cyber forensics seminar
TRANSCRIPT
-
8/2/2019 Cyber Forensics Seminar
1/47
CYBER FORENSICS
-
8/2/2019 Cyber Forensics Seminar
2/47
-
8/2/2019 Cyber Forensics Seminar
3/47
examine computer evidence properly. Not every department or organization has the
resources to have trained computer forensic specialists on staff.
1. DEFINITION:
Forensic computing is the process of identifying, preserving, analyzing and
presenting digital evidence in a manner that is legally acceptable.(Rodney Mckemmish
1999).
From the above definition we can clearly identify four components:-
IDENTIFYING
This is the process of identifying things such as what evidence is present, where
and how it is stored, and which operating system is being used. From this information
the investigator can identify the appropriate recovery methodologies, and the tools to be
used.
-
8/2/2019 Cyber Forensics Seminar
4/47
PRESERVING
This is the process of preserving the integrity of digital evidence, ensuring the
chain of custody is not broken. The data needs to preserved (copied) on stable media
such as CD-ROM, using reproducible methodologies. All steps taken to capture the
data must be documented. Any changes to the evidence should be documented,
including what the change was and the reason for the change. You may need to prove
the integrity of the data in the court of law.
ANALYSING
This is the process of reviewing and examining the data. The advantage ofcopying this data onto CD-ROMs is the fact it can be viewed without the risk of
accidental changes, therefore maintaining the integrity whilst examining the changes.
PRESENTING
This is the process of presenting the evidence in a legally acceptable and
understandable manner. If the matter is presented in court the jury who may have little
or no computer experience, must all be able to understand what is presented and how it
relates to the original, otherwise all efforts could be futile.
Far more information is retained on the computer than most people realize. Its also
more difficult to completely remove information than is generally thought. For these
reasons (and many more), computer forensics can often find evidence or even
completely recover, lost or deleted information, even if the information was intentionally
deleted.
The goal of computer forensics is to retrieve the data and interpret as much information
about it as possible as compared to data recovery where the goal is to retrieve the lost
data.
-
8/2/2019 Cyber Forensics Seminar
5/47
2. INTRODUCTION:
In a networked world, there are no safe harbors- if you are on the network, you
are available to everyone else on the network. As economies become more dependent
on information and communication technology (ICT), they are becoming more
vulnerable to network attacks (e.g., Threats to the internet as well as other private and
public networks).
The most serious cyber security risks are those that threaten the functioning of
critical information infrastructures, such as those dedicated to financial services, control
systems for power, gas, drinking water, and other utilities; airport and air traffic control
systems; logistics systems; and government services.
2.1 THREATS TO THE SYSTEM
System threats can be broadly classified into human and environment threats.
Environment threats include power outages, fire and floods. Human threats can be
malicious or non-malicious. A threat is considered malicious if the attack or crime
is committed with full knowledge and intension. A non-malicious threat is one where the
individual does not understand its intent or is ignorant of the action that is about to becommitted.
-
8/2/2019 Cyber Forensics Seminar
6/47
For e.g , :-
A disgruntled employee may try to break into the organizations critical business
information to damage the information and the business. This is an example of
malicious human threat.
An ignorant employee may give out information to a hacker without realizing the
consequences. This is an example of non-malicious human threat.
2.2 IMPORTANCE OF SYSTEM FORENSICS
System forensics helps an organization in not only reaching the source of crimeand prosecuting the criminal, but also in organizing their security policy and planning
future security requirements. System forensics helps the organization in the following
way:-
2.2.1 RECOVER DATA THAT YOU THOUGHT WAS LOST FOREVER:-
Computers systems may crash, files may be accidentally deleted, disks may
accidentally be reformatted, viruses may corrupt files, file may be accidentally
overwritten, and disgruntled employees may try to destroy your files. All of this can lead
to loss of your critical data, but computer forensic experts should be able to employ the
latest tools and techniques to recover your data.
2.2.2 ADVICE YOU ON HOW TO KEEP YOUR DATA AND INFORMATION SAFE
FROM THEFT OR ACCIDENTAL LOSS:-
Business today relies on computers. Your sensitive records and trade secrets are
vulnerable to intentional attacks from, for e.g. hackers, disgruntled employees, viruses,
etc. also unintentional loss of data due to accidental deletion, h/w or s/w crashes are
-
8/2/2019 Cyber Forensics Seminar
7/47
equally threatening. Computer forensic experts can advice you on how to safeguard
your data by methods such as encryption and back-up.
2.2.3 EXAMINE A COMPUTER TO FIND OUT WHAT ITS USER HAS BEEN DOING:
Whether you are looking for evidence in a criminal prosecution, looking for
evidence in a civil suit, or determining exactly what an employee has been up to. Your
computer forensics expert should be equipped to find and interpret the clues left behind.
2.2.4 SWEEP YOUR OFFICE FOR LISTNENING DEVICES:-
There are various micro-miniature recording and transmitting devices available in
today s hi-tech world. The computer forensic expert should be equipped to conductthorough electronic countermeasure (ECM) sweeps of your premises.
2.2.5 HI-TECH INVESTIGATION:-
The forensic expert should have the knowledge and the experience to conduct
hi-tech investigations involving cellular cloning, cellular subscription fraud, s/w piracy,
data or information theft, trade secrets, computer crimes, misuse of computers by
employees, or any other technology issue.
2.3 COMPUTER FORENSIC METHODOLOGY
Forensic investigation methodology is basically the approach that an investigator
follows to retrieve possible evidence that may exit on a subjects computer system. For
e.g., the following steps should be taken :-
-
8/2/2019 Cyber Forensics Seminar
8/47
1. Shut Down the Computer
Depending upon the computer operating system involved, this usually involves
pulling the plug or shutting down a net work computer using relevant operating system
commands. At the option of the computer specialists, pictures of the screen image can
be taken using a camera. However, consideration should be given to possible
destructive processes that may be operating in the background. These can be resident
in memory or available through a modem or network connection. Depending upon the
operating system involved, a time delayed password protected screen saver may
potentially kick in at any moment. This can complicate the shutdown of the computer.
Generally, time is of the essence and the computer system should be shut down or
powered down as quickly as possible
2. Document the Hardware Configuration of The System
It is assumed that the computer system will be moved to a secure location where
a proper chain of custody can be maintained and the processing of evidence can begin.
Before dismantling the computer, it is important that pictures are taken of the computer
from all angles to document the system hardware components and how they are
connected. Labeling each wire is also important so that the original computer
configuration can be restored. Computer evidence should ideally be processed in a
computer hardware environment that is identical to the original hardware configuration.
3. Transport the Computer System to A Secure Location
This may seem basic but all too often seized evidence computers are stored in
less than secure locations. It is imperative that the subject computer is treated as
evidence and it should be stored out of reach of curious computer users. All too often,
individuals operate seized computers without knowing that they are destroying potential
computer evidence and the chain of custody. Furthermore, a seized computer left
unintended can easily be compromised. Evidence can be planted on it and crucial
-
8/2/2019 Cyber Forensics Seminar
9/47
evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make
the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you
say that relevant evidence was not planted on the computer after the seizure The
answer is that you cannot. Do not leave the computer unattended unless it is locked in a
secure location! NTI provides a program named Seized to law enforcement computer
specialists free of charge. It is also made available to NTI's business and government in
various suites of software that are available for purchase. The program is simple but
very effective in locking the seized computer and warning the computer operator that
the computer contains evidence and should not be operated
4. Make Bit Stream Backups of Hard Disks and Floppy Disks
The computer should not be operated and computer evidence should not be
processed until bit stream backups have been made of all hard disk drives and floppy
disks. All evidence processing should be done on a restored copy of the bit stream
backup rather than on the original computer. The original evidence should be left
untouched unless compelling circumstances exist. Preservation of computer evidence is
vitally important. It is fragile and can easily be altered or destroyed. Often such
alteration or destruction of data is irreversible. Bit stream backups are much like an
insurance policy and they are essential for any serious computer evidence processing.
