
CYBER FORENSICS SHAPES SECURITY IN THE DIGITAL WORLD

Cyber forensics is key to detecting, analysing and stopping a cyberattack. Even an innocuous action, such as opening a WhatsApp image that carries malware, can let an infection spread across an entire network. Forensic experts trace the attack back to its source, preserve evidence and analyse the malicious code to understand its impact. Growing cyber threats call for a substantial strengthening of cyber forensics capabilities.

BY DR AMIT DUA, ASSOCIATE PROF, BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE, PILANI, INDIA & FOUNDER OF YET PVT LTD

FOR THE NEWS ANALYTICS JOURNAL


It’s a typical Monday morning. You casually scroll through WhatsApp, half-focused. Amid the usual good morning messages, you tap on a simple image from a colleague. Nothing suspicious, right? Except, this time, you’ve unknowingly unleashed a Trojan. That innocent-looking image was designed to hide malware. It quietly lodges itself in your phone and then, like a digital spy, it moves further. It begins probing your company’s network, creeping from one system to another. You remain unaware until odd signs emerge—an unauthorised login, unfamiliar activity. By then, the damage is done. Confidential data, including financial records and company secrets, may have already been stolen and sent to a remote server. That’s where cyber forensics steps in. With their advanced techniques, experts trace the attack to its origin, uncover how it happened and stop it from spreading.

THE BREACH

Cyberattacks often start with a small action—a click on a link, opening a file or logging into an unfamiliar network. In this case, the attack began with a seemingly harmless WhatsApp message hiding a malicious payload. This technique, called social engineering, manipulates users into unknowingly compromising a system. By the time forensic experts are called in, the attackers usually have a head start and are already lurking deep within the network.

The first task is identification—figuring out how the breach occurred and how widespread it is. This is where tools like Wireshark and Splunk are essential. Wireshark captures and analyses network traffic, identifying anomalies like unusual data spikes or suspicious connections. Splunk combs through system logs to find traces of unauthorised access or unexpected behaviour, giving experts the clues they need to begin the investigation.

CAPTURING DIGITAL EVIDENCE

Once the breach is identified, the affected systems must be preserved so that evidence is not altered or lost. Forensic experts create a forensic image, a bit-for-bit copy of the compromised system, much like freezing a crime scene, so that analysis can proceed without touching the original. Tools like EnCase and FTK image hard drives, memory and mobile devices, capturing the full state of the system for detailed analysis. Two habits make such images legally defensible: the source drive is attached through a write-blocker so nothing on it changes during acquisition, and a cryptographic hash of the image (SHA-256, often recorded alongside MD5 for older tooling) is taken at acquisition time and re-checked before every later analysis, so that the examiner can prove the evidence was not altered. Volatile data such as RAM and active network connections is captured first, while the machine is still running, because it is gone the moment the system is powered off.
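The sealing and re-verification step just described, as an added example that is not part of the original article or of EnCase or FTK. It uses only Python's standard library; the examiner name, tool name, device path and record file name are constructed placeholders, and the "image" is a few kilobytes of made-up bytes rather than a real acquisition.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # stream in 1 MiB pieces: a multi-terabyte image must never be read into RAM at once
ALGORITHMS = ("sha256", "md5")  # SHA-256 is the one that matters; MD5 is kept only because many tools and reports still list it


def hash_stream(chunks, algorithms=ALGORITHMS):
    """Hash an iterable of byte chunks with several algorithms in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(CHUNK), b""), algorithms)


def seal_image(image_path, examiner, tool, source_device):
    """Write the acquisition record (hashes, who, what, when) next to the image.
    This is the digital equivalent of the tamper-evident seal on an evidence bag.
    The '.acquisition.json' suffix is an assumption of this example, not a tool convention."""
    record = {
        "image": os.path.basename(image_path),
        "source_device": source_device,
        "examiner": examiner,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(image_path + ".acquisition.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path):
    """Re-hash the image and compare with the sealed record.
    Returns (ok, mismatches) where mismatches maps algorithm -> (sealed, current)."""
    with open(image_path + ".acquisition.json") as fh:
        record = json.load(fh)
    current = hash_file(image_path)
    mismatches = {
        name: (sealed, current[name])
        for name, sealed in record["hashes"].items()
        if sealed != current[name]
    }
    return (not mismatches, mismatches)


def demo():
    """Constructed walk-through: seal a stand-in image, verify it, flip two bytes, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-sda.dd")
        with open(image, "wb") as fh:
            # Not a real disk image: 4 KiB of zeros, an 'MZ' marker and some random filler.
            fh.write(b"\x00" * 4096 + b"MZ" + os.urandom(2048))
        record = seal_image(image, examiner="A. Examiner",
                            tool="dd through a hardware write-blocker", source_device="/dev/sdb")
        clean_ok, _ = verify_image(image)
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"ZM")  # same length, so a size check would miss it; every hash changes
        tampered_ok, mismatches = verify_image(image)
        return {
            "sealed_sha256": record["hashes"]["sha256"],
            "clean_ok": clean_ok,
            "tampered_ok": tampered_ok,
            "algorithms_disagreeing": sorted(mismatches),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The single-pass design matters in practice: hashing a large image twice (once per algorithm) doubles the acquisition time, and the record is only useful if it is written before anyone opens the image in an analysis tool.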


ANALYZING THE DATA

Now begins the examination—the deep dive into the forensic image. Experts sift through data, examining logs, emails and files for malware signatures—unique traces left by known malware. But not all attacks leave a simple trail. Some use fileless malware, which runs in memory and writes little or nothing to disk, so a disk image alone will not show it. Tools like Volatility analyse a memory capture taken from the running system, revealing the processes, injected code and network connections that were live at the moment of capture and exposing threats that leave no trace on the disk.

Next comes reverse engineering, where forensic experts dissect the malware’s code to understand its behaviour. Tools like Ghidra or IDA Pro allow them to see how the malware exploited vulnerabilities and communicated with its operators. Through this process, forensic teams uncover what data may have been stolen, identify ongoing risks and determine if the attacker still has access to the system.

An essential part of analysing a cyberattack is tracking the Command-and-Control (C2) channel, the link through which malware receives instructions from its operators and sends stolen data out. That traffic is usually encrypted, so network sensors such as Suricata and Snort cannot read its contents; what they can see is its shape: connections to destinations the organisation has never talked to before, TLS handshakes whose server name or certificate looks wrong, and the tell-tale regularity of an implant checking in on a fixed schedule. Isolating these signals lets experts identify the C2 infrastructure and cut off the attacker's access. Identifying the people behind it is a separate and much harder step: C2 servers are typically rented or compromised third-party machines, so an IP address points to infrastructure, not to a person.

BUILDING THE TIMELINE

With the collected evidence, forensic experts create a detailed timeline of the attack. This is essential to understand the full scale of the breach—when the attack started, how long the malware operated, which systems were affected and what data was accessed. Because each source records time in its own format and often in its own time zone, every event is normalised to UTC before it is ordered; a timeline assembled from mixed local times can place the exfiltration before the intrusion that caused it. This timeline not only helps companies gauge the damage but also fulfils legal and regulatory requirements. Many organisations must report breaches, especially when sensitive data is stolen. The timeline serves as the backbone of the investigation, revealing how attackers moved from the initial infection to the final data exfiltration.
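The normalisation step, as an added example that is not part of the article; it serves both the log-correlation work of the identification stage and the timeline described here. Every event, hostname and timestamp is constructed, and the time zone of the offset-less Windows export (IST) is an assumption the example makes explicit.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))   # assumed local time of the server that produced the export

# Constructed evidence from three sources, each in its own native timestamp convention.
EDR_EVENTS = [   # ISO 8601 with an explicit UTC offset
    ("2024-03-04T04:02:10+00:00", "LAPTOP-17: outlook.exe spawned powershell.exe (initial execution)"),
    ("2024-03-04T04:02:41+00:00", "LAPTOP-17: powershell.exe wrote C:\\Users\\Public\\svc.dll"),
]
WINDOWS_EVENTS = [   # exported in the server's local time with no offset recorded
    ("2024-03-04 10:15:33", "FILESRV01: EventID 4624 LogonType 3 user=jdoe from 10.0.0.23 (lateral movement)"),
    ("2024-03-04 10:16:05", "FILESRV01: EventID 5140 share Finance read by 10.0.0.23"),
]
FIREWALL_EVENTS = [  # epoch seconds, which are UTC by definition
    (1709529900, "perimeter: ALLOW 10.0.0.23 -> 203.0.113.45:443 bytes_out=48213760 (exfiltration)"),
]


def build_timeline(windows_tz=IST):
    """Normalise every source to aware UTC datetimes and order them.
    windows_tz is the zone the offset-less Windows export was written in."""
    events = []
    for ts, desc in EDR_EVENTS:
        events.append((datetime.fromisoformat(ts).astimezone(timezone.utc), "edr", desc))
    for ts, desc in WINDOWS_EVENTS:
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=windows_tz)
        events.append((local.astimezone(timezone.utc), "windows", desc))
    for ts, desc in FIREWALL_EVENTS:
        events.append((datetime.fromtimestamp(ts, tz=timezone.utc), "firewall", desc))
    events.sort(key=lambda e: e[0])
    return events


def pitfall_timeline():
    """What you get by taking the offset-less export at face value as UTC."""
    return build_timeline(windows_tz=timezone.utc)


def dwell_time(timeline):
    """Time from the earliest to the latest recorded event (first execution to exfiltration here)."""
    return timeline[-1][0] - timeline[0][0]


def render(timeline):
    return "\n".join(f"{when.isoformat()}  {source:<8}  {desc}" for when, source, desc in timeline)


if __name__ == "__main__":
    correct = build_timeline()
    print(render(correct))
    print("dwell:", dwell_time(correct))
    # The pitfall: the lateral movement now sorts after the exfiltration, which is impossible.
    print(render(pitfall_timeline()))
```

Run as a script it prints the correct order (execution, lateral movement, exfiltration, 1 h 22 min 50 s end to end) and then the misordered version, where the 10:15 local-time logon appears five hours after the exfiltration it actually preceded.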

REPORTING THE FINDINGS

The final step is reporting. Forensic experts document every stage of the investigation, from detection to analysis. This report is critical for both internal reviews and legal proceedings. In India, the Information Technology Act (2000) gives electronic records legal standing; in practice, for a forensic report to be admissible, the electronic records it relies on need the certificate required by Section 65B of the Indian Evidence Act (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023), and the images behind it need a documented chain of custody with matching acquisition and verification hashes. If legal action follows, forensic experts may testify, presenting their findings and detailing how they traced the attack back to its source. Beyond legal needs, these reports help organisations learn from the breach and implement stronger security measures, like better employee training and tighter firewall rules.

Stage: Identification
  What it does: Detects that a breach has occurred by monitoring and analysing network and system logs
  Tools used: Wireshark (network traffic analysis), Splunk (log analysis), SIEM (Security Information and Event Management) tools

Stage: Preservation
  What it does: Freezes the digital crime scene by creating forensic images to prevent evidence alteration
  Tools used: EnCase (forensic imaging), FTK (Forensic Toolkit), X-Ways Forensics (disk imaging)

Stage: Collection
  What it does: Gathers digital evidence, including deleted files, logs and active memory snapshots
  Tools used: FTK (file recovery and disk analysis), Volatility (memory analysis), Magnet AXIOM (mobile and cloud evidence collection)

Stage: Examination
  What it does: Analyses collected evidence, such as logs, network traffic and malware signatures, for malicious activity
  Tools used: Volatility (memory forensics), X-Ways Forensics (disk and file analysis), Wireshark (network traffic analysis), Splunk (log analysis), YARA (malware signature matching)

Stage: Analysis
  What it does: Breaks down the malware or attack strategy using reverse engineering and forensic tools
  Tools used: Ghidra, IDA Pro (reverse engineering), Suricata, Snort (network intrusion detection for command-and-control analysis), Autopsy (file system analysis)

Stage: Reporting
  What it does: Creates a detailed report documenting findings, timelines and recommendations for legal use
  Tools used: FTK (report generation), Autopsy (case management and documentation), The Sleuth Kit (the command-line file system tools underlying Autopsy)

Stage: Incident Response
  What it does: Takes action based on findings, including remediation, blocking command-and-control channels and legal action
  Tools used: Suricata, Snort (for blocking C2 channels), endpoint protection tools, reporting tools for legal proceedings, Splunk (real-time monitoring and alerting)

Table 1: Stages of Cyber Forensics


THE KUDANKULAM CYBERATTACK

India has faced numerous cyberattacks on critical infrastructure, most prominently the 2019 breach at the Kudankulam Nuclear Power Plant, which the Nuclear Power Corporation of India (NPCIL) confirmed in October 2019. The attack targeted a key energy facility: the malware recovered from the plant's internet-facing administrative network was identified by researchers as DTrack, an implant built to harvest and steal information, and NPCIL stated that this network is isolated from the plant's control systems. Forensic experts were tasked with identifying the malware, creating forensic images and tracing the attackers through their C2 communications. Their investigation showed the hallmarks of an Advanced Persistent Threat (APT): the attackers had been inside the network well before detection. Forensic work contained the incident, the infection never reached the control systems and no severe damage occurred, but it underscored the growing risks to India's critical infrastructure.

For organisations, the takeaway is simple: cyber forensics is critical after a breach, but prevention is the strongest defence. Here are key steps to improve cybersecurity:

  • Deploy SIEM Tools: Security Information and Event Management systems, like Splunk, monitor network activity in real-time to catch potential breaches early.
  • Train Employees Regularly: Social engineering attacks often succeed due to human error. Frequent training helps staff recognise suspicious messages and phishing attempts.
  • Schedule Regular Audits: Conduct security audits to identify vulnerabilities before attackers can exploit them.
  • Create An Incident Response Plan: Time is critical during a breach. Having a clear response plan ensures quick, coordinated action when an attack occurs.
Tool: EnCase
  Function: Creates forensic images of compromised systems, preserving all data for later analysis
  Resource: https://www.opentext.com/products/encase-forensic

Tool: FTK (Forensic Toolkit)
  Function: Recovers deleted files, scans hard drives and extracts digital evidence
  Resource: https://www.exterro.com/digital-forensics-software/forensic-toolkit

Tool: Wireshark
  Function: Captures and analyses network traffic to spot unusual activity
  Resource: https://www.wireshark.org/

Tool: Splunk
  Function: Scans and analyses system logs to detect unauthorised access or suspicious behaviour
  Resource: https://www.splunk.com/

Tool: Volatility
  Function: Specialises in memory forensics, allowing experts to analyse running processes in a system's RAM
  Resource: https://www.volatilityfoundation.org/

Tool: Ghidra
  Function: Reverse engineering tool to break down malware code and understand how it operates
  Resource: https://ghidra-sre.org/

Tool: IDA Pro
  Function: Reverse engineering tool used for in-depth malware analysis
  Resource: https://www.hex-rays.com

Tool: Suricata
  Function: Network Intrusion Detection System (NIDS) that monitors traffic for signs of attack and C2 communications
  Resource: https://suricata.io/

Tool: Snort
  Function: Network Intrusion Detection System (NIDS) to detect suspicious traffic and potential breaches
  Resource: https://www.snort.org/

Tool: Magnet AXIOM
  Function: Gathers and analyses evidence from mobile devices, cloud services and hard drives
  Resource: https://www.magnetforensics.com/products/magnet-axiom/

Tool: X-Ways Forensics
  Function: Forensic tool used for disk imaging, file recovery and analysis
  Resource: https://www.x-ways.net/forensics/

Tool: Autopsy
  Function: Open-source forensic tool for file system and disk analysis, often used for case management
  Resource: https://www.sleuthkit.org/autopsy/

Tool: YARA
  Function: A tool for malware signature matching, helping to identify malicious files or behaviour patterns
  Resource: https://yara.readthedocs.io/

Tool: The Sleuth Kit
  Function: A collection of command-line tools for forensic analysis of file systems
  Resource: https://www.sleuthkit.org/


Table 2: Forensic Tools and Their Functions

Cyber forensics is a field of constant vigilance, where experts trace the unseen actions of attackers and work to shield organizations from potentially devastating breaches. A single click—like a WhatsApp message—can spiral into a large-scale security crisis. But with the power of cyber forensics, these incidents can be detected, analyzed, and neutralized.
In a rapidly digitizing country like India, the need for robust cyber forensics is greater than ever. Whether safeguarding government data or securing financial systems, forensic experts are the last defence in an increasingly interconnected, yet vulnerable, world.
Cyber forensics isn’t just about solving digital crimes; it’s about protecting the future of our digital landscape, one investigation at a time.

(Dr Amit Dua is an Associate Professor at BITS, Pilani and Founder of YET Pvt. Ltd. He is a TEDx speaker and the author of books on Blockchain Technology and Zero-Knowledge Proofs. The views expressed are of the author and do not necessarily reflect the views of The News Analytics Journal.)
