Cyber Forensics is defined as the process of gathering and documenting proof from a computing device in a form by utilizing investigation and analysis techniques that will be admissible in court. Cyber Forensics is also known as Digital Forensics or Computer Forensics. The term digital forensics was originally used as a synonym for computer forensics but has expanded its range to complete investigation of all digital devices. Cyber Forensics aims to determine the person responsible for the illegal activity that has taken place, followed by proper documentation of the evidence during the investigation.

cyber forensic header


Cyber forensics is a vast field and is divided into the following branches:

  • Disk forensics is defined as the branch of digital forensics relating to the extraction of forensics information from digital storage media like USB devices, CDs, DVDs, Hard Disks, Floppy disks, etc., active, modified, or deleted files.
  • Mobile device forensics is defined as the branch of digital forensics relating to the examination, analysis, and recovery of digital data from a mobile device like SIM contacts, call logs, SMS/MMS, audio/video, etc.
  • Network forensics is defined as the branch of digital forensics relating to the monitoring and analysis of computer network traffic to collect essential data and legal evidence.
  • Wireless forensics is defined as the branch of digital forensics relating to the tools needed to collect and analyze wireless network traffic data.
  • Database forensics is defined as the branch of digital forensics relating to examining databases and their metadata and extracting data essential for forensics investigation.
  • Email forensics is defined as the branch of digital forensics relating to the recovery, analysis, and retrieval of emails, calendars, and contacts essential for investigation.
  • Cloud forensics is defined as the branch of digital forensics investigating cloud environments and extracting information useful for forensics investigation.
  • Malware forensics is defined as the branch of digital forensics relating to examining and identifying malicious code to study the payload, viruses, worms, etc., for forensic investigation.

Start With The "Incident Response and Advanced Forensics" Course Today >>


The goal of cyber forensics is to examine the digital media in a forensically sound manner and to do so, the following steps are followed:

forensic process chart

1. Preparation Working directories of the specific cases should be created to store the evidentiary files, and useful data can be recovered or extracted. The investigators should check the working directories to ensure that they are forensically clean and the evidence being used is from that case only.

2. Identification This forensic process step includes details like what type of evidence was present, where the evidence was found, and what format it was stored. Evidence may include electronic storage media like personal computers, mobiles, CDs, DVDs, etc.

3. Acquisition The acquisition is the process of creating a bit-by-bit authentic copy of the digital evidence found on-site or collected from the site. The acquisition is of two types: live acquisition and offline acquisition.

A live acquisition can be made by a live bootable disk using the DD command, which has a syntax:

dd if= of= filename.dd

The offline acquisition is made using tools with inbuilt write blockers as the write blockers prevent data from being tampered with during the acquisition.

4. Data Extraction Data extraction is the process of extracting essential data from digital devices. There are two types of extraction:

a. Physical Extraction In this type of extraction, the data is extracted at a physical level with no regard to any type of file system present on the drive. Once an image is made, then it is subjected to the following methods:

  • Keyword searching: The examiner should perform a keyword search as it will assist in discovering relevant data and extract the data essential for investigation.
  • File carving: The examiner may use file utility programs to scan the physical drive and recover usable data files essential for investigation.
  • Examining the partition table: The examiner may closely examine the partition table to identify the file system being used and determine the physical drive size.

b) Logical Extraction In this type of extraction, the data is based on the logical drive's file system. The process involves a thorough examination of active files, recovering deleted files, looking at the file slack and unallocated file space. The steps may include:

  • Extraction of the file system information will reveal characteristics like directory structure, file size, file location, file attributes, file names, and time stamps.
  • Identification and elimination of known files by comparing their hash values to check their authenticity.
  • According to the examination, the extraction of critical files is based on file header, file content, file name, file location, and file name.
  • Recovery of deleted files.
  • Extraction of file slack and unallocated space.
  • Extraction of various encrypted, compressed, and password-protected data.

5. Data Analysis Data analysis is the process of interpreting the extracted data to determine their significance to the case. It requires a review of request for service, legal authority to search for the digital evidence and investigative, or analytical leads. The various analytic methods used are:

  • Timeframe: This type of analysis is useful for determining the event sequence on a system that may reveal the system's usage at a specific time. Timeframe analysis can either be done by examining the timestamps in the file system metadata or reviewing the application and system logs. A particular file's timestamp needs to be compared to the time values within the BIOS.
  • Data hiding: This type of analysis is useful for detecting and recovering concealed files from the system, revealing the user's ownership or intent. Analysis can be performed by comparing file headers to their respective file extensions. Thus, identifying any mismatches or gaining access to a host-protected area, where any attempt to create user data may be an attempt to conceal it. While performing data hiding analysis, the examiner might also check for hidden messages or data stored within ordinary pictures.
  • Application and file: This type of analysis is useful as it effectively identifies the programs used and the owner's files. The result of this analysis may suggest additional steps required for the extraction and analysis process.
  • Ownership and possession: This type of analysis is essential to identify the files created, modified, or accessed by the system's user and is useful to establish ownership of the system.

6. Documentation and Reporting The investigator must accurately document all the steps of their investigation from beginning to end. Documentation aims to allow others to reproduce the same conclusions as mentioned by following the steps. There are three main parts of this step:

  • Investigator's notes: The notes should be taken by the investigator while the investigation occurs because they serve as the basis for the report. This includes a copy of the search warrant, irregularities found, additional information regarding authorized users or user agreements, and other information on backups.
  • Investigator's report: The report is given to the investigator who considers the findings and will further decide what happens next. The report has a definite structure and has a formal tone. This includes the reporting agency's identity, essential case information, detailed list and description of items, date of receipt, and investigator's name.
  • Investigator's findings: The findings are usually based on the events described in the report. This often includes specific files requested for, internet-related evidence, a result of data analysis and extraction, and retrieved files.


