Role and Importance of the Cyber Forensic Expert in Crime Investigation, and Limitations / Legal Issues to Prove Digital Evidence:

Computer forensics and digital forensics are closely related. Computer forensics is the investigation of computers, while digital forensics also covers other digital media and devices such as network devices, cell phones, flash drives, cameras and routers. Taken together they form cyber forensics. Overall, cyber forensics means finding the evidence and collecting the vital information from the attacker's machine, the victim's machine and any other devices involved, and preserving that data in such a way that it is presentable and admissible in court; this sole branch of digital forensics is what is called cyber forensics. Cyber forensics exists because of cybercrime, and the job of the cyber forensic expert is to detect the leak or find the vulnerability, collect the vital information, protect the digital evidence and maintain its evidentiary value, which is a great challenge for the person on the job. Cybercrime needs only one flaw in a system, and the target machine can then be victimised in many different ways. Cybercrimes include hacking (the illegal or unauthorised intrusion of a person or persons into computer systems), cracking, phishing, vishing, smishing, extortion, denial of service (DoS), the R-U-Dead-Yet (RUDY) attack, IRC crime, software piracy, cyber stalking, viruses, backdoors, keyloggers, worms, malware, adware, boot viruses, botnets, dialers, spyware, trojans, rootkits, zombies, internet cookies, forgery, malicious code injection and so on. The cyber forensics expert has to be aware of all of these and of how to carry out the job so that all the sensitive information and files can be obtained without harming the system or the expert: a system can be configured, for example through its ports, so that it becomes a bomb for the expert. The primary role, therefore, is to be aware of every situation and to proceed with great caution.

A cyber forensics expert must have certain skills and attributes that make solving a crime much easier. Those skills are as follows:

The person must be able to work as part of a team. The expert must take an analytical approach to solving the case, focus on every detail and reason logically, like the famous Sherlock Holmes. He or she must have the capacity for lateral thinking and must consider every possible way in which the crime could have happened, and must take an interest in welfare and human behaviour, which can help solve the case. Strong integrity, a keen power of observation, very good communication skills and a non-partisan, unbiased approach to the examination of the digital evidence are also required.

The scientific examination carried out by the forensic expert finds the missing link and strengthens the evidence and the investigation. The duties of the forensics expert are dangerous, risky, perilous and uncertain. The cyber forensic expert must be among the very best in the IT field, must keep up with recent developments and must come up with unique solutions to handle complicated cases skilfully. Experts have to recover data that has been erased, formatted, damaged or otherwise tampered with in any way. Law enforcement mostly uses their skills to recover carelessly deleted data that can be used as evidence. Cyber forensic experts deal with many kinds of cybercrime case, such as videotape examination, e-mail examination, reverse engineering of malware, IP tracking and metadata extraction. Cyber forensics also includes cell phone or SIM card forensics, which is used to recover digital data from mobiles, IoT devices, Bluetooth devices and cameras, including examination of internal memory. The forensic expert is of the greatest importance in solving or investigating a computer security incident, which involves using many tools and frameworks and handling the evidence with care.
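E-mail examination and IP tracking, which the paragraph above lists among the expert's cases, usually begin with the Received header chain that every relaying mail server prepends to a message. The Python script below is an added example written for this page, not code from the original author: it parses a constructed sample message (hostnames, queue id and addresses are invented and use documentation-only IP ranges), lists the hops from origin to destination, reports the IP address at the earliest hop, and flags two signs that the chain was forged by the sender, namely a hop whose "from" host does not match the previous hop's "by" host, and a timestamp that goes backwards. A second constructed message with exactly that defect shows the checks firing.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message for this example: three genuine-looking hops, oldest at the bottom.
SAMPLE_MESSAGE = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.7])
\tby mail.victim.example (Postfix) with ESMTPS id 4A1B2C
\tfor <analyst@victim.example>; Mon, 06 May 2024 10:02:11 +0000
Received: from relay.example.net ([198.51.100.23])
\tby mx2.example.org with ESMTP; Mon, 06 May 2024 10:02:05 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA; Mon, 06 May 2024 10:01:58 +0000
From: "Accounts" <accounts@example.net>
To: analyst@victim.example
Subject: Invoice
Date: Mon, 06 May 2024 10:01:50 +0000
Message-ID: <abc123@example.net>

Please see the attached invoice.
"""

# Second constructed message: the bottom Received line was supplied by the sender
# and does not connect to the hop above it (wrong host, later timestamp).
FORGED_MESSAGE = b"""Received: from relay.example.net ([198.51.100.23])
\tby mx2.example.org with ESMTP; Mon, 06 May 2024 10:02:05 +0000
Received: from trusted.bank.example (trusted.bank.example [203.0.113.90])
\tby smtp.bank.example with ESMTPS; Mon, 06 May 2024 10:05:00 +0000
From: billing@bank.example
To: analyst@victim.example
Subject: Account notice

Body text.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Break one Received header into from-host, by-host, IPs and timestamp."""
    text = " ".join(value.split())          # unfold the header and collapse whitespace
    match = RECEIVED_RE.search(text)
    timestamp = None
    if ";" in text:                         # the date follows the last semicolon
        try:
            timestamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return {
        "from": match.group("from") if match else None,
        "by": match.group("by") if match else None,
        "ips": list(dict.fromkeys(IPV4_RE.findall(text))),   # unique, in order
        "timestamp": timestamp,
        "raw": text,
    }


def received_hops(raw_message):
    """Return hops ordered origin -> destination (headers are prepended, so reverse)."""
    msg = email.message_from_bytes(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def origin_ip(hops):
    """First IP address mentioned in the earliest hop, if any."""
    for hop in hops:
        if hop["ips"]:
            return hop["ips"][0]
    return None


def chain_findings(hops):
    """Report breaks in hop continuity and timestamps that run backwards."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append(f"hop {i}: relayed by {prev['by']} but next hop claims from {cur['from']}")
        if prev["timestamp"] and cur["timestamp"] and cur["timestamp"] < prev["timestamp"]:
            findings.append(f"hop {i}: timestamp {cur['timestamp']} is earlier than the previous hop")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = received_hops(raw)
        print(label, "origin IP:", origin_ip(hops))
        for hop in hops:
            print("  from", hop["from"], "by", hop["by"], hop["timestamp"])
        for finding in chain_findings(hops):
            print("  !", finding)
```

Only the Received lines added by servers the examiner controls or trusts (the recipient's own mail infrastructure) can be taken at face value; everything below them was in the sender's hands. Real servers also often write the HELO name in "from" and their fully qualified name in "by", so a continuity mismatch is a lead to follow up against the server's own logs, not proof of forgery on its own.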

Big companies cannot tolerate any computer flaws and spend a lot of money securing their devices; to meet that challenge they build software and frameworks that help a forensic investigator automate the retrieval of critical information without damaging the system or the evidence. An investigator must follow a set approach to solving a crime: an initial investigation, finding the hidden files, tracking the intruder, gaining access to or closing in on the attacker, and then making the arrest with a warrant and enough evidence to take him in and carry the case forward in court. For the Federal Bureau of Investigation the process is a bit different: they check previous records such as documentation logs and suspect information in their database, interview informants, conduct surveillance on suspects, prepare a search to gather proof and, after executing it, seize the evidence and make the arrest. The cyber forensic expert follows this pattern: eliminate the obvious, hypothesise the attack and reconstruct the crime to figure out how it happened; then use reverse engineering or other methods to trace back to the suspected source computer from which the attack came; analyse the source, the target and any middle-men, intermediate computers or network devices if pivoting was involved; collect the evidence, including the computers and other devices used in the crime; and turn them and the essential material over to corporate investigators or law enforcement for follow-up.

A forensic expert follows a set methodology during a cybercrime investigation: initiation, information gathering, chain of custody, data acquisition, data analysis and reporting. In organisations the culprits are most often employees, who usually delete the data, which the forensic expert then reverse engineers using a forensic toolkit. In initiation the expert comes to understand the incident: which devices were involved in the crime and how it was carried out. In the information-gathering phase the people involved in the crime, both attacker and victim, are questioned to get a clear picture of what took place and how. Device acquisition covers the devices that are the source of information, such as mobiles, floppy disks, hard disks, ROMs, RAMs, network devices, switches, modems and routers; searching those devices for the vital information and locating it, whether in a particular application, in SMS, on a cloud server, in a hidden or encrypted folder, in metadata files and so on, is data acquisition. Chain of custody is the forensic link, the paper trail or chronological documentation of the handling of the electronic evidence. It records who handled the device, when (date and time), for what purpose and so on. It preserves the integrity of the evidence and protects it from unauthorised access. If the chain of custody is not preserved the evidence is not admissible in court, so this is a very important part of the cyber forensic expert's job, and experts are also required to maintain a logbook of the data acquisition process.

The integrity of the data must be checked by connecting the disk through a forensic bridge. This includes taking hash values (NTLM hashes from Active Directory; MD5, SHA and SHA-2 hashes from applications; Kerberoasting tokens) and other vital information, which are cross-verified to confirm that the evidence held is genuine. The expert needs to copy mechanical hard disks and solid-state drives and also to take a bitstream copy, which is a backup of every area of the drive including hidden folders, sectors and clusters; this is what allows deleted data to be retrieved. To analyse computer crimes the expert examines DOS disks, slack space, partitions, unallocated space, swap files, browser caches and the data from the resource monitor.
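The bitstream copy, the hash values and the chain-of-custody logbook described in this paragraph and in the methodology paragraph before it fit together in one procedure. The Python script below is an added example written for this page, not the author's code or that of any forensic toolkit: it images a constructed "device" file bit for bit, computes MD5 and SHA-256 while copying, writes every handling step to a JSON-lines custody log in which each entry carries the hash of the entry before it, and then shows that both a one-byte change to the image and an edit to an earlier log line are detected. The examiner name, file names and device contents are made up for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # copy and hash the source 1 MiB at a time
GENESIS = "0" * 64        # "previous hash" placeholder for the first log entry


def _log_lines(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path, "rb") as log:
        return [line for line in log.read().splitlines() if line.strip()]


def append_custody_entry(log_path, entry):
    """Append one chain-of-custody record as a JSON line.
    Each record stores the SHA-256 of the record before it, so editing or
    removing an earlier line later breaks the chain and is detectable."""
    lines = _log_lines(log_path)
    previous = hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS
    entry = dict(entry, prev_entry_sha256=previous,
                 time_utc=datetime.now(timezone.utc).isoformat())
    with open(log_path, "ab") as log:
        log.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def verify_custody_log(log_path):
    """True if every record's prev_entry_sha256 matches the line before it."""
    expected = GENESIS
    for line in _log_lines(log_path):
        if json.loads(line).get("prev_entry_sha256") != expected:
            return False
        expected = hashlib.sha256(line).hexdigest()
    return True


def hash_stream(read_chunk, sink=None):
    """Hash everything read_chunk() yields until b""; optionally write it to sink."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(read_chunk, b""):
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
        if sink is not None:
            sink.write(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source_path, image_path, log_path, examiner, purpose):
    """Bit-for-bit copy of source_path into image_path, hashed as it is read.
    The source is opened read-only; on a real drive a hardware write-blocker
    (the forensic bridge) would sit between the examiner and the disk."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        digests = hash_stream(lambda: src.read(CHUNK_SIZE), sink=dst)
    record = dict(digests, action="acquire", source=source_path,
                  image=image_path, examiner=examiner, purpose=purpose)
    return append_custody_entry(log_path, record)


def verify_image(image_path, acquisition_record, log_path, examiner):
    """Re-hash the image, compare with the acquisition hashes, log the outcome."""
    with open(image_path, "rb") as img:
        digests = hash_stream(lambda: img.read(CHUNK_SIZE))
    ok = (digests["md5"] == acquisition_record["md5"]
          and digests["sha256"] == acquisition_record["sha256"])
    append_custody_entry(log_path, dict(digests, action="verify", image=image_path,
                                        examiner=examiner, match=ok))
    return ok


def run_demo(workdir=None):
    """Acquire a constructed 'disk', verify it, then tamper with image and log and re-check."""
    workdir = workdir or tempfile.mkdtemp(prefix="custody-demo-")
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "suspect_disk.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:            # constructed device contents, 1 MiB + 2 bytes
        f.write(bytes(range(256)) * 4096 + b"\x55\xaa")
    record = acquire_image(source, image, log, "examiner-01", "demo acquisition")
    results = {"size_ok": record["bytes"] == os.path.getsize(source),
               "verify_untouched": verify_image(image, record, log, "examiner-01")}
    with open(image, "r+b") as f:            # flip a single byte of the image
        f.seek(10)
        f.write(b"\x00")
    results["verify_tampered"] = verify_image(image, record, log, "examiner-01")
    results["log_intact"] = verify_custody_log(log)
    lines = _log_lines(log)                  # now alter the first custody record
    lines[0] = lines[0].replace(b"examiner-01", b"examiner-99")
    with open(log, "wb") as f:
        f.write(b"\n".join(lines) + b"\n")
    results["log_after_edit"] = verify_custody_log(log)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The script only demonstrates the verification logic; for a real acquisition the source would be the block device behind a write-blocker, and the acquisition hashes would also be recorded somewhere the examiner cannot silently rewrite (a signed report or a separately stored copy of the log). MD5 is kept alongside SHA-256 because many existing reports still quote it, but the SHA-256 value is the one to rely on.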

Limitations / Legal Issues to Prove Digital Evidence:

The primary focus of the forensic expert is evidence collection. Because the evidence is vital and fragile, it is easy to lose some or all of the data through a lack of seriousness or by not following the instructions, and if it is lost then all the hard work is wasted. Since digital evidence is volatile, vital and fragile, even slightly improper handling can alter the whole of the evidence and its characteristics. Because of its value, volatility and tenuousness, protocols have to be followed to ensure that the captured data is not modified during handling, and hashes ensure that the data has not been tampered with after collection. There are four phases or protocols the expert should be aware of: identification, collection, acquisition and preservation. ISO 27037 provides specific instructions on the handling of digital evidence that is to have evidential value. It also assists organisations in their disciplinary procedures and in the exchange of potential digital evidence between jurisdictions. It gives guidance for the following devices and situations, and the list is not exhaustive: digital and storage media used in computers such as hard disks, solid-state drives, floppy disks, compact discs, optical and magneto-optical disks, data devices, pen drives and external hard drives; mobile phones and personal electronic devices such as Bluetooth devices, memory cards, navigation systems and video cameras; standard computers with network connections; network devices such as modems, routers and switches; networks based on TCP/IP and other protocols; and any devices with similar functions. The procedures followed in identifying and collecting the devices, acquiring the data, preserving the essentials, analysing the extracted data and finally presenting it in court as digital evidence must follow the existing criminal procedural law, which must be observed for the evidence to be admissible in court.

Information and communication technology (ICT) can provide evidence of a crime, and data obtained from ICT can be used as electronic evidence in court. Volatile evidence should be collected in order of volatility: registers, cache, routing table, temporary files, disk files, metadata folders and files, remote logging and monitoring data, physical information and network topology, and media files. Before digital evidence can be introduced in court it must be authenticated, which means it must be shown to be what it purports to be. Cybercrime investigators and forensic experts who process digital evidence need to hold fast to national policies and ensure that the evidence does not lose its evidential value and remains admissible in court against the culprit; this includes the legal and technical requirements needed to ensure that the evidence is both authentic and authorised.

The main issue lies in handling the evidence: to be presentable in court the evidence has to be original and its hashes must match the primary hashes. The evidence should follow the five rules of evidence: it must be admissible, authentic, complete, reliable and believable. Admissibility concerns the legality of the acquisition, which rests on a search warrant giving the investigators the right to search a place, on consent given willingly by the property owners or the party concerned, or on exigency, that is, how urgent the need is. Authenticity and reliability ensure that the information presented is unchanged, that it originated from the device alleged to be its source, and that the timestamps are correct, showing that the data has not been tampered with. Completeness and believability ensure that the evidence presented is clear and complete and reflects the whole story, and that the forensic examiner can explain clearly and concisely the processes used and the way the integrity of the evidence was preserved. The expert must be aware that presenting incomplete evidence is more dangerous than presenting no evidence at all, so the evidence has to be in order, complete and safe.
