top of page

Forensics: How to guide?

Updated: Aug 20, 2022

Cyber Security Forensics: Know all about restoring deleted files and evidence of execution.

C-DAC, The institution, which has developed a number of cyber forensic tools such as True Back, Cyber Check, Email Tracer, Cyber Investigator, Hasher and PDA Analyzer has proved the robustness of its tools used for probing cyber crimes.

Union Minister Raja said government had taken steps to amend the IT Act so that information collected using Cyber Forensic Tools developed by C-DAC would be considered as solid evidence in any court of law in the country. As of now, courts do not accept such information as evidence. The amendment would be brought in the next Parliament session.

TIP #1 :CyberCheck: Disk Forensics Tool

Cybercheck is a Windows-based application, which allows law enforcement agencies to analyze hard disk content, including deleted files.

CyberCheck supports data indexing. The text data in different document file formats can be indexed. This index-based search gives faster results compared to conventional search. The search facility of CyberCheck supports adding multiple keywords, regular expression and fuzzy options with filtering based on date and file size. CyberCheck has Unicode based searching to find data in any languages, search based on file hash values and search based on filename with wildcard options.

Other Features

  • Web browser based user interface.

  • Multiuser solution with multiple case analysis option.

  • Registry Analysis.

  • Sophisticated data carving facility to carve documents, images, audio and video.

  • Disk Indexing with stop and resume options.

  • Browser analysis feature for extracting forensically relevant information from Google Chrome, Firefox, Safari and Opera.

  • Communication App analyser for Microsoft Windows 10.

  • Shell bag Analysis & Anti Forensic activities detection like Signatures Mismatch analysis and password protected files detection.

  • Advanced Timeline Analysis with multiple event options.

  • Known good file filtering using NSRL dataset.

  • Document language detection.

  • Recycle bin data extraction.

  • Recover images from thumbnail database.

  • Evidence hash verification using MD5, SHA1, SHA256 and SHA512 algorithms

  • Can convert proprietary evidence file formats to raw image.

  • Integrated viewer for file content, Meta information, pictures and file hex-values.

  • Integrated Gallery view for viewing all pictures in the evidence.

  • File hash computation in MD5, SHA1, SHA256 and SHA512 algorithms

  • File bookmarking and bulk file export.


Tip #2: Win-LiFTImagerBuilder (Tool for building Win-LiFTImager)

Win-LiFT Imager Builder, which runs in the Investigator's machine, builds Win-LiFTImager tool.


  • Facility to enter crime details

  • Facility to select / deselect the list of volatile artifacts to be collected from the Suspect's system

Win-LiFTImager (Forensic Volatile Data Acquisition Tool)

Facility to select USB/Hard Disk drive to which Win-LiFTImager tool is to be built

Searching and Filtering

Searching and filtering helps to reach analyst's goals faster. Flexible filter expressions are provided for packet level analysis and for data level analysis. The data level filtering supports filtering based on date, time, IP, MAC and port. The regular expression based searching gives the analyst the full power that he expects from a tool.


  • Analyze the Live Forensics data captured by Win-LiFTImager from the Suspect's machine

  • Advanced Memory Analysis from Windows XP and Windows 7 Physical Memory dump to extract the following forensically sound information

  1. Running Process and its associated details

  2. Process Reconstruction

  3. Bitlocker Key Reconstruction

  4. Internet usage based Information

  5. MFT Records

  6. Executable Reconstruction

  • Structural Analysis of Reconstructed Executables

  • Forensic Data Carving

  • Event Log Analysis

  • Browser Forensics of IE, Edge, Chrome, Firefox, Mozilla and Safari

  • Keyword Searching facility

  • Detailed Report Generation

  • Bookmarking and appending to Report facility

  • Facility to save and print Report

  • Independent Loading and analysis of Memory dump

  • Hash Verification of acquired information

Other Features