5. Mathematically Authenticate Data on All Storage Devices
You want to be able to prove that you did not alter any of the evidence after the
computer came into your possession. Such proof will help you rebut allegations that you
changed or altered the original evidence. Since 1989, law enforcement and military
agencies have used a 32 bit mathematical process to do the authentication process.
Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion.
However, given the speed of today's computers and the vast amount of storage
capacity on today's computer hard disk drives, this level of accuracy is no longer
accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes
-
8/2/2019 Cyber Forensics Seminar
10/47
two programs in its forensic suites of tools that mathematically authenticate data with a
high level of accuracy. Large hashing number, provides a mathematical level of
accuracy that is beyond question. These programs are used to authenticate data at both
a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro.
The latter program was specifically designed to validate a restored bit stream backup
and it is made available free of charge to law enforcement computer specialists as part
of NTI's Free Law Enforcement Suite. The programs are also included in our various
suites of forensic software which are sold NTI's clients.
6. Document the System Date and Time
The dates and times associated with computer files can be extremely importantfrom an evidence standpoint. However, the accuracy of the dates and times is just as
important. If the system clock is one hour slow because of daylight-saving time, then file
time stamps will also reflect the wrong time. To adjust for these inaccuracies,
documenting the system date and time settings at the time the computer is taken into
evidence is essential.
7. Make a List of Key Search Words
Because modern hard disk drives are so voluminous, it is all but impossible for a
computer specialist to manually view and evaluate every file on a computer hard disk
drive. Therefore, state-of-the-art automated forensic text search tools are needed to
help find the relevant evidence.
8. Evaluate the Windows Swap File
The Windows swap file is potentially a valuable source of evidence and leads.
The evaluation of the swap file can be automated with several of NTI's forensic tools,
e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent
filters automatically identifies patterns of English language text, phone numbers, social
-
8/2/2019 Cyber Forensics Seminar
11/47
security numbers, credit card numbers, Internet E-Mail addresses, Internet web
addresses and names of people.
9. Evaluate File Slack
File slack is a data storage area of which most computer users are unaware. It is
a source of significant 'security leakage' and consists of raw memory dumps that occur
during the work session as files are closed. The data dumped from memory ends up
being stored at the end of allocated files, beyond the reach or the view of the computer
user. Specialized forensic tools are required to view and evaluate file slack and it can
prove to provide a wealth of information and investigative leads. Like the Windows swap
file, this source of ambient data can help provide relevant key words and leads that mayhave previously been unknown.
10. Evaluate Unallocated Space (Erased Files)
The DOS and Windows 'delete' function does not completely erase file names or
file content. Many computer users are unaware the storage space associated with such
files merely becomes unallocated and available to be overwritten with new files.
Unallocated space is a source of significant 'security leakage' and it potentially contains
erased files and file slack associated with the erased files. Often the DOS Undelete
program can be used to restore the previously erased files. Like the Windows swap file
and file slack, this source of ambient data can help provide relevant key words and
leads that may have previously been unknown to the computer investigator.
11. Search Files, File Slack and Unallocated Space for Key Words
The list of relevant key words identified in the previous steps should be used to
search all relevant computer hard disk drives and floppy diskettes. There are several
forensic text search utilities available in the marketplace. NTI's forensic search
TextSearch NT can be used for that purpose and it has been tested and certified for
-
8/2/2019 Cyber Forensics Seminar
12/47
accuracy by the U. S. Department of Defense. This powerful search tool is also included
as part of NTI's suites of software tools.
12. Document File Names, Dates and Times
From an evidence standpoint, file names, creation dates, last modified dates and
times can be relevant. Therefore, it is important to catalog all allocated and 'erased'
files. NTI includes a program called FileList Pro in its various suites of forensic tools.
The FileList Pro program generates its output in the form of a database file. The file can
be sorted based on the file name, file size, file content, creation date, last modified date
and time. Such sorted information can provide a timeline of computer usage.
13. Identify File, Program and Storage Anomalies
Encrypted, compressed and graphic files store data in binary format. As a result,
text data stored in these file formats cannot be identified by a text search program.
Manual evaluation of these files is required and in the case of encrypted files, much
work may be involved. NTI's TextSearch Plus program has built in features that
automatically identify the most common compressed and graphic file formats. The use
of this feature will help identify files that require detailed manual evaluation. Depending
on the type of file involved, the contents should be viewed and evaluated for its potential
as evidence.
14. Evaluate Program Functionality
Depending on the application software involved, running programs to learn their
purpose may be necessary. NTI's training courses make this point by exposing the
students to computer applications that do more than the anticipated task. When
destructive processes are discovered that are tied to relevant evidence, this can be
used to prove willfulness. Such destructive processes can be tied to 'hot keys' or the
execution of common operating commands tied to the operating system or applications.
Before and after comparisons can be made using the FileList Pro program and/or
-
8/2/2019 Cyber Forensics Seminar
13/47
mathematical authentication programs. All these tools are included in most of NTI's
suites of forensic tools
15. Document Your Findings
As indicated in the preceding steps, it is important to document your findings as
issues are identified and as evidence is found. Documenting all of the software used in
your forensic evaluation of the evidence including the version numbers of the programs
used is also important. Be sure that you are legally licensed to use the forensic
software.
2.4 APPLICATION OF COMPUTER FORENSICS
System forensics is not different from any other forensic science when it comes
to application. It can be applied to any activity, where other mainstream traditional
forensics such as DNA mapping is used, if there has been an involvement of a system
or computer in the event.
Some of the common applications of computer forensics are:-
2.4.1 FINANCIAL FRAUD DETECTION:-
Corporates and banks can detect financial frauds with the help of evidence
collected from systems. Also , insurance companies can detect possible fraud in
accident, arson, and workman s compensation cases with the help of computer
evidence.
-
8/2/2019 Cyber Forensics Seminar
14/47
2.4.2 CRIMINAL PROSECUTION:-
Prosecutors can use computer evidence to establish crimes such as homicides,
drug and false record-keeping, financial frauds, and child pornography in the court of
law.
2.4.3 CIVIL LITIGATION:-
Personal and business records found on the computer systems related to fraud,
discrimination, and harassment cases can be used in civil litigations.
2.4.4 CORPORATE SECURITY POLICY AND ACCEPTABLS USE VIOLATIONS:-
A lot of computer forensic work done is to support management and human
resources (HR) investigations of employee abuse. Besides cyber crimes and system
crimes, criminals use computers for other criminal activities. In such cases , besides the
traditional forensics, system forensic investigation also plays a vital role.
3. CYBER CRIME:
Cyber crime is addressed in the broadest sense, in a way that most emerging
crimes today involve the use information technology. The terms Computer Crime ,
Computer Related Crimes , Internet Crime , Online Crimes , Hi -Tech Crimes ,
Information Technology Crime , and Cyber Crimes are being used interchangeably.
