Digital forensics – Types

This section covers the major types of digital forensics. With growing technology and advancements in the field of forensics, we are able to derive a great deal of information using digital forensic techniques.

There are different types of digital evidence offering unique types of information. They are broadly categorized into two groups:

  • Evidence from data at rest (obtained from any device that stores digital information).
  • Data intercepted while being transmitted (interception of data transmission/communications).


Mobile forensics

Even though there are many methodologies involved, I think NIST has outlined the best practices with mobile forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving
specialty in the field of digital forensics. Read the guideline here

The production process of the forensic evidence is divided in five main phase: the seizure, the identification, the acquisition and the examination or analysis. Once the data is extracted from a device, different methods of analysis are used based on the underlying case. Though, there are different tools which are available for mobile forensics, XRY has been recommended for mobile forensics investigation. For more information please check here.

Network forensics

Network forensics is the study of data in motion, with special focus on gathering evidence via a process that will support admission into court. This means the integrity of the data is paramount, as is the legality of the collection process. Network forensics is closely related to network intrusion detection: the difference is the former is legal-focused, and the latter is operations-focused.

Network forensics is described as: “Traditionally, computer forensics has focused on file recovery and file system analysis performed against system internals or seized storage devices. However, the hard drive is only a small piece of the story. These days, evidence almost always traverses the network and sometimes is never stored on a hard drive at all {Yong Guan et al, 2014}.

For more information please check here.

Database forensics

Database forensic scientist have a serious troublesome undertaking with regards to working through corrupted databases, as opposed to standard digital forensics, which deal with fragmented “normal” data as it is found on a conventional hard drive. This is on the grounds that standard record frameworks apportion a header and a footer cycle to a document, taking into account the reproduction of the document, now and again, by utilizing data from the metadata in the document framework.

A database forensics expert will normally use a read-only method or an identical forensic copy of the data when interfacing with a database to ensure that no data is compromised. The most common types of databases used for forensics include Oracle and SQL. For more information, check this article.

Web forensics

Web browsers are used in mobile devices, tablets, netbooks, desktops, etc., and often can be used not just for web surfing, but for navigation through the file system of the device. The web browser’s cache can contain downloaded images, videos, documents, executable files and scripts.

Web browsers also can contain data entered into forms: search queries, logins and passwords for web email accounts, social networks, other web sites and financial information (for example, credit card numbers). Favorites and searches can give the researcher an idea of ​​the device owner’s interests. For more information please check here.

Email forensics

Email forensics refers to analyzing the source and content of emails as evidence. Investigation of email related crimes and incidents involves various approaches. Furthermore it focuses on investigation of emails to collect digital evidence for crimes and incidents. It comprises in-depth & systematic examination of emails, especially aspects such as message transmission routes, attached files and documents, IP addresses of servers and computers, etc.  

Cybercriminals forge e-mail headers or send it anonymously for illegitimate purposes which lead to several crimes and thus make e-mail forensic investigation crucial {}. For more information please check here.

Malware forensics

It is a method of finding, analyzing & investigating various properties of malware to find the culprits and reason for the attack. The process also includes tasks such as finding out the malicious code, determining its entry, method of propagation, impact on the system, ports it tries to use etc. investigators conduct forensic investigation using different techniques and tools.

Because the malware developers use the various advanced techniques to hide the actual code or the behavior of malware. Thereby, it becomes very hard to analyze the malware for getting the useful information in order to design the malware detection system because of anti-static and anti-dynamic analysis technique. For more information please check here.

Disk Forensics

Hard Disk Forensics extracts actionable information from computer storage to be presented as evidence in criminal proceedings. The process often entails fetching information which was deleted or damaged and later on, reconstructing the same.

Recent statistics and analytics show the exponential growth of cyber threats and attacks and thus necessitate the need for forensic experts and forensic researchers for automation process in the cyber world. As digital forensics is directly related to data recovery and data carving, this field struggles with the rapid increase in volume of data. For more information please check here.

Memory forensics

Digital Guardian defines Memory forensics (sometimes referred to as memory analysis) refers to the analysis of volatile data in a computer’s memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.

A memory dump (also known as a core dump or system dump) is a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise. Memory dumps contain RAM data that can be used to identify the cause of an incident and other key details about what happened. or more information please check here.

%d bloggers like this: