Cyber Forensics Unit-1 Notes

This document discusses cyber forensics and covers the following key points: 1. Unit 1 introduces cybercrime, including definitions of cybercrime, types of cybercrimes like viruses and worms, and the roles of computers in crimes. It also introduces digital forensics and the incident response methodology. 2. Unit 2 covers initial response, including volatile data collection from Windows and Unix systems, as well as forensic duplication to create admissible evidence duplicates of hard drives. 3. Unit 3 discusses forensics analysis and validation, including determining what data to collect and analyze, validating forensic data, and addressing data hiding techniques.

Uploaded by

Srijani 2727

Cyber Forensics

UNIT- I Introduction of Cybercrime: Types, The Internet spawns crime, Worms versus viruses,
Computers' roles in crimes, Introduction to digital forensics, Introduction to Incident - Incident Response
Methodology –Steps - Activities in Initial Response, Phase after detection of an incident

UNIT-II Initial Response and forensic duplication: Initial Response & Volatile Data Collection from
Windows system - Initial Response & Volatile Data Collection from Unix system - Forensic Duplication:
Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic
Duplicate/Qualified Forensic Duplicate of a Hard Drive

UNIT – III Forensics analysis and validation: Determining what data to collect and analyze, validating
forensic data, addressing data-hiding techniques, performing remote acquisitions Network Forensics:
Network forensics overview, performing live acquisitions, developing standard procedures for network
forensics, using network tools, examining the honeynet project.

UNIT - IV Current Forensic tools: evaluating computer forensic tool needs, computer forensics software
tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations:
Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail,
investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic
tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding
acquisition procedures for cell phones and mobile devices.

UNIT - V Working with Windows and DOS Systems: understanding file systems, exploring Microsoft File
Structures, Examining NTFS disks, Understanding whole disk encryption, windows registry, Microsoft
startup tasks, MS-DOS startup tasks, virtual machines.

TEXT BOOKS:

1. Kevin Mandia, Chris Prosise, "Incident Response and Computer Forensics", Tata McGraw-Hill, 2006.

2. John R. Vacca, "Computer Forensics: Computer Crime Investigation", Firewall Media, New Delhi.

3. Bill Nelson, Amelia Phillips, Frank Enfinger, Christopher Steuart, "Computer Forensics and Investigations", Cengage Learning.

REFERENCES:

1. Keith J. Jones, Richard Bejtlich, Curtis W. Rose, "Real Digital Forensics", Addison-Wesley / Pearson Education.

2. Tony Sammes, Brian Jenkinson, "Forensic Computing: A Practitioner's Guide", Springer International Edition.
UNIT 1: Introduction to Cybercrime

What is Cybercrime?

• Cybercrime is any crime in which a computer is either the object of the crime or the tool used to
commit the offense.

• A cybercriminal may use a device to access a user's personal information, confidential business
information or government information, or to disable a device.

• Selling or soliciting such information online is also a cybercrime.

A computer security incident is defined as any unlawful, unauthorized, or unacceptable action that
involves a computer system or a computer network. Such an action can include any of the following
events:

• Theft of trade secrets

• Email spam or harassment

• Unauthorized or unlawful intrusions into computing systems

• Embezzlement

• Possession or dissemination of child pornography

• Denial-of-service (DoS) attacks

• Tortious interference with business relations

• Extortion

• Any unlawful action where the evidence of that action may be stored on computer media, including
fraud, threats and other traditional crimes.

TYPES

Cybercrimes can generally be divided into two categories:

• Crimes that target networks or devices

 Viruses

 Malware

 DoS Attacks
• Crime using devices to participate in criminal activities

 Phishing Emails

 Cyberstalking

 Identity Theft

Further, there are three major categories that cybercrime falls into:

• Individual

• Property

• Government

The methods used, and the difficulty of investigating them, vary with the category.

• Individual: This category involves one individual distributing malicious or illegal information
online. It includes cyberstalking, distributing pornography and trafficking.

• Property: This is the online equivalent of a criminal illegally possessing an individual's bank or
credit card details. The attacker steals a person's bank details to gain access to funds, makes
purchases online, or runs phishing scams to get people to give away their information.

• Government: This is the least common category but the most serious offense. A crime against a
government is also known as cyber terrorism.

WORM

• Does not attach itself to the operating system or to other programs; it is a standalone program

• Self-propagates across a network by exploiting vulnerabilities in widely used network services, with
no user action required

• Harms the network itself and consumes network bandwidth

• Spreads much more rapidly. Example: the SQL Slammer worm (2003) infected roughly 75,000 hosts
within ten minutes

VIRUS

• Attaches itself to the operating system or to host programs

• Needs user action (opening an infected file, running an infected program) to propagate

• Damage is mostly local to the infected machine

• Spreads comparatively slowly


Introduction to Digital Forensics

General Types of Digital Forensics include

• Network Analysis

 Communication analysis

 Log analysis

 Path tracing

• Media Analysis

 Disk imaging

 MAC time analysis (Modify, Access, Create)

 Content Analysis

 Slack space Analysis

 Steganography

• Code Analysis

 Reverse Engineering

 Malicious code review

 Exploit review

Incident Response Methodology

The Six Steps of Incident Response

1. Preparation: get ready to handle the incident

2. Identification: detect the incident

3. Containment: limit the impact of the incident

4. Remediation: remove the threat

5. Recovery: recover to a normal stage

6. Aftermath (lessons learned): write up the incident and improve the process


UNIT-II

Initial Response and Forensic Duplication

Initial Response

One of the first steps of any preliminary investigation is to obtain enough information to determine an
appropriate response.

• The goal of an initial response is twofold: Confirm there is an incident, and then retrieve the system’s
volatile data that will no longer be there after you power off the system.

• Initial response is an investigative as well as a technical process

CREATING A RESPONSE TOOLKIT

For an initial response, plan your approach so that you obtain all the information you need without
affecting any potential evidence.

• Because you will be issuing commands with administrator rights on the victim system, you must be
particularly careful not to destroy or alter evidence.

• The best way to meet this goal is to prepare a complete response toolkit in advance.

GATHERING THE TOOLS

In every incident response, regardless of the type of incident, it is critical to use trusted commands:
the binaries on the victim system may have been replaced by the attacker. For responding to Windows, we
maintain a CD or other read-only removable media that contains, at a minimum, a trusted copy of every
tool the initial response steps require.
Preparing the Toolkit

We take several steps to prepare our toolkits for initial response:

• Label the response toolkit media with:

 Case number

 Time and date

 Name of the investigator who created the response media

 Name of the investigator using the response media

 Whether or not the response media contains output files or evidence from the victim system

OBTAINING VOLATILE DATA

Now that you have a forensic toolkit and a methodology, you need to determine exactly which data to
collect. At this point, you want to obtain the volatile data from the Windows NT/2000 system prior to
turning off that system. At a minimum, we collect the following volatile data prior to forensic
duplication:

• System date and time

• A list of the users who are currently logged on

• Time/date stamps for the entire file system

• A list of currently running processes

• A list of currently open sockets

• The applications listening on open sockets

VOLATILE DATA COLLECTION FROM WINDOWS SYSTEM

Now that you know what to collect and how to document your response, you are ready to retrieve the
volatile data. The steps run in this order so that the two time readings bracket everything collected:

1. Execute a trusted cmd.exe.

2. Record the system time and date.


3. Determine who is logged in to the system (and remote-access users, if applicable).

4. Record modification, creation, and access times of all files.

5. Determine open ports.

6. List applications associated with open ports.

7. List all running processes.

8. List current and recent connections.

9. Record the system time and date.

10. Document the commands used during initial response.

Collecting Volatile Data from a Linux System

• Remotely accessing the Linux host via Secure Shell

1) You will be collecting forensic evidence from this machine and storing it on the "VTELaunchpad"
(the lab's collection host). You will need to set the VTELaunchpad to listen for incoming connections
again.

2) Save the collected data in a file called C:\LinuxCollectiondata.txt or C:\LinuxCollectiondata.csv.
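The ten Windows steps above, together with the Unix-side collection they pair with, put into one script as an added example (this is not code from the notes or from the Mandia/Prosise text): every tool is run by absolute path from the response media, the system time is recorded before and after the run, each output file is hashed, and a command log is written. The toolkit paths D:\irtools and /mnt/irtools and the choice of tools in each table are assumptions; the tools named (Sysinternals psloggedon and pslist, netstat, nbtstat, w, find, ss, lsof, ps, last) are real but the responder has to copy them onto the media.

```python
"""Initial-response volatile data collector (added example, not from the notes).

Runs each trusted tool by absolute path from the response media (steps 1, 3-8),
records the system date/time before and after (steps 2 and 9), hashes every
output file, and writes a command log (step 10).
"""
import datetime as dt
import hashlib
import json
import platform
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumed mount points of the response media; adjust per case.
WIN_TOOLS = Path(r"D:\irtools")
NIX_TOOLS = Path("/mnt/irtools")

# Windows: steps 3-8. netstat -o/-b need XP or later (NT/2000-era kits used
# fport for step 6). dir /t:w lists last-write times; /t:a and /t:c give access
# and creation times. Linux: the customary equivalents.
COMMAND_TABLES = {
    "Windows": {
        "03_logged_on":   [str(WIN_TOOLS / "psloggedon.exe")],
        "04_file_times":  [str(WIN_TOOLS / "cmd.exe"), "/c", "dir", "/t:w", "/a", "/s", "/o:d", "C:\\"],
        "05_open_ports":  [str(WIN_TOOLS / "netstat.exe"), "-an"],
        "06_port_owners": [str(WIN_TOOLS / "netstat.exe"), "-anob"],
        "07_processes":   [str(WIN_TOOLS / "pslist.exe")],
        "08_sessions":    [str(WIN_TOOLS / "nbtstat.exe"), "-S"],
    },
    "Linux": {
        "03_logged_on":   [str(NIX_TOOLS / "w")],
        "04_file_times":  [str(NIX_TOOLS / "find"), "/", "-xdev", "-printf", "%T@ %A@ %C@ %p\n"],
        "05_open_ports":  [str(NIX_TOOLS / "ss"), "-anp"],
        "06_port_owners": [str(NIX_TOOLS / "lsof"), "-i", "-n", "-P"],
        "07_processes":   [str(NIX_TOOLS / "ps"), "-eo", "pid,ppid,user,lstart,cmd"],
        "08_sessions":    [str(NIX_TOOLS / "last"), "-a", "-n", "50"],
    },
}

# Portable self-check command (the interpreter running this script).
PROBE_COMMAND = [sys.executable, "-c", "print('hello')"]


def timestamp():
    """Local time with UTC offset, so clock skew can be corrected later."""
    return dt.datetime.now(dt.timezone.utc).astimezone().isoformat()


def run_collection(commands, out_dir=None):
    """Run each command, store and hash its output, and return the manifest."""
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="ir_"))
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"host": platform.node(), "start": timestamp(), "results": {}}
    for name, argv in commands.items():
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=600)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is itself worth logging; keep going.
            data, rc = f"collector error: {exc}".encode(), None
        out_path = out_dir / f"{name}.txt"
        out_path.write_bytes(data)
        manifest["results"][name] = {
            "argv": argv,
            "returncode": rc,
            "output": str(out_path),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    manifest["end"] = timestamp()
    (out_dir / "collection_log.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    table = COMMAND_TABLES.get(platform.system(), {})
    print(json.dumps(run_collection(table or {"probe": PROBE_COMMAND}), indent=2))
```

Point the output directory at removable media or a network share, never at the victim's own disk, since every write can overwrite unallocated space the forensic duplicate should preserve. On a platform with no table only PROBE_COMMAND runs, which is the self-check used here.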

UNIT 3 : Forensics Analysis and Validation
Determining What Data to Collect and Analyze

• Examining and analyzing digital evidence depend on the nature of the investigation

– And the amount of data to process

• Scope creep - when an investigation expands beyond the original description

– Because of unexpected evidence found

– Attorneys may ask investigators to examine other areas to recover more evidence

– Increases the time and resources needed to extract, analyze, and present evidence

• Scope creep has become more common

– Criminal investigations require more detailed examination of evidence just before trial

– To help prosecutors fend off attacks from defense attorneys

• New evidence often isn’t revealed to prosecution

– It’s become more important for prosecution teams to ensure they have analyzed the
evidence exhaustively before trial

• Ensuring the integrity of data collected is essential for presenting evidence in court

• Most forensic tools offer hashing of image files

• Example - when ProDiscover loads an image file:

– It runs a hash and compares the value with the original hash calculated when the image
was first acquired

• Advanced hexadecimal editors can also be used to confirm data integrity

Validating with Hexadecimal Editors

• Advanced hex editors offer features not available in digital forensics tools, such as:

– Hashing specific files or sectors

• With the hash value in hand


– You can use a forensics tool to search for a suspicious file that might have had its name
changed to look like an innocuous file

• WinHex provides MD5 and SHA-1 hashing algorithms


• Advantage of recording hash values

– You can determine whether data has changed

• Block-wise hashing

– A process that builds a data set of hashes of sectors from the original file

– Then examines sectors on the suspect’s drive to see whether any other sectors match

– If an identical hash value is found, you have confirmed that the file was stored on the
suspect’s drive


• Using Hash Values to Discriminate Data

– AccessData has its own hashing database, Known File Filter (KFF)

– KFF filters known program files from view and also contains hash values of known illegal files

– It compares known file hash values with files on your evidence drive to see if they
contain suspicious data

– Other digital forensics tools can import the NSRL database and run hash comparisons
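Acquisition verification and block-wise hashing as an added example (not code from the notes, ProDiscover or WinHex): hash_image and verify_acquisition do what the Auto Verify Image Checksum feature does, and sector_hashes plus scan_image build the per-sector hash set of a known file and look for those sectors in a suspect image. The "known" file and the image are constructed in build_sample; the 512-byte sector size and the decision to skip sectors filled with a single byte value are my assumptions.

```python
"""Image verification and block-wise hashing (added example, not from the notes)."""
import hashlib
import random

SECTOR = 512


def hash_image(image):
    """Hash taken at acquisition time and recorded with the image."""
    return hashlib.sha256(image).hexdigest()


def verify_acquisition(image, recorded_hash):
    """Re-hash a loaded image and compare with the recorded acquisition hash."""
    return hash_image(image) == recorded_hash


def sector_hashes(data, sector=SECTOR):
    """Map the SHA-256 of every full sector of `data` to its sector index.

    Sectors made of one repeated byte (zero fill, 0xFF erase patterns) are
    skipped: they occur in almost every file and all over free space, so a
    match on one of them would prove nothing.
    """
    table = {}
    for i in range(len(data) // sector):
        chunk = data[i * sector:(i + 1) * sector]
        if len(set(chunk)) == 1:
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), i)
    return table


def scan_image(image, known, sector=SECTOR):
    """Return [(image_sector, file_sector)] for sectors matching the known file."""
    hits = []
    for i in range(len(image) // sector):
        digest = hashlib.sha256(image[i * sector:(i + 1) * sector]).hexdigest()
        if digest in known:
            hits.append((i, known[digest]))
    return hits


def build_sample():
    """Constructed data: a 3-sector 'known' file and a 20-sector suspect image."""
    rng = random.Random(2024)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    known_file = rand(SECTOR) + bytes(SECTOR) + rand(SECTOR)  # middle sector zeroed
    image = bytearray(bytes(2 * SECTOR) + rand(18 * SECTOR))  # sectors 0-1 wiped
    image[7 * SECTOR:10 * SECTOR] = known_file                # sector-aligned copy
    return known_file, bytes(image)


if __name__ == "__main__":
    known_file, image = build_sample()
    recorded = hash_image(image)
    print("acquisition verified:", verify_acquisition(image, recorded))
    for img_sec, file_sec in scan_image(image, sector_hashes(known_file)):
        print(f"image sector {img_sec} matches known file sector {file_sec}")
```

The zero-filled middle sector of the known file is deliberately not matched, even though the image contains it three times; only the two content-bearing sectors count as evidence. Sector-wise matching also assumes the file was stored sector-aligned, which a file system guarantees but an embedded copy inside another file does not.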

Validating with Digital Forensics Tools

• ProDiscover

– .eve files contain metadata that includes hash value

– Has a preference you can enable for using the Auto Verify Image Checksum feature
when image files are loaded

– If the hash computed on load and the hash stored in the .eve file's metadata don't match

• ProDiscover reports that the acquisition is corrupt and can't be considered reliable evidence

• Data hiding - changing or manipulating a file to conceal information

• Techniques:
– Hiding entire partitions

– Changing file extensions

– Setting file attributes to hidden

– Bit-shifting

– Using encryption

– Setting up password protection

Hiding Files by Using the OS

• One of the first techniques to hide data:

– Changing file extensions

• Advanced digital forensics tools check file headers

– Compare the file extension to verify that it’s correct

– If there’s a discrepancy, the tool flags the file as a possible altered file

• Another hiding technique

– Selecting the Hidden attribute in a file’s Properties dialog box

Hiding Partitions

• By using the Windows diskpart command remove letter=<drive letter>

– You unassign the partition's drive letter, which hides it from view in File Explorer; the partition
and its data remain on disk untouched

• To unhide it, use diskpart's assign letter=<drive letter> command

• Other disk management tools:

– Partition Magic, Partition Master, and Linux Grand Unified Bootloader (GRUB)


• To detect whether a partition has been hidden

– Account for all disk space when examining an evidence drive

– Analyze any disk areas containing space you can’t account for

• In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS

– Other forensics tools have their own methods of assigning drive letters to hidden
partitions
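Accounting for all disk space programmatically, as an added example (not code from the notes or from ProDiscover): parse_mbr reads the four primary entries from sector 0 and labels the standard hidden partition type codes, and unaccounted_regions lists the sector ranges no partition claims. The MBR built in build_sample_mbr and the 1,024,000-sector disk size are constructed. Removing a drive letter with diskpart leaves the partition table untouched, which is why this check still finds the partition.

```python
"""Accounting for disk space from the MBR partition table (added example, not from the notes)."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Standard MBR type codes that mark a partition as hidden.
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
                0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA"}


def parse_mbr(mbr):
    """Return the populated primary entries, sorted by start sector."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: GPT disk, wiped sector, or not sector 0")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                                   # empty slot
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "start": start, "sectors": count,
                      "hidden": HIDDEN_TYPES.get(ptype)})
    return sorted(parts, key=lambda p: p["start"])


def unaccounted_regions(mbr, total_sectors):
    """Sector ranges not covered by any partition, as (start, length) tuples."""
    regions, cursor = [], 0
    for p in parse_mbr(mbr):
        if p["start"] > cursor:
            regions.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])   # max() tolerates overlaps
    if cursor < total_sectors:
        regions.append((cursor, total_sectors - cursor))
    return regions


def build_sample_mbr():
    """Constructed sector 0: an NTFS partition, a hidden NTFS partition, and slack."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into(ENTRY, mbr, TABLE_OFFSET, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    struct.pack_into(ENTRY, mbr, TABLE_OFFSET + 16, 0x00, b"\0\0\0", 0x17, b"\0\0\0", 409600, 102400)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


SAMPLE_DISK_SECTORS = 1024000   # constructed 500 MiB disk

if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(p)
    for start, length in unaccounted_regions(mbr, SAMPLE_DISK_SECTORS):
        print(f"unaccounted: sectors {start}-{start + length - 1} ({length * 512 // 1024} KiB)")
```

The first region reported (sectors 0-2047) holds the MBR and alignment padding; it is normal, but still worth examining because bootkits and hand-placed data live there. Extended partitions (types 0x05/0x0F) need the EBR chain walked and GPT disks need a different parser, so the function raises on a missing signature rather than guessing.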
UNIT 4: Current Forensic Tools

• Look for versatility, flexibility, and robustness

– OS

– File system(s)

– Script capabilities

– Automated features

– Vendor’s reputation for support

• Keep in mind what application files you will be analyzing

Types of Computer Forensics Tools

• Hardware forensic tools

– Range from single-purpose components to complete computer systems and servers

• Software forensic tools

– Types

• Command-line applications

• GUI applications

– Commonly used to copy data from a suspect's disk drive to an image file

Tasks Performed by Computer Forensics Tools

• Five major categories:

– Acquisition

– Validation and discrimination

– Extraction

– Reconstruction

– Reporting

Validating and testing forensics software

• Validation

– Ensuring the integrity of data being copied

• Discrimination of data

– Involves sorting and searching through all investigation data

• Subfunctions

– Hashing

• CRC-32, MD5, Secure Hash Algorithms

– Filtering

• Known system files can be ignored

• Based on hash value sets

– Analyzing file headers

• Discriminate files based on their types

• The National Software Reference Library (NSRL) has compiled a list of known file hashes

– For a variety of OSs, applications, and images


• Many computer forensics programs include a list of common header values

– With this information, you can see whether a file extension is incorrect for the file type

• Most forensics tools can identify header values
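Header-based type discrimination and known-hash filtering, as an added example that serves both the data-hiding discussion in Unit 3 (changed extensions, KFF) and the subfunctions listed here (this is not code from the notes, KFF or NSRL): identify checks a file's leading bytes against a signature table, extension_mismatch flags files whose extension contradicts their header, and triage drops known-good hashes and alerts on known-bad ones the way a KFF or NSRL import does. The signature table is an assumed subset, and the sample files and hash sets are constructed.

```python
"""File-type discrimination and known-hash filtering (added example, not from the notes)."""
import hashlib

# Small magic-number table (an assumed subset; real tools carry thousands).
# Each entry: (leading bytes, type label, extensions that legitimately use it).
SIGNATURES = [
    (b"\xff\xd8\xff",        "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n",   "png",  {"png"}),
    (b"GIF87a",              "gif",  {"gif"}),
    (b"GIF89a",              "gif",  {"gif"}),
    (b"%PDF-",               "pdf",  {"pdf"}),
    (b"PK\x03\x04",          "zip",  {"zip", "jar", "apk", "docx", "xlsx", "pptx"}),
    (b"MZ",                  "exe",  {"exe", "dll", "sys", "scr", "cpl"}),
    (b"\x7fELF",             "elf",  {"", "so", "elf"}),
]


def identify(data):
    """Return the type label for the leading bytes, or None if no magic matches."""
    for magic, label, _ in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def extension_mismatch(name, data):
    """True when the header says one type and the extension claims another.

    Files with no recognised header (plain text, unknown formats) are never
    flagged: absence of a signature is not evidence of tampering.
    """
    label = identify(data)
    if label is None:
        return False
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    allowed = set().union(*(exts for _, lab, exts in SIGNATURES if lab == label))
    return ext not in allowed


def triage(files, known_good, known_bad):
    """Classify {name: bytes} against hash sets, as KFF/NSRL filtering does."""
    report = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_bad:
            status = "alert"      # hash of a known illegal or malicious file
        elif digest in known_good:
            status = "ignore"     # known OS/application file, drop from view
        else:
            status = "review"
        report[name] = {"sha256": digest, "type": identify(data),
                        "mismatch": extension_mismatch(name, data), "status": status}
    return report


# Constructed sample evidence (not real files): a header followed by filler text.
SAMPLE_FILES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"JFIF sample image body",
    "notes.txt":   b"MZ\x90\x00" + b"renamed executable posing as a text file",
    "report.docx": b"PK\x03\x04" + b"office file is really a zip container",
    "calc.exe":    b"MZ" + b"a known-good system binary",
    "payload.bin": b"\x7fELF" + b"a known-bad binary",
    "readme":      b"plain text with no magic number at all",
}
# Hash sets as a KFF/NSRL import would supply them (derived from the samples here).
KNOWN_GOOD = {hashlib.sha256(SAMPLE_FILES["calc.exe"]).hexdigest()}
KNOWN_BAD = {hashlib.sha256(SAMPLE_FILES["payload.bin"]).hexdigest()}

if __name__ == "__main__":
    for name, rec in triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        flag = "  EXTENSION MISMATCH" if rec["mismatch"] else ""
        print(f"{name:12} {rec['type'] or '?':5} {rec['status']:7}{flag}")
```

Two caveats the output shows: a file with no recognised header is not flagged, because a missing signature is not evidence of tampering, and Office documents legitimately share the ZIP signature, so the allowed-extension set rather than the label alone decides a mismatch.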

What is E-mail investigation?

• E-mail investigation is the digital-forensics process of finding evidence in suspect e-mails; it
allows the investigator to examine, preserve and present digital evidence (a branch of forensic
science).

Vital Roles of E-mail Forensics

• Examine.

• Preserve.

• Carve evidence.

• Report.

Requirements of E-mail Investigation

• To carve evidence.

• To ensure the reliability (authenticity and integrity) of the e-mails.

• To identify illegal acts and link them together.

• To present the evidence.

Goal of E-mail Forensics

• A mailbox can contain a wealth of messages, so the e-mail forensics investigator must not only
investigate but also retrieve from the mails the kind of evidence that is presentable and leads to
legal action being taken on the crime.

Types of E-mail Crimes

1. E-mail spoofing.

2. E-mail fraud.

3. E-mail bombing.

4. Sending threatening e-mails.

5. Defamatory e-mails.

6. Sending malicious code through e-mail.

Investigating E-mail from Corporate Servers

• Corporate: [email protected]

Everything after the @ is the domain name, which identifies the organization's mail server.

• Investigating corporate e-mail is easier because the organization controls the mail servers and
their logs.

Investigating E-mails from Public Servers

• Public: [email protected] (public services such as Yahoo, Hotmail, etc.)

• Avoid using your own e-mail account while investigating. Public-server mail is harder to
investigate because the provider, not the organization, holds the server logs.

Investigating E-mail Headers

• Locate the e-mail header in

 GUI clients

 Command-line clients

 Web-based clients

• The header contains useful information

 Unique identifying number (Message-ID)

 Sending time

 IP address of the sending e-mail server

 IP address of the e-mail client
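Header tracing as an added example (not code from the notes or from any of the tools listed below): trace parses the Received: chain from the bottom up to recover the delivery path and the originating IP, extracts the Message-ID and date, and compares the domain in the visible From: with the Return-Path envelope, the classic spoofing indicator. The message is constructed with reserved documentation addresses, and the regular expressions are best-effort assumptions about Received: formatting, which varies between servers.

```python
"""E-mail header tracing (added example, not from the notes)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message using reserved documentation addresses (RFC 5737 / .example).
SAMPLE_RAW = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
    by mail.victim.example with ESMTP id AB12; Tue, 5 Mar 2019 10:02:11 +0000
Received: from relay.free-mail.example (relay.free-mail.example [198.51.100.7])
    by mx.corp.example with ESMTP id CD34; Tue, 5 Mar 2019 10:02:05 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.free-mail.example with ESMTPA id EF56; Tue, 5 Mar 2019 10:01:58 +0000
From: "Chief Executive" <ceo@corp.example>
To: finance@victim.example
Subject: urgent wire transfer
Date: Tue, 5 Mar 2019 10:01:50 +0000
Message-ID: <20190305100150.EF56@relay.free-mail.example>
Return-Path: <attacker@free-mail.example>

Please wire the funds today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Pull from/IP/by/id/time out of one Received: header (best effort)."""
    text = " ".join(str(value).split())          # unfold continuation lines
    ip = IP_RE.search(text)
    return {
        "from": _field(r"\bfrom\s+(\S+)", text),
        "ip": ip.group(1) if ip else None,
        "by": _field(r"\bby\s+(\S+)", text),
        "id": _field(r"\bid\s+([^\s;]+)", text),
        "time": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }


def domain_of(header_value):
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def trace(raw):
    """Reconstruct the delivery path and compare the visible sender with the envelope."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each server prepends its Received: line, so the last one is the first hop.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"]) if msg["Return-Path"] else None
    return {
        "message_id": str(msg["Message-ID"]),
        "date": str(msg["Date"]),
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        # Visible From: domain differs from the envelope sender: spoofing indicator
        "spoof_indicator": envelope_domain is not None and envelope_domain != from_domain,
    }


if __name__ == "__main__":
    result = trace(SAMPLE_RAW)
    for n, hop in enumerate(result["hops"], 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']} id {hop['id']} at {hop['time']}")
    print("origin:", result["origin_ip"], "| spoof indicator:", result["spoof_indicator"])
```

Only the Received: lines added by servers you control (here mail.victim.example and the corporate MX) are trustworthy; anything below them can be forged by the sender, so the recovered origin IP is a lead to take to the relay's operator, not proof on its own.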

Application of E-mail Investigation

• Criminal undertaking.

• Civil litigation.

• E-mail tracing.

• Corporate security policy .

Use specialized E-mail Investigating tools

• AccessData FTK

• MailXaminer

• EnCase

• DBXtract

• Paraben, etc.

Understanding Mobile Device Forensics

• People store a wealth of information on cell phones and mobile devices

o People don’t think about securing their mobile devices

• Items stored on mobile devices:

o Incoming, outgoing, and missed calls

o Text and Short Message Service (SMS) messages

o E-mail

o Instant-messaging (IM) logs

o Web pages

o Pictures

o Personal calendars

o Address books

o Music files

o Voice recordings

o GPS data

• Investigating cell phones and mobile devices is one of the most challenging tasks in digital
forensics

Mobile Device Forensic Analysis Process

• Biggest challenge is dealing with constantly changing models of cell phones

• When you’re acquiring evidence, generally you’re performing two tasks:

– Acting as though you’re a PC synchronizing with the device (to download data)

– Reading the SIM card

First step is to identify the mobile device

Data Acquisition Procedures for Cell Phones and Mobile Devices

• Check these areas in the forensics lab:

– Internal memory

– SIM card (its file system is a hierarchical structure)

– Removable or external memory cards

• Information that can be retrieved:

– Service-related data, such as identifiers for the SIM card and the subscriber

– Call data, such as numbers dialed

– Message information

– Location information

• If power has been lost, PINs or other access codes might be required to view files.

• Encryption