Cyber crime is hard to detect, thus giving the perpetrators plenty of time to flee
the area in which the crime was committed, because of this fact the criminals can be in
another country far away from the scene of the crime by the time it is detected.
Cyber Crimes differ from most terrestrial crimes in four ways:
They are easy to learn how to commit
-
8/2/2019 Cyber Forensics Seminar
15/47
they require few resources relative to the potential damage caused
they can be committed in a jurisdiction without being physically present in
it and
they are often not clearly illegal.
The development of information technology and the widening usage of the
Internet have made it possible for cyber crimes to happen. Some people argue that
cyber crime gives advantages to certain individuals because it gives them an
opportunity to enhance their computer skills and make a profit out of it. However, that is
far from truth. In reality, cyber crime kills e-commerce industry as seen through the
unleashing of viruses, fraud, and variety of tools available on the net and unauthorizeduse of computers.
The first recorded cyber crime took place in the year 1820. That is not surprising
considering the fact that the abacus, which is thought to be the first earliest form of computer,
has been around since 3500 B.C. in India, Japan and China. The era of modern computers,
however, began with the analytical engine of Charles Babbage.
Maintaining the security of a computer system and electronic transactions
involves checking:
Adequate physical security to prevent accidental or intentional damage to the
computer system and related equipment.
Software and data file security to ensure computer programs and data files are
not altered accidentally or deliberately.
Techniques for maintaining transaction data controls and for analyzing the
reasonableness of transactions to detect and report possible crime attempts.
Use of computer identification methods to restrict unauthorized individuals from
initiating transactions to customer accounts.
-
8/2/2019 Cyber Forensics Seminar
16/47
Secure communications networks to prevent unauthorized interception or
alteration of electronic data.
Adequate internal controls to prevent, detect, and correct computer crime and
other concerns.
3.1 EXAMPLES OF CYBER CRIME:3.1.1 Email Spoofing:
Email spoofing is email activity in which the sender address and other parts of
the email header are altered to appear as though the email originated from a different
source. Because core SMTP doesn't provide any authentication, it is easy to
impersonate and forge emails.
Although there are legitimate uses, these techniques are also commonly used
in spam and phishing emails to hide the origin of the email message.
By changing certain properties of the email, such as the From , Return-
Path and Reply-To fields (which can be found in the message header), ill-intentioned
http://en.wikipedia.org/wiki/Emailhttp://en.wikipedia.org/wiki/Authenticationhttp://en.wikipedia.org/wiki/Email_spamhttp://en.wikipedia.org/wiki/Phishinghttp://en.wikipedia.org/wiki/Return-Pathhttp://en.wikipedia.org/wiki/Return-Pathhttp://en.wikipedia.org/wiki/Return-Pathhttp://en.wikipedia.org/wiki/Return-Pathhttp://en.wikipedia.org/wiki/Phishinghttp://en.wikipedia.org/wiki/Email_spamhttp://en.wikipedia.org/wiki/Authenticationhttp://en.wikipedia.org/wiki/Email -
8/2/2019 Cyber Forensics Seminar
17/47
users can make the email appear to be from someone other than the actual sender. The
result is that, although the email appears to come from the address indicated in
the From field (found in the email headers), it actually comes from another source.
Prior to the advent of unsolicited commercial email (spam) as a viable business
model, "legitimately spoofed" email was common. For example, a visiting user might
use the local organization's SMTP server to send email from the user's foreign address.
Since most servers were configured as open relays, this was a common practice. As
spam email became an annoying problem, most of these "legitimate" uses fell victim to
anti-spam techniques.
It is much more difficult to spoof or hide the IP or Internet Protocol address. TheIP address is a 32 or 128 bit numerical label assigned to each device participating in a
network and originates through the network provider making it more difficult to spoof or
hide. Although this kind of verification is difficult for individual users, companies can use
this technology as well as others such as cryptographic signatures (e.g., PGP "Pretty
Good Privacy" or other encryption technologies) to exchange authenticated email
messages. Authenticated email provides a mechanism for ensuring that messages are
from whom they appear to be, as well as ensuring that the message has not been
altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail
transfer software. Using certificates in this manner increases the amount of
authentication performed when sending mail.
Example: Sameer spoofs her email and sends obscene messages to all her
acquaintances. Since the emails appear to have originated from Pooja, her friends
could take offence and relationships could be spoiled for life.
Email spoofing can also cause monetary damage. Misinformation about
companies are sent through emails and thus large lose will occur to companies in form
of money and customers.
http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocolhttp://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol -
8/2/2019 Cyber Forensics Seminar
18/47
3.1.2 FORGERY:
Forgery is the process of making, adapting, or imitating objects, statistics,
or documents with the intent to deceive. Copies, studio replicas, and reproductions are
not considered forgeries, though they may later become forgeries through knowing andwillfulmisrepresentations. Forging money or currency is more often
called counterfeiting. But consumer goods may also be counterfeits if they are not
manufactured or produced by the designated manufacture or producer given on
the label or flagged by the trademark symbol. When the object forged is a record
or document it is often called a false document.
Counterfeit currency notes, postage and revenue stamps, mark sheets, etc can
be forged using sophisticated computers, printers and scanners.
3.1.3 UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS OR
NETWORKS:
This occurs when a user/hacker deliberately gets access into someone else s
network either to monitor or data destruction purposes .
HOW TO PREVENT UNAUTHORIZED COMPUTER ACCESS:
FIREWALL:
A system designed to prevent unauthorized access to or from a private network.
Firewalls can be implemented in both hardware and software, or a combination of both.
Firewalls are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially intranets . All messages entering
or leaving the intranet pass through the firewall, which examines each message and
blocks those that do not meet the specified security criteria. There are several firewall
techniques, including:
http://en.wikipedia.org/wiki/Deceptionhttp://en.wikipedia.org/wiki/Misrepresentationhttp://en.wikipedia.org/wiki/Moneyhttp://en.wikipedia.org/wiki/Currencyhttp://en.wikipedia.org/wiki/Consumer_goodhttp://en.wikipedia.org/wiki/Labelhttp://en.wikipedia.org/wiki/False_documenthttp://en.wikipedia.org/wiki/False_documenthttp://en.wikipedia.org/wiki/Labelhttp://en.wikipedia.org/wiki/Consumer_goodhttp://en.wikipedia.org/wiki/Currencyhttp://en.wikipedia.org/wiki/Moneyhttp://en.wikipedia.org/wiki/Misrepresentationhttp://en.wikipedia.org/wiki/Deception -
8/2/2019 Cyber Forensics Seminar
19/47
Packet Filter: Looks at each packet entering or leaving the network and accepts
or rejects it based on userdefined rules. Packet filtering is fairly effective and
transparent to users, but it is difficult to configure. In addition, it is susceptible to IP
spoofing.
Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose performance
degradation.
Circuitlevel gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can flow
between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is
considered a first line of defense in protecting private information. For greater security,
data can be encrypted.
3.1.4 EMAIL BOMBING:
In Internet usage, an email bomb is a form of net abuse consisting of sending
huge volumes of email to an address in an attempt to overflow the
mailbox or overwhelm the server where the email address is hosted in a denial-of
service attack.
