAT1, FAT2, Root Directory, and the data area holding FILE.)
1. Directory entry is created:
   Filename   Start Cluster   Size
   FILE       2               1024
   Unused Directory Entry
   Unused Directory Entry
2. FATs are updated (FAT grid, cluster : entry; E marks the end of the file's cluster chain):
   2 : E    6 : 0    10 : 0
   3 : 0    7 : 0    11 : 0
   4 : 0    8 : 0    12 : 0
   5 : 0    9 : 0    13 : 0
3. FILE contents written to data area.

DELETING A FILE
(Same volume diagram.)
1. First character of the Directory entry is changed (FILE is now shown as ILE):
   Filename   Start Cluster   Size
   ILE        2               1024
   Unused Directory Entry
   Unused Directory Entry
2. FAT entries are zeroed:
   2 : 0    6 : 0    10 : 0
   3 : 0    7 : 0    11 : 0
   4 : 0    8 : 0    12 : 0
   5 : 0    9 : 0    13 : 0
3. Data area is not changed!

REFORMATTING
Three areas change when a partition is reformatted:
1. Root Directory entries are zeroed:
   Filename   Start Cluster   Size
   Unused Directory Entry
   Unused Directory Entry
   Unused Directory Entry
2. FAT entries are zeroed (every entry 2 to 13 reads 0).
3. Boot Record is written.
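The three slide sequences above (writing, deleting, reformatting) can be replayed in code so the side effects on each area are visible. The toy FAT model below is an added example, not material from the slides or from any forensic tool. Its geometry (1024-byte clusters, FAT entries 0 to 13, three root directory slots, FILE at cluster 2) follows the slide's grid; the end-of-chain value 0xFFF and the 0xE5 deletion marker are standard FAT conventions that the slide does not state. The class and method names (`ToyFatVolume`, `write_file`, `delete_file`, `format`, `recover_deleted`) are mine.

```python
import math

CLUSTER_SIZE = 1024         # bytes per cluster; the slide's FILE is 1024 bytes, one cluster
TOTAL_CLUSTERS = 14         # FAT entries 0..13 as in the slide's grid; 0 and 1 are reserved
FIRST_DATA_CLUSTER = 2      # the slide's FILE starts at cluster 2
ROOT_DIR_SLOTS = 3          # one used entry plus the two "Unused Directory Entry" rows
END_OF_CHAIN = 0xFFF        # end-of-chain marker, shown as "E" in the slide's FAT grid
DELETED_MARK = 0xE5         # first name byte of a deleted entry in real FAT (standard FAT fact, not on the slide)


class ToyFatVolume:
    """A FAT-like volume with the areas the slides draw: boot record, FAT1, FAT2,
    root directory and data area. Each operation touches only the areas the slides
    say it touches, so the side effects can be inspected field by field."""

    def __init__(self):
        self.boot_record = b""
        self.fat1 = [0] * TOTAL_CLUSTERS
        self.fat2 = [0] * TOTAL_CLUSTERS
        self.root_dir = [None] * ROOT_DIR_SLOTS
        self.data = bytearray(CLUSTER_SIZE * TOTAL_CLUSTERS)   # data area: never cleared below
        self.format()

    def chain(self, start):
        """Follow the FAT1 chain from `start`; stops at the end-of-chain marker or a zeroed entry."""
        clusters, c = [], start
        while FIRST_DATA_CLUSTER <= c < TOTAL_CLUSTERS:
            clusters.append(c)
            c = self.fat1[c]
        return clusters

    def _entry(self, name):
        for entry in self.root_dir:
            if entry is not None and entry["name"] == name:
                return entry
        raise FileNotFoundError(name.decode())

    def format(self):
        """Reformatting: three areas change (root directory, FATs, boot record)."""
        self.root_dir = [None] * ROOT_DIR_SLOTS                 # root directory entries are zeroed
        for c in range(TOTAL_CLUSTERS):                         # FAT entries are zeroed
            self.fat1[c] = self.fat2[c] = 0
        self.fat1[0] = self.fat2[0] = self.fat1[1] = self.fat2[1] = END_OF_CHAIN  # reserved entries
        self.boot_record = b"TOYFAT boot record"                # boot record is written
        # the data area is left untouched, which is why a formatted disk is still worth imaging

    def write_file(self, name, content):
        """Writing a file: directory entry is created, FATs are updated, data is written."""
        slots = [i for i, e in enumerate(self.root_dir)
                 if e is None or e["name"][0] == DELETED_MARK]  # deleted slots are reusable
        if not slots:
            raise OSError("root directory full")
        needed = max(1, math.ceil(len(content) / CLUSTER_SIZE))
        free = [c for c in range(FIRST_DATA_CLUSTER, TOTAL_CLUSTERS) if self.fat1[c] == 0]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        self.root_dir[slots[0]] = {"name": name, "start": clusters[0], "size": len(content)}
        for c, nxt in zip(clusters, clusters[1:] + [END_OF_CHAIN]):   # both FAT copies
            self.fat1[c] = self.fat2[c] = nxt
        for i, c in enumerate(clusters):                                # data area, cluster by cluster
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        return clusters[0]

    def read_file(self, name):
        entry = self._entry(name)
        raw = b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                       for c in self.chain(entry["start"]))
        return raw[:entry["size"]]

    def delete_file(self, name):
        """Deleting a file: mark the directory entry, zero the FAT chain, leave the data."""
        entry = self._entry(name)
        for c in self.chain(entry["start"]):
            self.fat1[c] = self.fat2[c] = 0                      # FAT entries are zeroed
        entry["name"] = bytes([DELETED_MARK]) + name[1:]         # first character of the entry is changed
        # data area is not changed!

    def recover_deleted(self, name_tail):
        """Undelete: the marked entry still holds start cluster and size, so read that many
        bytes from the start cluster, assuming the file was stored contiguously."""
        for entry in self.root_dir:
            if entry and entry["name"][0] == DELETED_MARK and entry["name"][1:] == name_tail:
                start = entry["start"] * CLUSTER_SIZE
                return bytes(self.data[start:start + entry["size"]])
        return None
```

Calling `delete_file` and then `recover_deleted` shows why the slide stresses that the data area is not changed: the marked directory entry still carries the start cluster and size, so the content reads back intact until a later `write_file` reuses cluster 2, and `format()` likewise leaves the data area alone, which is the basis for the "FORMATTED HARD DISK" case listed under uncommon cases.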
WHAT ARE THE TWO TYPES OF SLACK?
(Diagram: Cluster 2 drawn as a row of sectors; the File occupies the first part and the remainder is Slack Space, split into RAM Slack and Residual Slack.)
RAM Slack
RAM Slack is the area from the end of the file to the end of that sector.
- Comes from RAM
Residual Slack
Residual data slack is the area from the end of RAM slack to the end of the cluster – whatever was on the media before.
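The two slack regions above can be computed for any file size once the sector and cluster sizes are known. The following is an added example, not from the slides: it uses a constructed geometry of 512-byte sectors and four sectors per cluster, models what reaches the media when a file's last cluster is written over older content, and carves the two slack regions back out the way a bit-stream image (but never a logical file copy) would hold them. The function names and the "O"/"F"/"R" sample bytes are mine.

```python
import math

SECTOR_SIZE = 512                 # constructed toy geometry: 512-byte sectors
SECTORS_PER_CLUSTER = 4           # four sectors per cluster, i.e. 2048-byte clusters
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def slack_regions(file_size, cluster_size=CLUSTER_SIZE, sector_size=SECTOR_SIZE):
    """Byte ranges, relative to the file's last cluster, of the regions named on the slide:
    the file's own bytes, RAM slack (to the end of the last sector) and residual slack
    (to the end of the cluster). Each value is a half-open (start, end) pair."""
    if file_size <= 0:
        raise ValueError("file must contain at least one byte")
    n_clusters = math.ceil(file_size / cluster_size)
    used = file_size - (n_clusters - 1) * cluster_size          # bytes used in the last cluster
    sector_end = math.ceil(used / sector_size) * sector_size    # end of the last sector touched
    return {
        "file": (0, used),
        "ram_slack": (used, sector_end),
        "residual_slack": (sector_end, cluster_size),
    }


def write_last_cluster(old_cluster, file_tail, ram_buffer):
    """Model what reaches the media when a file's last cluster is written: the file
    bytes, then RAM slack padded from `ram_buffer` up to the sector boundary, then the
    old bytes of the cluster beyond that sector, untouched. (Modern systems pad with
    zeros; in the 'comes from RAM' era the padding was whatever the buffer held, so
    the padding source is a parameter here.)"""
    if not 0 < len(file_tail) <= len(old_cluster):
        raise ValueError("file_tail must fit within one cluster")
    _, ram_end = slack_regions(len(file_tail))["ram_slack"]
    padded = file_tail + ram_buffer[:ram_end - len(file_tail)]
    return padded + old_cluster[ram_end:]


def carve_slack(cluster, file_size_in_cluster):
    """What a sector-level image still holds beyond the logical file:
    returns (ram_slack_bytes, residual_slack_bytes)."""
    r = slack_regions(file_size_in_cluster)
    return (bytes(cluster[slice(*r["ram_slack"])]),
            bytes(cluster[slice(*r["residual_slack"])]))


if __name__ == "__main__":
    previous = b"O" * CLUSTER_SIZE                 # constructed: what was on the media before
    on_disk = write_last_cluster(previous, b"F" * 700, b"R" * CLUSTER_SIZE)
    ram, residual = carve_slack(on_disk, 700)
    print(slack_regions(700))
    print("RAM slack bytes:", len(ram), "residual slack bytes:", len(residual))
```

A logical copy of the file returns only the first 700 bytes; the remaining 1348 bytes of cluster 2 (324 of RAM slack, 1024 of residual slack carrying the previous content) exist only in a sector-level image, which is why slack space heads the list of what may escape an examination that stops at the file level.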