This article is written by  Ravikant Rai. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho). 

This article has been published by Sneha Mahawar.


Digital forensics is computer forensic and investigation forensic science. The word forensic science comes from the Latin term ‘forensis’ meaning off or before the forum, which means presenting the case before a group of public individuals in the forum. It is an application of anything science-related and used in the court of law, as if there is a dispute between two people, one who presents evidence and arguments against the other, wins the case.

Digital forensics is a part of forensic science that focuses on the recovery and investigations of material found in digital devices related to cybercrime. Digital forensic investigation is the forensic investigation of any devices that can store digital data. Digital forensics is a process of identifying, preserving, analyzing, and documenting digital evidence; it helps in presenting evidence in a court of law when required. It is to be systematic in a very specific way, that is:


It is a process to identify where the attacker has stored the data or evidence.


The data and evidence are kept secured and preserved; so that they cannot tamper with.


This is the process of recreating fragments of data and drawing conclusions based on the evidence found therein.


It includes the creation of records of the data, for the recreation of the crime scene.


The last step includes summaries and drawing a conclusion based on data collected.

Forensic investigator

A digital forensic investigator follows the evidence and deals with virtual crimes. An Investigator determines how the attacker attacked the network, how it was damaged, where they damaged the network, what the attacker did to the network, and whether or not there is still malware.

The digital forensic investigator recovers the deleted data, deleted files, photos, documents, emails, etc. to another system or drive. They crack the password and find the source of the breached data.

The digital investigator finds out using a digital footprint what device the attacker was using; he uses the data for solving the case. They use various software and tools to investigate encrypted data.

First, they seize the devices through which crimes were committed, they seize the device so that they can carefully extract the data, information, and evidence from them. They find out whether the collected data is authentic and accurate, and make a safe environment where data and evidence can be stored securely. Acquiring data is a process of retrieving electronically stored information (ESI), there is a need for getting insights into the incident, the wrong process can alter the data, evidence might get erased, they analyze the data, extracts essential information, and they convert it so that it can be made presentable before the court, then it goes to the expert witness, to affirm the findings of evidence.

When they complete data collection, they make it presentable before the court or transfer it to the police for their further investigation.

Sources of digital evidence

Mostly, the source of digital evidence comes from Video cameras, cell phones, computers, mobile devices, game consoles, file storage, the internet of things, wearable, automated license plate readers, in-car, body-worn cameras, unmanned aerial systems, interview room recording, closed-circuit television, TASERs, etc.

Mobile evidence

Mobile evidence includes:

  • Text messages: Messages through texting and photo sending via social media apps can convey information and plans for criminal activity.
  • Phone record: This includes the retrieval of a suspect’s data when a suspect has called and who he has called in the course of criminal activity.
  • Browser or search history: The history of a computer or cell phone removes so many doubts and gives accurate information during the investigation.
  • GPS location: During the investigation, GPS location helps a lot to track the location at the time of the crime, where the phone was by using nearby network towers.
  • Application data: Retrieval of application data sometimes becomes very difficult; some criminals use apps like snap chat where data is deleted after sending information to others, which is critical to track down for the investigator.
  • Wi-Fi or Bluetooth: It gives a lot of information and helps a lot during the investigation; it gives the exact location at every point in time.
  • Multimedia: Today although all cell phones have multimedia functionaries, which helps a lot in extracting evidence if the phone is not fully destroyed, sensitive information can be extracted by forensic specialists even if all files are deleted from it.

Mobile forensic

Today’s mobile phone contains a lot of gadgets on it and all these gadgets are connected to the phone and contain a lot of user information. The expansion of the Internet of Things, cloud computing is the result of the vast expansion of trends in mobile phones. 

Process for forensic investigation of mobile data

Forensic work starts with the seizure of the materials because it is the first visual evidence in the court and after the confiscation of the material involved the investigation procedure becomes easy. After the confiscation of a mobile, breaking its lock without losing internal data is very hard, and it is a challenge to keep it away from connectivity by putting it into flight mode or cloning the sim card and keeping it on to avoid alteration of data so that data stays safe. The faraday box and external power are equipment for conducting the investigation. The use of the Faraday box is for keeping away mobile from connectivity and safe transportation.

