
SNIST Cybersecurity Unit - 2

Computer forensics is the process of preserving, identifying, extracting, documenting, and interpreting computer media for legal evidence and analysis of computer crimes. It encompasses various activities such as recovering deleted files, monitoring live activity, and investigating corporate policy violations, with applications in criminal prosecution, civil litigation, and corporate investigations. The document also outlines the history, challenges, tools, and phases involved in digital forensics, emphasizing the importance of maintaining evidence integrity and following systematic procedures.

Uploaded by

pottinithin0

Cyber Forensics UNIT II

Definition
What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis.
Evidence might be required for a wide range of computer crimes and misuses.
Multiple methods of:
 Discovering data on a computer system
 Recovering deleted, encrypted, or damaged file information
 Monitoring live activity
 Detecting violations of corporate policy
Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.
Definition (cont)
What Constitutes Digital Evidence?
Any information, whether or not it has been subject to human intervention, that can be extracted from a computer.
Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
Computer Forensics Examples
 Recovering thousands of deleted e-mails
 Performing an investigation after an employee's termination
 Recovering evidence after a hard drive has been formatted
 Performing an investigation after multiple users have taken over the system
History of Cyber Forensics
• 1969-70: first case of physical damage to computer systems in the USA
• 1978: first law enacted against computer crimes
• Termed digital or computer forensics
• "Forensic" means relating to the use of scientific methods to produce evidence for a court of law; in this context, the characteristics and handling of evidence
• Forensic science: scientifically proven methods to study evidence
Reasons For Evidence
 Wide range of computer crimes and misuses
◦Non-Business Environment: evidence collected by federal, state and local authorities for crimes relating to:
 Theft of trade secrets
 Fraud
 Extortion
 Industrial espionage
 Possession of pornography
 SPAM investigations
 Virus/Trojan distribution
 Homicide investigations
 Intellectual property breaches
 Unauthorized use of personal information

Reasons For Evidence (cont)
 Computer-related crime and violations include a range of activities, including:
 Business Environment:
 Theft of or destruction of intellectual property
 Unauthorized activity
 Tracking internet browsing habits
 Reconstructing events
 Inferring intentions
 Selling company bandwidth
 Wrongful dismissal claims
 Sexual harassment
 Software piracy
Who Uses Computer Forensics?
 Criminal Prosecutors
 Rely on evidence obtained from a computer to prosecute suspects
 Civil Litigations
 Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
 Insurance Companies
 Evidence discovered on a computer can be used to mitigate costs (fraud, workers' compensation, arson, etc.)
 Private Corporations
 Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases
Who Uses Computer Forensics? (cont)
 Law Enforcement Officials
 Rely on computer forensics to back up search warrants and for post-seizure handling
 Individual/Private Citizens
 Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Role of Digital Forensics
• Uncover and record evidence
• E-Discovery
• Showing and understanding patterns of events
• Revealing end-to-end paths of events
• Extracting data that is hidden, encrypted, deleted, etc.
Typical Scenarios Involved
 Employee internet abuse
 Data leak or breach
 Espionage or corporate spying
 Fraud
 Criminal cases
 Copyright violation
Organizational Forensic Policy
Need for Computer Forensic Services
 Convergence of new technology / new online businesses
 New intrusion methods by hackers
 Data culling or discovery; comparison against known data
 Indexing of files, recovered files, mail indexing, metadata indexing
 Transaction sequencing and history recovery
 Extraction of data and cell phone forensics
 Recovering deleted data files
 Format conversion (PDF to other formats, image formats, etc.)
 Keyword searching, log history and extraction
 Network extractions and decrypting passwords
 Analyzing and comparing limited source code
 Demand for deep-freeze tools and E-Discovery tools
[Cobwebs Technologies is a global leader in Web Intelligence (WEBINT) solutions]
The best computer forensics tools
• Disk analysis: Autopsy / The Sleuth Kit
• Image creation: FTK Imager
• Memory forensics: Volatility
• Windows registry analysis: Registry Recon
• Mobile forensics: Cellebrite UFED
• Network analysis: Wireshark
• Linux distributions: CAINE
Digital Evidence Collection Phases
• Adhere to your site's security measures and employ a professional expert
• Capture pictures of the site accurately
• Keep detailed notes with date and time (record both the system date/time and the actual time, since a skewed system clock is itself a finding)
• Keep track of actions, present and future
• Do not update the original data; minimize changes to its contents (freeze the data)
• Do not allow others to make changes; do the collection yourself, using automated, fast procedures with precision
• Follow a step-by-step, systematic approach
• Collect in order of volatility, from most to least volatile: registers, routing tables, temporary files, disk, remote logging data, physical and network topology, and lastly archival data
Forensic Analysis of E-Mail
• An e-mail system is the hardware and software that controls the flow of e-mail
• E-mail server: an e-mail server, or simply mail server, is an application or computer in a network whose sole purpose is to act as a virtual post office. The server stores incoming mail for distribution to local users and sends out outgoing messages. E-mail gateways are the connections between different e-mail servers.
• A mail server is a computer system that sends and receives e-mail. Its software allows the system administrator to create and manage e-mail accounts for any domains hosted on the server.
• E-mail header: contains information about the sender, the recipient, the route the e-mail took to reach the inbox, and various authentication details. The e-mail header always precedes the e-mail body.
• E-mail spammers: spammers and hackers use automated tools to scan the web and gather e-mail addresses. Spammers harvest e-mail addresses from mailing lists, websites,
Forensic Analysis E-Mail Header
• SMTP: Simple Mail Transfer Protocol, the set of communication rules that allows software to transmit electronic mail over the internet
• Hypertext Transfer Protocol (HTTP): an application-layer protocol for transmitting displayable hypermedia documents, such as HTML; relevant here because webmail clients submit mail over HTTP
• Return-Path: the address to which bounces are delivered. It is written into the header by the receiving server from the SMTP envelope sender, so it need not match the From: header; it defines how and where bounced e-mails will be processed.
• MIME and S/MIME: S/MIME is a security-enhanced version of Multipurpose Internet Mail Extensions (MIME) that provides digital signatures and encryption of internet messages.
• X-Originating-IP: a widely used but non-standard header that identifies the originating IP address of a client connecting to a mail service's HTTP (webmail) front end. Like any header the sender controls, it can be forged and should be checked against the Received: chain.
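The header fields above are what an examiner actually reads off a suspicious message. The following is an added example, not code from the original slides: it reconstructs the route from the Received: headers (each relay prepends its own line, so they are read bottom-up), extracts the originating IP, and compares the Return-Path and From: domains. The message, hosts, addresses and IPs are all constructed for the example; only the standard library is used.

```python
"""Added example (not from the original slides): reconstruct an e-mail's
route from its Received: headers and pull out the fields a header analyst
compares (Return-Path vs. From, X-Originating-IP vs. the first hop).
The message below is constructed; every host, address and IP is made up."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a message that claims to come from bank.example but
# whose bounce address and first hop belong to an unrelated mailer.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.5])
\tby inbox.corp.example with ESMTP id ABC123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx.corp.example with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [10.0.0.23] (unknown [192.0.2.44])
\tby relay.mailer.example.net with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [192.0.2.44]
From: "Accounts" <accounts@bank.example>
To: victim@corp.example
Subject: Invoice

Please see the attached invoice.
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP = re.compile(r"from (\S+)(?: \(([^)]*)\))?.*? by (\S+)")


def parse_message(raw):
    return message_from_string(raw, policy=policy.default)


def route(raw):
    """Hops in chronological order. Each MTA prepends its own Received:
    line, so header order is newest first and must be reversed."""
    hops = []
    for value in reversed(parse_message(raw).get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue                                  # malformed hop: keep going
        ips = IPV4.findall(m.group(2) or "")
        when = text.split(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m.group(1),
            "from_ip": ips[-1] if ips else None,      # the IP the relay saw
            "by": m.group(3),
            "time": parsedate_to_datetime(when) if when else None,
        })
    return hops


def origin_ip(raw):
    """Best guess at the sending client's IP: X-Originating-IP if present,
    otherwise the address recorded by the first relay."""
    xo = parse_message(raw).get("X-Originating-IP")
    if xo and IPV4.findall(str(xo)):
        return IPV4.findall(str(xo))[0]
    hops = route(raw)
    return hops[0]["from_ip"] if hops else None


def sender_mismatch(raw):
    """Return (From domain, Return-Path domain, mismatch?). The two differ
    legitimately for mailing lists and bulk senders, so a mismatch is a
    lead to follow, not proof of forgery."""
    msg = parse_message(raw)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    return from_dom, rp_dom, from_dom.lower() != rp_dom.lower()


if __name__ == "__main__":
    for hop in route(SAMPLE):
        print(hop["time"], hop["from"], hop["from_ip"], "->", hop["by"])
    print("origin:", origin_ip(SAMPLE), "mismatch:", sender_mismatch(SAMPLE))
```

Only the hop that the examiner's own mail server wrote can be trusted outright; everything below it in the chain was written by servers the sender may control, which is why the timestamps and IPs of consecutive hops are cross-checked rather than taken individually.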
Digital Forensic Life Cycle
• Rules to maintain and adhere to when handling evidence:
• - it should be admissible
• - it should be authentic
• - it should be complete
• - it should be reliable
• - it should be understandable and believable
Digital Forensic Life Cycle (cont)
• Broadly, the phases are:
 1. Prepare: sequence of events; maintain files and folders with date and time stamps; produce and manage files
 2. Collect and Record: sources such as cell phones, systems, laptops, cameras, CDs, USBs, RFID tags, web pages, etc. Use hashing to protect the integrity of the collected data.
 3. Storing and Transporting: storage as per the chain of custody; make exact duplicates before transporting
 4. Investigate: the entire hard disk as a unit or as a file (image), frozen (write-protected); tools such as dcfldd and IXimager; then apply SHA or MD5 hashing
 5. Analysis and Interpretation: review of the collected data at each of the following levels
• Media analysis
• Media management analysis: organizing media, cloud, etc.
• File system analysis: disk partitioning, recovery of deleted files
• Application analysis: application- or process-specific information
• Network analysis: routing, raw packet analysis; executables are often examined
• Image analysis: steganography, searching for matches
• Video analysis: review of camera placement, picture and video content analysis
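Phases 2 and 4 above both rest on hashing, and the collection checklist earlier asks for notes that record the system clock alongside the real time. The following is an added example, not code from the original slides, showing those two things together: an image is digested with MD5 and SHA-256 in chunks as it is acquired, every action is written to a chain-of-custody log with both time fields, and a working copy is verified against the acquisition digests before examination. The item names, custodians and "image" bytes are constructed for the example.

```python
"""Added example (not from the original slides): hash evidence at
acquisition, keep a chain-of-custody log, and verify a working copy
before analysis. Item names, custodians and the image are constructed."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a multi-terabyte image never sits in RAM


def _as_stream(source):
    """Accept raw bytes (tests, demos) or any binary file-like object."""
    return io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Digest a stream once, feeding every algorithm from each chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_entry(item, action, custodian, hashes, actual_time_note):
    """One chain-of-custody record. The machine clock is logged as read and
    the examiner's independently checked time goes in its own field; a
    skewed clock is a finding, not something to silently correct."""
    return {
        "item": item,
        "action": action,
        "custodian": custodian,
        "system_time_utc": datetime.now(timezone.utc).isoformat(),
        "actual_time_note": actual_time_note,
        "hashes": dict(hashes),
    }


def acquire(item, source, custodian, actual_time_note):
    """Phase 2: hash the evidence as it is collected and open its log."""
    hashes = hash_stream(_as_stream(source))
    return [custody_entry(item, "acquired", custodian, hashes, actual_time_note)]


def verify_copy(log, copy, custodian, actual_time_note):
    """Phase 4: before examining a working copy, prove it matches the
    acquisition digests; append the outcome to the same log, return it."""
    expected = log[0]["hashes"]
    actual = hash_stream(_as_stream(copy), tuple(expected))
    ok = all(actual[name] == expected[name] for name in expected)
    log.append(custody_entry(log[0]["item"], "verified" if ok else "MISMATCH",
                             custodian, actual, actual_time_note))
    return ok


if __name__ == "__main__":
    image = b"constructed disk image bytes" * 1000   # stand-in, not a real image
    log = acquire("HDD-01", image, "examiner A", "09:15 by wristwatch")
    print(verify_copy(log, image, "examiner B", "09:40 by wristwatch"))       # True
    print(verify_copy(log, image[:-1] + b"!", "examiner B", "09:41"))          # False
    for entry in log:
        print(entry["action"], entry["custodian"], entry["hashes"]["sha256"][:16])
```

Two digests are kept because MD5 alone is no longer collision-resistant; recording SHA-256 next to it costs nothing at acquisition time and avoids an argument in court later. A mismatch is logged rather than raised, so the record shows that the check was done and failed.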
6. Reporting
• After analysis a report is written
• Very useful for court proceedings
• The elements of the report include:
 Identity of the reporting agency
 Case number or identifier
 Case investigator
 Date of receipt and date of report
 Description of the items under examination: sequence number, make and model
 Identity and signature of the examiner
 Description of the steps in the examination: the kinds of searches done, recoveries of erased files
 Results/Conclusion
7. Testifying (post life cycle)
• This phase includes presentation and cross-examination of the expert witnesses
• The expert witness must possess the skill, knowledge, experience and training to withstand cross-examination, which tests that:
• a) the testimony is based on sufficient data and facts
• b) the testimony is the product of reliable principles and methods
• c) the witness has applied those principles and methods reliably to the facts of the case
Precautions for Handling and Collecting Evidence
Admissibility of Evidence:
◦Legal rules which determine whether potential evidence can be considered by a court
◦Must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place
 No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer
 Preventing viruses from being introduced to a computer during the analysis process
 Extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
 Establishing and maintaining a continuing chain of custody
 Limiting the amount of time business operations are affected
 Not divulging, and respecting, any ethically [and legally]
Forensic Investigation
 DO NOT begin by exploring files on the system randomly; secure the subject of the investigation first
 Take a copy (image) of the hard disk
 Establish an evidence custodian; start a detailed journal with the date and time of each action and of the information discovered and files recovered
 View, access and copy hidden files
 Investigate settings/configuration of the system and applications
 Consider back-ups, remotely or locally scheduled
 Check house-keeping and configuration changes
 Collect e-mail, DNS, and other network service logs
 Review user activities and habits
 Create a detailed report with the assessment and findings
Typical Elements Addressed in a Forensic Investigation
• Authorization by: customer, company and stakeholders
• Confidentiality to be maintained: no disclosure, no sharing; have confidence in proper technical and organizational measures
• Payments: made by the parties and stakeholders
• Any correspondence done prior to or during the events
Challenges in Computer Forensics
• Huge data volumes in terabytes: a needle-in-a-haystack situation
• Large pools of files in different formats
• Need to look into patterns of text and data mining
• Network zones span multiple jurisdictions [offline or online modes of data availability]
• Real-time frauds cannot be detected with present tools
• Seizure of systems at a crime site is not easy to control
• Real-time data collection needs legal authority and privileges
Challenges in Computer Forensics
Technical Challenges [raw data and its structures]
• Complex raw data to be handled with utmost care
• Low-level formats to be understood, i.e. ASCII, HTML, Windows registry, network packets
• Identifying known packets using IDS signatures
• Identifying unknown entries in logs
• Sorting any type of file
• Identifying known files using hash databases
• Always needs an upskilling attitude
Understand low-level technical terminology, such as the abstraction levels of FAT on disk:
• Layer 1: Raw file system image
• Layer 2: Values from the boot sector (bytes per sector, sectors per cluster, reserved sectors, etc.) and FAT entry size
• Layer 3: FAT area and data area
• Layer 4: Starting clusters and FAT entries
• Layer 5: Raw cluster content and content type
• Layer 6: Formatted cluster content
• Layer 7: List of clusters
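The seven layers are easiest to see in code. The following is an added example, not from the original slides: a minimal FAT16 reader that builds a tiny image in memory (layer 1), reads the boot-sector values (layer 2), computes the FAT and data areas (layer 3), follows a starting cluster through the FAT entries (layers 4 and 7), reads raw clusters (layer 5) and assembles file content plus the slack left in the last cluster (layer 6). It also shows why deleted files are recoverable: the directory entry keeps the start cluster and size after the FAT chain is zeroed. The image, file names and contents are constructed; the FAT entries are stored 16 bits wide for simplicity, even though a volume this small would be FAT12 by cluster count.

```python
"""Added example (not from the original slides): a minimal FAT16 reader
that walks the seven abstraction layers above. The image is constructed
in memory by build_sample_image(); no real disk is involved."""
import struct

# BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# number of FATs, root entries, total sectors (16-bit), media, sectors/FAT
BPB_FMT = "<HBHBHHBH"
EOC = 0xFFF8  # FAT16 entries >= EOC mark end of chain


def build_sample_image():
    """Layer 1: a 16-sector image with NOTES.TXT (1300 bytes in clusters
    2-3-4, so cluster 4 has slack) and a deleted SECRET.DOC whose start
    cluster (5) and size (600) survive in the directory but whose FAT
    chain has been zeroed, as happens on deletion."""
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into(BPB_FMT, boot, 11, 512, 1, 1, 1, 16, 16, 0xF8, 1)
    boot[510:512] = b"\x55\xAA"
    fat = struct.pack("<7H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0).ljust(512, b"\0")
    live = bytearray(32)
    live[0:11], live[11] = b"NOTES   TXT", 0x20
    struct.pack_into("<HI", live, 26, 2, 1300)          # start cluster, size
    gone = bytearray(32)
    gone[0:11], gone[11] = b"\xE5ECRET  DOC", 0x20       # 0xE5 marks deletion
    struct.pack_into("<HI", gone, 26, 5, 600)
    root = (bytes(live) + bytes(gone)).ljust(512, b"\0")
    data = (b"A" * 512 + b"B" * 512
            + (b"C" * 276 + b"old text left in slack").ljust(512, b"\0")
            + b"L" * 512 + b"E" * 88)
    return bytes(boot) + fat + root + data.ljust(13 * 512, b"\0")


def parse_boot_sector(img):
    """Layer 2 and 3: read the BPB and compute where each area starts."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing boot signature")
    bps, spc, reserved, nfats, root_n, total, _media, spf = \
        struct.unpack_from(BPB_FMT, img, 11)
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    return {"bytes_per_sector": bps, "cluster_size": spc * bps,
            "fat_offset": fat_off, "root_offset": root_off,
            "data_offset": root_off + root_n * 32,
            "root_entries": root_n, "total_sectors": total}


def fat_entry(img, bpb, n):
    return struct.unpack_from("<H", img, bpb["fat_offset"] + 2 * n)[0]


def fat_chain(img, bpb, start):
    """Layers 4 and 7: follow FAT entries from a start cluster. Stops on
    EOC, a free (0) entry, or a loop, so a corrupt FAT cannot hang us."""
    chain, n = [], start
    while 2 <= n < EOC and n not in chain:
        chain.append(n)
        n = fat_entry(img, bpb, n)
    return chain


def cluster_bytes(img, bpb, n):
    """Layer 5: raw content of one data-area cluster (numbering starts at 2)."""
    off = bpb["data_offset"] + (n - 2) * bpb["cluster_size"]
    return img[off:off + bpb["cluster_size"]]


def root_entries(img, bpb):
    """Directory entries, including deleted ones (first byte 0xE5)."""
    out = []
    for i in range(bpb["root_entries"]):
        off = bpb["root_offset"] + 32 * i
        e = img[off:off + 32]
        if e[0] == 0:                                   # end of directory
            break
        start, size = struct.unpack_from("<HI", e, 26)
        out.append({"name": e[0:11].decode("ascii", "replace"),
                    "deleted": e[0] == 0xE5, "start": start, "size": size})
    return out


def extract(img, bpb, entry):
    """Layer 6: return (content, slack, clusters). When the chain is shorter
    than the size needs (deleted file), assume contiguous clusters from the
    start; this is the usual recovery heuristic and can be wrong if the
    file was fragmented."""
    cs = bpb["cluster_size"]
    needed = -(-entry["size"] // cs)
    clusters = fat_chain(img, bpb, entry["start"])
    if len(clusters) < needed:
        clusters = list(range(entry["start"], entry["start"] + needed))
    raw = b"".join(cluster_bytes(img, bpb, c) for c in clusters)
    return raw[:entry["size"]], raw[entry["size"]:], clusters
```

Run `extract` over `root_entries` and the live file comes back with its slack (bytes past the logical end of file in cluster 4, which a file manager never shows) and the deleted file comes back intact because cluster 5 and 6 have not been reused. Real FAT12 volumes pack entries into 12 bits and FAT32 into 28; the layer structure is the same, only `fat_entry` and the EOC value change.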
Challenges in Data Privacy Issues
 Evidence, to be admissible in court, must be relevant, probative and unbiased
 Workmanship of the players in digital/computer forensics (technicians, policy makers and professionals): to articulate, understand, execute, record and follow documented forensics guidelines.
Special Tools and Techniques of CF
• File carver tools: work within the limits of file headers and footers
Most CF tools work on the following principles:
• 1. Creating forensic-quality, sector-by-sector images for analysis
• 2. Locating deleted/old partitions
• 3. Date/time stamps
• 4. Getting data from slack space; recovery of deleted files/directories
• 5. Performing keyword searching
• 6. Recovery of internet browsing history
• 7. Disk duplicators, etc.
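The first bullet, carving between headers and footers, is simple enough to show in full. The following is an added example, not code from the original slides or from any carving tool: it scans an unstructured blob (unallocated space, slack, or a raw image) for JPEG and PNG signatures, carves each hit up to its footer, and treats a header with no footer as a truncated file bounded by a size cap, which is the failure mode a practitioner hits most often. The signature bytes are the real ones; the blob and the "files" inside it are constructed stand-ins.

```python
"""Added example (not from the original slides): a header/footer file
carver. SIGNATURES holds real magic values; the sample blob is constructed."""
import re

SIGNATURES = {                                   # (header, footer)
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}
MAX_CARVE = 4096  # cap for files whose footer never appears (constructed limit)


def carve(blob, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return one dict per header found, sorted by offset in the blob."""
    found = []
    for kind, (head, tail) in signatures.items():
        for m in re.finditer(re.escape(head), blob):
            start = m.start()
            limit = min(len(blob), start + max_size)
            tail_at = blob.find(tail, start + len(head), limit)
            if tail_at == -1:
                end, complete = limit, False         # truncated or footer overwritten
            else:
                end, complete = tail_at + len(tail), True
            found.append({"type": kind, "start": start, "end": end,
                          "data": blob[start:end], "complete": complete})
    found.sort(key=lambda f: f["start"])
    return found


def build_sample_blob():
    """Constructed unallocated-space sample: padding, a complete JPEG
    stand-in, junk, a complete PNG stand-in, then a JPEG whose footer
    has been overwritten."""
    jpg = b"\xFF\xD8\xFF\xE0" + b"jfif-data" * 3 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\0" * 13 + b"IEND\xAE\x42\x60\x82"
    truncated = b"\xFF\xD8\xFF\xE1" + b"exif-data" * 4
    return b"\0" * 100 + jpg + b"\xAB" * 50 + png + b"slack" + truncated


if __name__ == "__main__":
    for f in carve(build_sample_blob()):
        print(f"{f['type']} @ {f['start']}-{f['end']} complete={f['complete']}")
```

The cap matters in both directions: without it a missing footer swallows everything to the end of the image, and with it a large file that happens to lack its footer is cut short, so carved files flagged `complete=False` need a second look rather than being trusted or discarded. Production carvers (Scalpel, PhotoRec) add per-type size limits and structure-aware checks on top of this header/footer scan.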
Special Tools and Techniques of CF - List of Carving Tools
3 categories of digital forensics tools:
A. Data Recovery Tools
B. Partition Recovery Tools
C. File Carving Tools
Top Tools for Complete CF
• The Coroner's Toolkit: open source
• EnCase Forensic Version 5.0: $3000
• Forensic Toolkit (FTK): $1100
• i2 Analyst's Notebook Version 6.0.55: $3700
• LogLogic LX 2000: $50000
• NetWitness Version 6.0 (for network analysis, IDS based): $30000
• ProDiscover Incident Response Version 4.55: $8000
• Sleuth Kit and Autopsy Browser (for reporting and documentation): freeware