3.1.4.1 Methods Of email bombing:
There are two methods of perpetrating an email bomb: mass mailing and list
linking.
http://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Emailhttp://en.wikipedia.org/wiki/Denial-of-service_attackhttp://en.wikipedia.org/wiki/Denial-of-service_attackhttp://en.wikipedia.org/wiki/Denial-of-service_attackhttp://en.wikipedia.org/wiki/Denial-of-service_attackhttp://en.wikipedia.org/wiki/Emailhttp://en.wikipedia.org/wiki/Internet -
8/2/2019 Cyber Forensics Seminar
20/47
Mass mailing:
Mass mailing consists of sending numerous duplicate mails to the same email
address. These types of mail bombs are simple to design but their extreme simplicity
means they can be easily detected by spam filters. Email-bombing using mass mailing
is also commonly performed as a DDoS attack by employing the use of
"zombie" botnets; hierarchical networks of computers compromised by malware and
under the attacker's control. Similar to their use in spamming, the attacker instructs the
botnet to send out millions or even billions of emails, but unlike normal botnet
spamming, the emails are all addressed to only one or a few addresses the attacker
wishes to flood. This form of email bombing is similar in purpose to other DDoS flooding
attacks. As the targets are frequently the dedicated hosts handling website and email
accounts of a business, this type of attack can be just as devastating to both services of
the host.
This type of attack is more difficult to defend against than a simple mass-mailing
bomb because of the multiple source addresses and the possibility of each zombie
computer sending a different message or employing stealth techniques to defeat spam
filters.
List linking:
List linking means signing a particular email address up to several email list
subscriptions. The victim then has to unsubscribe from these unwanted services
manually. In order to prevent this type of bombing, most email subscription services
send a confirmation email to a person's inbox when that email is used to register for a
subscription. This method of prevention is easily circumvented: if the perpetrator
registers a new email account and sets it to automatically forward all mail to the victim,he or she can reply to the confirmation emails, and the list linking can proceed.
http://en.wikipedia.org/wiki/Email_addresshttp://en.wikipedia.org/wiki/Email_addresshttp://en.wikipedia.org/wiki/Email_filteringhttp://en.wikipedia.org/wiki/DDoShttp://en.wikipedia.org/wiki/Botnetshttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Spam_emailhttp://en.wikipedia.org/wiki/DDoShttp://en.wikipedia.org/wiki/DDoShttp://en.wikipedia.org/wiki/Spam_emailhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Botnetshttp://en.wikipedia.org/wiki/DDoShttp://en.wikipedia.org/wiki/Email_filteringhttp://en.wikipedia.org/wiki/Email_addresshttp://en.wikipedia.org/wiki/Email_address -
8/2/2019 Cyber Forensics Seminar
21/47
Zip bombing:
A ZIP bomb is a variant of mail-bombing. After most commercial mail servers
began checking mail with anti-virus software and filtering certain malicious file
types, EXE, RAR, Zip, 7-Zip. Mail server software was then configured to unpack
archives and check their contents as well. A new idea to combat this solution was
composing a "bomb" consisting of an enormous text file, containing, for example, only
the letter z repeating millions of times. Such a file compresses into a relatively small
archive, but its unpacking (especially by early versions of mail servers) would use a
greater amount of processing, which could result in a DoS (Denial of Service).
3.1.5 Data Diddling:
This kind of attack involves altering raw data just before it is processed by a
computer and the changing it back after the processing is completed.
Examples include forging or counterfeiting documents used for data entry and
exchanging valid disks and tapes with modified replacements.
To deal with this type of crime, a company must implement policies and internal
controls. This may include performing regular audits, using software with built-in
features to combat such problems, and supervising employees.
3.1.6 Computer Viruses:
Computer viruses are programs that can attach themselves to other programs or
files. The virus infected files can then become carriers of the virus, or become damaged
in some way. The virus may effect computer services, displaying messages or playing
sounds, or may crash the operating system so that the computer won t run as expected
(if at all).
You can prevent computer viruses by installing an anti-virus program on your
computer, which scans files for known viruses. There are a number of these programs
on the market, and they can be purchased from software stores or acquired on the
http://en.wikipedia.org/wiki/ZIP_bombhttp://en.wikipedia.org/wiki/EXEhttp://en.wikipedia.org/wiki/RARhttp://en.wikipedia.org/wiki/ZIP_(file_format)http://en.wikipedia.org/wiki/7-Ziphttp://en.wikipedia.org/wiki/DoShttp://en.wikipedia.org/wiki/DoShttp://en.wikipedia.org/wiki/7-Ziphttp://en.wikipedia.org/wiki/ZIP_(file_format)http://en.wikipedia.org/wiki/RARhttp://en.wikipedia.org/wiki/EXEhttp://en.wikipedia.org/wiki/ZIP_bomb -
8/2/2019 Cyber Forensics Seminar
22/47
Internet. Once installed, you will need to regularly update anti-virus files, which are used
to detect and remove viruses from your system.
3.1.7 Hackers and Crackers:
In computer jargon, "hacker" has a variety of meanings, including being
synonymous with programmers and advanced computer users. In these cases, it refers
to someone who hacks away at a keyboard for long periods of time, performing any
number of computer-related tasks. In recent years, hacking has come to mean the
same as another term "cracker," which is a person who cracks the security of a system
or computer application. Hacking (and cracking) now refers to the act of gaining
unauthorized access to a computer, network, Web site, or areas of a system.
A person may hack their way into a system for a variety of reasons; curiosity, the
challenge of breaking through security measures, or to perform malicious actions and
destroy or steal data. All to often, it involves performing mischief and damaging a Web
site or corporate network in some manner.
Commonly, hackers will impersonate a valid user to gain access to a system. If
the system requires a username and password before allowing entry, a hacker may
take an authentic user s identity. On a network or an office with Internet access, a
hacker can impersonate someone else by simply sitting at the unattended workstation
-
8/2/2019 Cyber Forensics Seminar
23/47
of another user who hasn t logged off. It also commonly occurs when someone has an
easy to guess username and password, or allows this information to be known by
others.
Another common method hackers use to gain access is to guess or crack ausername and password that s used to access a computer, network, or Internet
account. To prevent being hacked in this manner, you should use passwords that are
difficult to guess. You should also make your passwords a mixture of letters, numbers,
and special characters (e.g. !, @, #, $, %, , &, *). You should change your password at
regular intervals, and set a minimal length to passwords (such as being a minimum of
six or eight characters).
3.1.8 Salomi Attacks:
These attacks are used for the commission of financial crimes. The key here is to
make the alteration so significant that in a single case it would go completely unnoticed.
E.g., a bank employee inserts a program, into the bank server s, which deducts a small
amount of money from the account of every customer. No account holder will probably
notice this unauthorized debit, but the bank employee will make a sizable amount of
money every month.
3.2 Computer Fraud
Any incident involving computer technology in which there is a victim who
suffered (or could have suffered) a loss and a perpetrator who by intention made (or
could have made) a gain is the defined as computer fraud.
3.3 INVESTIGATION
-
8/2/2019 Cyber Forensics Seminar
24/47
Investigation is the process of collecting, analyzing, and recovering, evidence,
and presenting, a report detailing a crime. Evidence is the key factor that determines a
crime and helps prosecute the guilty in the court of law.
The investigation process consists of procedures and techniques for finding out
what happened, what damage was done, and to what extent, whether the intruder is still
a threat, and whether any fixes still need to be implemented. An investigation, to a great
extent depends on the skill of the investigator or forensic expert.