The acquisition is the main goal after unlocking the device. As encryption of these things makes it very difficult to crack, however, data synchronization and cloud services such as Microsoft one driver, and Apple iCloud are in almost every multimedia device, from where data acquisition becomes easy for them.  Besides all these, there are vast varieties of open-source operating systems which creates impediments.

For investigation purposes, it is necessary to identify the type of mobile device, type of network, carrier, and service provider.

All the findings and other relevant details are presented before the expert or to the police or court in a clear format. 

Tools used in digital forensic analysis

Various tools are used for forensic investigation; most of them are freely available on an online platform. Whether it is used for interpersonal purposes or investigation into unauthorized access to a server, it provides in-depth information, these tools are:


An autopsy is a GUI-based open-source digital forensic program to analyze hard drives and smartphones internally. It is used to investigate what happened in the system.

Encrypted Disk Detector

It checks encrypted physical drivers. It supports TrueCrypt, PGP, Bit locker, and safe boot encrypted volumes.

Wire shark

It is a network capture and analyzer tool for the network and is used to find network-related issues.

Magnet RAM Capture

It is used to capture the physical memory and analyze it on a computer.

Network Miner

It is a network analyzer for Linux, Mac OS X, and Windows to detect OS, hostname, and open ports through packet sniffing. It provides artifacts in an intuitive user interface.


Network Mapper is one of the network and security auditing tools, it is open-source and free software.

Hash my files

It is used to calculate SHA and md5 hashes, for window OS users.

Crowd response

It is an application for security engagement and incident response and collects system information, its results can be viewed on XML, CSV, TSV, or HTML through CR convert. 

For investigation, there are some tools; such as

·         Tortilla:  For anonymous route IP/TCP and DNS traffic.

·         Shellshock Scanner: It scans the network for vulnerability.

·         Heart bleed scanner: It scans your network for OpenSSL.


It has many tools which are very useful in an investigation. These are:

·         File signature verifier

·         Hash and validate

·         File Identifier

·         Encode text

·         Binary inspector

·         URI data generation


It’s a Computer-Aided Investigative Environment. It is a Linux Distro and offers the forensic platform and tools to investigate reports.


Volatility is a forensic framework, used for malware reporting and incident response. This information can be extracted from the processor, network connection, even from crash dump files and hibernated files.

Bulk extractor

The bulk extractor is used to scan files, disk images, and a directory of files to extract information and is used by law enforcement agencies and investigative bodies for investigative purposes.

Oxygen forensic suite

It is used by investigating agencies to extract evidence from a mobile phone.


This is also an open-source network for forensic analysis tools. It helps in extracting data of an application from the Internet traffic.

Data storage in devices

All data is stored on storage media as a solid-state drive (SSD) hard disk drive (HDDs), USB, SD Card, or external hard drive, it can be converted to a string of bits (1byte = 8bits) or binary digits having a value of 0 or 1, and it can make photos, documents, audios, and videos.

Data recovery includes the process of recovery of lost, deleted or inaccessible data from the backup system.

Causes of loss of data

Data loss occurs mainly due to an error in the system or by a mechanical fault or due to some error while working on the system; it may occur due to a ransomware attack or due to a data breach. It may occur due to natural disaster, system failure or malfunctions, or due to formatting of the hard drive, damage of hard drive, logical error, etc.

Process of data recovery

The data recovery process includes different processes according to the loss of data. Users can recover lost data themselves, while sometimes it requires IT intervention, sometimes data remains in the hard disk even after deletion from the system.

The window files are stored in the hard disk as pages in the books; the operating system uses a file allocation table to find out the location of files in the drive.

Data recovery takes place through a backup server, where a duplicate file is created of every file in a pristine form, without the user’s intervention recovery process working in the background.