Some of the PROS of cyber forensics are:

  • It ensures the integrity of the computer system.
  • It helps to protect an organization's money and valuable time.
  • It produces evidence in court that provides justice for the victim.
  • It efficiently tracks down cybercriminals.
  • It allows extraction and interpretation of the evidence and proves the cybercriminal's actions in court.
  • It helps companies identify if their computer systems are compromised.

Some of the CONS of cyber forensics are:

  • It is expensive to produce and store electronic records.
  • Evidence produced must be authentic and tamper-proof.
  • The investigating officer's lack of technical knowledge may not produce the desired result.
  • It requires legal practitioners to have extensive computer knowledge.
  • Evidence can be disapproved if the forensic tool is below the standards specified by the court.


Cyber forensic tools are designed to ensure that the information extracted is accurate and reliable. Some popular tools used are:

  • Autopsy

An autopsy is one of the most popular disks and data capture tools. It was designed to analyze disk images and perform an in-depth analysis of the file system and data present on the device. An autopsy is available for both Unix and Windows.

  • X-Ways Forensics

X-Ways Forensics is also a disk and data capture tool. It provides a commercial digital forensics platform for Windows and is resource-efficient. It has a special feature capable of running off a USB Stick useful for live acquisition. The company also offers a sparse version of the platform known as X-Ways Investigator.

  • AccessData FTK

AccessData Forensic Toolkit (FTK) also falls under disk and data capture tools. It provides a commercial digital forensics platform that brags about its analysis speed. It performs upfront indexing, speedy analysis of forensic artifacts, and claims to be the only forensic platform to leverage multi-core computers fully.

  • Encase

Encase is also a disk and data capture tool and provides a commercial forensics platform. It claims to offer support for evidence collection of 25 different types of devices like GPS, mobile devices, and desktops. The collected data can be inspected using the tool and generate a wide variety of reports as it has several predefined templates.

  • Mandiant Redline

Mandiant Redline is one of the popular tools for memory and file analysis. It is used to collect information about running processes on hosts, drivers from memory and gather other essential data like metadata, registry data, services, network information, and internet history to generate a proper report.

  • Registry Recon

Registry Recon is a popular tool for registry analysis and provides a commercial platform. Windows registry serves as a database of OS configuration information and applications running on it. This tool is used to extract the registry information from evidence and then rebuild the registry representation. It can rebuild registries from previous and current Windows installations.

  • Volatility

Volatility is a memory forensic framework and is useful for the analysis of the system's volatile memory, i.e., RAM. It is used for incident response and malware analysis. This tool can extract information from running processes, network sockets, network connections, DLLs, and registry hives. It is capable of extracting Windows crash dump files and hibernation files as well. This tool is available for free under the GPL license.

  • Wireshark

Wireshark is the most widely used network traffic analysis tool. It can capture live traffic or ingest a saved capture file. It has various protocol dissectors and has a user-friendly interface, making it easier to inspect the contents of traffic capture and search for forensic evidence within it.

  • Xplico

Xplico is a network traffic analysis tool and is open-source. It is useful for the extraction of useful data from applications that utilize internet and network protocols. It is known to support the most popular protocols, including HTTP, IMAP, POP, SIP, TCP, SMTP, UDP, and many more. The output given by the tool is stored in an SQLite or MySQL database. It supports both IPv4 and IPv6.

  • Oxygen Forensic Detective

Oxygen Forensic Detective is a commercial mobile device forensic tool distributed using a USB dongle. It is useful for extracting data from different platforms like IoT, cloud services, media cards, backups, drones, and desktop platforms. It can bypass device security using physical methods and collect authentication data for many different mobile applications.

  • Cellebrite UFED

Cellebrite UFED is also a commercial mobile device forensic tool and claims to match industry standards for accessing digital data. It targets mobile devices, but the general UFED product line targets a range of devices, including SIM, drones, SD cards, cloud, and GPS. It claims to use exclusive methods to maximize data extraction from mobile devices.

  • XRY

XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interact with a mobile device's operating system and extract the desired data. XRY Physical is used to bypass the mobile's operating system using physical recovery techniques enabling the analysis of locked devices.


CAINE (Computer Aided Investigative Environment) is an open-source Linux distribution specifically created for digital forensics. It offers an environment to integrate existing software tools as software modules in a user-friendly manner.

  • HELIX3

HELIX3 is a live CD-based digital forensic suite created to be used during incident response. It comes with several open-source digital forensic tools like hex editors, data carving, and password cracking tools. This tool can collect data from network connections, physical memory, scheduled jobs, Windows registry, internet history, applications, chat logs, screen captures, and drivers. Further, it analyzes and reviews the data to generate the compiled results based on reports.


This article is the ultimate guide for someone who is looking to deep dive into Cyber Forensics. Cyber Forensics has gained traction only because of the rising rate of cyber crimes in the digital era. Everyone needs to gain some knowledge regarding this. I hope you enjoyed reading this article.


https://www.educba.com/cyber-forensics/(Image 1) https://en.wikipedia.org/wiki/Mobile_device_forensics https://www.guru99.com/digital-forensics.html https://blog.ipleaders.in/cyber-crimes-classification-and-cyber-forensics/ http://cybersecurity.jhigh.co.uk/digitalForensics/phasesOfInvestigation.html https://resources.infosecinstitute.com/topic/computer-forensics-tools/

Start learning with Cybrary

Create a free account

Related Posts

All Blogs