3.4 IMPORTANCE OF INVESTIGATION
With the increase in system and cyber crime and the uses of new tools and
techniques, organizations have realized that it is not only important to prevent thesecrimes and protect information, but to trace the source of crime.
Tracing the footprint of a computer crime is important because:
3.4.1 It helps to understand the system security weaknesses:-
Investigating a computer crime helps an organization understand if the system
were exploited for a weakness in the security system. For e.g. administrators need not
know if an existing flaw helped someone transfer money from one bank account to
another, and whether that flaw still exists.
3.4.2 It helps to understand security violation techniques:-
The techniques could range from implanting spyware in the systems, to recruiting
internal employees to gain security information to sabotage organizations from within.
An investigation might collect information such as each employee s involvement, and
the way the crime was organized.
-
8/2/2019 Cyber Forensics Seminar
25/47
3.4.3 It helps to identify future security needs:-
These investigations also provide information on new tools that were used or are
being developed. The investigations may help companies and even law-enforcement
agencies discover future trends and design new tools to protect network s and
information.
3.4.4 It helps to prosecute criminals:-
If the crime has led to financial and other losses, prosecution may be initiated
against the criminals. Investigation becomes extremely important, because without it,
there can be no case.
3.5 COMPONENTS OF INVESTIGATION
An investigation has three important components. They are:-
3.5.1 EVIDENCE:-
Almost all types of investigation of a system crime relies on the evidence
obtained from the target computer. You can collect evidence for a computer crime by
analyzing digital data such as e-mails, files, and other system information. Evidence
provides vital information about the crime in terms of tools and techniques that were
used.
E.g. Information in a system s RAM can provide clues about the last program executed
that may have been used in computer crime. Such type of evidence is volatile as
compared to evidence on paper and must be preserved. Digital evidence may include
deleted files or e-mails, computer logs, spreadsheets, and accounting information.
electronic data include record, file, source code, program, computer manufacturer
specifications, and other information on the computer storage devices.
Digital information can take the following forms:-
-
8/2/2019 Cyber Forensics Seminar
26/47
- word processing documents
- personal records
- customer lists
- financial information
- e-mail via the local network or internet
- system and application logs
- voice mail transcript
- electronic scheduling system
3.5.2 Linking the chain of evidence:-
After evidence of a crime has been found it is important to figure out thecomplete sequence of activities that may have taken place during the commission of
crime.
3.5.3 Documentation:-
It is the most important factor in investigation of system crimes. Each piece of
evidence must be recorded systematically for the law, as well as for better analysis of
the system. Failure to do so weakens the investigation, and the result may not be
correct.
3.6 STEPS FOR INVESTIGATION
Every investigation follows a well-defined procedure. The procedure involves the
following four steps:-
3.6.1 COLLECTING EVIDENCE:
The first and the most important step in an investigation is collection of evidence.
sAs an investigator, it is important to understand, to know, and to choose what is to be
-
8/2/2019 Cyber Forensics Seminar
27/47
treated as evidence from the available information. The evidence varies from situation
to situation. E.g., the evidence from investigating a hard disk may be different from
investigating a CD-ROM drive. It is important that the investigator is up-to date with the
new technologies, and of what they can and cannot do.
You can locate digital evidence at various sources such as:-
- Workstations
- Servers
- Network attached storage
- Scanners
- Proxy server and ISP logs
3.6.2 ANALYZING EVIDENCE:
The second step is analyzing the evidence. it requires careful and systematic
study to determine the answer to questions such as:-
- What damage was done
- Why was the damage done
- What information is there about the technique used to inflict damage
- Why this set of information serve as good evidence
Answering these questions gives you a clear picture of the extent and nature of
damage.
There are different tools and techniques that are used to commit computer crime.
It is important to identify the tools as well as the techniques. These provide the all
important footprints of the crimes. These footprints can be evaluated later to translate
them into meaningful sources of evidence. Many vulnerability software manufacturers
recognize the fact that their software is also effective hacking tools, so they are
-
8/2/2019 Cyber Forensics Seminar
28/47
designed to leave their identity traces along the path they followed, this serves as strong
forensic evidence against the acts of computer crimes and criminals.
3.6.3 RECOVERING EVIDENCE:
There is certain evidence that is removed by computer criminals for various
reasons. At times, there are changes in the evidence simply because the system was
rebooted. As an investigator, you must attempt to recover all the data that might have
been tampered with, and locate the information that may be of some evidence. e.g. if
some data has been deleted from the hard disk, it might be recovered to obtain more
accurate information about what actually had happened.
3.6.4 PRESERVING EVIDENCE:
After all the evidence as been collected, it is important to preserve it, as it existed
during or soon after the crime. The procedure should follow a well-devised technique to
avoid any changes in the data. Following is a checklist used to ensure that the evidence
remains protected and preserved:-
- The evidence is not damaged or altered due to tools and techniques used for
investigation.
- The evidence is protected from mechanical or electromagnetic damage.
- The target computer is not infected by any virus during the investigation process.
- Business operations of the organization are not affected during the investigation.
- Continuing chain of evidence is maintained.
3.7 Computer Crime Investigator:
The computer crime investigator is a specialist in criminal investigation, data
processing, auditing, and accounting. His knowledge of data processing should include
computer operations, systems design and analysis, programming, and project
management.
-
8/2/2019 Cyber Forensics Seminar
29/47
A primary element in a computer crime investigation course is the manner in
which it is structured and whether it contains all the vital areas of required knowledge. A
computer crime investigation curriculum should include the following:
1. The types of threats and vulnerabilities to which a computer is susceptible.
2. Data processing concepts relative to software (programming) and hardware (the
equipment itself).
3. Types of computer crimes.
4. Investigative methodology including investigative procedures, forensic
techniques, review of technical data systems, investigation planning,
interview/interrogation techniques, information gathering and analysis, and case
presentation techniques.
3.8 TYPES OF INVESTIGATION
Investigations are done on different lines under different situations. Although
investigation techniques vary, they can be categorized broadly into two types:-- Physical investigation- Logical investigation
These investigations give information about the system usage patterns, including
application and resource usage. This information might require application monitoring
tools such as sniffers.
3.8.1 PHYSICAL INVESTIGATION
It includes identifying or locating physical evidence, such as removal of computer
hardware. Certain behavior or incident could trigger a physical investigation. Some
examples are:-
- Unusual or unauthorized late hours
- Changes in the pattern of system usage
- Changes in the login system
-
8/2/2019 Cyber Forensics Seminar
30/47
- Making physical attempts to reach connected physical devices.
The above are some of the physical forms of malicious intent that needs to be
monitored through physical investigation, such as checking the system for changes in
hardware, network monitoring s/w, or asset management s/w to keep a close eye on the
systems physical assets.
3.8.2 LOGICAL INVESTIGATION
It can be referred as digital investigation. Logical investigation takes a look at log
files that can be used as evidence against the criminal. It requires a well designed
security policy that clearly defines the process for logging information. It is importantthat the logs be maintained systematically. Some of the logical investigation
requirements are:-
- No modifications :-
The system logs should not be modified at all. The system should remain in the
same state as it was when the crime occurred or else it could lead to loss of evidence.
- Log date and time stamp:-It is important that the date and time stamp of the log has not been changed.
Otherwise this will introduce a difference when connecting evidence to the change of
activity that may have occurred at time of the crime.
