1. What is Computer Forensics?

Computer Forensics = Science of collecting, preserving, analyzing, and presenting digital evidence from devices like computers, phones, USBs.

Used when:

• A crime involves digital devices (e.g., drug dealer has a PC).
• You need to prove or disprove someone’s guilt using digital files.

2. Computer Forensics Process (4 steps - Old Method)

1. Acquisition: Copying digital data (e.g., hard disk).
2. Identification: Finding files, emails, pictures.
3. Evaluation: Decide what is useful.
4. Admission: Present evidence in court.

3. Modern Methodologies (Newer Models)

• DOJ, DFRWS, IDIP, EDIP = All are different methods.
• Don’t memorize them all – just know DFRWS method (used in exams).

DFRWS (Important - 6 Steps)

1. Identification – Detect incident type (e.g., hacking, fraud)
2. Preservation – Protect evidence (Chain of Custody!)
3. Collection – Gather devices properly
4. Examination – Deep technical inspection
5. Analysis – Understand what it means
6. Presentation – Report and testify

4. Chain of Custody (VERY IMPORTANT)

• Track who touched the evidence, when, and what they did.
• Use evidence custody forms:
  • Single-evidence (one item)
  • Multi-evidence (many items)
• If this chain is broken → evidence becomes useless in court.

5. GCFIM Model (Generic Model – 5 Steps)

1. Pre-Process: Plan, get approvals
2. Acquisition & Preservation: Collect and secure
3. Analysis: Find out who’s guilty
4. Presentation: Report clearly
5. Post-Process: Close case, archive data

6. Systematic Approach (Real-life method to investigate)

Steps:

1. Know the case
2. Make plan and checklist
3. Identify resources and risks
4. Copy evidence safely
5. Analyze data
6. Report and review

7. Handling Cases

• Stay neutral – don’t take sides.
• Evidence can also prove innocence!
• Plan well and be careful.

8. Types of Investigations & What to Look For

A. Employee Termination Cases

• Look for abuse like:
  • Internet misuse
  • Email threats
  • Stealing files

B. Internet Abuse

Steps:

1. Forensic scan for URLs
2. Get proxy server logs
3. Match both
4. Report any inappropriate access

C. Email Abuse

Steps:

1. Get Outlook files (.pst, .ost)
2. Check header + content
3. Match with server logs
4. Use forensic tools to search

D. Media Leak

• Check:
  • Email
  • Internet messages
  • Logs
  • Phone records

E. Industrial Espionage

• Similar to media leaks
• Goal: Catch who stole trade secrets

9. Interviews vs Interrogations

• Interview = Ask witness/suspect facts.
• Interrogation = Try to get confession.

10. Bit-stream Copy vs Backup

• Bit-stream copy = exact copy (used in forensics)
  • Includes deleted files, fragments
• Backup = normal file copy (not useful for forensics)

💡 Real-Life Scenario You Must Know:

Example 1 – Dead Box

• Computer is OFF
• Copy the disk using tools like HardCopy 3P
• Easy case

Example 2 – Live Box

• Computer is ON
• Use CaptureGUARD to get memory (RAM)
• Collect volatile data (passwords, sessions)

Keywords to Remember for MCQs / 1 Mark Questions

• DFRWS, Chain of Custody, Dead Box, Live Box
• Bit-stream copy, Outlook .pst, Proxy server logs
• Forensic Toolkit, Exculpatory evidence, Preservation

Bonus: Forms and Documentation

• Fill Evidence Custody Form
  • Who collected it
  • Where it's kept
  • What was done
• Use tags, evidence bags, lockers.

One-liner Revisions (Before You Enter Exam)

• Computer forensics = science of digital evidence
• DFRWS = 6 steps, starts with Identification
• Chain of Custody = keeps evidence valid
• Bit-stream copy > backup (includes deleted files)
• Interview ≠ Interrogation
• Dead Box = Computer OFF
• Live Box = Computer ON, RAM must be saved
• Plan → Acquire → Analyze → Present → Close