CYBER FORENSICS UNIT - 3

📌 Forensic Analysis
Meaning:​
A detailed process of detecting, investigating, and documenting the reasons,
course, and results of a security incident or law violation.

🔸 Key Points:
1️⃣ It identifies and examines crimes.​
2️⃣ Helps in understanding how and why the incident happened.​
3️⃣ Documents the findings for legal and organizational use.​
4️⃣ Often used as evidence in court hearings and criminal investigations.​
5️⃣ Involves a wide range of tools, technologies, and investigative methods.​
6️⃣ Forensic experts collect evidence from electronic devices like computers,

📌 Forensic Validation
mobiles, servers, etc.

Meaning:​
A process of confirming through examination and evidence that a forensic tool,
procedure works correctly and as intended.

🔸 Key Points:
1️⃣ Ensures the accuracy and reliability of forensic tools and methods.​
2️⃣ One of the most important steps in digital forensics.​
3️⃣ Validates the integrity and authenticity of collected digital evidence.​
4️⃣ Prevents evidence tampering and errors during analysis.​
5️⃣ Essential for ensuring that evidence is legally acceptable in court.
 📌 Determining What Data to Collect
and Analyze
🔶 Meaning:​
It involves deciding which digital data is important to recover and examine,
depending on the type of case and legal limits.

Type of Case:

●​ Criminal Case:​
Only collect the data mentioned in the search warrant.​
(Example: Files or messages related to the crime.)
●​ Civil Case:​
Data is limited by court discovery orders.​
(Example: Only documents requested by court.)
●​ Corporate Case:​
Check for policy violations like misuse of email or files.​
(Example: Searching only emails of one employee.)

What is Scope Creep?

🔶 Meaning:​
When an investigation grows bigger than planned because new or unexpected evidence
is found.

Why Scope Creep Happens:

●​ New evidence is discovered during the investigation.

●​ Lawyers ask to check other areas for more proof.
●​ Criminal cases need more detailed checking before trial.
●​ Defense lawyers have the right to see all evidence, which may reveal new things

Effect of Scope Creep:

●​ Increases the time, effort, and resources needed.

●​ Delays the investigation process.
●​ Makes the investigation more complicated.

Factors Affecting Digital Evidence Analysis:

1️⃣ Nature of the Case​

2️⃣ Amount of Data to Process​
3️⃣ Search Warrants and Court Orders​
4️⃣ Company Policies

👉 Scope creep occurs when the investigation grows bigger than planned,
increasing workload but sometimes uncovering important evidence.

Using Access Data Forensic Toolkit (FTK) to Analyze Data

🔸 What is FTK?
●​ A tool used in computer forensics to check and analyze data from
computers, drives, and image files.

🔸 FTK Can Work With:

●​ Microsoft FAT12, FAT16, FAT32 file systems
●​ Microsoft NTFS file systems (Windows NT, 2000, XP, Vista)
●​ Linux Ext2fs and Ext3fs file systems

🔸 What Data Can FTK Analyze?

●​ Complete evidence drives
●​ Selected parts of a drive
●​ Image files from other forensic tools
●​ Large data from many sources combined on one drive

🔸 Case Log File:

●​ FTK makes a case log to record:
○​ Searches you do
○​ Data you extract
●​ Helpful for keeping track of your work and reporting errors
●​ You can also turn this feature off if not needed

🔸 Keyword Search Options in FTK:

1️⃣ Indexed Search:

●​ Catalogs all words on the evidence drive

●​ Fast search results after indexing is complete

🔸
●​ Limitations:​

🔸
Cannot search for hexadecimal string values​

🔸
Some words might be missed if not properly indexed​
Indexing can take several hours (best done overnight)​
 2️⃣ Live Search:

●​ Directly searches the evidence drive without prior indexing

🔸
●​ Can find:​

🔸
Text hidden in unallocated space​

🔸
Alphanumeric and hexadecimal values​
Specific items like phone numbers, credit card numbers, Social Security
numbers
●​ Allows right-clicking a search hit to bookmark it for inclusion in the final
report

📌 Topic 📖 Meaning / Key Points

Determining What Data to Deciding which digital data is important to recover, based on the case type
Collect & Analyze and legal rules.