- Logs of the system:-
The logs of the system being investigated must be checked and studied to
analyze their integrity.
- System registry:-
System registry keys must be checked to identify the authenticity of the last
logged-in users and the integrity of critical files.
- forensic imaging tool:-
forensic imaging tool must be used to make multiple copy of the hard disk that
have been taken for investigation. Bib-by-bit copy of the hard disk must be made so that
-
8/2/2019 Cyber Forensics Seminar
31/47
no portion of the hard disk whether filled or empty, is left without being copied. An
example of forensic imaging tool is SETBACK.
Table 2.1 shows sample of log user
RECORD 1 RECORD 2
User Id: user1 User Id: user 2
TimeL showed: 12:30:00 TimeL showed: 12:40:50
DateL showed: 22-07-2003 DateL showed: 22-07-2003
TimeS showed: 10:40:00 TimeS showed: 10:50:50
DateS showed: 22-07-2003 DateS showed: 22-07-2003
Duration: 20mins Duration: 30minsSystem Id: s1 System Id: s1
Table 2.1
CHAPTER 4
COMPUTER FORENSIC TECHNOLOGY
Computer forensics tools and techniques have proven to be a valuable resource
for law enforcement in the identification of leads and in the processing of computer-related evidence. Computer forensic tools and techniques have become important
resources for use in internal Investigations, civil law suits, and computer security risk
management.
Forensic S/w tools and methods can be used to identify passwords, logons, and
other information that is automatically dumped from the computer memory. Such
forensic tools can be used to tie a diskette to the computer that created it. Some of the
tools used are as follows:
4.1 TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY
4.1.1 MIRROR IMAGE BACKUP SOFTWARE
SafeBack is a sophisticated evidence-preservation tool. It was developed
primarily for processing of computer evidence. This tool has become the industry
-
8/2/2019 Cyber Forensics Seminar
32/47
standard in the processing of computer evidence in the world. SafeBack is used to
duplicate all storage areas on a computer hard disk drive. The drive size creates no
limitation for this tool. It is used to create mirror-image backups of partitions of hard-
disk, which may contain multiple partitions and/or operating systems. The back-up
image files, created by SafeBack, can be written to essentially any writable magnetic
storage device, including SCSI tape backup units.
PROGRAM FEATURES AND BENEFITS
- Dos based for ease of operating and speed
- Provides a detail audit trail of the backup process for evidence documentation
purpose.- Checks for and duplicates data stored in sectors wherein the sector CRC does not
match the stored data.
- Copies all areas of the hard disk drive.
- Allows the archive of non-Dos and non-Windows HDD, (Unix on an Intel based
computer).
- Allows for the back-up process to be made via the printer port.
- Duplicate copies of HDD can be made from HD to HD in direct mode.
- SafeBack image file can be stored as one large file or separate files of fixed sizes.
This feature is helpful in making copies for archives on CDs
- Tried and proven evidence-preservation technology with a 10-year legacy of success
in government agencies.
- Creates a non-compressed file that is an exact and unaltered duplicate of the original.
This feature eliminates legal action against the potential alteration of evidence through
compression or translation.
- Fast and efficient. Depending on the hardware configuration involved, the data transfer
rate exceeds 50 million bytes per minute during the back-up process.
- Copies and restores one or more partitions containing one or more operating systems.
- Can be used accurately to copy and restore Windows NT and Windows 2000 drives in
raid configuration.
http://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentation -
8/2/2019 Cyber Forensics Seminar
33/47
- Writes to SCSI tape backup units or HDD.
4.1.2 ANADISK DISKETTE ANALYSIS TOOL
AnaDisk turns your PC into a sophisticated diskette analysis tool. The software
was originally created to meet the needs of the U.S. Treasury department.
PRIMARY USES
- Security reviews of floppy diskettes for storage
- Duplication of diskettes that are non-standard or that involve storage anomalies.
- Editing disks at a physical sector level.- Searching for data on FDs in traditional and non-traditional storage areas.
- Formatting disks in non-traditional ways for training purpose and to illustrate data-
hiding techniques.
PROGRAM FEATURES AND BENEFITS
- Dos based for ease of operation and speed
- Keyword searches can be conducted at a very low level and on disks that have been
formatted with extra tracks. This feature is helpful in the evaluation of disks that may
involve sophisticated data-hiding techniques.
- All dos formats are supported and many non-dos formats, (apple machintosh, unix tar,
and many others. If the disk fits in the drive, it is likely that AnaDisk can be used to
analyze it.
- Allows custom formatting of disks with extra tracks and sectors.
- Scans for anomalies will identify odd formats, extra tracks and extra sectors. Data
mismatches concerning certain file formats are also identified when file extensions have
been changed in an attempt to hide data.
- This S/w can be used to copy any disk, including most copy-protected disks.
-
8/2/2019 Cyber Forensics Seminar
34/47
4.1.3 TEXT SEARCH PLUS
TextSearch plus was specifically designed and enhanced for speed and
accuracy in security reviews. It was widely used by classified government agencies and
corporations that support these agencies. The s/w is also used by hundreds of law
enforcement agencies throughout the world in computer crime investigations.
PRIMARY USES
- Used to find occurrences of words or strings of text in data stored in files, slack, and
unallocated file space.
- Used in exit reviews of computer storage media from classified facilities.- Used in internal audits to identify violations of corporate policy.
- Used by fortune 500 corporations, government contractors, and government agencies
in security reviews and risk assessments.
- Used in corporate due diligence efforts regarding proposed mergers.
- Used to find occurrences of keywords strings of text in data found at a physical sector
level.
- Used to find evidence in corporate, civil, and criminal investigation that involve
computer-related evidence.
- Used to find embedded text in formatted word processing documents.
PROGRAM FEATURES AND BENEFITS
- Dos based for ease of operation and speed
- Small memory footprint, which allows the s/w to run on even the original IBM PC.
- Compact program size, which easily fits on one FDisk with other forensic s/w utilities.
- Searches files, slack, and erased space in one fast operation.
- Has logical and physical search options that maintain compatibility with government
security review requirements.
- User defined search configuration feature.
http://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentationhttp://www.seminarprojects.com/Thread-computer-forensics-full-download-seminar-report-and-paper-presentation -
8/2/2019 Cyber Forensics Seminar
35/47
- User configuration is automatically saved for future use.
- Embedded words and strings of text are found in word processing files.
- Alert for graphic files (secrets can be hidden in them)
- Alert for compressed files
- High speed operation. This is the fastest tool on the market, which makes for quick
searches on huge HDDs.
- False hits d on t stop processing.
- Screen and file output.
- Government tested specifically designed for security reviews in classified
environments.
4.1.4 INTELLIGENT FORENSIC FILTER
This enhanced forensic filter is used to quickly make sense of nonsense in
analysis of ambient computer data. This tool is so unique that process patents have
been applied for with the U.S. patent office.
Filter_I relies on preprogrammed artificial intelligence to identify fragments of
word processing communications, network passwords, fragments of e-mail
communication, fragments of internet chat room communication, fragments of internet
news group posts, encryption passwords, network log-ons, database entries, credit card
numbers, social security numbers, and the first and last name of individuals who have
been listed in communication involving the subject computer. This s/w saves days in
processing of computer evidence when compared to traditional methods.
PRIMARY USES
- Used covertly to determine prior activity on a specific computer.
