Digital forensics

Forensic Techniques

Ravi Das
October 31, 2017 by
Ravi Das

The main goal of the forensic investigation is to handle a large amount of data, gather as much evidence as possible, and uncover all the hidden and untraced data.

In the field of digital forensic various techniques are considered to extract the maximum amount of information and gather as much evidence. Below is the list of techniques that are used in digital forensic investigation:

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Disk Imaging:

A disk image is a process of copying the entire contents of a storage device, such as a hard drive, DVD, CD, etc. The disk image represents the content bit by bit as it is present on the original device, including both data and structured information.

Disk Cloning: Cloning is the process of copying the contents of a computer hard drive. Data are then saved as a disk image file and transferred to a storage device, which could be DVD, CD, USB or another computer's hard drive, etc.

MD5 Checksum: The MD5 algorithm is a popular and commonly used hash function producing a 128-bit hash value. It produces one-way encryption to generate hashed/ciphertext. It can still be used as a checksum to verify data integrity.

Hashing: Encryption is the process of scrambling a message at the sending point and unscrambling it at the receiving point. The basic premise behind this is to make sure that the intended message remains in an undecipherable state as it is being sent and received. However, despite this, hackers are still very sophisticated, and can still take this and change the integrity of the message. To make sure that this has not been compromised, a technique known as "Hashing" is used. Essentially, this is a series of numbers derived from a complex mathematical formula. This too is encrypted, and if it remains in the same value state when it is unencrypted, then the receiver can be assured that the message has remained intact and not tampered with by a malicious third party.

Tools: HashCalc, MD5 Calculator, HashMyFiles, Md5sum.

Tools: Internet Evidence Finder V6.3; PhotoDNA

Steganography: It is a process of hiding a secret message within a different format of and extracting it at the destination to hide it. Generally hiding a secret message into images, video files are covered in steganography.

Tools: DarkCryptTC, Xiao Steganography, Image Steganography, Steghide, Crypture, SteganographX Plus, rSteg, SSuite Picsel.

Steganalysis: It is a process of analyzing, rendering and converting messages using Steganography. It is a reverse steganography process. This is the process of hiding a secret message within a different format of and extracting it at the destination to hide it. Hiding a secret message into images, video files are covered in steganography.

Tools: DarkCryptTC, Xiao Steganography, Image Steganography, Steghide, Crypture, SteganographX Plus, rSteg, SSuite Picsel.

Tools: Xstegsecret, StegSpy, Stego Watch, Gargoyle Investigator Forensic Pro, StegMark.

Password Cracking:

A password cracker is any component in the form of script or software that can decrypt passwords or otherwise disable password protection to gain unauthorized access to the vulnerable system. Cracking a key means an attempt to recover the key's value, and cracking cipher text means an attempt to recover the corresponding plaintext.

Tools: Passware Kit Forensic, Password Recovery Bundle, L0phtCrack, OphCrack, Cain & Able, Rainbow Crack, Advanced Office Password Recovery.

Types: Wire Sniffing, Password Sniffing, Man-in-the-Middle and Replay Attack, Password Guessing, Trojan/Spyware/Keylogger, Hash Injection.

Looking for a career in computer forensics? Check out InfoSec Institute's fundamental computer forensics course. We've offered award-winning training to our students for nearly twenty years, and right now you can fill out the brief form below to receive course details/pricing.

Log Capturing and Event Correlation: Every device that is connected to a network generates some number of logs for each action performed. Capturing and analyzing the log files is one of the important tasks for investigating the security structure of the network, as they might contain information about all the system, device, and user activities that took place within the network. Event correlation is a practice in which examiner investigates logs by with the help of event correlation tool, deduce and trace the attack. It plays an important role in case of APT attacks. Acquiring, preserving and analysis of network events to disclose the source of security attacks is called Network forensics.

Tools: GFI EventsManager, Activeworx Security Centre, EventLog Analyzer, Syslog-ng, Kiwi Syslog Server, WinSyslog, Firewall Analyzer, EventSentry, Log Viewer Pro.

Types: Logs of Computer Security, Operating System, Application, Security Software, Router, Honeypot, and Windows Log File, DHCP, Syslog, Firewall.