🔹 Criminal Case Collect data only mentioned in search warrant (e.g. crime-related
files/messages).

🔹 Civil Case Data limited by court discovery orders (e.g. requested documents).

🔹 Corporate Case Look for policy violations (e.g. emails of a specific employee).

Scope Creep Investigation grows bigger than planned because of new or unexpected
evidence.

🔹 Why It Happens New evidence found, lawyer requests, criminal case needs, defense
lawyer rights.

🔹 Effects Increases time, effort, resources, delays investigation, makes it complex.

Factors Affecting Evidence 1️⃣ Nature of the case
Analysis
2️⃣ Amount of data

3️⃣ Legal orders

4️⃣ Company policies

What is FTK? A forensic tool to analyze data from computers, drives, and image files.

FTK Can Work With 1.​ FAT12, FAT16, FAT32,

2.​ NTFS (Windows NT, 2000, XP, Vista),
3.​ Linux Ext2fs, Ext3fs

Data FTK Can Analyze 1.​ Entire drives,

2.​ selected data parts,
3.​ image files from other tools,
4.​ combined large data

Case Log File in FTK Keeps record of searches & data extractions. Helpful for tracking work.
Can turn off if needed.

FTK Keyword Search Options 1️⃣ Indexed Search (fast after cataloging words, but limited, takes time to
index)

2️⃣ Live Search (direct, finds hidden text & hex values, bookmark hits)
 📌 Validating Forensic Data
🔶 Meaning:
●​ In computer forensics, it’s very important to check that the digital evidence
collected is original, unchanged, and reliable.
●​ This is called validating forensic data and it ensures that the evidence can
be safely presented in court without being questioned.

🔶 How Validation is Done:

●​ Most computer forensic tools (like ProDiscover, X-Ways, FTK, EnCase)
perform automated hashing when a disk image is created and when it is
opened for analysis.
●​ A hash value (like MD5 or SHA) is a unique digital fingerprint for a file.
●​ If two hash values match, the file has not been altered. If they don’t, it means
the data has changed.

📌 Hash Value Comparison 📖 Meaning 📊 Conclusion

Hash values match The hash value before and after ✅ File is unchanged (original)
matches exactly

Hash values do not match The hash value before and after ❌ File has been altered
is different

🔶 Example:
●​ In ProDiscover, when you load an image file, it automatically calculates a
hash and compares it to the original value.
●​ A message box called “Auto Image Checksum Verification” appears to
confirm the integrity.

🔶 Limitations of Forensic Tools:

●​ Most tools can only hash entire images, not individual files or sectors.
●​ That’s why learning hexadecimal editors is important for more advanced and
detailed validation.
 Validating with Hexadecimal Editors

🔸 Advanced hexadecimal editors (like Hex Workshop) provide extra features:

●​ Can hash individual files or disk sectors.
●​ Faster and more flexible than standard forensic tools.

🔸 Why Important:
●​ Useful when trying to locate a suspicious file, like a contraband image.
●​ Even if someone renames a file, its hash value remains the same if content
is unchanged.

🔸 How It Helps:
●​ With the known hash value of illegal/sensitive files, investigators can quickly
search and match files, even if renamed.
●​ Hex editors can do this faster and allow more control than basic forensic
software.

✅ In Short:
●​ Validation = Check evidence integrity using hash values
●​ Hash match = file unchanged | Hash mismatch = file altered
●​ Hex editors are useful for advanced validation of specific files or sectors
 Data Hiding Techniques:-
🔶 Meaning:
●​ In digital forensics, criminals may use various techniques to hide data on
computers and drives.
●​ These techniques make evidence harder to find during investigation

🔶 Common Data-Hiding Techniques:

1️⃣ Hiding Partitions

How Partitions Are Hidden

1️⃣ Using a Disk Editor (e.g. Norton Disk Edit):

●​ Create a partition.
●​ Manually delete its reference from the partition table using the disk editor.
●​ The partition disappears from the system.
●​ To access it again, edit the partition table to recreate the link. When the system
restarts, the hidden partition will reappear

How to Detect Hidden Partitions (During Forensic

Analysis)
●​ When examining an evidence drive:
○​ Check total disk space available vs space used by visible partitions.
○​ If there’s unaccounted disk space, it could be a hidden or deleted partition.