- Used to filter ambient computer data, the existence of which the user is normally
unaware of (memory dumps in slack file, window swap files, windows DAT files and
erased file space).
- The ideal tool for use by corporate and government internal auditors.
-
8/2/2019 Cyber Forensics Seminar
36/47
- The ideal tool for use by corporate and government computer security specialists.
- The ideal tool to use for corporate, military, and law enforcement investigators.
- Perfect for covert intelligence gathering when laws permit and you have physical
access to the subject computer.
PROGRAM FEATURES AND BENEFITS
- DOS based for speed. The speed of operation is amazing.
- Automatically processes any binary data object.
- Provides output in an ASCII text format that is ready for import into any word
processing application.
- Capable of processing ambient data files that are up to 2GB in size.
4.2 TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
Lets look at the following types of business computer forensics technology:
4.2.1 REMOTE MONITORING OF TARGET COMPUTERS
Data interception by remote transmission (DIRT) from codex data system (CDS),
Inc, is a powerful remote control monitoring tool that allows stealth monitoring of all
activity on one or more target computers simultaneously from a remote command
center. No physical access is necessary. Application also allows agents to remotely
seize and secure digital evidence prior to physically entering suspect premises.
4.2.2 CREATES TRACKABLE ELECTRONIC DOCUMENT
Binary audit identification transfer (BAIT) is another powerful intrusion detection
tool from CDS that allows the user to create trackable electronic documents.
Unauthorized intruders who access, download, and view these tagged documents will
-
8/2/2019 Cyber Forensics Seminar
37/47
be identified (including their location) to security personnel. BAIT also allows security
personnel to trace the chain of custody and chain of commands of all who possess the
stolen electronic document.
4.2.3 THEFT RECOVERY SOFTWARE FOR YOUR PCs AND LAPTOPS
If your pc or laptop is stolen, is it smart enough to tell you where it is CDs has a
solution: PC PhoneHome-another software application that will track and locate a lost or
stolen pc or laptop anywhere in the world. It is easy to install. It is also completely
transparent to the user. If your PhoneHome computer is lost or stolen, all you need to
do is make a report to the local police and call CDS 24 hour command center. CDSs
recovery specialists will assist local law enforcement in recovery of your property.
4.2.4 BASIC FORENSIC TOOLS AND TECHNIQUES
The digital detective workshop from CDS was created to familiarize investigators
and security personnel with the basic techniques and tools necessary for a successful
investigation of internet and computer related crimes. Topics include:
- Types of computer crimes
- Cyber law basics
- Tracing e-mail to source.
- Digital evidence acquisition
- Cracking password
- Monitoring computer remotely
- Tracking online activity
- Finding and recovering hidden and deleted data
- Locating stolen computers
- Creating trackable files
- Identifying software pirates and so on.
-
8/2/2019 Cyber Forensics Seminar
38/47
-
8/2/2019 Cyber Forensics Seminar
39/47
- Strong analytical skills Patience to invest days in taking computers apart in search of
evidence
- Strong computer science fundamentals
- Broad understanding of security vulnerabilities
- Strong system administrative skills
- Excellent verbal and written communication skills
- Knowledge of the latest intruder tools
- Knowledge of and experience with the latest forensic tools
- Knowledge of cryptography and steganography
- Strong understanding of the rules of evidence and evidence handling
-The ability to be an expert witness in a court of law
5.2 TRAINING
There are many training courses to learn the art of computer forensics.
eSec Limited and Found stone Education - conduct 4 day training courses on Incident
Response and Computer Forensics.
Guidance Software - offers six, four day courses: EnCase Introduction to Computer
Forensics, EnCase Intermediate Analysis and Reporting, EnCase Internet and E-Mail
Examinations, EnCase EScript Programming, EnCase Prosecutor Training, and
EnCase Advanced Training. Each has a curriculum designed to address the various
skill levels of the students. Not all of these courses are available in Australia. Guidance
Software offers the EnCase Certified Examiner (EnCE) program. Certification is
available to anyone who meets the minimum requirements for the program. Information
can be found at http://www.guidancesoftware.com/html/ence.htm.
http://www.guidancesoftware.com/html/ence.htmhttp://www.guidancesoftware.com/html/ence.htmhttp://www.guidancesoftware.com/html/ence.htm -
8/2/2019 Cyber Forensics Seminar
40/47
6. Top Cyber Forensics Tools:
forensic is an interesting domain which is coupled with technical advances and
the ability to use them effectively. Cyber forensic primarily is used in the investigation of
cyber crimes (i.e., crimes that occur over and on the technology front). However this
need not be the case, since most forensic techniques and tools are also used for
scientific purposes and research. With serious issues like terrorism that threaten the
national integrity of a country it is only wise to learn and know the tools of the trade that
terrorists use against the state. Cyber forensic tools aid not only in investigating crime
cases but also for drafting and creating hard evidences for the same. Let us evaluate
just some of these tools that have been used since long by forensic investigators,
scientists and some notorious elements alike:
6.1 X-Ways WinHex:
WinHex is used as a universal hexadecimal editor and is primarily useful in low-
level data processing, file inspection, digital camera card recovery, recovery of files
even from corrupt files systems, etc. This is one heck of a powerful tool and can
especially be used in gathering digital evidence.
6.2 FirstOnScene (FOS):FOS is the only one tool of its kind. It is rather a visual basic script code than a
executable binary file. First On Scene works with other tools such as PSTools,
LogonSessions, FPort, NTLast, PromiscDetect, FileHasher, etc. to gather an evidence
log report. This log report can further be analyzed by forensic experts to extract
important information.
6.3 Rifiuti:
Rifiuti is a unique tool that aids investigators in finding the very last details of your
system's recycle bin folders. Rifiuti is useful to gather critical information on all your
delete and undelete activities.
6.4 Pasco:
-
8/2/2019 Cyber Forensics Seminar
41/47
Pasco is a Latin word for "browse". Pasco helps in the analysis of the contents of
internet explorer's cache. So in short it can be particularly useful to gather internet
activity records from a target computer.
6.5 Galleta:
Galleta is a Spanish word that means "cookie". Galleta is useful in examining the
contents of cookie files on your machine. Cookie files are basically temporary internet
files used by websites to maintain their indigenous logs for tracking and other such
purposes.
6.6 Forensic Acquisition Utilities (FAU):
Forensic Acquisition Utilities is a set of forensic tools such as md5 checker, filewiper, etc. used for assorted purposes in research and investigation.
6.7 NMap:
NMap is particularly associated with network security. NMap is a port scanner
tool that helps find open ports on a remote machine. What separates NMap from other
tools is its ability to evade source machine identity and to work without causing any
Intrusion Detection System (IDS) alarms to go of.
6.8 Ethereal:
Ethereal is another network security tool which is not a port scanner but rather a
network packet sniffer. Ethereal sniffs data packets over the network and can provide
investigators with incoming/outgoing data that is sent over a network. However, ethereal
itself cannot be useful in cases where strong encryption algorithms are in place at the
source and destination computers.
6.9 BinText:
BinText does not directly investigate but can be useful to browse through
gathered evidence files such as that of log files generated by other forensic tools.
BinText can be used for pattern matching and filtering these log files.
-
8/2/2019 Cyber Forensics Seminar
42/47
6.10 PyFlag Tools:
PyFlag are a couple of tools used for log analysis and can be a very effective tool
for investigators if coupled and used with other forensic tools.
