Cyber Forensics Need , Digital Forensics & RFC2822

What do you mean by Cyber Forensics?

Need for Cyber Forensics

For Example:

• Imagine a scenario where a company's sensitive customer data gets stolen.
• Cyber forensics can help in identifying the culprit by analyzing the digital footprints left behind, such as log files, emails, or traces of malicious software.

What is Digital Evidence?

• Digital evidence refers to any electronic data that can be used in a legal proceeding.
• This evidence can take many forms, such as text messages, emails, images, databases, or computer files.
• In the context of legal proceedings, digital evidence must adhere to certain rules to be admissible in court.
• These rules ensure the authenticity and integrity of the evidence.

Example:

• If you're trying to use an email as digital evidence in a court case, you need to prove that the email is genuine and hasn't been altered.
• This might involve demonstrating that the email header conforms to the RFC2822 standard (a protocol for text messages) and showing that the email hasn't been tampered with.

What is RFC2822 ?

• RFC2822 is a technical standard that governs the format of email messages.
• In digital forensics, it's important to ensure that email evidence complies with this standard to establish its legitimacy.
• This standard outlines how email headers, subject lines, sender and receiver addresses, and message bodies should be formatted.

Example:

• Let's say you're investigating an email as digital evidence.
• You would check if the email conforms to the RFC2822 standard, making sure the sender's address, subject line, and timestamps are correctly structured and consistent with email protocols.

Life Cycle of Digital Forensics

• Digital forensics involves a series of steps and processes that make up its life cycle.
• This life cycle guides investigators through the entire forensic examination, from evidence collection to presentation in court.

Example:

• The life cycle might start with the identification of a potential cybercrime, followed by evidence acquisition, where investigators collect digital data.
• Then, they move on to examination and analysis, determining the relevance of the evidence to the case.
• Finally, the evidence is documented, preserved, and presented in court if necessary.

Phases of Computer Forensics/Digital Forensics

1. Identification and Collection

• In this phase, investigators identify potential sources of digital evidence and collect relevant data.
• This may involve seizing computers, mobile devices, or network logs.

2. Preservation

• Once evidence is collected, it must be preserved to ensure its integrity and prevent any alterations.
• This may include creating a forensic image of a hard drive.

3. Examination and Analysis

• Investigators analyze the collected data to uncover clues and establish a timeline of events.
• This phase may involve recovering deleted files, deciphering encrypted data, and examining system logs.

4. Reconstruction

• The reconstructed evidence helps build a coherent narrative of what happened.
• This can be crucial in understanding the sequence of events in a cybercrime.

5. Documentation and Reporting

• A detailed report is generated, documenting the entire digital forensics process.
• This report is essential for presenting findings in court.

6. Presentation in Court

Example:

• Suppose a computer is suspected to contain evidence of an insider threat.
• In the identification and collection phase, the investigator seizes the computer, ensuring it remains untouched to preserve evidence.
• During examination and analysis, they may discover suspicious activities in log files and, in the reconstruction phase, piece together a timeline of events.
• A detailed report is created for presentation in court, if necessary.

Conclusion