Cyber Forensic Investigation
We engage in the examination of digital evidence, including complete forensic computer
Detecting and gathering clues from the crime scene plays a major role in the investigation process.
Nowadays, with the increase in cybercrime and fraud on the internet, digital forensics is gaining importance. Investigators need to collect information about the events that happened at the crime scene. The reconstruction process is based on the crime event and its characteristics. It also furnishes an estimate of the crime rate using some semi-formal techniques.
Cybervault follows these techniques when investigating any cyber crime:
– System Preservation
This phase is always the first thing to do once a digital crime is detected or even suspected. As with classic crimes, the first act of investigation is to preserve the crime scene, and that is the main aspect of this phase. In classic crime investigation you can close off the crime scene, e.g. a house or flat, but it is more difficult to follow this approach in a digital investigation, where it is hard to shut down a network or computers without altering data. As with classic crime scenes, every change to the evidence should be avoided: all information contained in the network or on physical storage devices has to be copied and saved without being changed. It is important to have proof that the data was not changed during the investigation process. One approach to achieve this is to compute a cryptographic hash sum of the data at the time of preservation; a later mismatch of that hash indicates that the data has been changed.
– Search for Evidence
Now, after the crime scene is preserved, the next step is to look for evidence.
The main methods for searching for evidence are:
- looking at log files, e.g., those of routers or other network components
- searching for altered data, e.g., again with cryptographic hash sums
- looking for rootkits, e.g., by checking the low levels of the operating system
- searching the file system for suspicious files
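The hash-based preservation check described above (and the search for altered data with hash sums) can be implemented as a manifest taken at seizure time and re-verified later. The following is an added example, not Cybervault's own tooling; the file names and log contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream evidence in 1 MiB blocks so large images never sit in memory


def hash_file(path):
    """SHA-256 of one file, computed block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Preservation phase: record the hash of every file below root, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Later phase: re-hash the tree and report what no longer matches the preserved record."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo(tamper=True):
    """Constructed walk-through on a throwaway directory: preserve, optionally alter, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "router.log").write_text("Jan 01 00:00:01 session opened\n")  # constructed sample
        (root / "notes.txt").write_text("constructed sample evidence\n")
        manifest = build_manifest(root)  # what the investigator records at seizure time
        if tamper:  # simulate changes made to the scene after preservation
            (root / "logs" / "router.log").write_text("Jan 01 00:00:01 session opened\nJan 01 00:00:09 log rotated\n")
            (root / "notes.txt").unlink()
            (root / "new.bin").write_bytes(b"\x00" * 16)
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # {'modified': ['logs/router.log'], 'missing': ['notes.txt'], 'added': ['new.bin']}
```

Storing the manifest alongside the evidence copy (and hashing the manifest itself) gives the proof of integrity the preservation phase calls for.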
– Event Reconstruction
The third and last phase of the digital investigation process is to use the collected evidence to
reconstruct what has happened in the system or network. To do this, it is necessary to correlate various pieces of evidence, possibly from different sources, to support the one hypothesis that remains standing. For this phase it is important to have knowledge of the operating systems and the network basics of the digital components involved in the crime. Understanding how an operating system or the network components work is essential to working out what the hints indicate.