Cyber Forensics Up and Running: A hands-on guide to digital forensics tools and technique (English Edition)
Ebook, 883 pages, 6 hours


About this ebook

Digital forensics is the art and science of extracting the hidden truth and this book is your hands-on companion, bringing the world of digital forensics to life.

Starting with the core principles of digital forensics, the book explores the significance of various case types, the interconnectedness of the field with cybersecurity, and the ever-expanding digital world's challenges. As you progress, you will explore data acquisition, image formats, digital evidence preservation, file carving, metadata extraction, and the practical use of essential forensic tools like HxD, The Sleuth Kit, Autopsy, Volatility, and PowerForensics. The book offers step-by-step instructions, real-world case studies, and practical examples, ensuring that beginners can confidently set up and use forensic tools. Experienced professionals, on the other hand, will find advanced insights into memory analysis, network forensics, anti-forensic techniques, and more.

This book empowers you to become a digital detective, capable of uncovering data secrets, investigating networks, exploring volatile and non-volatile evidence, and understanding the intricacies of modern browsers and emails.
Language: English
Release date: Dec 12, 2023
ISBN: 9789355519122

    Book preview

    Cyber Forensics Up and Running - Tarun Vashishth

    Chapter 1

    Introduction to Essential Concepts of Digital Forensics

    Introduction

    Welcome to practical digital forensics. This book is your gateway to the world of digital investigation, offering a comprehensive guide to mastering this dynamic field. In a rapidly evolving digital landscape, the demand for skilled professionals in digital forensics has never been greater. The chapters are structured to equip you with the knowledge and tools necessary for success as a digital forensics investigator.

    The first chapter serves as your gateway to the realm of digital forensics. It begins by defining digital forensics and discussing the types of cases that fall under its purview. Furthermore, it explores the relationship between digital forensics and other fields of cybersecurity, providing readers with a context for the role digital forensics plays in the broader security landscape. This chapter also delves into the modern technological growth of the past and reviews future technologies and digital forensics challenges in the modern tech era.

    Additionally, you will learn about Locard’s exchange principle, the different types and categories of digital evidence, and the techniques used to preserve evidence integrity, such as chain of custody, hashing algorithms, digital signatures, and write blockers. Finally, the chapter explains the differences between file carving and file recovery and covers time objects and their location on NTFS file systems.

    Chapter 2, Digital Forensics Lab Setup, takes a practical approach, guiding you in setting up a virtual environment, mastering cloning and snapshots, and familiarizing you with essential tools like HxD, The Sleuth Kit, Autopsy, Volatility, and more.

    Subsequent chapters explore volatile and non-volatile data, live forensics analysis, file systems, Windows Registry analysis, network forensics, memory forensics, browser forensics, and anti-forensics. Along this journey, you will gain the knowledge and skills to uncover hidden truths, identify suspicious activities, and make informed decisions in digital investigations.

    This book is not just informative, but it is a practical resource designed to empower you with expertise in digital forensics. Each chapter builds on the last, deepening your understanding and hands-on experience. Join us on this journey of discovery, where each chapter reveals a new facet of digital investigation, and the possibilities are endless.

    Structure

    In this chapter, we will discuss the following topics:

    What is digital forensics?

    Types of cases in digital forensics

    Digital forensics and other fields of cybersecurity

    Digital and cyber technological growth

    The future of modern cyber world

    Modern technological explosion and its cyber security challenges

    Digital forensics challenges in the cyber modern era

    Phases of digital forensics

    What is data acquisition?

    Types of image formats

    Locard’s exchange principle

    Types of digital evidence/data

    Categories of digital evidence

    Preserving digital evidence integrity

    File carving

    Digital forensics time objects - MAC(b)

    Objectives

    By the end of this chapter, readers will have a solid understanding of the key concepts and challenges involved in digital forensics, as well as the techniques used to preserve digital evidence integrity.

    What is digital forensics?

    Digital forensics is the process of using scientific methods to collect, preserve, analyze, and present digital evidence in a court of law in a legally permissible manner. It is a branch of forensic science that deals with recovering and investigating digital data to help law enforcement agencies, businesses, and individuals understand and use digital proof to solve crimes and disputes.

    Types of cases in digital forensics

    Digital forensics experts have to deal with various types of cases. Let us see a few examples in this section.

    Computer crime

    Digital forensics analysts may be called upon to investigate crimes committed using a computer or other digital device. It could include hacking, identity theft, data exfiltration, sabotage, etc.

    For example, a financial institution suspects that an employee has been using a compromised credit card to make fraudulent purchases online. Digital forensics investigators would be called to examine the individual’s computer and other digital devices to determine how the credit card information was obtained. They would analyze the individual’s browsing history, email, and other electronic communications to look for any signs of phishing attempts or other social engineering methods that could have been used to obtain the credit card information. They would also examine the individual’s computer for malware or potentially malicious software that could have been used to steal credit card information.

    Corporate espionage and intellectual property theft

    Digital forensics experts investigate intellectual property theft, such as the theft of trade secrets, copyrighted material, and corporate espionage cases.

    For example, an employee at a company is suspected of stealing sensitive information from the company’s digital assets. Digital forensics investigators would be brought in to examine the employee’s computer and any other devices they may have used to access the company’s network. They would use specialized software to analyze the computer’s hard drive, looking for signs of data exfiltration, such as large amounts of data transferred to external devices or cloud storage services. They would also examine the employee’s internet browsing history, email, and other electronic communications to determine whether the employee had any motive or intent to steal the information.

    Financial fraud and embezzlement

    Digital forensics experts assist financial forensics experts in collecting digital evidence, such as financial records and emails, identifying fraud, and helping prosecute criminals.

    Electronic discovery

    Digital forensics analysts would assist in identifying and collecting electronically stored information relevant to a legal case.

    Human trafficking and drug crimes

    Digital forensics experts assist by analyzing digital evidence, such as text messages and social media posts, to help identify suspects and build a case.

    Child exploitation

    Digital forensics analysts also help investigate child exploitation cases. They would use specialized software to search the computer’s hard drive for images and videos of child pornography. They would also examine the suspect’s internet browsing history, email, and other electronic communications, to determine whether the suspect had been actively searching for or distributing child pornography. They may also look for further evidence, such as chat logs or other communications related to child pornography.

    Murder

    Digital forensics experts would assist in investigating murder cases. They may be called upon to analyze digital evidence, such as cell phone records, social media posts, and GPS data, to help identify suspects and build a case.

    Terrorism

    Digital forensics experts may be called to investigate digital evidence related to terrorist activities. By analyzing online communications such as emails, social media posts, chat groups, and applications, they help identify the individuals or groups involved in promoting or planning those activities.

    In conclusion, digital forensics plays a critical role in investigating digital crimes and can be used to uncover and present evidence in a wide range of cases. In each scenario, the digital forensics investigator must combine technical expertise with legal knowledge to conduct a thorough and legally admissible investigation.

    Digital forensics and other fields of cybersecurity

    The tools, techniques, and methods used in digital forensics can be directly applied to other fields of cyber security like malware investigation, incident response, and E-discovery. It allows investigators to collect, preserve, and analyze digital evidence to uncover the truth behind cybercrime, security breaches, and other cyber and digital incidents. This section will discuss how digital forensics is used in these fields and provide detailed examples to illustrate the process.

    Malware investigation and digital forensics overlap

    First, let us begin with the question: what is malware?

    Malware, or malicious software, is software designed to harm or exploit computer systems. Digital forensics plays a vital role in investigating malware incidents by allowing investigators to identify the origin and spread of the malware, as well as the damage it has caused.

    For example, when a company detects malware on its network, a digital forensic investigator is called to examine the infected systems. The investigator would first make an image of the affected computer’s hard drive, allowing them to analyze the system without altering any evidence. They would then use specialized software tools to analyze the malware: identifying its type, how it entered the system, and its intended purpose.

    The investigator would also look at the system’s logs to determine when the malware was first introduced and track its spread throughout the network. This information is critical in identifying the source and scope of the attack and devising a strategy to respond and recover from the incident.

    Once the investigation is complete, the investigator will provide a detailed report of their findings, which can be used to prosecute the attackers and help the company improve its security measures to prevent future attacks. Examples of tools and techniques that can be used in malware investigation are:

    Tools: Volatility, Memoryze, OllyDbg, Ghidra, NetworkMiner, YARA rules, etc.

    Techniques and methods: Registries, MRUs (bag and run), Pagefile.sys, AmCache, Shimcache, prefetch, email analysis, browser analysis, etc.

    Incident response and digital forensic overlap

    Digital forensics and Incident Response (IR) are intertwined when it comes to responding to a cyber incident, attack, or breach. Let us explore what incident response is, and how digital forensics techniques, methods, and tools can be used in IR.

    What is an incident response?

    Incident response is the process of identifying, responding to, and recovering from a security incident or other disruptive event. It involves a set of procedures and guidelines put in place to ensure that the organization can respond quickly and effectively to a cybersecurity incident.

    Digital forensics tools, techniques, and methods play a crucial role in incident response by providing the necessary evidence to understand the nature of the incident, contain and eradicate the threat, and recover from any damage. It helps incident responders gather volatile and non-volatile data and logs from the system and the network, allowing them to understand how, what, where, and when it happened.

    For example, if a company experiences a data breach, the incident response team would use digital forensics to identify the source of the breach, the type of data that was compromised, and the extent of the damage. They would also use digital forensics to determine the specific methods used by the attacker, such as which vulnerabilities were exploited, and to track the attacker’s movements throughout the network.

    Once the incident response team understands the incident, they can take the necessary steps to contain and eradicate the threat, such as isolating the affected systems, patching vulnerabilities, and restoring backup data. They would also use the information from the digital forensics investigation to improve the company’s security measures and prevent future incidents. Examples of tools and techniques that can be used in IR are:

    Tools: Volatility, DumpIt to collect memory, Forensics scripts, FTK Imager, Wireshark, Windows file analyzer, PowerForensics, LiME

    Techniques and methods: Registry analysis, file carving from disk, user profile analysis, and system and network log analysis.

    E-Discovery

    E-discovery, or electronic discovery, is the process of identifying, collecting, and producing electronic evidence in legal proceedings. Digital forensics plays a critical role in e-discovery by allowing investigators to identify and collect relevant electronic evidence, such as email, text messages, and other digital documents.

    For example, in a civil lawsuit, one party may request electronic evidence from the other party to support their case. A digital forensic investigator would be called to collect and analyze the electronic evidence, such as reviewing the parties’ email and text message history. They would also examine the metadata associated with the electronic evidence, such as the date and time it was created and its author.

    Once the electronic evidence is collected and analyzed, the investigator will provide a detailed report of their findings, which can be used as evidence in legal proceedings.

    In conclusion, digital forensics supports malware investigations, incident response, and e-discovery. This technology allows investigators to collect, preserve, and analyze digital evidence to uncover the truth behind cybercrime, security breaches, and other digital incidents. Examples of tools and techniques that can be used in E-Discovery are:

    Tools: EnCase, FTK, Autopsy, Magnet Internet Evidence Finder (IEF), ChromeCache analyzer, etc.

    Techniques and methods: File carving, recovering deleted files, device timeline analysis, keyword searches, etc.

    Digital and cyber technological growth

    In this section, we will look at the journey from PCs to smartphones and beyond.

    The advancements in digital and cyber technology have changed how we live, work, and communicate. From the early days of Personal Computers (PCs) and MacBooks, we have come a long way with the advent of smartphones, gaming consoles, and the Internet of Things (IoT). The development of new technologies such as autonomous vehicles, drones, and cloud computing has further enhanced our lives.

    The PC revolution

    The PC revolution began in the 1970s with the introduction of the first commercially available PC, the Altair 8800. However, it was not until the launch of the IBM PC in 1981 that personal computing became widely adopted. The IBM PC became the standard for personal computing, and its operating system, MS-DOS, paved the way for the development of Windows.

    The Apple MacBook

    The introduction of the Apple MacBook in the 1980s changed the game, making computing more accessible to the general public. Apple’s user-friendly interface and sleek design made the MacBook popular among consumers. Over the years, Apple has continued to innovate, introducing new technologies such as the Mac OS X operating system, the MacBook Air, and the MacBook Pro.

    The rise of smartphones

    The introduction of smartphones marked a new era in digital technology. These compact and portable devices combined the functions of a computer and a phone, making it possible to access the internet, make calls, send messages, and perform other tasks on the go. The launch of the iPhone in 2007 changed the game, making smartphones accessible to a broader audience. The popularity of smartphones has led to the development of new technologies such as mobile apps and mobile commerce.

    The gaming revolution

    The gaming industry has also undergone significant changes in the last few decades. The introduction of home video game consoles in the 1970s paved the way for the development of gaming as we know it today. The introduction of online gaming in the 1990s and the rise of mobile gaming in the early 2000s transformed the gaming industry. Today, gaming is a multi-billion-dollar industry, with games available on various platforms, including consoles, smartphones, and personal computers.

    The Internet of Things

    The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, and connectivity, enabling these things to connect and exchange data. The IoT has the potential to revolutionize the way we live and work. By connecting everyday devices, the IoT has the potential to make our lives more convenient, efficient, and secure.

    Cloud computing

    Cloud computing has also revolutionized the way we store and access data. The cloud allows users to store their data and applications on remote servers and access them from anywhere with an internet connection. This has made it possible for businesses to access the resources they need without having to invest in expensive hardware and software. Additionally, the cloud has enabled individuals to access their data from anywhere, making it easier to work and collaborate with others.

    Drones and autonomous vehicles

    The advancements in digital and cyber technology have led to the development of new technologies such as drones and autonomous vehicles. Drones, also known as Uncrewed Aerial Vehicles (UAVs), are becoming increasingly popular for various applications, including photography, delivery, and surveying. On the other hand, autonomous vehicles are changing the way we think about transportation. These vehicles have the potential to make our roads safer, reduce traffic congestion, and improve energy efficiency.

    The future of the modern cyber world

    Digital and cyber technological advancements have paved the way for the development of Virtual Reality (VR), Augmented Reality (AR), and the metaverse concept. These technologies can potentially change how we experience the world and interact with each other.

    Virtual Reality

    VR is a simulated experience that can be similar to or completely different from the real world. VR is experienced through a headset that provides a 360-degree view of the virtual environment. VR has numerous applications, including gaming, education, and healthcare. In gaming, VR provides an immersive experience that allows players to enter virtual worlds and interact with them in real time. In education and healthcare, VR provides realistic simulations for training and treatment.

    Augmented Reality

    AR is a technology that enhances the real world with virtual elements. AR can be experienced through a smartphone or a headset that projects virtual objects into the real world. AR has numerous applications, including gaming, retail, and advertising. AR offers a new way to play games by adding virtual elements to the real world. In retail and advertising, AR provides interactive experiences that engage customers and bring products to life.

    The metaverse

    The metaverse is a term used to describe a shared virtual world created by the convergence of virtual reality, augmented reality, and the internet. The metaverse has the potential to provide a new form of social interaction where people can connect and interact with each other in virtual spaces. The metaverse also has the potential to offer new opportunities for commerce, entertainment, and education.

    Virtual reality, augmented reality, and the metaverse are the next frontiers of digital and cyber technology. These technologies can potentially revolutionize how we experience the world and interact with each other. As technology advances, we can expect further developments in VR, AR, and the metaverse that will continue to change how we live and work.

    Modern technological explosion and its cyber security challenges

    Digital and cyber technological growth has been explosive in recent years, with advancements ranging from PCs and MacBooks to smartphones, game consoles, IoT devices, drones, autonomous vehicles, and cloud technology. These technologies have changed the way we live, work, and interact with each other. The developments in virtual and augmented reality and the metaverse concept add another layer of complexity to the digital world.

    However, with this growth comes numerous challenges and risks. The sheer number of devices and users connected to the internet creates a large attack surface for cybercriminals. Women, children, and older adults are particularly vulnerable to cyber threats, and the rise of nation-state motives for cyber-attacks has only added to the danger. The increasing complexity of technology also makes it difficult for digital forensics experts to keep up as the cyber-criminal element continues to find new ways to exploit vulnerabilities.

    According to statista.com, the average cost per attack has reached $9.48 million in the United States of America in the year 2023. This cost is expected to rise as cyber-criminal activity becomes more sophisticated and widespread. Regarding nation-state motives, the United States and China are the top two countries associated with cyber-attacks. Other countries, such as Russia and North Korea, are also making significant contributions.

    The cyber security community faces numerous limitations in its efforts to keep up with the new technology and provide protection against cyber threats. The digital landscape constantly evolves, making it difficult for security professionals to stay ahead of the curve. This is compounded by the lack of resources and personnel available to tackle the problem.

    In conclusion, the past few decades’ digital and cyber technological growth has been truly transformative but has also created numerous challenges and risks. It is equally essential for the cybersecurity community to continue developing new tools, techniques, and methods to keep up with the evolving landscape and provide the necessary protections for individuals, businesses, and governments.

    Digital forensics challenges in the cyber modern era

    The rapid growth of technology has brought new challenges to digital forensics in recent years, especially in the cloud environment and with the increasing use of IoT devices, drones, VR, and the metaverse. Some of the challenges for digital forensics are:

    Lack of physical access: As cloud data is stored on remote servers, investigators may not have physical access.

    Data sprawl: The vast amount of data stored in the cloud may make it difficult for investigators to locate and extract relevant evidence.

    Multi-jurisdictional issues: Data stored in the cloud may be subject to different laws and regulations in different countries, making it difficult to access and use the data legally.

    Device heterogeneity: IoT devices may have different hardware and software configurations, making analyzing evidence from these devices challenging.

    Physical damage: The physical damage caused by drone crashes may make it difficult to recover evidence from the drone.

    Limited storage capacity: IoT devices and drones often have limited storage capacity, making it challenging to recover relevant data.

    Technical skills: The technical skills required to analyze drone data may not be readily available to investigators.

    VR, IoT, drones, autonomous vehicles, and so on are new technologies. The digital forensic field has to catch up with them to build forensically sound methods, techniques, and tools to identify, acquire, and process the evidence.

    Phases of digital forensics

    Digital forensics is the process of collecting, analyzing, and preserving digital evidence in a legally admissible manner. The National Institute of Standards and Technology (NIST) has developed a framework for digital forensics that includes four phases: acquisition, examination, analysis, and presentation.

    Acquisition

    The acquisition phase involves collecting digital evidence from various sources such as computers, servers, mobile devices, and storage media. This phase is critical as it ensures that the integrity of the evidence is maintained and that the evidence is collected in a legally permissible manner. This phase aims to make a forensic copy of the evidence while leaving the original unaltered.

    Examination

    The examination phase involves analyzing the forensic copy of the evidence to identify any relevant data. This includes identifying the file types, sizes, timestamps, and other relevant information. This phase also includes checking for any signs of tampering or alteration of the evidence.

    Analysis

    The analysis phase involves identifying data patterns, trends, and anomalies. This phase is critical as it provides valuable insights into the evidence and helps identify potential suspects or culprits. This phase also involves using various tools and techniques to extract and analyze data from the forensic copy of the evidence.

    Presentation/reporting

    The presentation phase involves presenting the findings of the digital forensic investigation in a legally permissible manner. This includes creating reports, charts, and other forms of documentation that can be used to present the findings in court. This phase also includes the process of preparing and presenting expert testimony in court. In the following table, you can see each process explained in detail:

    Table 1.1: Process and phases

    The following figure showcases the phases of digital forensics as per the NIST framework of digital forensics:

    Figure 1.1: Digital Forensics Process Flow

    What is data acquisition?

    The first key step is identifying the potential data sources. Once they are identified, the analyst must follow these steps to acquire the data:

    Developing a plan to acquire the data

    Acquiring the data

    Verifying the data’s integrity

    The steps of acquiring the data and verifying its integrity will vary based on the type of data source, for example, OS data, system logs, system memory, network, and application data. We will cover these data sources, and how to acquire and verify them, in Chapter 5, File System and Log Analysis, and Chapter 6, Windows Registry and Artifacts.

    Types of data acquisitions

    The following are the types of data acquisitions:

    Physical disk acquisition: This type refers to copying the entire hard drive from the Master Boot Record to the last sector.

    Logical disk acquisition: This type involves copying a single partition from the hard drive.

    Types of image formats

    In digital forensics, image format refers to the way in which a forensic image of a storage device is stored and organized for the purpose of investigation. An image format is a file format used to capture and store a bit-by-bit copy of a storage device, such as a hard drive, USB drive, or memory card.

    In digital forensics, it is essential to use a reliable and secure image format to ensure the integrity of the original data. Therefore, forensic investigators use specialized software to create forensic images, which are exact copies of the original data stored on the storage device.

    These images can be analyzed and processed using forensic tools to extract evidence, recover deleted files, and perform other investigative procedures. Different image formats may have varying levels of detail and metadata, which can provide additional information that can be useful in forensic analysis.

    The following are the types of image formats:

    Raw Image Format: This format is a direct copy of the hard drive without any modifications. It comes with a separate file that contains information about the image file. Tools such as dd and FTK Imager can create a raw image.

    EnCase Evidence File (E01): This format is used in forensic investigations and contains information related to the acquisition process, such as the investigator’s name and timestamp. It also includes checksum values for each 32 KB of data and an MD5 hash for the entire image. Tools such as EnCase Forensic can be used to create an E01 format.

    Advanced Forensics Format (AFF): This format is used to store disk images and forensic metadata and is an open format that can be used with any analysis tool. Tools such as Autopsy and The Sleuth Kit can create an AFF format.
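As an added example (not code from the book), the following Python script walks through the three acquisition steps listed earlier, planning, acquiring, and verifying integrity, for the raw image format: it copies a source bit for bit, records MD5 and SHA-256 hashes in the separate information file that accompanies a raw image, and re-verifies the image against that record so that a later alteration is detected. The sample device contents, examiner name, and case ID are constructed placeholders.

```python
"""Raw ('dd'-style) acquisition of a storage device with integrity verification.

Walks through the three acquisition steps (plan, acquire, verify) and writes
the separate information file that accompanies a raw image. The source
"device" is a constructed sample file, not real evidence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Read/write granularity. 32 KB is also the chunk size E01 uses for its
# per-chunk checksums; a raw image carries no internal checksums, so the
# hashes recorded in the sidecar file are its only integrity record.
CHUNK_SIZE = 32 * 1024
HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path):
    """Return {algorithm: hexdigest} for the file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_raw_image(source_path, image_path, examiner, case_id):
    """Plan, acquire and verify; returns the sidecar record that was written."""
    # Step 1, plan: record who acquires what, and when, before touching the source.
    info = {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.basename(source_path),
        "source_size_bytes": os.path.getsize(source_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "format": "raw",
    }
    # Step 2, acquire: copy the source bit for bit (opened read-only), hashing
    # each chunk as it is read so the source hash reflects exactly what was copied.
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK_SIZE):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    info["source_hashes"] = {name: h.hexdigest() for name, h in hashers.items()}
    # Step 3, verify: re-read the image from disk; its hashes must equal the source's.
    info["image_hashes"] = hash_file(image_path)
    info["verified"] = info["image_hashes"] == info["source_hashes"]
    with open(image_path + ".info.json", "w", encoding="utf-8") as fh:
        json.dump(info, fh, indent=2)
    return info


def verify_image(image_path):
    """Re-verify an image against its sidecar (e.g. before analysis or testimony)."""
    with open(image_path + ".info.json", encoding="utf-8") as fh:
        info = json.load(fh)
    return hash_file(image_path) == info["source_hashes"]


def demo():
    """Acquire a constructed 96 KB 'device', verify it, then show tampering is caught."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "usb0.bin")
    image = os.path.join(workdir, "usb0.dd")
    # Constructed sample data: a fake 512-byte boot sector followed by a byte pattern.
    with open(device, "wb") as fh:
        fh.write(b"SAMPLE-MBR".ljust(512, b"\x00") + bytes(range(256)) * 382)
    info = acquire_raw_image(device, image, examiner="J. Doe (hypothetical)",
                             case_id="CASE-0001 (placeholder)")
    ok_before = verify_image(image)
    # Flip one byte of the image to simulate alteration after acquisition.
    with open(image, "r+b") as fh:
        fh.seek(1024)
        original = fh.read(1)
        fh.seek(1024)
        fh.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image)
    return info, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("re-verified before tamper:", before, "| after tamper:", after)
```

On a real acquisition the source would be the block device behind a write blocker and the image written to separate evidence media; the sidecar record is what the chain of custody later points at.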

    Locard’s exchange principle

    Locard’s exchange principle is a forensic concept that states every contact leaves a trace. The principle was developed by Edmond Locard, a French criminologist and pioneer in forensic science. The principle asserts that when two objects come into contact with each other, a transfer of material occurs. This material transfer can provide evidence to identify and link a suspect to a crime scene.

    A common example of Locard’s exchange principle is the transfer of fibers from clothing. If a person walks through a room, their clothing may come into contact with fibers from the carpet or furniture. These fibers can then be transferred to other surfaces, such as a door handle or an item of evidence, providing a link between the person and the crime scene.

    Locard’s exchange principle can also be applied to digital or cyber forensics.

    For example, when a computer is used to access a website, it leaves a trace of the activity on the computer’s hard drive. This trace can include information such as the IP address, the time and date of the visit, and the files or images accessed. This information can identify and link a suspect to a specific online activity, such as downloading illegal materials.

    In conclusion, Locard’s exchange principle is a foundational concept in forensics. It provides a basis for understanding how evidence can connect suspects to crime scenes. The principle can be applied to a wide range of scenarios, including physical and digital interactions, and continues to play an important role in modern forensic science.

    Types of digital evidence/data

    For this book’s purpose, we will look more closely at the types of digital evidence.

    There are several types of digital evidence in the field of cyber or computer forensics, including:

    System files: This includes data stored in the file system of a computer, such as files and directories, as well as information about the file system itself, such as allocation tables and metadata.

    Memory data: This refers to the data stored in the memory of a computer or device at a given time, including information about running processes, open files, and network connections.

    Log files: Log files refer to records created by operating systems, applications, and devices as they operate, providing information about system activity, security events, and errors.

    Network data: This type of data includes information about network activity, such as IP addresses, port numbers, and data transmitted over the network.

    Cloud storage: Access logs and data stored in cloud-based services such as Google Drive or Dropbox. Cloud data can include files, emails, and other data types stored in the cloud.

    Mobile data: Mobile data refers to data stored on mobile devices, such as smartphones and tablets, including text messages, call logs, and GPS data.

    Audio and video files: This type of evidence includes audio and video files, such as recordings of phone calls or videos stored on a device.

    Social media data: This refers to data stored on social media platforms, such as Facebook, Twitter, and Instagram. This type of evidence can include messages, posts, and images.

    Web browsing data: This type of digital evidence includes information about web browsing activities, such as web history, cookies, and cache data.

    Digital evidence in the field of digital forensics can take many forms and be used to support investigations and provide insight into digital activities and events. Different types of digital evidence have different characteristics and are used in different ways. It is vital to understand the strengths and limitations of each type to analyze and interpret digital evidence effectively.

    Example of digital evidence

    In this section, we will discuss the various examples of digital evidence:

    Logs:

    OS Logs:

    Windows: System logs, Security logs, application logs

    Mac: Console logs, system.log, secure.log

    Linux: Syslog, messages, dmesg

    Android: Main, System logs, application logs, events, Radio logs, Dalvik

    iOS: syslogd, diagnostic logs

    Database Logs: transaction logs, error logs, slow query logs

    Email Logs: Incoming/Outgoing mail server logs, email client logs, webmail logs

    Network Logs: Router logs, firewall logs, VPN logs, proxy logs, DHCP logs

    Web server logs

    API logs, etc.

    Digital images, video, and audio:

    MP3, MP4, Jpeg, and PNG files

    Archives, backup, and files:

    ZIP/RAR/similar files

    Backups

    Files stored on hard disks

    Active and replicant data:

    Applications such as Microsoft Word, Excel, and image and video processing and editing software create temporary files.

    Many software and system processes create temporary files to prevent data loss when a user forgets to save or closes the application by mistake, or to better support the software’s features.

    EXIF data: When and where the photo was taken, which lens was used, and the name of the camera.

    Residual data:

    Deleted or overwritten data can hold significant value if recovered through forensic means.

    The deleted data may still be present on a machine and is simply unlinked from the operating system’s file structure, making it inaccessible through typical means such as file explorer searches or hard disk/storage device browsing.
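    Because deleted data stays on the media until it is overwritten, it can be recovered by scanning raw bytes for known file headers and footers instead of going through the file system. The following Python is an added illustration and not code from the book: the JPEG and PNG signatures are the standard ones, the "unallocated space" buffer and the two deleted files are constructed, and the carver assumes contiguous, unfragmented files.

```python
# Standard file signatures (magic header, trailing footer) for two image types
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw: bytes) -> list:
    """Scan raw bytes (e.g. unallocated space) for header/footer pairs and
    return (type, offset, data) for every complete file found, by offset.
    Assumes contiguous, non-fragmented files; real carvers do far more."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            end = raw.find(footer, start + len(header))
            if end == -1:
                break  # header without footer: partial or overwritten file
            end += len(footer)
            found.append((ftype, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed stand-ins for two "deleted" files: the file system no longer
# references them, but their bytes are still sitting in unallocated space.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 30 + b"IEND\xaeB`\x82"

# Constructed unallocated region: zero-filled space around the two remnants.
SAMPLE_UNALLOCATED = b"\x00" * 500 + FAKE_JPEG + b"\x00" * 700 + FAKE_PNG + b"\x00" * 300


def recovered_types(raw: bytes = SAMPLE_UNALLOCATED) -> list:
    """Convenience wrapper: file types recovered, in on-disk order."""
    return [hit[0] for hit in carve(raw)]


if __name__ == "__main__":
    for ftype, offset, data in carve(SAMPLE_UNALLOCATED):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```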

    Categories of digital evidence

    Furthermore, the digital evidence and artifact data can be divided into two categories:

    Volatile

    Non-volatile

    Volatile

    Volatile data refers to the data that is stored in temporary memory (RAM) and is lost when the power is turned off.

    Examples of volatile data include:

    Operating system’s temporary data, such as cache and swap space.

    Data stored in RAM includes running processes, established connections, running services, and system state.

    Non-volatile

    Non-volatile data refers to data stored on permanent storage media such as Hard Disk Drives (HDD), Solid-State Drives (SSD), and USB flash drives and is retained even after the power is turned off.

    The distinction between volatile and non-volatile data is vital when handling evidence because volatile data can be easily lost, whereas non-volatile data provides a more reliable and permanent record. In digital forensics, for example, volatile data such as the contents of RAM or a computer’s cache can provide valuable information about a system’s current state. However, non-volatile data, such as files on a hard drive, emails, logs, or archives, provides a more complete and permanent record of the activities on the system.

    Examples of non-volatile data include:

    Data stored on hard drives, solid-state drives, and USB flash drives, such as files, documents, emails, or archives.

    Data stored in databases, such as emails, instant messages, financial transactions, and other records.

    Preserving digital evidence integrity

    As we know, digital forensics is the practice of preserving, collecting, analyzing, and presenting electronic evidence in a manner that is admissible in a court of law. Evidence integrity is an essential aspect of digital forensics, as the accuracy and reliability of electronic evidence can significantly impact the outcome of a case. To maintain the integrity of digital evidence, there are several do’s and