Example Scenario
●​ Disk Manager shows:
○​ An extended partition (EXT DOS) of 5381.1 MB.
○​ Two logical partitions inside it (Drive E + F) totaling only 5271.3 MB.
○​ Difference = 109.8 MB — this could be:
■​ A previously deleted partition
■​ Or a hidden partition

Clue:

●​ Some systems may mark hidden partitions with a letter like ‘H’ in partition tables.

What is a Partition Gap?

 ●​ When a hard disk is divided into partitions (like C: D: E: drives), the system leaves a
small empty space (called a gap) between these partitions.
●​ This gap is measured in sectors (a small unit of storage on a disk).

Detection:

●​ Check total disk space vs visible partitions.

●​ If there’s unaccounted space, it could be a hidden partition
●​ Example: Windows 2000/XP standard partition gap is 63 sectors, Vista is 128
sectors. If the gap is bigger, it’s suspicious.

2️⃣ Marking Bad Clusters

●​ A cluster is the smallest unit of storage on a disk used to store files.

●​ Example: One file might be saved in 2 or 3 clusters.
●​ Sometimes, a part of the hard disk becomes damaged or corrupted.
●​ This damaged area is called a bad cluster.
●​ The operating system (OS) marks these clusters as "bad" and never
uses them for storing data, to avoid errors.
●​ In FAT file systems, users can mark good clusters as bad using a disk
editor
●​ The operating system then ignores those clusters.
●​ Hidden data can be stored in these “bad” clusters.

Detection:

●​ By checking all clusters using disk editors and forensic tools, you can identify
unusual marked areas.

3️⃣ Bit-Shifting

●​ This technique rearranges bits within a file, making it unreadable to text

editors or forensic software.
●​ Done using programs written in assembly language or macros.

Working:

●​ A program shifts bits of a file to the left or right, scrambling it.

●​ Another program is needed to restore the file to its original form.

Example Exercise:

●​ Create a file called Bit_shift.txt in Notepad.

●​ Open it in Hex Workshop (a hexadecimal editor).
●​ Use the Shift Left (<<) operation to move bits.
●​ Save the new file as Bit_shift_left.txt.
 ●​ The file content will now appear as unreadable symbols like @ indicating
shifted bits.

4️⃣ Steganography
🔶 Meaning:
●​ Technique of hiding secret data inside other normal-looking files like
images, audio, video, or documents.
●​ It hides the existence of data, not just its content.

🔶 Example:
●​ A text file hidden inside a JPEG image.

🔶 Detection:
●​ Use steganography detection tools like StegSpy, Stegdetect.
●​ Check for unusual file sizes or hidden data sections in media files.

5️⃣ Encryption
🔶 Meaning:
●​ Process of converting data into unreadable form using a secret key or
password.
●​ Only authorized users can decrypt and access the data.

🔶 Example:
●​ A folder encrypted with a password or encryption software like BitLocker.

🔶 Detection:
●​ Identify encrypted files using forensic tools (FTK, EnCase).
●​ Check for password-protected files or encrypted volumes.
●​ Attempt to recover passwords or keys from system memory or config files.
📌 Topic 📖 Meaning / Key Point 📊 Detection / Note
Validating Forensic Ensuring evidence is original, Use hash values (MD5, SHA) to
Data unchanged, reliable before court use. check.

Hash Match Hash before & after same → ✅ File Evidence valid.
unchanged

Hash Mismatch Hash before & after different → ❌ Investigate further.

File altered

ProDiscover Example Shows Auto Image Checksum Confirms data integrity.

Verification when loading image.