Network Forensics: The process of network forensic contains sniffing and analysis of the network traffic and event logs to investigate a network incident. It allows inspecting network traffic and logs to identify and locate the attacker and attacked system. Some Network Tools include the following:

  1. Visualization Techniques: A commonly used tool here are the various Data Mining Algorithms. They can be used to help detect malformed or suspicious data packets or even any other kind of network trends which appear to be out of the norm. To a certain extent, they can even be used to find the origination point of a Cyber-attack.
  2. Coordinated Views: This technique creates different views of a certain data packet(s). It allows examining the relationships amongst different packets, or even within a single data packet itself.
  3. Selection and Probing: This technique allows for the forensics investigator to examine in further detail the actual contents of the suspicious or malformed data packet. Examples of this include the IP address(es) and port number(s) which are associated with that data packet.

Tools: Wireshark, NetworkMiner, Snort, MaaTec Network Analyzer, NetWitness Investigator, Colasoft Capsa Network Analyzer.

Network Technique Tools: CapAnalysis; chkrootkit; cryptcat; Netcat; NetFlow/flowtools

Types: IP Address Spoofing, MITM, Packet Sniffing, Enumeration, DOS, Session Sniffing, Buffer Overflow, Trojan Horse, New Line Injection, Separator Injection, Timestamp Injection, WordWrap Abuse, Proxy, DNS Spoofing & Poisoning.

Mobile Forensics: Mobile device forensics is the process of recovering the digital evidence or data from a mobile device under forensically sound conditions. However, it can also relate to any digital device like Call records, Messages, Media Files, Applications that has both internal memory and communication ability, including PDA devices, Mobile phones, tablet computers.

Mobile Forensics Techniques: There are many techniques which are used in conducting a mobile forensics investigation, which are as follows:

  1. Verification: This is where the first level of documentation is initiated. The important point to keep in mind is that this the point at which it is necessary to confirm that the correct smartphone device is being studied.
  2. System Description: This is the part where key data about the smartphone is recorded which includes the following: Make/Model of the smartphone, SIM Card version, Carrier, Phone Number, etc.
  3. Evidence Acquisition: This is the step where a copy (a physical based one) of the memory bank of the smartphone is initiated and completed. This can be deemed to be a very complex task, and at times, other specialized tools may be required.
  4. Accessing the File System: This is where the various files in the smartphone's OS are extracted and studied (such as the Android OS, iOS, etc.).
  5. Analysis: Here, the actual detailed analysis is conducted on the smartphone in question. Since each smartphone varies greatly, the analyses are specific to each case. However, in general, this step includes the media of the smartphone by conducting various string searches; extraction of the phone book and SMS messages; the SIM Card; any recent calls made; the Calendar; the Web Browsing history; Multimedia; as well as any other foreign artifacts unique to the smartphone in question.

Tools: Cellebrite UFED System, UME-36Pro (Universal Memory Exchanger), RadioTactics ACESO, Logicube CellDEK, Deployable Device Seizure, Oxygen Forensic Suite, MOBILedit! Forensic, BitPim, SIM Analyzer, SIMCon.

Mobile Forensic Tools: NitPim; TULP2G; Katana Forensics' Lantern Lite Imager, etc.

Sandboxing: It can be described as analysis oriented, virtual or physical environment is called a sandbox. A Sandbox is not only bonded to digital forensics or malware analysis area. A sandbox can be used for executing malware or creating a forensics oriented environment. Sandbox is also used to execute binary data to check behavior.

Tools: Cuckoosandbox

Data Mining: In forensic data mining is a crucial part. It means the extraction of crime-related data to determine crime patterns. Nowadays file size and data size has been increased a lot. To get proper evidence related to crime data mining is helpful.

Evidence visualization: Evidence Visualizing of the digital evidence that is retrieved from the investigation in an easy, constructive format has a major difficulty. This problem persists due to the advance technique of hiding, wiping, encrypting and a large amount of data. It is difficult for a forensic tool to analyze such huge amount of data in a well-organized way. As a confrontation of such problem, a visualization framework is worked upon by the experts known as EPIC


Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at (or; and contact Ravi at