Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Forensics Lifecycle, Investigation Phases & OSI Model in Forensics

Lesson 15 of 15 in the free Cyber Security notes on Siksha Sarovar, written by Rohit Jangra.

This final lesson covers the systematic process of conducting a digital forensics investigation — from the moment an incident is detected through to the presentation of findings in court or to management. It also explores how the OSI 7-layer model provides a framework for network forensics.

---

The Digital Forensics Lifecycle — Six Phases

The lifecycle is the structured methodology that ensures forensic investigations are thorough, repeatable, legally defensible, and scientifically rigorous.

| Phase | Name | Objectives | Key Activities | Tools Used |
|---|---|---|---|---|
| 1 | Identification | Identify what devices and data are relevant to the investigation | Interview witnesses, review logs, identify crime scene scope | Case management software |
| 2 | Preservation | Prevent alteration or destruction of evidence | Write-block devices, create forensic images, Faraday bags for mobile | Hardware write blockers, Faraday bags |
| 3 | Collection | Systematically acquire evidence following legal procedures | Bit-for-bit imaging, hash verification, document chain of custody | FTK Imager, dd, dcfldd, Guymager |
| 4 | Examination | Filter and process large data volumes to find relevant content | File system analysis, deleted file recovery, keyword search, timeline | Autopsy, EnCase, X-Ways Forensics |
| 5 | Analysis | Interpret and correlate findings to reconstruct events | Timeline reconstruction, malware analysis, attribution | Volatility, Log2Timeline, Maltego |
| 6 | Presentation | Communicate findings to stakeholders and courts | Write expert report, prepare exhibits, testify as expert witness | Report templates, courtroom presentations |

---

Phase 1: Identification — Detailed

Proper identification sets the scope and direction of the entire investigation:

  • Triage assessment: Which systems, accounts, or devices are likely to contain evidence?
  • Legal authority: Is there a search warrant, court order, or employee consent? What is the scope?
  • Evidence potential: Is the device still powered on (volatile data available)? When was the incident?
  • Documentation: Photograph the scene before touching anything — screen state, physical setup

---

Phase 2 & 3: Preservation and Collection — Detailed

Preservation protects evidence from inadvertent modification:

  • Powered-on systems: Capture RAM BEFORE powering off (RAM is volatile!)
  • Powered-off systems: Do NOT power on — connect write blocker, then image
  • Mobile devices: Faraday bag immediately (prevents remote wipe)
  • Cloud evidence: Issue legal hold or preservation request to provider

Collection — Forensic Imaging:

  1. Connect evidence drive to forensic workstation through hardware write blocker
  2. Create bit-for-bit forensic image using FTK Imager or dd command
  3. Calculate MD5 + SHA-256 hash of original evidence drive
  4. Calculate hash of forensic image
  5. Verify hashes match (proves exact copy)
  6. Work exclusively on the forensic image — never on the original

Hash Comparison Table:

| Hash Algorithm | Hash Length | Current Status | Speed | Use in Forensics |
|---|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Cryptographically broken (collisions) | Very Fast | Still widely used for file integrity (not security) |
| SHA-1 | 160-bit (40 hex chars) | Broken (SHAttered, 2017) | Fast | Legacy forensics tools |
| SHA-256 | 256-bit (64 hex chars) | Secure | Medium | Recommended standard |
| SHA-512 | 512-bit (128 hex chars) | Very Secure | Slower | High-value evidence |
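Steps 3 to 5 of the imaging procedure above, as an added example that is not code from the lesson or from Siksha Sarovar: both digests from the hash table are computed in one pass over the evidence (a multi-terabyte drive is read once), the original and the image are compared, and a record for the hash log is returned. The sample "drive" and its copies are constructed in a temporary directory; a copy with a single altered byte fails verification.

```python
import hashlib
import os
import tempfile


def hash_evidence(path, chunk_size=4 * 1024 * 1024):
    """Read the evidence once and feed every chunk to all digests (MD5 + SHA-256)."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(original_path, image_path):
    """Hash the original drive, hash the forensic image, compare.
    Returns (verified, record); the record is the entry for the hash log."""
    original = hash_evidence(original_path)
    image = hash_evidence(image_path)
    record = {
        "original": original,
        "image": image,
        "size_bytes": os.path.getsize(original_path),
        "verified": original == image,
    }
    return record["verified"], record


def demo():
    """Constructed sample: a fake drive, a bit-for-bit copy, and a copy with one
    flipped byte. Returns (good_copy_verified, tampered_copy_verified, record)."""
    evidence = bytes(range(256)) * 64  # 16 KiB of constructed evidence data
    with tempfile.TemporaryDirectory() as tmp:
        orig = os.path.join(tmp, "evidence_drive.bin")
        good = os.path.join(tmp, "image.dd")
        bad = os.path.join(tmp, "image_tampered.dd")
        for path, data in (
            (orig, evidence),
            (good, evidence),
            (bad, evidence[:100] + b"\x00" + evidence[101:]),
        ):
            with open(path, "wb") as fh:
                fh.write(data)
        ok_good, record = verify_image(orig, good)
        ok_bad, _ = verify_image(orig, bad)
    return ok_good, ok_bad, record
```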

---

Phase 4 & 5: Examination and Analysis — Detailed

Examination transforms the raw forensic image into useful data:

  • File system analysis: Recover deleted files (unallocated clusters), parse file system metadata (MFT entries, inodes)
  • Registry analysis: Extract user activity, installed programs, USB history, last run programs (Windows Registry)
  • Browser forensics: History, downloads, bookmarks, cache, saved passwords
  • Email forensics: PST/OST files, webmail cache, sent/received email
  • Log analysis: Windows Event Logs (Security, System, Application), /var/log/* (Linux)

Analysis draws conclusions:

  • Timeline reconstruction: Using all timestamp sources to build a chronological activity timeline
  • Malware analysis: Static (strings, PE headers, hashes) and dynamic (sandbox execution) analysis
  • Network forensics: Reviewing PCAP captures, firewall logs, DNS logs
  • Attribution: Attempting to identify who is responsible

---

Computer Forensics Investigation Process

The investigation process (distinct from the lifecycle) describes the concrete workflow of a single case, step by step:

| Step | Activity | Decision Point | Output |
|---|---|---|---|
| Case Intake | Receive assignment, understand legal context | Civil vs criminal? Internal vs external? | Case file opened |
| Scene Documentation | Photograph and note all devices, connections, states | Devices on/off? Encryption visible? | Scene photos + notes |
| Evidence Seizure | Bag and tag all relevant devices | Follow search warrant scope exactly | Tagged evidence bags |
| Lab Intake | Log into evidence management system | Condition check, tampering signs? | Evidence log entry |
| Forensic Imaging | Create verified forensic copies | Hash verification passed? | Forensic image + hash log |
| Initial Triage | Quick scan for obvious relevant artifacts | Anything immediately visible? | Triage report |
| Deep Examination | Thorough forensic analysis | Follow the evidence | Analysis notes |
| Timeline Construction | Correlate all timestamps | Consistent with alleged events? | Activity timeline |
| Report Writing | Document findings in legally defensible report | Findings support allegation? | Expert forensics report |
| Testimony | Present findings to court or management | Findings withstand cross-examination? | Court decision |

---

OSI 7-Layer Model Applied to Computer Forensics

The OSI (Open Systems Interconnection) model provides a framework for understanding where evidence exists in network communications:

| OSI Layer | Layer Name | Protocol Examples | Forensic Artifacts | Forensic Tools |
|---|---|---|---|---|
| Layer 1 | Physical | Ethernet, Wi-Fi (physical signals) | Cable taps, hardware keystroke loggers, network tap evidence | Physical inspection, spectrum analyzer |
| Layer 2 | Data Link | Ethernet frames, ARP, MAC addresses | MAC address logs, ARP cache (attacker's MAC in victim's ARP table), Wi-Fi probe requests | Wireshark (Layer 2 frames), ARP logs |
| Layer 3 | Network | IP, ICMP, routing protocols | Source/destination IPs, IP packet headers, traceroute results | Wireshark, tcpdump, firewall logs |
| Layer 4 | Transport | TCP, UDP, port numbers | TCP connection logs (source port, destination port, timestamps), session reconstruction | Zeek (Bro), NetFlow, firewall logs |
| Layer 5 | Session | NetBIOS, RPC, SMB session setup | Session establishment logs, authentication attempts, SMB shares accessed | Windows Event Logs, Wireshark SMB dissector |
| Layer 6 | Presentation | SSL/TLS, encoding, encryption | TLS certificate logs, encrypted traffic metadata, protocol fingerprinting | JA3 fingerprinting, TLS inspection logs |
| Layer 7 | Application | HTTP, SMTP, DNS, FTP, SSH | Web access logs, email headers, DNS queries, file transfer logs, command history | Web server logs, Splunk, Elastic |
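Correlating the Layer 3, 4 and 7 artifacts from the table by client address, as an added example that is not code from the lesson or from Siksha Sarovar. The web access log (Layer 7), flow records (Layer 4) and firewall accept lines (Layer 3) are constructed samples using documentation IP ranges; one client's web-server entry is missing, yet its session is still visible in the lower layers, which is exactly what an examiner looks for when application logs have been cleared.

```python
import re
from collections import defaultdict

# Constructed sample logs. Client 198.51.100.7 has no web-server entry, but the
# Layer 3 and Layer 4 records of the same session are still present.
WEB_LOG = [  # Layer 7: Apache/Nginx combined log format
    '192.0.2.44 - - [14/Nov/2023:22:14:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
NETFLOW = [  # Layer 4: one flow record per TCP session (constructed CSV export)
    "2023-11-14T22:14:30Z,192.0.2.44,51234,203.0.113.10,443,TCP,5320",
    "2023-11-14T22:15:01Z,198.51.100.7,40022,203.0.113.10,443,TCP,5242880",
]
FIREWALL = [  # Layer 3: iptables-style accept lines
    "Nov 14 22:14:30 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Nov 14 22:15:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
]

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
FW_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def correlate(web_lines, flow_lines, fw_lines):
    """Group each layer's artifacts by client IP so one key answers WHAT was
    requested (L7), HOW MUCH moved and WHEN (L4), and WHERE it came from (L3)."""
    hosts = defaultdict(lambda: {"layer7": [], "layer4_bytes": 0, "layer4_times": [], "layer3": []})
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            ip, ts, method, path, status, _size = m.groups()
            hosts[ip]["layer7"].append((ts, method, path, int(status)))
    for line in flow_lines:
        ts, src, _sport, _dst, _dport, _proto, nbytes = line.split(",")
        hosts[src]["layer4_bytes"] += int(nbytes)
        hosts[src]["layer4_times"].append(ts)
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, src, dst, proto, dport = m.groups()
            hosts[src]["layer3"].append((ts, dst, proto, int(dport)))
    return dict(hosts)


def clients_without_l7(hosts, min_bytes=1024 * 1024):
    """Clients that moved a lot of data (L4) but have no application-layer record:
    either a non-HTTP channel or a web log that has been cleared."""
    return sorted(ip for ip, h in hosts.items() if not h["layer7"] and h["layer4_bytes"] >= min_bytes)
```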

---

Key Forensic Tools Reference

| Tool | Category | Primary Use | OS | License |
|---|---|---|---|---|
| Autopsy | Disk Forensics | Complete disk forensics, file system analysis, deleted file recovery | Windows, Linux | Free, Open Source |
| FTK Imager | Acquisition | Forensic imaging, hash verification, preview | Windows | Free (Imager), Paid (FTK full) |
| Volatility | Memory Forensics | RAM analysis: processes, network connections, malware detection | Windows, Linux, macOS | Free, Open Source |
| Wireshark | Network Forensics | Packet capture and analysis | All platforms | Free, Open Source |
| EnCase | Enterprise Forensics | Complete investigation platform, e-discovery | Windows | Commercial |
| Cellebrite UFED | Mobile Forensics | iOS and Android data extraction | Windows (hardware) | Commercial |
| Log2Timeline / Plaso | Timeline Analysis | Super-timeline creation from multiple evidence sources | Linux | Free, Open Source |
| Maltego | Link Analysis | Visualize relationships between entities | All platforms | Free (limited), Commercial |

Exam Tip: The six phases of the digital forensics lifecycle are: Identification → Preservation → Collection → Examination → Analysis → Presentation. Remember them in order; they are a very common exam question. Also know that the OSI model's Layer 7 (Application) provides the most forensically rich evidence (email, HTTP, DNS logs), while Layer 1 (Physical) evidence includes hardware keystroke loggers and network taps.

---

Steganography in Forensics

Steganography poses unique forensic challenges:

  • Detection: Analysts use steganalysis tools to detect statistically anomalous images (unusual LSB patterns, unexpected file entropy)
  • Extraction: Tools like Steghide, StegSolve, and SilentEye can extract hidden data from known carrier formats
  • Legal context: In the 2010 Anna Chapman spy ring case (USA), Russian spies used steganography in public website images to transmit instructions, demonstrating that steganography is a genuine operational tradecraft tool, not just an academic curiosity

---

Study Deep: Investigation Process and OSI Forensics

  1. Timeline analysis is the gold standard: Super-timelines — created by tools like log2timeline/Plaso — aggregate timestamps from dozens of evidence sources (filesystem metadata, registry, event logs, browser history, email headers) into a unified chronological view. This enables investigators to reconstruct exactly what happened, in sequence, with second-level precision. Timeline gaps (missing logs) are themselves forensically significant.
  2. The OSI model guides network forensic strategy: When investigating a network intrusion, Layer 7 logs (web server, email) tell you WHAT was requested. Layer 4 logs (NetFlow, firewall) tell you HOW MUCH data moved and WHEN. Layer 3 logs (router syslog) tell you WHERE the traffic came from. Correlating all layers gives a complete picture. Attackers aware of forensics try to delete Layer 7 logs but often forget Layer 3–4 logs.
  3. Malware reverse engineering is a specialized forensic discipline: Analyzing malware found on a forensic image requires both static analysis (IDA Pro, Ghidra disassembly, PE header analysis) and dynamic analysis (running in a sandboxed VM, monitoring system calls with Process Monitor, network activity with Wireshark). CAPA (by Mandiant) automatically identifies malware capabilities from binary code.
  4. Living off the Land evidence is subtle: When attackers use native OS tools (PowerShell, WMI, PsExec), they don't leave malware artifacts. Forensic evidence is in: Windows Event Log ID 4688 (process creation), PowerShell Operational logs, WMI subscription entries, Scheduled Task XML files, Prefetch files (which executables ran and when). These are easy to overlook without systematic examination.
  5. Report writing is as important as analysis: A forensic report that is technically brilliant but incomprehensible to a judge or jury fails its purpose. Forensic reports must: (1) explain complex technical concepts in plain language, (2) distinguish findings (facts) from opinions (interpretations), (3) use exhibits and diagrams, (4) state methodology clearly so it can be independently reproduced, (5) comply with jurisdiction-specific expert witness report requirements.
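A minimal super-timeline in the spirit of point 1 above, as an added example that is not code from the lesson, from Siksha Sarovar or from the Plaso project. Each constructed artifact source keeps time in its own native format (Unix epoch seconds for filesystem metadata, ISO 8601 UTC for the event log, WebKit microseconds since 1601 for Chromium browser history, local time with an offset for a firewall log); all are normalized to UTC before sorting, and periods with no artifacts at all are reported as gaps.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # Chromium history timestamps count microseconds from here

# Constructed sample artifacts, each in the timestamp format its source actually uses.
FILESYSTEM = [("invoice.exe created in Downloads", 1700000000)]                      # Unix epoch seconds
EVENTLOG = [("EID 4688 process created: invoice.exe", "2023-11-14T22:13:25Z")]        # ISO 8601, UTC
BROWSER = [("visited http://example.invalid/invoice", 13344473590000000)]             # WebKit microseconds
FIREWALL = [("outbound 203.0.113.5:443 allowed", "2023-11-15 07:10:00 +0530")]        # local time + offset


def from_webkit(micros):
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def from_local(text):
    # %z keeps the +0530 offset; astimezone(UTC) removes the local-time ambiguity
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(UTC)


def build_timeline():
    """Return [(utc_datetime, source, description)] sorted chronologically."""
    rows = []
    rows += [(datetime.fromtimestamp(ts, UTC), "filesystem", d) for d, ts in FILESYSTEM]
    rows += [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC), "eventlog", d)
             for d, ts in EVENTLOG]
    rows += [(from_webkit(ts), "browser", d) for d, ts in BROWSER]
    rows += [(from_local(ts), "firewall", d) for d, ts in FIREWALL]
    return sorted(rows, key=lambda r: r[0])


def find_gaps(timeline, threshold=timedelta(hours=1)):
    """Stretches longer than `threshold` with no artifact from any source.
    On a busy host such gaps are findings in themselves (cleared logs, a powered-off
    machine, or anti-forensic activity)."""
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(timeline, timeline[1:]):
        if t1 - t0 > threshold:
            gaps.append((t0, t1, t1 - t0))
    return gaps
```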