Forensic Tool Can hash full images only, not Use Hexadecimal Editors for
Limitation individual files/sectors. detailed check.

Hiding Partitions Create partition, delete its reference to Check total disk space vs visible
hide it. partitions

Partition Gap Small empty space between partitions If gap bigger → possible hidden
(Windows 2000/XP: 63 sectors, Vista: data
128 sectors).

Marking Bad Clusters Mark good clusters as bad using disk Use disk editor to scan all clusters.
editor, then hide data there.
 Performing Remote Acquisitions
🔶 Meaning:
●​ A technique used in digital forensics to create a forensic image of a
computer’s hard drive remotely (from a different location).
●​ Useful when:
○​ The computer is far away.
○​ You want to acquire data without alerting the suspect.
○​ It helps save time, effort, and travel costs.

Remote Acquisitions using Runtime Software

🔶 Tools Provided by Runtime Software:​
1️⃣ DiskExplorer for FAT — For drives using the FAT file system.​
2️⃣ DiskExplorer for NTFS — For drives using the NTFS file system.​
3️⃣ HDHOST — A remote access tool that connects two computers over a network.

Preparing for Remote Acquisition

🔸 Requirements:
●​ Runtime Software tools installed.
●​ A portable media device (like USB drive or floppy disk).
●​ Two computers connected to the same network (preferably via the same
hub or router).

Making a Remote Connection

🔸 Steps:​
1️⃣ Run HDHOST on the suspect’s computer.​
2️⃣ Conditions for HDHOST:

●​ Computer must be powered on.

●​ Connected to the network.
●​ Logged into any user account with permission to run non-installed programs.
●​ Note: HDHOST cannot be run secretly without the user knowing.

3️⃣ Use DiskExplorer on the investigator’s machine to establish a connection with

HDHOST.
Performing Remote Acquisition
🔸 After Connection is Established:
●​ Investigator can navigate through suspect’s files and folders.
●​ Can copy data and create image files.

🔸 Important Note:
●​ Runtime Software tools do not automatically generate hash values for
the acquired data
●​ Hashing must be done separately to verify data integrity.

Network Forensics Overview

🔶 Meaning:
●​ It is the process of collecting, recording, and analyzing raw network data
to trace how a network attack or event happened.
●​ Helps to track down attackers, identify vulnerabilities, and understand how
incidents occur.

Importance of Network Forensics

●​ Network attacks are increasing rapidly in today’s connected world.
●​ High demand for skilled network forensic specialists in law enforcement,
legal firms, corporations, and universities.
●​ Helps to determine whether a network issue is caused by an attack or an
accidental error (like an untested patch or buggy program).
●​ Detecting abnormal network traffic patterns can help identify attacks or
disruptions quickly.

Responsibilities of a Network Forensics Examiner

●​ Must follow standard procedures to collect and analyze network data after
an attack.
●​ Work with network administrators to:
○​ Find affected machines.
○​ Isolate them from the network.
○​ Restore them as quickly as possible to minimize downtime.
Securing a Network (Before an Attack Happens)
●​ Network forensics is reactive (after an incident), but networks should also
be proactively secured to reduce risks.

NSA’s Defense-in-Depth (DiD) Strategy

A layered approach to network protection using three modes of protection:

1️⃣ People

●​ Hire qualified, well-trained staff.

●​ Ensure all employees follow the organization’s security policies and
procedures.

2️⃣ Technology

●​ Build a strong, secure network architecture.

●​ Use reliable tools like firewalls, Intrusion Detection Systems (IDS), and
Intrusion Prevention Systems (IPS).

3️⃣ Operations

●​ Focus on day-to-day security practices.

●​ Regularly update patches, antivirus software, and operating systems.

📌 Performing Live Acquisitions

●​ Maintain routine checks and monitoring for potential vulnerabilities.

🔶 Meaning:
●​ A live acquisition is done while the suspect system is still running, before
shutting it down.
●​ Important because some valuable evidence may only exist temporarily in
RAM, running processes, or active network connections.
●​ Example: Some malware hides in memory and disappears after a system
restart.