7. Anti forensics Techniques:
Anti-forensic techniques try to frustrate forensic investigators and
their techniques. This can include refusing to run when debugging mode is enabled,
refusing to run when running inside of a virtual machine, or deliberately overwriting data.
Although some anti-forensic tools have legitimate purposes, such as overwriting
sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.
Secure Data Deletion
Securely deleting data, so that it cannot be restored with forensic methods.
Overwriting programs typically operate in one of three modes:
1. The program can overwrite the entire media.
2. The program can attempt to overwrite individual files. This task is complicated by
journaling file systems: the file itself may be overwritten, but portions may be left
in the journal.
3. The program can attempt to overwrite files that were previously deleted but left
on the drive. Programs typically do this by creating one or more files on themedia and then writing to these files until no free space remains, taking special
measures to erase small files for example, files that exist entirely within the
Windows Master File Table of an NTFS partition (Garfinkel and Malan, 2005).
http://www.forensicswiki.org/w/index.php?title=Forensic_investigator&action=edit&redlink=1http://www.forensicswiki.org/wiki/Techniqueshttp://www.forensicswiki.org/w/index.php?title=Debugging&action=edit&redlink=1http://www.forensicswiki.org/wiki/Toolshttp://www.forensicswiki.org/w/index.php?title=Secure_data_deletion&action=edit&redlink=1http://www.forensicswiki.org/w/index.php?title=Secure_data_deletion&action=edit&redlink=1http://www.forensicswiki.org/wiki/Toolshttp://www.forensicswiki.org/w/index.php?title=Debugging&action=edit&redlink=1http://www.forensicswiki.org/wiki/Techniqueshttp://www.forensicswiki.org/w/index.php?title=Forensic_investigator&action=edit&redlink=1 -
8/2/2019 Cyber Forensics Seminar
43/47
-
8/2/2019 Cyber Forensics Seminar
44/47
Preventing Data Creation
Prevent the creation of certain data in the first place. Data which was never
there, obviously cannot be restored with forensic methods.
For example, a partition can be mounted read-only or accessed through the raw
device to prevent the file access times from being updated. The Windows registry key
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
can be set to 1 to disable updating of the last -accessed timestamp; this setting is
default under Windows Vista (Microsoft 2006).
Cryptography, Steganography, and other Data Hiding Approaches
Encrypted Data
Cryptographic file systems transparently encrypt data when it is written to the
disk and decrypt data when it is read back, making the data opaque to any attacker (or
CFT) that does not have the key. These file systems are now readily available for
Windows, Mac OS, and Linux. The key can be protected with a passphrase or stored on
an auxiliary device such as a USB token. If there is no copy of the key, intentionally
destroying the key makes the data stored on the media inaccessible (Boneh and Lipton,
1996). Even if the cryptographic system lacks an intentional sanitization command or
self -destruct, cryptography can still be a potent barrier to forensic analysis if the
cryptographic key is unknown to the examiner.
Cryptography can also be used at the application level. For example, Microsoft
Word can be configured to encrypt the contents of a document by specifying that the
document has a password to open. Although older versions of Microsoft Word
encrypted documents with a 40-bit key that can be cracked with commercial tools,
modern versions can optionally use a 128-bit encryption that is uncrackable if a secure
passphrase is used.
-
8/2/2019 Cyber Forensics Seminar
45/47
Encrypted Network Protocols
Network traffic can likewise be encrypted to protect its content from forensic
analysis. Cryptographic encapsulation protocols such as SSL and SSH only protect the
content of the traffic. Protecting against traffic analysis requires the use ofintermediaries. Onion Routing (Goldschlag, Reed and Syverson, 1999) combines both
approaches with multiple layers of encryption, so that no intermediary knows both ends
of the communication and the plaintext content .
Program Packers
Packers are commonly used by attackers so that attack tools will not be subject
to reverse engineering or detection by scanning. Packers such as PECompact (Bitsum2006) and Burneye (Vrba 2004) will take a second program, compress and/or encrypt it,
and wrap it with a suitable extractor. Packers can also incorporate active protection
against debugging or reverse engineering techniques. For example, Shiva will exit if its
process is being traced; if the process is not being traced, it will create a second
process, and the two processes will then trace each other, since each process on a
Unix system may only be traced by one other process. (Mehta and Clowes, 2003)
Packed programs that require a password in order to be run can be as strong astheir encryption and password. However, the programs are vulnerable at runtime.
Burndump is a loadable kernel module (LKM) that automatically detects when a
Burneye-protected file is run, waits for the program to be decrypted, and then writes the
raw, unprotected binary to another location (ByteRage 2002). Packed programs are
also vulnerable to static analysis if no password is required (Eagle 2003).
Steganography
Steganography can be used to embed encrypted data in a cover text to avoid
detection. Steghide embeds text in JPEG, MBP, MP3, WAV and AU files (Hetzl 2002).
Hydan exploits redundancy in the x86 instruction set; it can encode roughly 1 byte per
110 (El-Khalil 2004). Stegdetect (Provos 2004) can detect some forms of
steganography.
http://www.forensicswiki.org/wiki/SSL_forensicshttp://www.forensicswiki.org/wiki/SSL_forensics -
8/2/2019 Cyber Forensics Seminar
46/47
StegFS hides encrypted data in the unused blocks of a Linux ext2 file system,
making the data look like a partition in which unused blocks have recently been
overwritten with random bytes using some disk wiping tool (McDonald and Kuhn,
2003).
FreeOTFE and TrueCrypt allow a second encrypted file system to be hidden
within another encrypted file system. The goal of this filesystem-within-a-filesystem is to
allow the users to have a decoy file system with data that is interesting but not overtly
sensitive. A person who is arrested or captured with a laptop encrypted using this
software could then give up the first file system s password, with the hope that the
decoy would be sufficient to satisfy the person s interrogators.
Generic Data Hiding
Data can also be hidden in unallocated or otherwise unreachable locations that
are ignored by the current generation of forensic tools.
http://www.forensicswiki.org/wiki/FreeOTFEhttp://www.forensicswiki.org/wiki/TrueCrypthttp://www.forensicswiki.org/wiki/TrueCrypthttp://www.forensicswiki.org/wiki/FreeOTFE -
8/2/2019 Cyber Forensics Seminar
47/47
Metasploit s Slack er will hide data within the slack space of FAT or NTFS file
system. FragFS hides data within the NTFS Master File Table. RuneFS (Grugq 2003)
stores data in bad blocks. (Thompson and Monroe, 2006). Waffen FS stores data in the
ext3 journal file (Eckstein and Jahnke 2005). KY FS stores data in directories (Grugq
2003). Data Mule FS stores data in inode reserved space (Grugq 2003). It is also
possible to store information in the unallocated pages of Microsoft Office files.
Information can be stored in the Host Protected Area (HPA) and the Device
Configuration Overlay (DCO) areas of modern ATA hard drives. Data in the HPA and
DCO is not visible to the BIOS or operating system, although it can be extracted with
special tools.
http://www.forensicswiki.org/wiki/DCO_and_HPAhttp://www.forensicswiki.org/wiki/DCO_and_HPAhttp://www.forensicswiki.org/wiki/DCO_and_HPAhttp://www.forensicswiki.org/wiki/DCO_and_HPAhttp://www.forensicswiki.org/wiki/DCO_and_HPAhttp://www.forensicswiki.org/wiki/DCO_and_HPA