For avoiding data loss to take place, data loss prevention products help to avoid companies’ data leaks, and come in two versions (1) Stand Alone; (2) Integrated.

Standalone products come in software format and are sold as software, and Integrated products are used to detect sensitive data in rest or motion.


Hashing is a technique to solve problems through a formula or by using an algorithm to map object data and store data in a collection after converting it into a small value of data.

The hash code (hash) can be used to convert small searches.

Guidelines for hash value

The guideline related to the hash value extracted from the Digital Evidence Investigation, Central board of direct taxes Department of Revenue, Ministry of Finance, and Government of India are:

  • Using a system without the use of write protects devices from making changes or fingerprinting of the disk; resulting in the inadmissibility of evidence.
  • One-way encryption is similar to mathematical hashing, where every digital evidence of the lowest value converts into a large number of values. The hash algorithm converts data into a fixed-length number known as the dark message digest, this is always fixed in length. Its number is generated randomly.

Chain of custody

It is a logical sequence used to transfer custody; dispose of evidence (both physical and digital) for legal cases. Following the procedure of evidential quality; the Chain should not be broken to make it admissible in court. It includes the collection, sequencing, transfer, and analysis of data. It includes in the documentation the person involved in evidence collection, date and time of collection to maintain the trust of the court and client that evidence does not tamper.

The chain of custody in digital forensics is known as chronological documentation of the evidence. Chain of custody helps in preserving the integrity of evidence so that it cannot be tampered with.


Cybercrime is any illegal act involving a computer, its system, or its application. It is an unlawful act where criminal activities occur on an online platform. It must be intentional and not accidental. For Example, theft of intellectual property, damage of company networks, denial of service attacks, etc.

Modes of Cyber-attacks

Cybercrimes fall into two categories:

  1. Insider Attacks
  2. External Attacks

A digital crime includes defamation, theft, forgery, fraud, and mischief as well.

Cybercrimes, which may occur on the computer include Hacking, virus attack, DOS attacks, etc., and the other is intellectual property rights violations, pornography, credit card fraud, etc. are dealt with in the sections of the Indian Penal Code, 1860 and IT Act, 2000. As:

Hacking and Data theft

Section 43 and Section 66 of the Information technology act 2000 penalize hacking on digital devices, spamming, data theft, damaging computer programs, access denial, and damaging information. The punishment for such crimes may extend to three years or a fine of five lacs or both.

For data theft and all other movable property including digital media platforms, section 378 of IPC comes into effect which prescribes a punishment of 3 years of imprisonment or fine or both.

Section 66A of IT act provides punishment for identity theft including signature, a password shall be punished with imprisonment of either description for a term which may extend to 3 years or fine up to one lac rupees or both.

Section 66D provides punishment for cheating by personation, by using digital platform shall be punished for a term which may extend to 3 years or fine up to 1 lacs rupees or both.

Section 67, 67A, 67B of the IT act provides punishment for uploading and transmitting obscene material containing sexually explicit acts and depicting children in such activity shall be punished with imprisonment for a term which may extend to 3 years or a fine up to 5 lacs rupees or both. And the punishment for Section 67A & 67B of the IT act includes imprisonment of 5 years which may extend to 7 years if convicted for a second time or a fine up to 10 lacs rupees or both.


Digital evidence processing involves digital forensic investigation of any devices that can store digital data. It involves very cumbersome procedures likewise the process of Physical forensic data collection. There are various ultra-technology-equipped modern tools used for the collection of digital evidence.

In India, we have enacted the Cyberlaw which is the Information Technology Act, 2000, and the Indian Penal code, 1860 which helps in the classification of different types of digital crimes.

Digital forensic and Forensic are very distinct from one another; some of the normal forensic processes are used in digital forensics as well. A Digital forensic investigation may be difficult; gathering strong evidence on the digital platform is not an easy task at every step new technology is evolving which requires a specific tool to investigate its operations. Both sides of the expert get evidence but the issue arises to prove how such evidence is relevant and how it is obtained.


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here