Why Live Acquisitions Are Needed

●​ Certain data like RAM contents, open files, or active network connections
exist only when the system is running.
●​ If the system is powered off, this volatile data is lost forever.
●​ Malware or rootkits may only exist in active memory.
 ●​ Helps preserve temporary evidence during an investigation.

Order of Volatility (OOV)

●​ Order of Volatility means how quickly different types of data are lost when a
system is turned off.
●​ Example of data lifespan:
○​ RAM, CPU cache, running processes — lost in milliseconds.
○​ Network connections — lost immediately after shutdown.
○​ Hard disk files — may last for years.

General Procedure for Live Acquisition

1️⃣ Prepare a Bootable Forensic CD

●​ Create or download a bootable forensic CD.

●​ Test it before using it on a suspect system.
●​ If remote access is possible, connect through the network.

2️⃣ Maintain a Log

●​ Keep a detailed log of every action performed and the reason for each
action.

3️⃣ Select a Storage Location

●​ Ideally, use a network drive to store collected data.

●​ If unavailable, connect a USB thumb drive to the suspect system.
●​ Record this step in your log.

4️⃣ Capture Physical Memory (RAM)

●​ Use memory acquisition tools to copy the RAM contents.

●​ Tools include:​

○​ Microsoft built-in tools

○​ memfetch (for Unix systems)
○​ BackTrack (Linux live CD with forensic tools)​

5️⃣ Proceed with Further Acquisition Steps

●​ Depending on the case, capture network connections, running processes,

clipboard contents, etc.
 Developing Standard Procedures for
Network Forensics
🔶 Meaning:
●​ Network forensics is the process of monitoring, collecting, and analyzing
network traffic to investigate attacks, intrusions, or unusual activities.
●​ It helps trace how an attack was carried out, identify affected systems, and
gather evidence before it disappears.

Standard Procedure for Network Forensics

1️⃣ Use a Standard Installation Image

●​ All computers on a network should be installed using a standard installation

image containing approved operating systems and applications.
●​ This makes it easy to later compare system files and identify any
unauthorized files or malicious modifications.
●​ Maintain hash values (like MD5, SHA-1) of all original OS and application
files for comparison during investigations.

2️⃣ Fix Vulnerabilities Immediately

●​ As soon as an intrusion is detected, immediately patch the security hole or

vulnerability used by attackers.
●​ This prevents other hackers from exploiting the same weakness and protects
the remaining systems.
●​ Quick action is essential to minimize damage and avoid multiple
simultaneous attacks.

3️⃣ Retrieve Volatile Data First (Live Acquisition)

●​ Volatile data like RAM content, running processes, and active network
connections exists only while the system is powered on.
●​ Before turning off the system, perform a live acquisition to capture this
critical data.
●​ This information can reveal active malware, open network sessions, and data
in memory that would be lost after shutdown.

4️⃣ Acquire and Image the Compromised Drive

●​ Make a forensic image of the entire hard disk from the affected system.
 ●​ This image is an exact copy of the data at the time of acquisition, preserving
important evidence.
●​ Investigators can safely analyze the image without risking changes to the
original evidence.

5️⃣ Compare with Original Installation Image

●​ Use forensic tools to compare hash values of system files and

applications from the forensic image with those from the standard installation
image.
●​ Any differences indicate files that have been altered, replaced, or infected by
malicious programs.
●​ This helps locate the source and nature of the attack.

6️⃣ Restore Image for Testing if Needed

●​ In some cases, it’s necessary to restore the forensic image to a separate

physical drive to run and observe malware behavior in a controlled
environment.
●​ This allows forensic experts to understand how the malware operates,
what data it accesses, and how it communicates over the network.

Example Case:
●​ Attackers might upload a Trojan program to gain remote control of a
system.
●​ Later, they install a rootkit to hide their presence and monitor system
activities.
●​ Through network forensics, investigators can detect unusual network traffic,

📌 Using Network Tools

retrieve volatile data, and track down these malicious tools.

🔶 Meaning:
●​ In network forensics and administration, various tools are used to monitor,
control, and investigate network-connected systems.​

●​ These tools help in detecting suspicious activity, monitoring system

processes, performing remote shutdowns, and much more.​
Sysinternals Suite
🔶 What is it?
●​ Sysinternals is a collection of free Windows system tools developed by
Mark Russinovich and Bryce Cogswell, later acquired by Microsoft.
●​ These tools are widely used for troubleshooting, monitoring, and
analyzing system behavior in real-time.

Common Sysinternals Tools

1️⃣ RegMon

●​ Displays Registry activity in real-time.

●​ Helps track changes made by programs to the Windows Registry.

2️⃣ Process Explorer

●​ Shows detailed information about active processes, files, and Registry

keys loaded at a given moment.
●​ Useful for identifying unknown or suspicious processes.

3️⃣ Handle

●​ Displays which files are currently open and which processes are using
those files
●​ Helps find processes that lock specific files.

4️⃣ Filemon

●​ Monitors file system activity in real-time.

●​ Detects when files are created, read, written, or deleted.

What is PsTools?
●​ A set of command-line tools (text-based) for managing computers on a
network.
●​ Helps in remote control, monitoring, and process management
📌 Tool Name 📖 Use
PsExec Runs programs on remote computers.

PsGetSid Shows user or computer security IDs (SID).

PsKill Stops (kills) running processes.

PsList Lists details of all running processes.

PsLoggedOn Shows who is currently logged in.

PsPasswd Changes user passwords remotely.

PsService Manages Windows services.

PsShutdown Shuts down or restarts computers remotely.

PsSuspend Pauses (suspends) a process.

📌 Quick Recap
✅ Sysinternals = Free Windows tools to check and monitor computers.​
✅ PsTools = Set of tools for managing systems remotely using simple commands.​
✅ Useful for network administrators, security experts, and forensic
investigators.
 Honeynet Project
🔸 Meaning:
●​ The Honeynet Project is an international, non-profit research
organization started in 1999
●​ Its purpose is to study cyber-attacks and hackers safely, without risking
real systems.

📌 What is a Honeynet?
●​ A honeynet is a fake network designed to look like a real one.
●​ It is created using honeypots, which are fake computers or servers made
to appear valuable.
●​ Hackers are tricked into attacking this fake setup, while their actions are
carefully monitored and recorded.
●​ This helps researchers learn how attacks happen and how to defend against
them in real systems.

📌 Objectives of the Honeynet Project

1️⃣ Research:

●​ Study attack techniques, tools, methods, and trends used by hackers.

2️⃣ Education:

●​ Share the knowledge gained from honeynets with security professionals,

students, and the public.
●​ Raise awareness about cybersecurity threats.

3️⃣ Open-Source Tools:

●​ Develop and distribute free security tools for detecting, analyzing, and
responding to cyber-attacks.

4️⃣ Collaboration:

●​ Work with security experts, organizations, and researchers worldwide to

improve cybersecurity knowledge and defenses.

📌 How Does It Work?

●​ A honeynet mimics a real network with fake servers, data, and applications.
 ●​ Hackers are fooled into attacking the honeynet instead of a real system.
●​ Their actions are secretly monitored using tools like:
○​ Sebek → captures keystrokes.
○​ Honeywall → controls and monitors network traffic to and from the
honeynet.
●​ No real harm is done, but valuable information about attack patterns and
weaknesses is collected.

📌 Example Use Case

●​ A company creates a virtual honeynet with fake websites and services.
●​ A hacker breaks in and tries to steal data or plant malware.
●​ Every action is logged and recorded by forensic tools.
●​ Later, the company analyzes the hacker’s methods and strengthens their
real network by fixing the same weaknesses.​

Quick Recap
✅ Honeynet Project → Studies hackers safely using fake networks.​
✅ Uses honeynets and honeypots to observe attack methods.​
✅ Main goals → Research, Education, Free Tools, Collaboration.​
✅ Helps improve real-world cybersecurity by learning from attackers without
risk.