Cyber Forensics
munotes.in

Unit Structure
1.0 Objectives
1.1 Introduction
1.2 An Overview
1.2.1 Types of computer forensics
1.2.2 Advantages of computer forensics
1.2.3 Disadvantages of computer forensics
1.3 Present Scenario
1.3.1 Need of computer forensics
1.3.2 Computer Forensics Versus Other Related Disciplines
1.4 The Investigation Process
1.4.1 Policy and Procedure Development
1.4.2 Evidence Assessment
1.4.3 Evidence Acquisition
1.4.4 Evidence Examination
1.4.5 Documenting and Reporting

1.0 OBJECTIVES

This chapter will help you understand the following concepts:
■ To define computer forensics.
■ To understand the role of the forensic investigator.
■ To guide you toward becoming a skilled computer forensics investigator.
■ To understand the investigation process in computer forensics.
■ To understand how to investigate using cyber forensics standard operating procedures.

1.1 INTRODUCTION

From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyse data in a way that preserves the integrity of the evidence collected, so that it can be used effectively in a legal case. The objective of computer forensics is to recover, analyse and present computer-based material in such a way that it is usable as evidence in a court of law. Its priorities are primarily forensic procedures, the rules for maintaining evidence, and following the legal process; only secondarily is it concerned with computers. Computer evidence can be useful in criminal cases, civil disputes, and human resources or employment proceedings. Computer crime has forced the computing and law enforcement professions to develop new areas of expertise and new avenues for collecting and analysing evidence. The process of acquiring, examining and applying digital evidence is crucial to the success of prosecuting a cyber-criminal. An example of computer crime: a person sitting in the comfort of his home or at a remote site hacks into a bank and transfers millions of dollars to a fictitious account.

Forensic science is defined as the application of the physical sciences to law in the search for truth in civil, criminal and social behavioural matters, to the end that injustice shall not be done to any member of society. Forensic science aims to determine the evidential value of the crime scene and related evidence.

1.2 AN OVERVIEW

1.2.1 Types of Computer Forensics

Computer forensics involves performing a structured investigation while maintaining a documented chain of evidence, in order to find out exactly what happened on a computer and who was responsible for it. Figure 1.1 describes the types of computer forensics.
Figure 1: Computer Forensics types

1. Disk Forensics: extracting data from the primary or auxiliary storage of a device by searching active, modified, or deleted files.
2. Network Forensics: a sub-branch of computer forensics that involves monitoring and analysing a system's network traffic.
3. Database Forensics: the study and examination of databases and their related metadata.
4. Malware Forensics: the identification of suspicious code and the study of viruses, worms, etc.
5. Email Forensics: the recovery and analysis of e-mail, including deleted e-mails, calendars, and contacts.
6. Memory Forensics: collecting data from system memory (system registers, cache, RAM) in raw form and then analysing it for further investigation.
7. Mobile Phone Forensics: the examination and analysis of phones and smartphones; it helps to retrieve contacts, call logs, incoming and outgoing SMS, and other data present on the device.

1.2.2 Advantages of Computer Forensics

■ It produces evidence for the court, which can lead to the punishment of the culprit.
■ It helps businesses gather important information when their computer systems or networks may have been compromised.
■ It efficiently tracks down cyber criminals from anywhere in the world.
■ It helps to protect the organization's money and valuable time.
■ It allows the factual evidence to be extracted, processed, and interpreted, so that the cyber criminal's actions can be proved in court.
1.2.3 Disadvantages of Computer Forensics

■ Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
■ Producing and keeping electronic records safe is expensive.
■ Legal practitioners must have extensive computer knowledge.
■ The evidence produced must be authentic and convincing.
■ If the tool used for digital forensics does not conform to specified standards, the court may reject the evidence.
■ A lack of technical knowledge on the part of the investigating officer may not give the desired result.

1.3 THE PRESENT SCENARIO

1.3.1 Need for Computer Forensics

Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. It helps your organization if you treat computer forensics as a new basic element of your approach to network and computer security. For example, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised, and will help you prosecute the case if the intruder is caught.

What happens if you ignore computer forensics or practice it badly? You risk destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you or your organization may run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected. Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to guard customer data.

Computer forensics is also important because it can save your organization money. International Data Corporation (IDC) reported that the market for intrusion-detection and vulnerability-assessment software would reach 1.45 billion dollars in 2006. In increasing numbers, organizations are deploying network security devices such as intrusion detection systems (IDS), firewalls, proxies, and the like, all of which report on the security status of networks. From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyse data in a way that preserves the integrity of the evidence collected, so that it can be used effectively in a legal case.
1.3.2 Computer Forensics Versus Other Related Disciplines

In general, computer forensics investigates data that can be retrieved from a computer's hard drive or other storage media. Like an archaeologist excavating a site, computer investigators retrieve information from a computer or its component parts. The information you retrieve might already be on the drive, but it may not be easy to find or decipher. In contrast, network forensics yields information about how a perpetrator or attacker gained access to a network. Network forensics investigators use log files to determine when users logged on, which URLs they accessed, how they logged on to the network, and from what location. Network forensics also tries to determine what tracks or new files were left behind on a victim's computer and what changes were made.

1.4 THE INVESTIGATION PROCESS

When conducting public computer investigations, you need to understand city, county, state and federal or national computer crime laws, the standard legal processes, and how to build a criminal case. In criminal cases the suspect is tried for a criminal offense, such as burglary, murder, molestation, or fraud. To determine whether there was a computer crime, an investigator asks questions such as the following:
■ What was the tool used to commit the crime?
■ Was it a simple trespass?
■ Was it a theft, a burglary, or vandalism?
■ Did the perpetrator infringe on someone else's rights by cyberstalking or e-mail harassment?

Computers are involved in many serious crimes. The most notorious are those involving the sexual exploitation of minors. Digital images are stored on hard disks, Zip disks, floppy disks, USB drives, removable hard drives, and other storage media, and circulated on the Internet. Other computer crimes concern missing children and adults, because information about missing people is commonly found on computers.

Drug dealers often keep information about transactions on their computers or personal digital assistants (PDAs). This information is very useful because it helps law enforcement officers convict the person they arrested and locate drug suppliers and other dealers. Additionally, digital photos, deleted e-mail and other evidence stored on a computer can help to solve a case. As an investigator you can track digital activity and link it to cyber communications, and you can treat digitally stored information as physical evidence of criminal activity; computer forensics also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future cybercrimes.

There are five critical steps in computer forensics, all of which contribute to a thorough and revealing investigation:
1. Policy and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting

1.4.1 Policy and Procedure Development

Digital evidence related to malicious cyber activity is always delicate and sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can easily be compromised if not properly handled and protected. For this reason, it is critical to establish and follow strict guidelines and procedures for activities associated with computer forensic investigations. Such procedures can include detailed instructions about when computer forensics investigators are authorized to recover potential digital evidence, how to properly prepare systems for evidence retrieval, where to store any retrieved evidence, and how to document these activities to help ensure the authenticity of the data.

1.4.2 Evidence Assessment

In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, employing a variety of methods and approaches to analyse information; these can include using analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that were recently deleted. Data tagged with times and dates is especially useful to investigators, as are suspicious files or programs that are encrypted or intentionally hidden. This can also work in reverse order, as file names usually indicate the directory that houses them. Files located online or on other systems often point to the specific server and computer from which they were uploaded, providing investigators with clues on where the system is located; matching online filenames to a directory on a suspect's hard drive is one method of verifying digital evidence.

At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the nuances of the case, the permissible investigative actions, and what sorts of information can serve as evidence.

1.4.3 Evidence Acquisition

Perhaps the most critical facet of a successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is required before, during, and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. This step is where policies associated with preserving the integrity of potential evidence are most applicable. General guidelines for preserving evidence include the physical removal of storage devices in order to retrieve sensitive data and ensure functionality, and taking appropriate steps to copy and transfer evidence to the investigator's system. Acquiring evidence must be accomplished in a manner that is both deliberate and legal.

1.4.4 Evidence Examination

To investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, employing a variety of methods and approaches to research information; these can include using analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that were recently deleted. Data tagged with times and dates is very useful to investigators, as are suspicious files or programs that are encrypted or intentionally hidden. This can also work in reverse order, as file names usually indicate the directory that houses them. Files located online or on other systems often point to the actual server and computer from which they were uploaded, providing investigators with clues on where the system is located; matching online filenames to a directory on a suspect's drive is one technique for verifying digital evidence. At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the nuances of the case, the permissible investigative actions, and what varieties of information can serve as evidence.

1.4.5 Documenting and Reporting

In addition to fully documenting information associated with hardware and software specifications, computer forensic investigators must keep an accurate record of all activity associated with the investigation, including all methods used for testing system functionality and for retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence.

This also ensures that proper policies and procedures are adhered to by all parties. Because the purpose of the whole process is to acquire data that can be presented as evidence in a court of law, an investigator's failure to accurately document his or her process could compromise the validity of that evidence and ultimately the case itself. For computer forensic investigators, every case should be accounted for in a digital format and saved in properly designated archives. This supports the authenticity of any findings by allowing these cybersecurity experts to show exactly when, where, and how evidence was recovered. It also provides information about the evidence by matching the investigator's digitally recorded documentation to the dates and times when this data was accessed by potential suspects via external sources.
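Sections 1.4.3 and 1.4.5 ask for a bit-for-bit copy of the evidence, a record of the hardware and software involved, and documentation that lets the examiner show later that nothing changed. The following is an added example written for this chapter, not code from the course text; it acquires a constructed "device" (a byte string written to a temporary file) into an image, hashes source and image with SHA-256, writes an acquisition record, and shows that a single altered byte in the image is detected on re-verification. The examiner name, tool name, device specifications and file names are placeholders.

```python
"""Evidence acquisition with integrity verification and an acquisition record.

Added example for this chapter, not code from the course text. The examiner
name, tool name, device specifications and file names are constructed
placeholders; the 'device' is a byte string written to a temporary file.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not fill memory


def sha256_file(path: Path) -> str:
    """Hash a file in chunks; the same routine is used for source and image."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: Path, image: Path, record_path: Path, examiner: str, specs: dict) -> dict:
    """Copy source bit-for-bit to image, hash both, and write the acquisition record."""
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    # The source is opened read-only; nothing is ever written back to it.
    with source.open("rb") as src, image.open("wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    record = {
        "examiner": examiner,
        "acquisition_started": started,
        "acquisition_finished": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "specs": specs,  # hardware/software details the text says must be recorded
        "source": str(source),
        "image": str(image),
        "source_sha256": sha256_file(source),
        "image_sha256": sha256_file(image),
        "image_bytes": image.stat().st_size,
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    record_path.write_text(json.dumps(record, indent=2))
    return record


def verify_image(image: Path, record_path: Path) -> bool:
    """Re-hash the image later and compare it with the hash fixed at acquisition time."""
    record = json.loads(record_path.read_text())
    return sha256_file(image) == record["image_sha256"]


def demo() -> dict:
    """Acquire a constructed device, verify it, then show that a one-byte change is detected."""
    work = Path(tempfile.mkdtemp(prefix="acq_demo_"))
    device = work / "constructed_device.bin"
    device.write_bytes(b"MBR" + bytes(range(256)) * 64 + b"constructed evidence data")
    specs = {  # constructed placeholder values, not real equipment
        "suspect_system": "workstation-PLACEHOLDER",
        "device_model": "PLACEHOLDER-SSD-64GB",
        "write_blocker": "PLACEHOLDER-WB",
        "imaging_tool": "acquire.py (example)",
    }
    record = acquire(device, work / "evidence.img", work / "acquisition.json",
                     "Examiner PLACEHOLDER", specs)
    intact = verify_image(work / "evidence.img", work / "acquisition.json")
    # Simulate tampering with the image copy: flip one byte, then re-verify.
    data = bytearray((work / "evidence.img").read_bytes())
    data[100] ^= 0xFF
    (work / "evidence.img").write_bytes(data)
    after_tamper = verify_image(work / "evidence.img", work / "acquisition.json")
    return {"record": record, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

In practice the source would be a block device behind a hardware write blocker and the record would also name the tool version and the examiner's signature; the point the example makes is that the hash is fixed at acquisition time and re-checked every time the image is handled, so any later change is provable.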
2 COMPUTERS - SEARCHING AND SEIZING

Unit Structure
2.0 Computers – Searching and Seizing
2.1 Electronic Evidence
2.1.1 Removable Media
2.1.2 Removable Storage Media
2.1.3 Cell phones
2.2 Procedures to be followed by the first responder
2.2.1 The Forensic Process
2.2.2 The First Respondent Role
2.3 Let us Sum Up
2.4 List of References
2.5 Bibliography
2.6 Unit End Exercises

2.0 INTRODUCTION TO COMPUTERS - SEARCHING AND SEIZING

Computers have become a principal means of storing both personal and business information for large numbers of individuals. Additionally, with the increasing use of the Internet and e-mail, many of us use computers as a means of accessing information and communicating with others in both personal and business contexts. People increasingly store and manipulate accounting and business records with computer systems. At the same time, commercially available computerized accounting software has dropped significantly in price and has become increasingly easy to use. At one time, maintaining a detailed and accurate set of accounting records was beyond the ability of all but well trained and experienced professionals. Today, however, persons with little or no accounting or business background are able to competently keep their business and accounting records. The trend is one of greater availability and constantly dropping prices. As this trend continues, we will see increased use of computers by all sectors of the population. Together with the use of computerized record keeping and communication in legitimate enterprise has come the use of the same technology by criminal enterprises in carrying out their activities. As a result of this trend, storage and memory devices have increasingly become the targets of government investigations of criminal activity. The government has used evidence gathered from computers countless times in criminal prosecutions. The methods by which organizations seek to gather evidence from computers, coupled with the limits placed on the state by the US Constitution and the courts, raise critical problems of personal privacy for all citizens who use computers in their daily lives. This chapter discusses the legal issues associated with the search and seizure of computers and outlines the direction the law is taking in this emerging area of inquiry. The government's interest cannot be placed so high that every area of one's personal life becomes the subject of governmental scrutiny.

2.1 ELECTRONIC EVIDENCE

Digital forensics is a rapidly evolving field of forensic study. Its techniques are often used in criminal, civil and administrative proceedings in order to identify, collect, validate, analyze, interpret, document and present digital evidence. Information derived from devices in a way that enables it to be used in a proceeding is called digital evidence. In order to be admissible in a court of law, digital evidence must follow a set of rules. Electronic evidence, also called "digital evidence", is data stored within electronic devices or systems that can be recovered by forensic experts and used as admissible evidence in court. The amount of information generated by devices such as smartphones and computers is vast; as such, a requirement of any investigation is to identify the digital evidence.

Electronic evidence can prove crucial to the outcome of criminal, civil and corporate investigations. Sources of electronic evidence include computers, laptops and tablets, portable data, HDD, RAID and SSD hard drives, USB memory sticks and SD cards, social media information, WhatsApp messages, cloud storage data, digital photographs, CCTV, etc. Data recovered from these devices and applications is considered electronic evidence. However, it is only admissible if recovered using a forensic methodology by an authorized expert. Examples of digital evidence are:

2.1.1 Removable Media

If legally permissible (for example, under a warrant), we want to search anywhere that might contain a piece of storage media. Considering today's "stamp-sized" memory cards, this piece of evidence may be hidden almost anywhere, such as in books, wallets, hat bands, etc. Despite their small size, memory cards can hold a lot of potential evidence, such as child pornography or stolen credit card numbers. A quick check of Amazon.com shows that you can purchase a 64-gigabyte memory card for around $120. Gigabytes (GB) are fairly abstract for many people. Rather than using a standard unit of data storage.

2.1.2 Removable Storage Media

Removable storage media include external hard drives, DVDs, thumb drives, and memory cards. Apart from the devices and storage media at the scene, the surrounding area and items are also worth a look during the investigation. For example, books and manuals can help investigators identify the target and what kind of technology they may be up against. Perhaps the biggest payoff is an alert to the possible use of encryption. Discarded packaging in the trash can also be helpful. Any forensic examiner will agree that avoiding encryption is definitely worth the trouble.

2.1.3 Cell Phones

These days almost everyone has a cell phone, and they often contain very valuable evidence. E-mail, call logs, contacts and text messages are examples of what you can recover. Items such as call logs and contacts can be used to determine the last person to come into contact with a murder victim, or to determine approximate locations. As with other electronic devices, it is important to make no changes to the device or its storage media. Therefore, interacting with the phone should be avoided unless absolutely necessary. Cell phones are vulnerable because they can be wiped by the cell provider or even by the owner. This functionality is intended to protect your data should you lose your phone or have it stolen; Apple's "Find My Phone" app is one notable example. We must address this concern by isolating or shielding the phone as soon as possible. After securing the evidence, a survey of the scene will give investigators an accurate sense of what lies ahead. Several questions need to be answered:
■ What kinds of devices are present?
■ How many devices are we dealing with?
■ Are any of the devices running?
■ What tools will be needed?
■ Do we have the necessary expertise on hand?
Once these questions are answered, the real work begins.
2.2 PROCEDURES TO BE FOLLOWED BY THE FIRST RESPONDER

Imagine if we could go back in time and examine some of the most famous crimes. If only we could freeze time at the moment those crimes took place, we would be able to examine each case with near-perfect evidence. In the world of computer forensics investigation, we almost have that luxury. The first response is the most crucial part of a computer crime investigation. If done correctly, with forensically sound practices, it is a solid building block for any investigation.

2.2.1 The Forensic Process

Every incident should be treated as if it will end up in court. This is why the forensic process should be followed for every incident. The forensic process includes, but is not limited to, preparation, collection, examination, analysis, and reporting (see Figure 15.5). Each phase feeds the next phase in the process. The first responder is an integral part of the collection phase.

Figure 2: The forensic process

1. Preparation
Prior planning and preparation prevent poor performance. An organization should come up with policies and procedures to support the forensic process. Software licensing is a major consideration, because law enforcement cannot use evidence collected with pirated software. There should be an organized life cycle, supported by emerging technologies, for the personnel working on collection, examination, analysis, and reporting. This ensures that the organization's forensic practice is scalable for emerging issues and technology.

2. Collection
The collection phase of forensics is the very first phase; in this phase first responders handle incidents. As mentioned before, the collection phase is critical to any investigation. The first responder should minimize any loss of electronic evidence (see the Damage & Defence sidebar for a definition of electronic evidence). The required procedures need to be completed by the first responder. All collected data should be verified and hashed for integrity. Although it is impossible to list all forms of electronic devices that may hold evidence, Table 1 lists several types of devices and media and the evidence that each of these devices contains. Because of the volatile nature of electronic devices, responders must be careful in order to maintain the integrity of the evidence.

Table 1: Devices and Media

Device or Media              | Potential Evidence
Computer System              | Computer files, video, audio, e-mail, images
Network Traffic Sniffers     | Binary log captures
Switches                     | MAC address, security violation logs
Firewalls                    | Logs, ACLs, configuration information
Servers                      | Computer files
Routers                      | Logs, ACLs, routing tables
MP3 Players                  | Computer files, video and audio records
Digital Video Recorders (DVR)| Computer files, video, audio
Smart Cards                  | Identification, credentials, access information
Smart Phones                 | Computer files, video, audio, e-mail, images, notes, contacts
Memory Cards                 | Computer files, video, audio

3. Examination
During the examination phase, forensic practitioners perform a holistic examination of the evidence collected by the first responders. Contrary to popular belief, the forensic practitioner's function is to take an impartial look at the evidence provided to them. The examiner tries to detect hidden, obscured, and encrypted data. The forensic practitioner should provide an unbiased examination report.

4. Analysis
The analysis phase is used to determine the who, what, when, and where of an incident. The evidence is scrutinized to determine its value to a case. At this stage, it may be determined that there is nothing of evidentiary value.
5. Reporting
The examination report should contain only information relevant to the requested services. All procedures used and notes taken during the examination are preserved for discovery and testimony. The examiner must articulate the findings.

2.2.2 First Responder Roles

Identifying and understanding the roles of first responders are crucial steps in the development of an incident response program. The first responders are just that: the first members to identify and address an incident. More often than not, they are system and network administrators who are not trained in forensics. This is why it is crucial for an organization to have policies and procedures in place, so that responders have a written guideline to follow for every type of incident, know what not to do, and know whom to contact before contaminating evidence. The team should include representatives from legal counsel and Human Resources. They should be consulted on all policies and procedures before implementation. Additionally, their expertise is invaluable once the information is collected and examined. These may be considered liaison roles in some organizations (e.g., legal counsel would not likely be a member of the forensic incident response team; however, they are a necessary component of the complete process).

1. System Administrator
System administrators are of great importance to any computer crime investigation. It is the system administrator who discovers anomalies during daily operations. Most of the time, system administrators are more concerned with system availability than with forensic practices. It is important that all organizations and agencies train their system administrators on incident response procedures. During a response, the system administrator can provide system configuration, logs, and other critical information.

2. Forensics Personnel
Forensics personnel are the ideal personnel to respond to a suspected incident. Forensics personnel are trained to preserve and collect electronic evidence in a crime investigation. They usually have a variety of tools and software to offer network administrators who suspect their systems are compromised. The role of forensics personnel is to provide an unbiased forensic analysis to determine the evidentiary value of electronic evidence.

3. Non-forensics Personnel
Since computers are part of everyone's home and work environment, anyone can be a first responder. Organizational management should take steps to ensure that all personnel are aware of what steps to take should an incident occur. Training should be given to inform all non-forensics personnel of the policy, to ensure that incidents can be processed with forensic practice. Figure 15.8 shows the FCC's Computer Security Incident Form. This type of form should be available to all organizations to record accurate and detailed information about computer system incidents.

Figure 3: FCC Computer System Incident Report Form

4. Securing the Electronic Crime Scene
The number one rule of incident response is to preserve as much evidence as possible. It is important to quickly establish a cordial relationship to achieve maximum cooperation from personnel, especially management, within the response environment. Management typically assigns someone as the DAA who will work with the incident responder on making decisions affecting the organization's assets. The responder should work efficiently and document all events that occur. The responder should immediately start taking notes with dates and times, using a known and trusted time source, such as a cellular phone. All of your actions, including your notes, are subject to discovery in a criminal case.
Page 15
Computers – Searching and Seizing
15 Initially the responder should take steps to secure the protection of all personnel present. Generally, no pe rsonnel should be ready to take materials off from the crime scene. it's important to treat other areas outside the proximity of a workstation as against the law scene. Once the realm is secured from all personnel, the responder can proceed with collection . If you're responding to an unfamiliar environment, as is that the case with many enforcement and company investigators, you may need some help. 5. Health and Safety Personnel: In incident response, it important to remember the safety of every individual is involved and should me on first priority.In some cases due to some high -pressure situation this is forgotten but it should not. Due to the nature of “electronic” evidence, to take care of this evidence is important. In this case there are natural causes f or concern. It is in everyone’s best interest to preserve personnel as well as electronic evidence. Some safety items to consider are: ■ Unplug the power before working on internal components ■ Some equipment may hold an electric charge after unplugging ■ Liquids and electricity ■ Beware of dangerous radio waves (i.e., microwave transmissions) ■ Lasers components on equipment could damage eyesight 6. Collecting and Preserving Evidence: In a business environment, first responders must locate system administr ators or other personnel with knowledge of the pc and network setup. Once the computers involved within the incident are identified, the responder should take an initial examine the workstation to verify if any destructive activity is going on. In many of the cases the suspect may try and cover their tracks purposely by executing utilities which will destroy electronic evidence. If a happening responder notices such behaviour, they must immediately pull the plug on the equipment. 7. Identifying Potential Evid ence The responder should rummage around for all identifying markings on the system. 
The simplest information to get is a serial number. If a serial number is not present, the responder should record all possible identifying properties of the equipment. When seizing computers, all connections are labelled for reassembly at a forensics lab. All of the cables and the corresponding ports should be labelled.

8. Collecting Volatile Data: When the first responder arrives, they will try to collect volatile data from the powered-on machine. Volatile data is information that is only present while the machine is turned on. If a network intrusion has occurred, the attacker may still have connections established. Many organizations have their own trusted toolset that they use for collecting volatile data. Once you have collected volatile data, you should hash the files and record the hash values in your notes. All collected data must be placed on forensically clean media. The netcat tool is often used to collect volatile data over a network.

9. The Initial Interview: First responders must use the initial interview to get information that will not be available in the future. System administrators and potential suspects may be willing to offer up more information in an initial interview. If information is stored in notes, it may be retrieved for later testimony and examination. The following is some of the information you should try to collect during an initial interview:
■ Signed statements
■ Owner information
■ All users
■ Contact information
■ Passwords
■ Encryption keys
■ Internet aliases
■ E-mail addresses
■ Internet Service Provider (ISP)
■ Purpose of the system
■ Remote backups or storage
■ Media storage
■ Removable media

10. Documenting the Electronic Crime Scene: Documenting the crime scene must be done meticulously. This process creates a chronicle of the crime scene. Each crime scene tells a story. When first responders document a crime scene, they should take 360-degree pictures of the whole room and any rooms associated with the crime. If a video camera is available, it should be used as well. Pictures of the active programs should be taken to help profile the user.

11. Evidence Collection Tools and Equipment: As part of the preparation phase, organizations should have a toolkit ready for action. In short, first responders must be prepared for any situation. With the vast amount of equipment available today, it is best to plan for versatility. Rather than taking four different card readers for non-volatile storage imaging, take one multi-card reader. A number of the tools in the following list should be included in the response toolkit.

Computers – Searching and Seizing

12. Chain of Custody: To ensure the integrity of electronic evidence, a chain of custody should be established. The chain of custody should be documented in writing to include all handlers from seizure, transfer, storage, examination, analysis, and disposition of electronic evidence, and must comply with corporate, local, state, national, and international jurisdictions and any other applicable policies. Once the evidence is collected, it must be accounted for in documents during every stage of the investigation. Evidence is thrown out in court if it is not handled properly. This form covers the key needs of most chain-of-custody cases. Each organization should create forms and chain-of-custody procedures specific to it. The standard chain-of-custody form should include the case number, evidence details, handler names, signatures, dates, and relevant location information.

13. Transporting Electronic Evidence: The delicate nature of the equipment requires extra attention. When leaving a scene, electronic evidence must always be packed and labelled together with the chain-of-custody forms. Ideally, electronic media should be placed in an anti-static bag and then wrapped in anti-static wrap or bubble wrap. First responders should transport the material in sturdy boxes or cases until arriving at a designated evidence room. Once the material arrives safely at the evidence room, the chain-of-custody documents can be appropriately completed and turned over to the evidence custodian. If acceptable to your organization, you can use mail services to move evidence. It is important to consider the environment in which the devices are placed.
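Steps 8 and 12 above ask the responder to hash collected files, record the hash values, and keep a written chain of custody listing case number, handlers, dates and locations. The following Python script is an added example, not code from the original text or from the CHFI guide it draws on, that puts the two together: every handling event records the evidence hash and the hash of the previous entry, so an edited log entry or a modified evidence file is detected at verification time. The case number, item id, handler names and the sample netstat line are constructed placeholders.

```python
"""
Added example, not part of the original text: hash each collected file with
SHA-256 and keep a chain-of-custody log whose entries are linked by hash, so a
later edit to an entry or to the evidence itself is detectable.
Case number, item id, handler names and file contents are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value carried by the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large captures hash without being loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry):
    """Hash of an entry's fields (excluding its own digest) in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, case_number, item_id, description, path, handler, location):
        self.case_number, self.item_id = case_number, item_id
        self.description, self.path = description, path
        self.acquisition_hash = sha256_file(path)  # recorded once, at seizure
        self.entries = []
        self.append("acquired", handler, location)

    def append(self, action, handler, location, when=None):
        """Record a handling event carrying the evidence hash and the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "case_number": self.case_number, "item_id": self.item_id,
            "description": self.description, "action": action,
            "handler": handler, "location": location,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": sha256_file(self.path),
            "previous_entry_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, reason) after checking the chain, each entry's digest and the evidence file."""
        prev = GENESIS
        for e in self.entries:
            if e["previous_entry_hash"] != prev:
                return False, "broken chain at " + e["action"]
            if entry_digest(e) != e["entry_hash"]:
                return False, "tampered entry at " + e["action"]
            if e["evidence_sha256"] != self.acquisition_hash:
                return False, "evidence hash changed at " + e["action"]
            prev = e["entry_hash"]
        if sha256_file(self.path) != self.acquisition_hash:
            return False, "evidence modified since acquisition"
        return True, "ok"


def demo():
    """Walk one item through seizure and transfer, then show both kinds of tampering being caught."""
    with tempfile.TemporaryDirectory() as d:
        capture = os.path.join(d, "netstat_output.txt")
        with open(capture, "wb") as f:  # constructed sample of volatile data
            f.write(b"tcp 0 0 10.0.0.5:445 10.0.0.9:51322 ESTABLISHED\n")
        log = CustodyLog("CASE-0000 (placeholder)", "ITEM-01", "volatile data: netstat output",
                         capture, handler="first responder (placeholder)", location="scene")
        log.append("transfer", "evidence custodian (placeholder)", "evidence room")
        ok_clean, _ = log.verify()
        original = log.entries[1]["handler"]
        log.entries[1]["handler"] = "someone else"   # edit a log entry after the fact
        ok_log, why_log = log.verify()
        log.entries[1]["handler"] = original         # restore the log
        with open(capture, "ab") as f:               # modify the evidence file
            f.write(b"tampered\n")
        ok_file, why_file = log.verify()
        return ok_clean, why_log, why_file


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is fixed at seizure and every later entry must repeat it, so the log records not only who held the item and when, but also that the item was the same bytes at each hand-over; the per-entry digest and the link to the previous entry are what make a retroactive edit to the form visible, which is the property an ink signature provides on a paper form.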
Electronic evidence is at risk of damage by extreme cold or heat. If you are transporting evidence by vehicle or air delivery, you should consider the temperature extremes of each environment.

2.3 LET US SUM UP
The objectives of computer forensics are to identify the evidence quickly, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator. Adding the ability to practise sound computer forensics will help you ensure the integrity and survivability of your network infrastructure. In addition to establishing strict procedures for forensic processes, cyber security divisions must also set forth rules of governance for all other digital activity within a company. This will be essential to protecting the data infrastructure of law enforcement agencies as well as other organizations.

2.4 LIST OF REFERENCES
The Official CHFI Study Guide (Exam 312-49) by Dave Kleiman, Craig Wright, Jesse
Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008
https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations
https://cyfor.co.uk/the-importance-of-electronic-evidence/
https://resources.infosecinstitute.com/topic/computer-forensics-digital-evidence/

2.5 BIBLIOGRAPHY
Digital Forensics: Advancing Solutions for Today's Escalating Cybercrime, Software Engineering Institute, Carnegie Mellon University
Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, John Sammons
Forensics Information from CERT http://www.cert.org/forensics/
https://us-cert.cisa.gov/sites/default/files/publications/forensics.pdf
https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations

2.6 UNIT END EXERCISES
1. The ____________ is a debugger and exploration tool. a. backtrack b. Netcat c. tcpdump d. Netdog
2. The ___________can be any information stored or transmitted in digital form. a. Chain of custody b. Digital evidence c. Forensic evidence d. Pendrive
3. Computer forensic evidence is also considered as ____________. a. Data b. Hearsay c. Chain of custody d. Information
4. Metadata is a ____________. a. Data about record b. Information/data about data c. Information stored in record d. Information itself
5. The general task of investigators includes identifying digital information or artifacts that can be used as ____________. a. Case study b. Chain of custody c. Physical document d. Evidence
6. The process of gathering possible information for a target computer system is called as ___________. a. Fingerprinting b. 3D printing c. Data printing d. Foot printing
7. Which of these techniques is used by a password recovery tool? a. Brute-force attack b. Dictionary attack c. Hybrid attack d. Denial of service
8. Evidence that exonerates or diminishes the defendant's liability is called as ____________. a. exculpatory b. plaintiff c. inculpatory d. rebuttal
9. The primary storage in a personal computer is ____________. a. hard disk drive b. zip disk c. USB drive d. NIC
10. PDA stands for ___________. a. Personal digital assistants b. Private digital assistants c. Personal data assistants d. Personal digital action

3 SETTING UP A COMPUTER FORENSICS LAB
Unit Structure
3.0 Objectives
3.1 Introduction
3.2 Setting up a lab for Computer Forensics
3.2.1 Computer Forensic Lab
3.2.2 Laboratory Strategic Planning for Business
3.2.3 Elements of facilities build-out
3.2.4 Electrical and Power Plant Considerations
3.2.5 Essential Laboratory Tools
3.3 Hard Disks and File Systems
3.3.1 Overview of a Hard disk
3.3.2 Hard Disk Interfaces
3.3.3 Filesystems
3.4 Let us Sum Up
3.5 List of References
3.6 Bibliography
3.7 Unit End Exercises

3.0 OBJECTIVES
After studying this unit, you will be able to:
understand and evaluate a plan for setting up a cyber forensic laboratory.
classify the different factors to be considered for performing digital forensics.
state and explain the different types of files and hard disk drives.
3.1 INTRODUCTION
Performing digital forensics by collecting and processing evidence while maintaining its integrity, that is, without letting the original data be tampered with, is a major concern. Hence, before the forensic investigation of any scenario, certain criteria need to be fulfilled: computer forensic laboratories with physical as well as virtual security, systems provisioned with appropriate application software and tools, and the configuration of appropriate hard disks and file systems so that evidence can be collected without modification.

3.2 SETTING UP A LAB FOR COMPUTER FORENSICS
3.2.1 Computer Forensic Lab
The entire field of data analysis and investigation has evolved around malicious intent in the digital realm. Technologies including laptops, desktops, cell phones, and the internet have certainly increased individual productivity and creativity; simultaneously, they are also being used to violate the law or to cause harm to an organization. Thus, such scenarios need to be evaluated by corporate investigators and law enforcement officers through the phases of identifying, recovering, analyzing, and reporting on the digital facts. There is an increasing requirement for expert forensic examiners as well as forensic investigation facilities.

3.2.2 Laboratory Strategic Planning for Business
Factors to be considered for the strategic planning of a laboratory for business may include:
a. Philosophy of Operation
Each data forensic implementation involves four core modes of operation; that is, the operating philosophies of forensic implementations will be similar whether for an individual practitioner or a government-based investigative arm. The four core areas of operation are business operations, technology venue, scientific practice, and the artistic expression domain.
A computer forensic initiative should pursue business practices, function through high technologies, and must foster a creative vision while technologically solving the investigation case.
b. Core Mission and Services
During the design planning of a forensic facility, it is important to consider the type of services and the level of scope or scale at which the services are to be provided. Determining the core mission and the scope of the service at the prospective laboratory will help analyze the aspects of building and operating the forensic facility and of selecting the annual budget for equipment or furniture ergonomics. Depending on the service scope, a laboratory can be designed within a single room or an entire building, with experts executing their multiple domain-specific tasks in each of several geographic regions. A law enforcement agency will focus on violations of criminal statutes, a governmental agency on civil litigation, and a commercial venture on defining service package details and on a market that packages services to multiple audiences.
c. Revenue Definition
Effectively addressing the five W's (who, what, when, where, why) of a business plan determines the plan's completeness from conceptual theory to execution. Implement a minimum five-year strategic plan for successful growth, based on the realistic environment in which the facility resides and to which the facility will respond. Define milestones to achieve and follow a growth track. Ultimately, the implemented budget needs to serve the facility's needs in the strategic vision of both actual operation and realization. Every forensic facility initiative requires funds to work, whether for law enforcement, corporate, or for-profit purposes.
d. SOP
Policy and procedure execution, whether applied at the strategic, daily operations, or process-specific level, will eventually be the measure of operational excellence by which the caliber of a data forensic laboratory (and of the product the laboratory generates) is defined. An SOP should be determined and defined during the planning stages of the laboratory design so that valid and objective electronic evidence can be presented in a court of law.
The laboratory should function at a highly professional standard, with employees behaving professionally as well as ethically and executing their tasks systematically. Thus, a testable, repeatable procedure that generates predictable and accurate results should be adopted. Evidence integrity must be maintained against attacks such as data spoliation. Thus, robust policies need to be determined for procedure implementation. The phases of data analysis, that is, the Digital Investigations Standard Operating Procedure (SOP), are as follows:
o Request for Services
o Initial Analysis
o Data Collection
o Data Analysis
o Data Reporting
e. Human Talent
A forensic examination environment and a good hardware purchasing plan alone will not suffice; human intervention is required. Factors such as experience gathering, knowledge sharing, continual education, and investment in human resources development are mandatory for a successful data forensic laboratory.

3.2.3 Elements of Facilities Build-out
Elements of facilities build-out denote the budget for constructing and operating the facility, provisioning for normal operations as well as for adverse events or disaster recovery, along with provisioning for future modifications, expansions, and growth. A facility's complexity can be determined based on the scale of implementation and the budget constraint.
Figure 3.1: Simple model of a facilities plan.
I. Space Planning Considerations
For designing the overall layout of a forensic laboratory, the following minimum functional areas should be considered:
a. Administrative area
Consists of office space for personnel involved with the forensic team, comprising project management, executive staff, and investigators, as well as meeting space for internal personnel and clients or private guest areas. Designed to provide enough space with a comfortable environment for customer-based or team meetings. It can be considered a private space for confidential calls or conversations and for corporate communication.
b. Examination space
The entire space dedicated to the technical and investigative aspects of the forensic examination process. Technical staff members spend most of their time working on the technical equipment required for the respective examination process. Access to this space should be restricted to relevant personnel, and details of every person entering or exiting the lab space should be logged. Requires plenty of surface area, with dedicated footage per investigator and ample square footage for locating forensic equipment.
c. Evidence storage
Dedicated storage space for storing digital evidence and other evidence items. Should be the most secure environment to access and the most controlled area for any kind of activity or entry within a forensic build-out. The evidence locker should be designed to resist forced or unauthorized entry so that its contents survive any environmental events. Access should be limited to key personnel, that is, a single Custodian of Evidence. Automated security systems should be used to challenge all accessors and to log all accesses. A robust audit methodology should be deployed for complete accuracy of the data being maintained. This ensures that every piece of evidence and its details are known and well documented.
d. Network Facilities
Space where the data network, security, and telecommunication equipment that provisions services to the laboratory space resides.
This space is as important as the evidence storage space and should be protected. The physical elements of data networking and security used for sending or accessing evidence or examination work product should be a dedicated, stand-alone infrastructure; that is, the servers, switches, routers, data cables, and other physical elements serving the forensic space. Inbound or outbound day-to-day business protocols such as corporate e-mail, telephony, internet access, etc. should be provisioned across a different physical network architecture.
II. Fire Protection/Suppression
A forensic laboratory requires a well-designed fire protection plan, based on the standards and ordinances set by the local fire marshal. Fires can be classified based on the material that led to the fire. The plan will be determined by the cost constraints, personnel habitation zones, and the technology venue residing in the space, as well as its impact on the other aspects of the build-out. The ideal fire suppression methods for any forensic facility can be deployed after the data center or disaster recovery plan designs. The five globally accepted classes of fire are:
Class A: Common (solid) combustibles
Class B: Liquids and gases
Class C: Fires involving electricity
Class D: Combustible metals
Class K: Cooking fluids/oils
In a forensic laboratory environment, the most common fire classes are Class A (infrastructure materials) and Class C (electrical wires involving powered-up technology). To address Class A/C hazards, a few options for suppression systems include:
Water dispersion systems (air-pressurized water systems)
o Wet pipe systems
Employ a piping scheme that maintains a constant water load. One of the most cost-effective and lowest-maintenance of all fire-protection options, as they are easy to repair and maintain, with a faster recovery window after activation.
Also has drawbacks: accidental failure or impact damage could lead to water leaks, whether small or large.
o Dry pipe systems
Employ a piping scheme that maintains a pressurized air load, where the pressurized air holds back the liquid flow under normal circumstances. Deployment head events trigger gas release and allow water to flow into the pipes as the gas leaves them. More expensive than wet pipe systems; dry pipes also share the drawbacks of wet pipe systems, in addition to maintenance complexities and higher maintenance costs, though a dry pipe system offers protection from pipes bursting in cold environments.
o Preaction systems
Act as the second level of fire protection implementation to be considered in a facility build-out. A preaction system is a modified dry pipe arrangement; its advantage is the use of two triggers to release the liquid suppressant. An electronic valve acts as the release inhibitor, so water is not held back by gas pressurization. The valve is controlled by a discrete fire sensor; if the valve releases, the pipes fill with liquid and the system then behaves like a wet pipe. Another event must occur at the delivery heads to release the water into the surroundings. Pipe impact damage and head failures pose a lesser threat to the surrounding environment, as the pipes are in a no-load state under normal circumstances. The potential time delay between valve sensor engagement and sprinkler engagement may also benefit the environment, assuming some intervention can resolve a sensor-perceived threat before head discharge. The cost increases from wet pipe to preaction pipe in proportion to the planned facility size, and preaction systems also carry the increased complexity and maintenance disadvantages of dry pipe systems.
o Water Damage
Wet pipe, dry pipe, and preaction systems mostly use water as the liquid suppressant.
In environments with specialized electronics, computer equipment, and evidentiary electronic devices, consideration should be given to the probability of water damage to the evidence or technology during any event. Waterproofing of certain fixtures should be done in an environment where water dispersion is used for fire control; for example, a waterproof fire-rated safe inside the evidence locker for storing evidence is a good preventive measure against the effects of water-based fire suppression systems.
Gaseous suppression (clean agents)
Gaseous suppression systems are also called gas/clean agent or total flooding systems, and provide a high-end option for laboratory fire control. These suppressants function in one of two ways: one group removes heat faster than it is generated during combustion, thus suppressing combustion, while the second group depletes oxygen so that the fire is deprived of it. Gas agent suppression systems are permeable compared to water-based systems and do not leave chemical residues, lowering business recovery costs compared to chemical suppression systems. An important characteristic of these materials is that they are non-conductive; that is, they leave no conductive material behind, making them suitable for electronics-based areas. They are costly to implement and their maintenance tends to be higher. Two main classes of gas agent suppression systems exist:
i. Inert Gas Suppressors
Include several blended gases such as carbon dioxide, argon, and nitrogen. Inert gas suppressors are oxygen reducers, as they displace oxygen and prevent fuel combustion through oxygen deprivation. Pure CO2 suppression should never be used for laboratory fire suppression, as it deoxygenates the air and can prove fatal to people. Inergen and Pro-inert are branded suppressants, argon/nitrogen blends sold with proprietary delivery system deployments. They decompose into natural atmospheric gases and can be used in populated environments. They are also environmentally friendly.
ii. Fluorine Compound Suppressors
Fluorine compound suppressors are used as Halon replacements whenever Halon systems are upgraded. They act as combustion inhibitors, absorbing heat at a very high rate. Examples include branded suppressants such as Novec, FM-200, and FE-227, which can be used in populated environments and are environmentally friendly.
Chemical suppression: Foam, Dry chemicals
Apart from water dispersion and clean agent systems, several options for chemical suppression exist, where most chemical suppression methods require facility investment and increased costs in various areas of the build-out. For example, airtight sealed environments may be required in a few areas when chemical suppression systems are used. Both classes, that is, foam and dry chemical suppression systems, are available but tend to be unsuitable for a populated environment. Thus, such systems cannot be used in a data center facility.

3.2.4 Electrical and Power Plant Considerations
A high-tech facility will require an above-average power supply to run, cool, and stay stable. Thus, the cost of provisioning a forensic facility will be higher than for a regular corporate environment. A standard power provision plan would involve factors such as dedicated water provision and stand-alone power generation facilities along with stand-by fuel resources, HVAC, and site security. Three main categories of requirements need to be assessed in the laboratory build-out:
i. Facility build-out based on the facility load: Electrical demand of all general infrastructure-level technologies such as lighting, emergency lighting, HVAC, security systems, automatic doors/windows, audio/visual implementations, communication systems, corporate equipment, etc.
ii. LAN/WAN load: Any data center or forensic laboratory setting should have independent consideration from a power perspective. Server rooms with LAN provisions need to be implemented to avoid external network issues.
iii. Examination local workspace load: Applies to each individual examiner's workspace as well as the overall examination space, with a per capita requirement that the forensic team demands.
a.
LAN/WAN Planning
The examination environment network components need to be separated from the general corporate network; apart from functional separation there is a need for absolute physical boundaries. If corporate and examination hardware are present in the same server room, then a divider wall or door should be built around the examination architecture, with an extreme limit on human access levels in the physical space. All examination traffic should be routed through dedicated examination networks and servers. Whenever data storage is planned within the laboratory facility, disaster recovery, redundancy, and sustainability concepts and support for large data volumes should be considered. Deployment of physical segregation needs to be optimized. A medium-sized laboratory can encounter tens to hundreds of terabytes of data, leading to significant space requirements within the server room, associated with other high-footprint items such as near-line storage solutions, large tape backup jukeboxes, and others.
b. HVAC
A huge number of computers may lead to massive amounts of BTU generation (British Thermal Units, a standard measure of heat generation). Conservative calculations need to be performed to determine the tons of air conditioning required in spaces where heat-generating equipment resides. Plan for hardware growth and future purchases from the beginning. Fully redundant units in the areas that cool the examination environment technology should be able to carry the entire cooling burden whenever required. Ventilation requirements should be provisioned for spaces being cooled. An active exhaust system can be provided to recover the environment in case a fire event has been suppressed. HVAC units placed above the lab space add security against physical compromise but could also pose a risk in the form of water line breakage or leakage; hence it is important that pipes and pump systems be deployed with a failover system as a countermeasure. HVAC also affects the working environment in ways that should be managed; for example, an AC unit placed above the examination space could create noise pollution in different scenarios.
i. Abatements
In the forensic laboratory, a few factors need to be reviewed and monitored during the planning phase as well as after completion of the build-out.
1. Temperature
Every piece of equipment has a desired operating temperature range. A data center maintains a temperature of around 68-70 degrees F. Hence, temperature stability within the desired ranges is required during equipment failures as well.
Devices such as portable cooling units can be used, but only within a particular optimized range, as temperatures at a low point could lead to electrostatic buildup and discharge in the air.
2. Humidity
A humidity management system should be deployed so that humidity can be measured and controlled within +/-1 percent. Humidity control plays a key role in reducing electrostatic buildup and discharge. During maintenance, various factors such as the tolerance of the equipment to be used in the environment, along with its geographic location, elevation, and so on, should be determined.
ii. Static Electricity
Temperature and humidity are the two key environmental factors for avoiding static electricity issues. Workspace elements include antistatic flooring and drawer linings and actively dissipative counter surfaces, along with grounding of all metal furniture to earth. Anti-static mats, gloves, and sprays should be provided for any operation and for any employee wearing charge-generating fabrics.
iii. Electromagnetic Interference
The electrical plant needs to be planned carefully to reduce electromagnetic field generation in any storage/handling areas. Main power plant components such as transformers need to be guarded wherever required. The evidence locker should be shielded well, and the examination laboratory should also be considered for electromagnetic interference (EMI) shielding. A gauss meter, or a series of them, should be maintained in the functional laboratory space with regular anomaly checks. EMI regulation should be communicated to ISO planning and competency levels for any operation that focuses on electronic data handling.
iv. Acoustic Balancing
Multiple workspaces purposely put white noise into their environments to generate acoustic masking for privacy reasons and to avoid a silent environment. A forensic laboratory may have acoustically reflective surfaces, making surface texture applications, baffling, or other acoustically absorptive abatements necessary.
c. Security
Security is an important concern for any forensic operation. Protocols must be applied to campus-level, environment-level, and object-level access. Video and live surveillance are strongly recommended.
The entire facility should be provisioned with a minimum two-challenge system, such that each entrant has to pass at least one validator at a checkpoint, such as biometric or card swipe, while the other could be an independent manual or automatic validator such as a sign-in security desk or internal security card swipes. Higher-level access control should be applied especially to examination environments, where access should be challenged through dual-point authentication (a two-factor identification methodology) and the access points should be constantly monitored. A physical sign-in or sign-out log needs to be maintained even when a dual-authentication protocol is implemented, as an ink-signature trail could prove useful for independent security audit and review phases.
d. Evidence Locker Security
A locked, fire-rated safe in a locked room, along with hand-written access logs, could be sufficient security for a minimal environment. A shelf-and-cage methodology with a single portal of entry that is key-locked and monitored for access is implemented for evidence storage environments. The build-out of an evidence locker could be expensive and complex, depending on the facility needs and various other factors such as the level of national security. The evidence storage environment has the highest and most restrictive level of access control, where only a single custodian of evidence is granted master access and can execute the chain-of-custody check-ins and check-outs from the locker. Each access should be logged with 100 percent accuracy. Video surveillance of the entry and exit views as well as the storage space should be deployed. A robust alarm should be configured to capture any unauthorized entry through any location around the space. Air ducts should be of a thinner size to prevent human intrusion or objects passing through them. No openings or ventilation should be left open, to avoid unwanted entry or evidence tampering by any means.
e. General Ambience
The environment of a data forensic laboratory should not have any disruptions, with the lab space being a low-foot-traffic environment so that employees can work without disruption. The space should be isolated from other environments and should be well-lit, with personal comfort and positive support in the common area as well as in personal space.
f. Spatial Ergonomics
A data forensic laboratory functions as a warehouse operation. The computer hard disks being examined, the chassis, monitors, and other products require handling and storage.
Other components such as monitors, workstations, servers, and others are very bulky, which makes moving them from evidence lockdown and placing them for work difficult; hence this issue needs to be considered during workspace design. Lumbar harnesses or similar safety equipment should be provided to employees responsible for lifting or carrying tasks.
g. Personal Workspace Design
Every lab inhabitant should have an ample amount of operating space; that is, work surface area, and especially digital work surface area such as monitor footprint, should be abundant. Electric supplies should be robust, and the personal space of every examiner should be considered a mini-laboratory equipped with all the hardware and software needed to perform the investigative task as well as maintain work product. A dedicated investigation platform, an entire kit of write blockers and accessories, a separate system for corporate or business communications, a workspace-level data management system, and a library of reference materials are desired elements for an active personal investigation workspace.
h. Common-Area Considerations
Consider providing many units of technology with multiple sets of write blockers and investigation machines so that various parallel tasks can be conducted. Workspaces should be designed from a template so that multiple individuals can execute the same tasks at the same time in various workspaces, or so that an individual can switch between different stations, thereby managing machine- and time-intensive tasks. Maximum task execution should be organized with minimal foot traffic. Shared resources should be deployed to serve the needs of the staff without causing workflow deadlocks.

3.2.5 Essential Laboratory Tools
I. Write Blockers
Write block methodology and devices are mandatory in a laboratory or field forensic toolkit. Data spoliation, that is, data integrity being tampered with intentionally or accidentally, is a major concern for forensic examiners. Forensic work products should be protected against spoliation, which is considered one of the most common attacks on digital evidence. Whenever an unprotected writable data device is connected to a computer, it leads to change. Volume mounts, computer boot sequences, and other events could modify evidence data store components apart from explicit write events. Thus, methodologies and devices should be deployed by the forensic examination environment to ensure write block capability. A few Windows registry edits can protect USB devices from write events, whereas Linux volumes can be mounted so that the data stores are read-only. Hardware write block devices, namely blockers and forensic bridges, are a major component of the forensic toolkit and have advantages such as portability, ease of use, and function testing.
A few common write-block tools include Tableau, WiebeTech, and Intelligent Computer Solutions DriveLock. Hard-disk technology involves multiple interface types such as IDE, SATA, and SCSI, and different interfaces are integrated to meet the different connectivity needs an investigator encounters. USB and FireWire are among the interface types used to connect external write blockers to examination machines. Forensic bridges can also be permanently installed in workstations; although such an installation is not portable, internal forensic bridges have the advantage of being space-efficient. Write-block technology also supports the examination of non-hard-disk media.
Figure 3.2: Write Blockers

A. Write Block Field Kits

Forensic bridge field kits are part of the forensic laboratory inventory. They are fully functional on an examiner's laboratory desktop and help reduce inventory purchase costs by minimizing the amount of hardware each examiner needs for data acquisition and investigation in diverse environments. Field kits are lightweight, designed to be shock-resistant, and meet air transport criteria, and they are packed with device, adapter, and cabling options to address the unknowns of field work. Example: the Digital Intelligence UltraKit and the Ultimate Forensic Write Protection Kits from Forensic Computers are single-package systems.

Field kits usually also supply a basic multifunction hand toolkit, a bit/driver set, and a digital camera to support other aspects of field work. A good core field kit can be supplemented with cabling, adapters, extra devices, and so on to create a powerful and economical portable laboratory system. Redundant units of heavily used or fragile components such as AC adapters, power cords, and interface cabling are mandatory.
[Figure 3.2 diagram: an evidence hard disk connects through an IDE/SATA connector to the write block device, which connects by FireWire or USB cable to the examination workstation; reads allowed, writes prevented.]
Another level of protection can be added to the examination equipment assembly process, protecting evidence media against damage caused by pilot error, through convenience items like the Tableau in-line power switch (T2). Write-block methodology ensures that original media is protected from any modification during examination and duplication. Example: some field investigation practices require data acquisition by making a forensic duplicate of the original evidentiary materials so that the evidence can be transported to the laboratory environment for analysis. In such cases, the requirement for write blocking is conjoined with the need for a duplication platform.

B. Hardware Duplication Platforms

Multiple handheld and desktop forensic duplication systems are available. The core functions they provide are write-blocking the original evidence media, replicating the data to secondary media, and measuring the accuracy and completeness of the duplication through a measurement criterion such as the MD5 or SHA1 hash algorithm (or both) to ensure that the entire original has been duplicated to the forensic copy; some devices of this class also include reporting capability.

Figure 3.3: Hardware Duplication Devices

[Figure 3.3 diagram: an evidence hard disk connects through an IDE/SATA connector to the duplication device (reads allowed, writes prevented), which writes through IDE/SATA connectors to evidence transport media 1 and evidence transport media 2; a media card input is also shown, along with validation, reporting and hashing.]

Various models are readily available. The Logicube Forensic Talon has a duplication rate of up to 4 GB/minute, offers multiple media adapter kits, and has extensive reporting capability. The Intelligent Computer Solutions ImageMASSter Solo-III forensic duplication device handles several interface types and is capable of writing to output hard drives concurrently. Voom Technologies HardCopy II provides a simple interface and handles IDE hard-disk duplication, and Voom Technologies also produces a SCSI HardCopy for SCSI platform acquisitions. Multiple hardware duplication devices and accessories can be packaged into a field kit such as the DIBS RAID: Rapid Action Imaging Device. Many devices also support output options such as bit-by-bit duplication, acquisition into one or more forensic image formats, and transport media sterilization. Data transfer rates of hardware-based duplication platforms are much faster than those of software-based duplication options. Duplication hardware is considered an important addition to the examiner's toolbox, but duplication tools do not provide an environment in which an examiner can investigate the data being duplicated. Portable forensic computer systems provide the examiner with that investigation environment and so expand the examiner's field capability.

C. Portable Forensic Systems

When the entire investigation process must be taken into the field, a forensic examiner should have access to the protective and duplication tools as well as a completely interactive examination environment. A specialized portable forensic computing system provides the forensic examiner with a highly mobile, equipment-intensive, and methodologically sound platform on which to duplicate digital evidence and analyze it through a complete field examination. "By-hand transport" level portable forensic systems consist of feature-packed laptops or custom suitcase-style workstations; a second tier consists of a class of machines and mini networks that are ruggedized for mobility but are not recommended for day-to-day high mobility. These investigation systems have fast processors, ample memory, and high-volume data storage, optimized for specific forensic software packages. Multiple operating systems can be implemented on one workstation. Each examiner requires a personal field kit inventory that is easy to load into vehicles and to carry on air travel.
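As an added illustration of the verification step the duplication platforms above perform (example code written for this text, not a vendor's implementation or the textbook's own), the following Python program acquires a medium into fixed-size image segments while computing MD5 and SHA1, re-hashes the stored image independently, and re-hashes the source to show it was not altered. The evidence file, the image paths, the 128 KiB segment size and the function names acquire, verify_image and demo are all assumptions made for the example.

```python
"""Hash-verified, segmented forensic duplication (added example, not from the text).

Models the core functions of a hardware duplication platform in software:
the evidence medium is opened read-only and read once, streamed into
fixed-size image segment files, and MD5 and SHA1 are computed as it streams;
the stored image is then re-read and hashed independently, and the source is
hashed again to show it was not altered by the process.
The evidence content, paths and segment size are constructed for illustration.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def hash_stream(chunks):
    """Return (md5, sha1) hex digests over an iterable of byte chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def read_sectors(path, sectors_per_read=64):
    """Yield the medium at `path` in whole-sector chunks through a read-only handle."""
    with open(path, "rb") as media:
        while True:
            chunk = media.read(SECTOR_SIZE * sectors_per_read)
            if not chunk:
                return
            yield chunk


def acquire(evidence_path, image_base, segment_size):
    """Duplicate the evidence into image_base.001, .002, ... segments.

    Each segment holds at most `segment_size` bytes. Returns an acquisition
    record with source hashes (before and after), image hashes and segments.
    """
    segments, seg_file, seg_written = [], None, 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in read_sectors(evidence_path):
        md5.update(chunk)
        sha1.update(chunk)
        pos = 0
        while pos < len(chunk):
            if seg_file is None or seg_written == segment_size:
                if seg_file is not None:
                    seg_file.close()
                seg_path = f"{image_base}.{len(segments) + 1:03d}"
                segments.append(seg_path)
                seg_file, seg_written = open(seg_path, "wb"), 0
            take = min(segment_size - seg_written, len(chunk) - pos)
            seg_file.write(chunk[pos:pos + take])
            seg_written += take
            pos += take
    if seg_file is not None:
        seg_file.close()
    source = (md5.hexdigest(), sha1.hexdigest())
    image = hash_stream(c for seg in segments for c in read_sectors(seg))
    source_after = hash_stream(read_sectors(evidence_path))
    return {
        "source_md5": source[0], "source_sha1": source[1],
        "image_md5": image[0], "image_sha1": image[1],
        "segments": segments,
        "verified": source == image,                 # copy is complete and exact
        "source_unchanged": source == source_after,  # original not altered
    }


def verify_image(segments, expected_md5, expected_sha1):
    """Re-verify a stored segmented image against the hashes recorded at acquisition."""
    md5, sha1 = hash_stream(c for seg in segments for c in read_sectors(seg))
    return md5 == expected_md5 and sha1 == expected_sha1


def demo():
    """Constructed 1024-sector evidence disk imaged into 128 KiB segments."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence.dd")
    with open(evidence, "wb") as f:
        f.write(os.urandom(1024 * SECTOR_SIZE))   # constructed content, not evidence
    return acquire(evidence, os.path.join(work, "evidence.img"), 128 * 1024)


if __name__ == "__main__":
    rec = demo()
    print(f"segments: {len(rec['segments'])}  verified: {rec['verified']}  "
          f"source unchanged: {rec['source_unchanged']}")
```

verify_image is the step an examiner would repeat later against the stored segments and the hashes recorded in the acquisition log; a single altered byte in any segment makes it return False, which is exactly the property the MD5/SHA1 measurement criterion provides.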
High-mobility portable systems rely on external field kits, such as the write blocker field kit and supplemental cable and adapter solutions, to keep the core system compact and easy to transport. Suitcase-style workstations include a detachable monitor, keyboard, and mouse set that can be connected to evidence workstations for boot-up procedures such as BIOS checks and for verifying proper reassembly of a suspect system.

D. Portable Enterprise Systems

Sometimes field portability means providing a robust, temporary laboratory facility at an examination location. Forensic portability can be extended to network-in-a-box solutions, and such needs can be met by half-rack solutions.
The core components that a portable enterprise system can offer include an examination system with integrated write-block bridges and robust examination hard-disk storage space, plus add-on hardware such as monitors, a KVM, and so on. This portable environment is generally highly durable but has low mobility: it is heavy and is transported crated and packed, so it has setup and breakdown time, as opposed to plug-and-play high-mobility equipment.

E. Laboratory Enterprise Systems

The high-mobility equipment used by the field examiner can also be used on the desktop. For facilities that support a permanent lab installation of desktop investigative gear alongside field support equipment, many non-portable investigative systems are available. These systems offer the field hardware solutions found in portable kits for write blocking and hard-disk management combined into a single desktop chassis. All-in-one devices like the Tableau T35i Combination Bridge and Tableau T335 Drive Bay Controller can be economical options that implement multiple write-block and hard-disk solutions in a single chassis. Prebuilt desktop forensic systems offer the best computing power available at the time of purchase. When selecting specifications for a desktop laboratory processing system, the fastest processing, the largest memory allocation, and the largest hard-disk volume the budget allows should be targeted. Given the process-intensive needs of most forensic software suites, a faster, more powerful processor and a large amount of RAM are important. Storage space should therefore be maximized, bearing in mind the relatively short span for which any volume remains sufficient, when allocating resources for forensic computing equipment. Hardware-level redundancies and robust backup systems for data volume management should also be evaluated.
The viewable area of the monitors on which examiners work can have an impact on investigation speed and efficiency. Many forensic systems are sold with dual-head video cards so that two to four monitors can be attached to a single system. Large flat-panel monitors are considered space-efficient, readily available, and cost-effective.
Multiple operating systems are desirable because they support various investigation tools. Powerful prebuilt forensic systems can provide four or more bootable operating systems.

II. Media Sterilization Systems

Spoliation challenges, that is, harm to evidence integrity, extend to the duplicate evidence copy. Thus, a solid policy for work-product media sterilization should be established in any forensic practice. A hard drive to be used as a substrate for the duplication of evidence should be sterilized before use, documented as sterile (that is, totally clean), and then validated by a post-sterilization procedure. Sterilization can be performed by some hardware and software duplication tools as part of data acquisition: hash validation is applied to the written sectors and all other writable space is zeroed out. The acquired evidence data stream is validated by hash methodology, and any remaining writable data space is then wiped to a random or zero value using data overwrite methods. Software such as Guidance Software's EnCase forensic examination suite includes the capability to sterilize and validate hard-disk media, and products such as White Canyon Software's WipeDrive destroy data using several data overwrite patterns. Hardware sterilization devices can bulk-overwrite hard-disk media. Sterilization followed by a validation process can also be used to destroy sensitive data after its value expires. A forensic laboratory must have a data destruction tool that addresses the real needs of that facility. Thus, environments where data destruction practices are conducted should consider bulk data wiping hardware devices for new media preparation, as well as a degauss chamber or a physical destruction device for any disposal sterilization requirements.

III. Data Management (Backup, Retention, Preservation)

Whenever a forensic environment is implemented, a need for data storage and preservation arises. High volumes of digital workspace are required, with examination workstations having terabytes of onboard storage, and high-volume data may be moved across the environment. Networked storage holds data content that requires preservation for a longer duration, a rapid workflow turnaround to archive, or an extended presence in online storage. A forensic facility may require more stringent policy and procedure for auditing and reporting on data management activities. Both per-machine and enterprise-level data management solutions offer options for data handling that minimize workflow bottlenecks. A forensic environment should be designed to manage the need for constant, rapid, and high-volume data management. Components for data management might include data storage and data movement hardware and software solutions. Tape backup systems deployed at a per-machine or enterprise level can provide the ability to back up and store large volumes of work product through the clone-validate-delete methodology. Offline storage such as tape, optical disk, and offline hard disk arrays allows multiple options for long-term preservation. External or hot-swappable devices add value to the data management proposition through instant access or instant storage methods for data repository refreshes and fast data offlining. Several magnetic tape and DVD formats are readily available and cost-effective for evidence preservation. High-capacity storage can be provided by magnetic media such as hard disk or tape when environmental factors are tightly controlled, though both formats, being magnetic, are subject to data degradation over time. An advantage of magnetic tape is tamper resistance: adding or deleting data leaves physical signs (splicing) or electronic signs (readability or non-readability). Disadvantages of tape include readability being affected by backup software versioning changes, media degradation after a certain period, and little recourse for restoration when a tape in a spanned set fails. Tape hardware is expensive, especially at the enterprise level, where installing and licensing backup software can be costly.
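The sterilize, document and validate procedure for substrate media described in section II (Media Sterilization Systems) above, as an added example written for this text rather than any vendor's tool: a Python program that overwrites every sector of a medium with a known pattern and then, in a separate read pass, checks every sector against that pattern and records a hash for the sterilization log. The file standing in for the drive, its 256-sector size, and the function names sterilize, validate_sterile and demo are assumptions made for the example.

```python
"""Media sterilization with independent post-sterilization validation (added example).

Models the sterilize, document and validate procedure for a substrate drive:
every sector of the medium is overwritten with a known pattern, then a
separate read pass checks every sector against that pattern and records a
hash of the sterile medium for the sterilization log. The 'drive' is a
constructed file of 512-byte sectors, not a real device or vendor product.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def _sector_fill(pattern):
    """Expand a short byte pattern to one full sector."""
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


def sterilize(path, pattern=b"\x00"):
    """Overwrite the whole medium at `path`, sector by sector, with `pattern`.

    Returns the number of whole sectors written. The write is flushed and
    synced so that the validation pass reads what is actually on the medium.
    """
    fill = _sector_fill(pattern)
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        for offset in range(0, size, SECTOR_SIZE):
            dev.write(fill[: min(SECTOR_SIZE, size - offset)])
        dev.flush()
        os.fsync(dev.fileno())
    return size // SECTOR_SIZE


def validate_sterile(path, pattern=b"\x00"):
    """Independently re-read every sector and build the sterilization record.

    Validation does not trust the wipe's own account: any sector that does
    not match the pattern is listed by index, so a skipped or failed sector
    is caught, and the hash of the whole medium is recorded for the log.
    """
    fill = _sector_fill(pattern)
    bad, digest, index = [], hashlib.sha256(), 0
    with open(path, "rb") as dev:
        while True:
            sector = dev.read(SECTOR_SIZE)
            if not sector:
                break
            digest.update(sector)
            if sector != fill[: len(sector)]:
                bad.append(index)
            index += 1
    return {"sectors": index, "non_sterile_sectors": bad,
            "sterile": not bad, "sha256": digest.hexdigest()}


def demo():
    """Constructed 256-sector substrate holding leftover data; wipe it and validate."""
    path = os.path.join(tempfile.mkdtemp(), "substrate.img")
    with open(path, "wb") as f:
        f.write(os.urandom(256 * SECTOR_SIZE))     # constructed stale content
    before = validate_sterile(path)
    sterilize(path)
    after = validate_sterile(path)
    return path, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print(f"before wipe: {len(before['non_sterile_sectors'])} non-sterile sectors; "
          f"after wipe: sterile={after['sterile']} sha256={after['sha256']}")
```

The validation pass is deliberately a separate function with its own read-only handle: the record it produces (sector count, any non-conforming sector indexes, and the hash of the sterile medium) is what documents the drive as sterile, and it catches a sector the wipe missed rather than trusting the wipe's return value.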
Even so, tape systems such as high-end hardware rotary jukeboxes with advanced library software are more cost-effective than full hardware storage dependencies such as parallel storage area networks (SANs).

i. CD/DVD Hardware Solutions

Optical media such as CD or DVD are used for long-term evidence preservation and storage needs; they are very inexpensive and readily available. CD and DVD media can be used as backup evidence storage. High-grade optical media has a life span measured in decades, which makes it ideal for preserving long-term evidence. For example, an image file set can be created in a specific format and size, and the default image segment file sizes reflect the anticipated use of CD as the ultimate storage unit. The special needs of the forensic environment can be handled by data and media duplication hardware. Example: the Fernico FAR system is based on CDR/DVD burning technology from Primera Technology and is enhanced by specialized forensic data archiving software developed by Fernico. The combined system provides the forensic examiner with a robust data management and archival tool offering several services specific to evidence management requirements. The FAR system burns DVDs or CDRs, labels the media, manages the spanning of data across disks, and applies forensically desired validators such as robust hashing options to the data burned onto the disk. The device is network-capable, automating activities through a calendar- and job-based scheduling system designed to archive data to disk and restore data from disk archive libraries. A FAR system can also be used to replicate CD/DVD original evidence media. Each FAR system caters to a specific scope of media capacity and disk production. An optical media production platform can be a useful addition to the forensic laboratory tool set. Forensic laboratories also need to be prepared to process old storage technologies: floppy diskettes, for instance, remain a feasible medium to duplicate, and evidence on that medium can be duplicated by automated bulk duplication machines. Ashby and CopyPro are vendors that provide floppy diskette duplication systems that auto-feed bulk diskette media and validate copies bit for bit.

IV. Portable Device Forensics: Some Basic Tools

Portable device forensics makes use of Faraday enclosure configurations to preserve data integrity or to prevent data transmission.
A Faraday enclosure is capable of blocking electromagnetic fields and energy waveforms. It is composed of conductive materials such as layers of wire mesh, which allow electrical induction across the material surface when energy is applied to it. When a penetrating electromagnetic field or a waveform of a particular frequency or range of frequencies is introduced to a Faraday enclosure, it does not penetrate the enclosure surface; instead it travels across the conductive surfaces of the enclosure.
If a signal generator is placed inside a Faraday enclosure, its signal is kept inside the box. If a signal receiver is placed inside a Faraday enclosure, the enclosure prevents the receiver from hearing the signal.

V. Portable Devices and Data Storage

Portable devices can store data in many ways, such as SIM cards and other card media types and chip-based storage, and modern portable devices may have more than one storage mechanism. As the number of storage forms multiplies, the form factor predisposes the data either to static storage, such as phone numbers stored on a SIM card, or to volatile storage, such as recently dialed phone numbers stored in battery-powered, chip-based memory.

a. Power

The primary rule for securing portables for forensic examination is that the device should be kept off but with the battery fully charged; if the device is on, it should be ensured that the device stays on until the entire examination is completed. To manage power and the limited time available to respond in portable device examination, multiple tools can be added to the examiner's tool kit. Multipurpose power devices such as Paraben's Remote Charger and Handheld First Responder Kit supply power to a device to extend its data preservation window, which gives the examiner ample time to transport the device to a laboratory environment for detailed analysis. To document a live review process in the lab or field, the Project-A-Phone device analysis platform and the Fernico ZRT Mobile Device Screen Capture Tool help examiners rapidly examine and preserve powered-on screen states, menu systems, and other live-system processes that are difficult to recover through a data export process, and to document them for examination and future presentation.

b. Readers

Many of the card types used in cell phone technology, such as SIM, are proprietary, so reading SIM contents requires custom forensic software/hardware packages.
A 15-in-1 card reader is a good tool to add to the kit for the common data storage card types used in PDAs, cameras, cell phones, and so on, with formats like SD, MMC, and CF. Forensically sound card media readers are distributed by forensic vendors such as Digital Intelligence.

c. Cables

Many portable device power and data cables are included in a good portable device forensic tool kit. Multiple all-in-one forensic cell phone and PDA examination suites provide an extensive cable selection for powering, as well as linking to, the many data interface formats found on portable devices. Do not discount retail cell phone outlets, electronics stores, and websites as sources of supplemental cables and adapters to extend the mobile device field kit. Adapters are also included in a good tool kit along with cables.

VI. Forensic Software

The domain of forensic software selection is extremely vast, and a forensic examiner requires various types of applications to address the different investigative scenarios faced in the course of business. No tool is all-inclusive, so multiple tools must be used. Although tools may have similar features, which helps in validating processes and methods, every tool also has its unique strengths, which help the investigative process to be conducted thoroughly across diverse investigations. Whenever software is provisioned to an investigative team, the following areas need to be considered:

i. Operating Systems

An operating system is software that controls the operation of a computer and the processing of programs, that is, input, output, and storage space assignment functions. For a forensic laboratory, a software library with many operating systems, including the available version levels of each, should be retained. Multiple operating systems can be leveraged as the production environment in which the forensic examiner conducts an investigation. Leveraging multiple operating systems permits an examiner to access software applications written for specific platforms, so the ability to work with multiple OS versions needs to be standard. Example: some features required in an older version of software may require the use of an older version of the OS, so it must be decided strategically which OS version will be required for the examination. An investigation may require examination of an NTFS (New Technology File System) formatted hard disk from the Windows OS of the suspect's computer while working on an examination system configured with a Linux OS, which may lead to evidence spoliation.
Thus, the forensic examiner may need to work on diverse operating systems, depending on the OS configured by the suspects in different investigations. The advantage of having an installable OS library is that it allows the investigator to reconstruct events in the same software universe as the suspect computer by creating a test environment.

ii. File Systems

Examining a file system of a specific type may require a compatible OS, since different operating systems support different file systems. A file system represents the way data is organized and stored on a medium; in computer forensics the term denotes the organization of data stored on computer media such as hard disks, floppy disks, thumb drives, and optical disks. A forensic examiner may require access to multiple operating systems, hardware devices, and software applications to work with different file systems.
iii. Main Investigative Platform

Multiple software applications can act as the main investigative software platform for a forensic examiner. The common characteristics of a main investigative tool suite include the capability to create an "image file set or bit-for-bit clone" copy of suspect media, analyze live or imaged data streams, search for and obtain suspect data content, develop reports on contents and findings, and export required data for subsequent use outside the software. Investigative software suites are available for multiple operating systems (Windows, Linux, and Mac); some investigative software is restricted to law enforcement (iLook), while other applications are accessible to the general public (EnCase Forensic, Forensic Tool Kit, S.M.A.R.T., and MacForensicsLab). During an investigation, forensic examiners often possess several software suites and leverage more than one investigative suite. Every investigative suite has some strengths. EnCase Forensic from Guidance Software has a robust scripting language that supports custom investigation. Forensic Tool Kit from AccessData has an intuitive user interface as well as the capability to integrate password-breaking software from the same vendor. MacForensicsLab is the only forensic investigative suite developed for the Apple OS X system. S.M.A.R.T. is a robust tool developed for the Linux OS. ProDiscover Forensic by Techpathways can perform examinations on Sun Solaris UFS media.

iv. Special Focus Tools

Multiple software packages have been developed to conduct specific kinds of data analysis.
Tools for e-mail analysis, password breaking, decryption, portable hardware analysis, artifact-specific identification and analysis, and other kinds of data identification, conversion, and analysis have been developed and may prove valuable to the forensic data examiner. AccessData's Password Recovery Toolkit performs password breaking and decryption tasks, while Windows Registry examinations are enabled by AccessData Registry Viewer. Product-specific e-mail analysis is provided by Hot Pepper Technology's EMail Detective for AOL e-mail analysis. Specific realm analysis capability is provided by Paraben's Chat Examiner, Email Examiner, and Device Seizure. Steganographic investigation capability is provided by Wetstone's Stego Suite, while malware detection is provided by Wetstone's Gargoyle Investigator. These specialty tools can supplement an investigator's digital toolbox.

VII. Tools in the Enterprise

Forensic examination can be executed against LAN or WAN resources in the enterprise. Investigative tools have been developed to deal with forensic-grade needs in widely distributed environments; that is, enterprise forensic tools can investigate live systems remotely and can analyze volatile memory contents, network metrics, and local machine activities.
Guidance Software's EnCase Enterprise Edition allows various functional aspects such as data collection, analysis, and reporting to be driven across networked resources through local application connector clients and centralized investigative resources. It is intended for corporate implementation; a special version known as the Field Intelligence Model (FIM) is available to law enforcement only, for ad hoc investigation. LiveWire, an agentless investigation tool designed for permanent installation in a corporate network or for ad hoc investigation, pushes its application software packet across network resources into the memory space of suspect systems.

VIII. Ad Hoc Scripts and Programs

Despite the many prebuilt tools, there may be a need for a custom solution to be created to address particular investigative requirements. Code writing, scripting, and resource fabrication skills are therefore also part of the forensic examiner's toolbox. Any ad hoc implementation requires complete validation and testing, both mechanical and procedural, to guarantee that the tool performs as expected and preserves evidence integrity.

IX. Software Licensing

The entire software environment, consisting of the OS as well as the applications, should be licensed to the examiner; the use of any unlicensed software, that is, software piracy, is illegal. Software licensing is considered one of the main cost factors in the laboratory's scope of service provision, in its initial space targets, and in ongoing laboratory operations. The laboratory SOP needs to incorporate maintaining, auditing, documenting, and demonstrating license compliance.

X. Tool Validation

One of the mandatory and constantly ongoing processes for the forensic examiner and the laboratory is tool testing.
Testing of both hardware and software is needed; consistent, repetitive testing validates methods and maintains the integrity of the equipment. It is important to demonstrate and document proof of any tool's ability to preserve the integrity of the data under examination. Testing, together with documentation of the test methodology, results, and the theory behind the test design, helps provide forensic defensibility by showing that the evidence has not been tampered with by the tool. Testing must be performed specifically and exhaustively to prove the tool's functionality valid. Example: examiners can create a specific test script for their write-block devices, create standard test media, and perform procedures such as attempting to write to, delete from, or otherwise access the media, to demonstrate function integrity.
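The write-block test script described in the example above, as added illustration code that is not from the original text: it hashes constructed standard test media, attempts write and truncate operations through the blocker under test while checking that reads still succeed, and re-hashes the media to prove it is unchanged. The blocker is modelled as the function used to open the media (a read-only open stands in for a working blocker, a read-write open for a faulty one), so the harness can be seen catching a blocker that does not block. The media file, its 64-sector size, and the names run_write_block_test, read_only_open and read_write_open are assumptions made for the example; delete operations are not modelled.

```python
"""Write-block function test script (added example, not from the text).

Implements the test procedure: hash standard test media, attempt modifying
operations through the blocker under test, record whether each attempt was
refused while reads still succeed, and re-hash the media to prove it is
unchanged. The blocker is modelled as the function used to open the media:
a read-only open stands in for a working blocker and a read-write open for a
faulty one, so the harness can be seen catching the failure.
The test media is constructed, not real evidence.
"""
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512


def sha256_file(path):
    """Hash the whole medium in 64 KiB reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_test_media(sectors=64):
    """Create standard test media: sector i is filled with byte value i (constructed)."""
    path = os.path.join(tempfile.mkdtemp(), "testmedia.img")
    with open(path, "wb") as f:
        for i in range(sectors):
            f.write(bytes([i % 256]) * SECTOR_SIZE)
    return path


def run_write_block_test(media_path, blocked_open):
    """Exercise one blocker and return the test record.

    `blocked_open(path)` returns a file object through which the media is
    accessed. Every modifying operation must be refused (PASS) and reads must
    still succeed; the before/after hashes must agree.
    """
    before = sha256_file(media_path)
    results = {}

    def attempt(name, action):
        try:
            action()
            results[name] = "FAIL"   # the blocker let the modification through
        except (OSError, io.UnsupportedOperation, ValueError):
            results[name] = "PASS"   # the modification was refused

    with blocked_open(media_path) as dev:
        # Access check: a blocker that prevents reads is also a failed tool.
        results["read"] = "PASS" if len(dev.read(SECTOR_SIZE)) == SECTOR_SIZE else "FAIL"

        def write_sector():
            dev.seek(SECTOR_SIZE)
            dev.write(b"X" * SECTOR_SIZE)
            dev.flush()

        def truncate_media():
            dev.truncate(2 * SECTOR_SIZE)
            dev.flush()

        attempt("write", write_sector)
        attempt("truncate", truncate_media)

    after = sha256_file(media_path)
    results["hash_unchanged"] = "PASS" if before == after else "FAIL"
    return {"hash_before": before, "hash_after": after, "results": results,
            "blocker_valid": all(v == "PASS" for v in results.values())}


def read_only_open(path):
    """Stands in for a functioning write blocker: reads only."""
    return open(path, "rb")


def read_write_open(path):
    """Stands in for a blocker that is not actually blocking."""
    return open(path, "r+b")


if __name__ == "__main__":
    media = make_test_media()
    print("working blocker:", run_write_block_test(media, read_only_open)["results"])
    print("faulty blocker: ", run_write_block_test(media, read_write_open)["results"])
```

The record returned for each run (hash before, hash after, per-operation PASS/FAIL, overall validity) is the documentation the text calls for; against a real blocker the same harness would be pointed at the device path exposed through the bridge, with the opener replaced by whatever access path the blocker mediates.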
3.3 HARD DISKS AND FILE SYSTEMS

3.3.1 Overview of a Hard Disk

Hard disks are non-volatile storage devices that can store and fetch data quickly; that is, they retain data even after the system is shut down, which makes them suitable for permanent data storage. A hard disk drive (HDD) is installed within the computer, making it easier to access and process the data than with floppy disks or other removable media. It writes digital data as magnetic patterns onto the disks. The data is organized and located on a hard disk through a file system, which is responsible for controlling how directories (folders) and files are stored in an organized way on the physical media.

There are two placements of disk drives:
a. Fixed storage drives, installed within the system.
b. External storage drives, attached externally to the system.

The hard disk can be placed in either of two roles:
a. Primary hard disk: the computer accesses it during boot-up (starting) of the system, as it generally holds the operating system to be loaded.
b. Secondary hard disk: generally used for data storage or as the location for additional software to be installed.

Components of a Hard Disk: Internal

i. Disk Platter: A hard disk may consist of one or many platters, which are flat, round disks made of a rigid material such as aluminum, alloy, glass, or glass composite and coated with a magnetic substance.
ii. Spindle: Runs through a hole in the middle of every platter; multiple platters are stacked one above another. It spins the platters at high speed, with some spinning at thousands of revolutions per minute (RPM).
iii. Motor: Rotates the platters and is attached to the spindle.
iv. Electromagnetic Heads: Write information in the form of magnetic impulses onto the disks and also read back the information recorded on them. The read/write head moves over the platter and reads or writes data on it.
When a hard disk has more than one platter, each platter has a read/write head on each of its sides. Smaller platters save space and also improve seek time, that is, disk performance, because the heads do not have to move as far.
v. Tracks: Concentric circles on the magnetic surface of the platter, further divided into sectors, where data is stored. Data resides within a specific sector of a specific track on a particular platter. When the platter is spinning, the part passing under the read/write head is known as a track. Tracks and sectors are defined physically through the process of low-level formatting (LLF), which designates the location of tracks and sectors on every disk. Tracks are numbered for reference by the computer during read/write operations. The numbering ranges from zero to the highest-numbered track (mostly 1023), starting from the outermost edge, which is the first track of the disk, to the track nearest the platter center, which is the highest-numbered track.
vi. Sectors: The segments into which a track is divided; they are the smallest physical storage unit on a disk. Sectors are 512 bytes (0.5 KB) in size. Whenever a low-level format is performed, a number is assigned to the sector before its contents. The number in the header helps identify the sector address on the disk. A computer can locate the physical location of data on the disk through the track number and specific sector address.

Bad Sectors

Sectors that cannot store data due to accidental damage or a manufacturing defect are known as bad sectors. When sectors are damaged, those specific areas become unusable, but the other areas of the disk are not affected. Since damage to sectors denotes damage to the disk surface, it cannot be repaired, leading to irreversible loss of any data in that section of the hard disk. Such sectors are marked as bad so that an operating system or other software does not attempt to write data to those areas. Windows supports programs such as ScanDisk and CheckDisk, while Linux allows the use of the badblocks tool, to detect damaged sectors and tag them as bad.
Figure 3.4: Tracks and Sectors on a hard disk Disk Capacity Disk Capacity is the capability of the hard disk in terms of the amount it can store. Measurement of disk capacity is done in bytes (7 or 8 bits), where a bit is the smallest measurement unit of data. A bit consists of munotes.in
Page 46
Cyber Forensics 46 binary values, either 1 or 0, indicating on or off. A bit is abbreviated as b, while a byte is denoted by B. A kilobyte (KB) equals 1,024 bytes, instead of 1000 bytes since it is calculated using binary (base 2) instead of decimal (base 10). Disk capacity in terms of different units are as follows: Kilobyte (KB) = 1,024 bytes Megabyte (MB) = 1,024 KB = 1,048,576 bytes Gigabyte (GB) = 1,024 MB = 1,073,741,824 bytes Terabyte (TB) = 1,024 GB = 1,099,511,627,7 76 bytes Petabyte (PB) = 1,024 TB = 1,125,899,906,842,624 bytes Exabyte (EB) = 1,024 PB = 1,152,921,504,606,846,976 bytes Zettabyte (ZB) = 1,024EB = 1,180,591,620,717,411,303,424 bytes Yottabyte (YB) = 1,024ZB = 1,208,925,819,614,629,174,706,176 bytes Calculating Disk Capacity Hard disk capacity can be determined based on the elements of the disk, including the number of tracks, sectors and surfaces on which various amounts of data can be accessed or written. Formula: Capacity = (bytes/sector) * (sectors/track) * (tracks/surface) * # of surfaces Example: To calculate the disk capacity of the drive, considering the following factors: Bytes per sector 256 Total tracks: 21,576 Total cylinders : 7,192 Sectors/track (avg): 213 Number of heads: 3 Following specification of the actual hard disk, does not contain tracks/surface, but the values for the total tracks and the number of physical heads is provided. Since each head reads the disk surface, it helps find the total number of surfaces on the disk. To obtain the tracks/surface, the total tracks can be divided by the number of heads, that is, (21,576/3). Thus, the formula can be written as: Capacity = (bytes/sec tor) * (sectors/track) * total tracks munotes.in
Page 47
Setting up a Computer Forensics Lab 47 The capacity of the above -mentioned specification can be calculated as: Capacity = 256 bytes/sector * 213 sectors/track * 21,576 total tracks = 1176496128 or 1.1GB 3.3.2 Hard Disk Interfaces It is an interface which connects a hard disk to the computer for data access from the disk, thus it is one of the standard technologies which acts as a communication channel through which data flows between the HDD and the computer. An interface helps connect the hard disk to a disk controller, whichis mounted directly on the computer’s motherboard.Few commonly used hard disk interfaces include: i. IDE/EIDE/ATA IDE stands for Integrated Drive Electronics since the disk controller is integrated with the disk driv e’s logic board, while EIDE is an acronym for Enhanced IDE. IDE is also known as ATA (Advanced Technology Attachment) which is a standard of the ANSI (American National Standards Institute). Mostly all modern PC motherboards consists of two EIDE connec tors.Maximum two ATA devices (HDD or CD) can be connected to each connector, in a primary/secondary configuration, where the primary drive responds to the probes or signals on an interrupt (signal from any device or program to its OS that causes a pause to determine next task to be done) and shares it with the secondary drive which shares the same cable. Users can configure settings where drives can be considered as primary, secondary or cable -controlled. ii. SCSI SCSI (Small Computer System Interface) i s an ANSI standard with faster data transfer than IDE/EIDE. SCSI connectors and controllers are in -built within some motherboards, while SCSI disks can be added by installing a SCSI Controller card in one of the expansion slots. Devices are chained on a SCSI bus, each with a different SCSI ID number. Either eight or sixteen SCSI IDs can be attached to one controller depending on the SCSI version, wherein controller uses one ID while allowing seven or fifteen SCSI peripherals. 
iii. USB
USB is an acronym for Universal Serial Bus, which is used for various peripherals such as keyboards, mice and other devices that previously required serial and parallel ports, as well as several newer technologies including digital cameras and digital audio devices. Since these devices are based on a bus topology, they can be daisy-chained together or connected to a USB hub, allowing up to 127 devices to connect to the computer at the same time. USB also provides an interface for external hard disks, where a disk with a USB connection can be mounted by plugging it into a USB port of the computer. The current standard for USB is USB 2.0, which is backward-compatible with the earlier 1.0 and 1.1 standards and supports bandwidths of 1.5 Mbps (megabits per second), 12.5 Mbps and 480 Mbps respectively. An external USB hard disk that supports USB 2.0 provides faster exchange of data between the computer and the HDD.

iv. Fibre Channel
Fibre Channel is another ANSI standard which provides faster data transfer and uses optical fiber for connecting devices. Various standards apply to fibre channels, but Fibre Channel Arbitrated Loop (FC-AL) primarily applies to storage, that is, it is designed for mass storage devices and for Storage Area Networks (SANs), where a SAN is a network architecture in which computers attach to remote mass storage devices such as disk arrays, tape libraries, etc. Since optical fiber connects the devices, FC-AL supports transfer rates of 100 Mbps, and may replace SCSI for network storage systems.

3.3.3 File Systems

File management systems, or file systems, are used by the operating system to organize and locate the data stored on a hard disk. File systems manage storage media such as hard disks and control the sectors on those drives; they also keep track of which sectors are occupied by stored data and which sectors are vacant and available for storage. Network file systems provide clients access to data on a remote server. Hierarchical systems organize data in a tree structure.

Figure 3.5: Hierarchical Directory Structure

As seen in Figure 3.5, a hierarchical file system looks like an inverted tree. In Figure 3.5, the base of the structure is a root directory, and directories (folders) branch from the root. These directories are containers which store files or other directories. Directories which are present inside other directories are also known as subdirectories (subfolders).

A. Microsoft File Systems

Different operating systems use different file systems, while some OS support multiple file systems. A few file systems commonly used by Microsoft OS include:

i. FAT12
The FAT (File Allocation Table) file system was developed for the DOS operating systems. The first version of FAT used a 12-digit binary number (12 bits) for cluster information, hence it was called FAT12. It was useful for the smaller hard disks that came with the original IBM PC (less than 16 MB in size) and was also used to format floppy diskettes.

ii. FAT16
FAT16 was the standard file system for formatting hard disks for a long time; it was developed for disks larger than 16 MB. It uses 16-bit allocation table entries and is supported by all Microsoft operating systems, from MS-DOS to Windows XP, along with some non-Microsoft operating systems such as OS/2 and Linux. Thus, it was the most universally compatible file system. Drawbacks of FAT16 included its inability to scale well to large disks: since the cluster size increases as the disk partition size increases, a lot of space was wasted when a large disk greater than 2 GB was formatted with FAT16. It does not support file-level security (that is, individual permissions on files and directories) and also does not support file-level compression, as the entire drive needs to be compressed.
iii. VFAT
Virtual FAT, or VFAT, is a file system driver introduced in Windows for Workgroups 3.11 and supported by Windows 95. It works in protected mode and allows the use of long filenames with FAT16. VFAT is a program extension and not a file system; it handles filenames beyond the 8.3 limitation imposed by the original FAT16.

iv. FAT32
FAT32 uses a 32-bit allocation table and was first supported by the OSR 2 version of Windows 95 (95b). Advantages of FAT32 over FAT16 include:
o Efficient use of space on larger hard disks through smaller cluster sizes
o Support for larger partitions, up to 2 TB in size theoretically (practically up to 32 GB)
o Better reliability, as it includes a backup copy of the information in the boot record
The disadvantage of FAT32 is that it is incompatible with several versions of Windows such as MS-DOS, Windows 3.x, Windows 95a and Windows NT, and with some non-Microsoft operating systems (although FAT32 drivers were available from third-party vendors for Windows 95, NT, and even non-Microsoft operating systems such as Linux). Additionally, the overhead used by FAT32 can also slow performance slightly.

B. NTFS
NTFS (New Technology File System) is the most secure file system for computers running Microsoft Windows operating systems. NTFS was released in 1993 as a replacement for the FAT file system on the Windows NT OS, followed by successive releases in Windows 2000, 2003 Server, XP and Vista. It is more robust and secure than the other Microsoft file systems. NTFS handles partitions, where partitions are logical sections of a hard disk which operate as separate drives. Example: A hard disk could be partitioned as C:, D: or E: drives on the computer. NTFS supports very large partition sizes (up to 16 EB theoretically) and permits the creation of volumes that span two or more partitions. It is more reliable since it supports a hot fixing feature, wherein the OS detects a bad sector on the disk, relocates the data from that sector to a good sector, and marks the bad sector so that the system does not use it. This happens in the background and does not require any user intervention.

i. Metadata and the Master File Table (MFT)
Metadata is information about a specific set of data; it contains details such as the author of a file, its size, and other technical information hidden from the common user, that is, it is data about data. It describes a file, its format, its creation time, and other details. NTFS stores additional files, hidden in the system, which contain information about users, files and other details. Whenever a disk is formatted to use NTFS, these files are created, and the location of every file on the volume is recorded in one of them, the Master File Table (MFT), which keeps track of each file on the volume. Where the FAT file system keeps track of files using a File Allocation Table, NTFS performs similar but more complex functions using the Master File Table.

ii. NTFS Attributes
A record stored in the MFT works with NTFS attributes: NTFS views every file and directory as a set of file attributes containing information such as its name, data, and security information. The data which defines a file, and which is used by the OS and other software to decide how the file is accessed and used, is called an attribute. Every attribute has a code and might contain information on the attribute's name and description in the MFT. Two kinds of attributes are used in NTFS:
o Resident attributes: Can fit in an MFT record. The name of the file and its timestamps are always included as resident attributes.
o Non-resident attributes: Are allocated on the disk to one or more clusters elsewhere. These attributes are used when the information about a file is too large to fit in the MFT.

iii. NTFS Compressed Files
NTFS permits compression of individual files, of entire NTFS volumes, or on a file-by-file basis to save space. It compresses individual folders, files or anything on a drive using the NTFS file system. A file is automatically decompressed when it is read and compressed whenever it is saved or closed. Whenever data is compressed on an NTFS drive it can only be read by the file system; if a program attempts to open a compressed file, the file is first decompressed by the file system's compression driver before access to it is provided. Compressing data does not need additional software for compression and decompression, thereby saving disk space and allowing folders to be archived.

iv. NTFS Encrypting File System (EFS)
Encryption is the process of encoding a file to make it unreadable, so that an unauthorized person cannot open, copy, view or rename the data, file or folder. Encryption can be performed on a whole disk as well as on a single file, where disk encryption refers to encrypting all the contents of a diskette, hard disk or removable disk, and file encryption refers to encrypting the data on a disk on a file-by-file basis. Disk or file encryption can be built into an OS or file system. EFS cannot protect data on floppy diskettes, as they cannot be formatted with NTFS, but it can encrypt files and folders. EFS is integrated with the OS, so the encryption and decryption processes are invisible to the user. EFS relies on public key cryptography and digital certificates: public key cryptography uses a public key and a private key together, and a digital certificate helps identify the person logged into the system, with the credentials used to verify an authorized person being the digital certificates associated with the user account. While public key cryptography is time-consuming, digital certificates could cause issues if the user has left the system logged in and unattended, leading to unauthorized access.

C. Linux File Systems
Linux is an open-source OS based on the UNIX OS. Through the use of a Virtual File System (VFS), it supports multiple file systems, where VFS acts as an abstraction layer between the kernel and the lower-level file systems. File systems that Linux can support through VFS include:

i. ext: The first version of the Extended file system created for Linux. It was the first file system to use the VFS added to the Linux kernel. It was replaced by ext2 and by xiafs, which were based on the older Minix system (with shortcomings such as a 14-character file name limit and a 64 MB limit on partition sizes), and it is not found in current systems since these early file systems are obsolete.
ii. ext2: The second extended file system, which offers great performance with file sizes of up to 2 TB. This file system implemented a data structure that includes inodes, storing information about files, directories and other system objects. It stores files as data blocks on the hard disk. The smallest units of data in the file system are called blocks, and a group of blocks that contains information to be used by the operating system is known as a superblock.
iii. ext3: The third extended file system, which extends ext2. A major advantage of ext3 is that it is a journaled file system, making recovery easier: the journal resembles a transaction log used in databases, where the data is logged before it is written. The journal is updated prior to the blocks of data being updated in ext3, and it can be used to restore the file system, ensuring that any data which was not written to blocks prior to a crash is resolved. In case of any issue on ext2, by contrast, a file system check (fsck) needs to resolve the files and metadata on the system.
iv. ext4: The fourth extended file system, improved in terms of performance, which supports volumes of up to 1 EB.

D. Mac OS X File System
Originally, the Macintosh used the Macintosh File System (MFS) to store data on 400 KB floppy disks. In MFS, files are stored on disk in two parts: a resource fork which stores structured information and a data fork which stores unstructured data. Thus, the data used in a file is stored in the data fork, whereas file information such as menus, icons, menu items, etc. is stored in the resource fork. The resource fork enables files to be opened by the appropriate application without requiring a file extension, as well as storing metadata. MFS was later replaced by the Hierarchical File System (HFS), which uses multiple forks while storing data and manages data on both hard disks and floppy disks. HFS supports filenames of 255 characters in length. MFS was designed for floppy disks and slows down on larger media, while HFS works with hard disks and uses a hierarchical design through a Catalog File, which replaces the flat table structure used by MFS. Apple later launched a new version of HFS known as HFS Plus, with improvements in performance and in how data is handled. HFS and HFS Plus store blocks of data on the hard disk, where volumes are divided into logical blocks of 512 bytes. HFS uses 16-bit block addresses, whereas HFS Plus improves on this by supporting 32-bit block addresses.

E. Sun Solaris 10 File System: ZFS
Sun Solaris is an open-source OS developed by Sun Microsystems; the ZFS file system was first used in Solaris 10. ZFS (Zettabyte File System) handles large amounts of data and uses virtual storage pools known as zpools, composed of virtual devices (vdevs). These pools can contain various vdevs, each containing one or more storage devices, including devices using RAID (Redundant Array of Inexpensive Disks). ZFS is a 128-bit storage system, supporting more data and variable-sized blocks of up to 128 KB. It can improve I/O throughput if the file system compresses data to fit into smaller blocks.

F. Network File Systems and File Sharing Protocols
These permit users to access and update files on remote computers as if they were placed on the local computer. The file system on the remote machine is irrelevant whenever that machine's resources are accessed; this also allows an OS such as a Windows 9x computer, which does not support NTFS, to read and write NTFS files stored on a remote computer such as Windows NT, 2000, XP, or Vista. File sharing across a network can be done through the following:

i. Server Message Block (SMB): Microsoft uses the SMB protocol to permit client applications to read and write remote files and to request services from server applications on remote systems. SMB is built into Windows OS. SAMBA is an implementation of SMB and the Common Internet File System (CIFS) which can be installed on UNIX computers to allow Windows clients to access their files as if they were SMB servers.
ii. Common Internet File System (CIFS): A protocol proposed as a standard which permits remote file access across the Internet. CIFS is an open (nonproprietary) version of SMB. SMB and CIFS run on top of the TCP/IP protocol stack.
iii. NetWare Core Protocol (NCP): NCP is a set of protocols which provide file and printer access between clients and remote servers on NetWare networks. NCP runs over IPX or IP.
iv. Network File System (NFS): A client-server application developed by Sun Microsystems to run on TCP/IP which allows remote file access. NFS uses Remote Procedure Call (RPC) as the communication method. It is used for remote file access by UNIX/Linux machines and can also be installed on Windows or Macintosh computers.

G. Disk Partition
o To use a hard disk, it is formatted with a file system.
o A logical division of a hard disk which permits a single physical hard disk to work as though it were one or more hard disks on the computer is known as a partition.
o Even when multiple partitions are not being used, a partition must be set up so that the OS knows that the entire disk is to be treated as one partition. A drive letter can be assigned to the partition and it is formatted to use a file system. When an area of the hard disk is formatted and assigned a drive letter, it is known as a volume.
o Example: On a single Windows computer, C: could be formatted as NTFS and D: could be formatted as FAT32. Similarly, on Linux different drives can be formatted as ext or ext2 respectively. Thus, partitioning provides the advantage of different file systems being used on the same computer.
o Two types of partitions exist, namely:
o Primary partition: A partition on which an OS can be installed and which is used whenever the computer starts to load the OS.
o Extended partition: A partition which can be divided into additional logical drives. It does not need a drive letter or installation of a file system. Instead, the OS can be used to create more logical drives within the extended partition, with drive letters assigned to the logical drives.

i. System and Boot Partitions
Among multiple partitions, a partition may be designated as the boot partition, the system partition or both. A system partition is responsible for storing the files which are used to start or boot the computer; when a computer is powered on it is known as a cold boot, and when it is restarted from within the system it is known as a warm boot. The boot partition is a computer volume which contains the system files used to load the OS. The system partition is where the OS is installed; the system and boot partitions can exist as separate partitions on the same computer or on separate volumes.

ii. Boot Sectors and Master Boot Record
Many sectors exist on a hard disk, but the first sector, that is, sector 0, is considered the boot sector; it contains the code which the computer uses to boot the machine. The boot sector is also known as the Master Boot Record (MBR); the MBR contains a partition table which stores the information on which primary partitions have been created on the hard disk and which one is used to start the machine. Using the partition table in the MBR, the computer understands the organization of the hard disk before the OS starts interacting with it. Once partitions are set up on the machine, they can provide this information to the operating system.

iii. NTFS Partition Boot Sector
Since NTFS uses a Master File Table to store file system information, the location of the MFT as well as of the MFT mirror file is stored in the boot sector. A duplicate of the boot sector is stored at the disk's logical center, to prevent the information from being lost and to allow recovery.
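The MBR partition table and the NTFS boot sector described above, parsed from constructed sample sectors, as an added example that is not part of the textbook; it assumes the standard MBR layout (four 16-byte entries at offset 446, 0x55AA signature at offset 510) and the standard NTFS BIOS Parameter Block offsets, and the sample disk contents are made up inline.

```python
"""Parse the partition table in sector 0 (the MBR) and an NTFS boot sector.

Added example, not textbook code. The MBR and NTFS boot sector are built
inline (constructed samples), so nothing here reads a real disk.
"""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
NTFS_TYPE = 0x07        # MBR partition type code used for NTFS
FAT32_LBA_TYPE = 0x0C   # FAT32 with LBA addressing


def decode_chs(raw):
    """Unpack the 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector0):
    """Return the non-empty entries of the MBR partition table."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, chs_s, ptype, chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + ENTRY_SIZE])
        if ptype == 0:      # empty slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_s),
            "chs_end": decode_chs(chs_e),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,     # where the volume begins on disk
            "size_bytes": count * SECTOR,
        })
    return entries


def parse_ntfs_boot_sector(vbr):
    """Pull cluster geometry and the $MFT/$MFTMirr locations from an NTFS VBR."""
    if vbr[3:11] != b"NTFS    " or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    sectors_per_cluster = vbr[0x0D]
    cluster = bytes_per_sector * sectors_per_cluster
    return {
        "cluster_size": cluster,
        "total_sectors": struct.unpack_from("<Q", vbr, 0x28)[0],
        # offsets are relative to the start of the volume, not the disk
        "mft_offset": struct.unpack_from("<Q", vbr, 0x30)[0] * cluster,
        "mftmirr_offset": struct.unpack_from("<Q", vbr, 0x38)[0] * cluster,
    }


def mft_absolute_offset(mbr_bytes, vbr_bytes, part_index=0):
    """Combine both tables: byte offset of the $MFT from the start of the disk."""
    part = parse_mbr(mbr_bytes)[part_index]
    if part["type"] != NTFS_TYPE:
        raise ValueError("partition is not typed as NTFS")
    return part["byte_offset"] + parse_ntfs_boot_sector(vbr_bytes)["mft_offset"]


def build_sample_mbr():
    """Constructed sample: a bootable NTFS partition followed by a FAT32 one."""
    mbr = bytearray(SECTOR)
    # LBA 2048 as CHS (63 sectors/track, 255 heads) is cylinder 0, head 32, sector 33
    ntfs = struct.pack("<B3sB3sII", 0x80, bytes([32, 33, 0]), NTFS_TYPE,
                       bytes([0xFE, 0xFF, 0xFF]), 2048, 409600)
    fat32 = struct.pack("<B3sB3sII", 0x00, bytes([0xFE, 0xFF, 0xFF]),
                        FAT32_LBA_TYPE, bytes([0xFE, 0xFF, 0xFF]), 411648, 204800)
    mbr[446:462], mbr[462:478], mbr[510:512] = ntfs, fat32, b"\x55\xAA"
    return bytes(mbr)


def build_sample_ntfs_vbr():
    """Constructed sample NTFS boot sector: 4 KB clusters, $MFT at cluster 4."""
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11] = b"\xEB\x52\x90", b"NTFS    "   # jump + OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)      # bytes per sector
    vbr[0x0D] = 8                                # sectors per cluster
    struct.pack_into("<Q", vbr, 0x28, 409599)   # total sectors in the volume
    struct.pack_into("<Q", vbr, 0x30, 4)        # $MFT starting cluster
    struct.pack_into("<Q", vbr, 0x38, 25599)    # $MFTMirr starting cluster
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)
```

On a real image the same functions would be fed the first 512 bytes of the disk and the first 512 bytes of the NTFS partition (at its byte_offset).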
Clusters and Cluster Size
A group of two or more consecutive sectors on a hard disk is called a cluster; clusters are the smallest amount of disk space that can be allocated to store a file. A sector is mostly 512 bytes in size, but the data stored on a hard disk is usually larger, so data is saved across a number of sectors. Clusters are logical units of file storage; a unique number is assigned to every cluster, through which the files occupying it can be accessed. Cluster size is controlled by the OS and is determined by different factors such as the file system being used. During the formatting of a drive, the cluster size selected for the file system in which the disk will be formatted is called the allocation unit size.

Slack Space
Clusters are of a fixed size, and the entire cluster is allocated even if a file does not fill it. Example: If the cluster size is 4,096 bytes but a 20-byte file is stored on the disk, the entire 4 KB cluster is used, even though 4,076 bytes of space are wasted. This wasted space is known as slack space or file slack: it is the area between the end of the file and the end of the last cluster used by that file's data. The cluster size should be small, so that the amount of unused space in the final cluster of a file is lower, less space is wasted and the disk is used effectively. The formula to estimate the amount of wasted space is:

(Cluster size/2) * number of files

It provides an estimate of the disk space being wasted on a particular hard disk, rather than the exact amount.

Lost Clusters
Each cluster has a unique number which is used by the OS to keep track of the files that are stored on the hard disk. Occasionally the OS marks a cluster as being in use even though the cluster has not been assigned to any file; such a cluster is known as a lost cluster. Lost clusters are also called lost file fragments or lost allocation units.
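The slack-space arithmetic from the Slack Space section above, with the residue check an examiner runs on the bytes past the end of a file, as an added example that is not from the textbook; the cluster contents, file sizes and the 4,096-byte cluster are constructed here, and the "old file overwritten by a short file" scenario is assumed.

```python
"""Compute file slack and pull the residual bytes out of a cluster.

Added example for this unit (not textbook code). A cluster is modelled as a
bytes object; an earlier, larger file is "written" into it and then a short
file is written over the start, leaving the old data in the slack area.
"""
import math

CLUSTER = 4096  # cluster size used in the textbook's example


def clusters_needed(file_size, cluster_size=CLUSTER):
    """Number of whole clusters allocated to a file of file_size bytes."""
    if file_size <= 0:
        return 0        # simplification: an empty file owns no data cluster
    return math.ceil(file_size / cluster_size)


def file_slack(file_size, cluster_size=CLUSTER):
    """Exact slack: unused bytes in the last cluster allocated to the file."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def estimated_slack(file_count, cluster_size=CLUSTER):
    """The textbook's rule of thumb: (cluster size / 2) * number of files."""
    return (cluster_size // 2) * file_count


def slack_report(sizes, cluster_size=CLUSTER):
    """Compare the exact wasted space on a set of files with the estimate."""
    exact = sum(file_slack(s, cluster_size) for s in sizes)
    return {
        "files": len(sizes),
        "exact_slack": exact,
        "estimated_slack": estimated_slack(len(sizes), cluster_size),
    }


def write_to_cluster(cluster, data):
    """Simulate writing a file into a cluster: only len(data) bytes change;
    the rest of the cluster keeps whatever was there before."""
    if len(data) > len(cluster):
        raise ValueError("data does not fit in one cluster")
    return data + cluster[len(data):]


def extract_slack(cluster, file_size):
    """Bytes between the logical end of the file and the end of the cluster."""
    if file_size > len(cluster):
        raise ValueError("file_size exceeds cluster size")
    return cluster[file_size:]


def demo():
    """Constructed scenario: an 820-byte record is overwritten by a 20-byte file."""
    blank = bytes(CLUSTER)
    old = b"CONFIDENTIAL: payroll export 2023-Q4 ... " * 20   # 41 bytes x 20 = 820
    new = b"hello, 20 byte file!"                              # exactly 20 bytes
    cluster = write_to_cluster(write_to_cluster(blank, old), new)
    slack = extract_slack(cluster, len(new))
    return {
        "slack_bytes": len(slack),                   # 4076, as in the text
        "residue_found": b"CONFIDENTIAL" in slack,   # old data survives in slack
        "residue_preview": slack[:40],
    }
```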
On Linux or UNIX machines, clusters are referred to as blocks, and lost clusters are referred to as lost blocks or orphans. Lost clusters do not belong to any specific file; instead, they are created by a sudden shutdown of the computer, an application being closed, a file not being closed appropriately, etc. When such an event occurs, the cluster has been assigned to data in the cache, but that data may not have been written due to the unexpected event. In case the system was shut down incorrectly, the cluster might also have had data written to it before; this data could be a fragment of the file or other corrupted data. Tools such as ScanDisk and CheckDisk can be used to detect lost clusters and also to recover the data stored in them.

3.4 LET US SUM UP
This unit helps gain an understanding of the various factors that need to be considered for setting up a cyber forensic laboratory, performing digital forensics on different OS, the different types of file systems and hard disk drives, the tools needed for performing digital forensics on a Windows-based machine, and the tools and techniques required for evidence acquisition and data replication.

3.5 LIST OF REFERENCES
[1] The Official CHFI Exam 312-49 Study Guide, Dave Kleiman, Syngress Publishing, 2007.

3.6 BIBLIOGRAPHY
[1] EC-Council CHFI v10 Study Guide, EC-Council, 2018.

3.7 UNIT END EXERCISES
1. Which of these is not a space planning factor in the facilities build-out?
a. Administrative area
b. Examination space
c. Domain area
d. Evidence storage
2. Write blocker methodology is deployed for prevention of __________.
a. Data Spoliation
b. Data Availability
c. Data Confidentiality
d. Data Repudiation

3. ___________ is considered one of the main cost factors for laboratory scope of service provision, initial space targets as well as ongoing laboratory operations.
a. Tool Validation
b. Software Licensing
c. Software Validation
d. System Licensing

4. Whenever a disk is formatted to use NTFS, the files are created with their locations being stored to keep track of each file on the volume. This structure is known as ___________.
a. Master File Table
b. Master File
c. Master Table
d. Master Data Table

5. Concentric circles further divided into sectors, where data is stored on the magnetic surface of the platter, are known as ___________.
a. Disks
b. System
c. Tracks
d. Drives

6. ___________ is a computer volume that contains the system files which are used to load the operating system.
a. Last partition
b. Boot partition
c. Data partition
d. Computer partition

7. ___________ do not belong to any specific file; instead, they are created by a sudden shutdown of the computer, closing of an application, a file not being closed appropriately, etc.
a. Found cluster
b. Lost cluster
c. dd cluster
d. Slack cluster
4 WINDOWS FORENSICS, DATA ACQUISITION AND DUPLICATION

Unit Structure
4.0 Objectives
4.1 Introduction
4.2 Forensics on Windows Machine
4.2.1 Locating and Gathering Evidence on a Windows Host
4.2.2 Understanding File Slack and its Investigation
4.2.3 Interpreting Windows Registry and Memory Dump Information
4.2.4 Investigating Internet Traces
4.2.5 Investigating System State Backups
4.3 Acquire and Duplicate Data
4.3.1 Data Acquisition Tools
4.3.2 Hardware Tools
4.3.3 Backing Up and Duplicating Data
4.3.4 Data Acquisition in Linux
4.4 Let us Sum Up
4.5 List of References
4.6 Bibliography
4.7 Unit End Exercises

4.0 OBJECTIVES
After studying this unit, you will be able to:
o Perform digital forensics on a Windows-based machine.
o Select appropriate tools for collecting evidence.
o Understand the importance of backups.
o Determine the various tools and mechanisms that can be used for acquiring and replicating data.

4.1 INTRODUCTION
Certain procedures need to be followed to perform forensics on a Windows machine without tampering with the evidence. How to fetch or acquire the data and then process it with the help of various forensic tools is a major concern. The use of those tools for acquiring data and backing it up, in case of any requirement for disaster recovery or data loss, should also be taken into consideration.

4.2 FORENSICS ON WINDOWS MACHINE

4.2.1 Locating and Gathering Evidence on a Windows Host
Evidence location involves the process of investigating and gathering information of a forensic nature and legal importance. It aids in both criminal investigations and civil suits. Several locations can act as rich sources of evidence in Windows OS. File attributes and timestamps are also considered valuable. Perpetrators may try to change a file's attributes so that their tracks are covered or the data stays hidden within the system. A few important sources of electronic evidence on a Windows host include: files, slack space, swap files, unallocated clusters, unused partitions, and hidden partitions.

a. Gathering Volatile Evidence
This is considered one of the most important aspects of digital forensics. During the investigation of a Windows-based OS for probable evidence, information and facts related to the case, it should be ensured that all the relevant volatile data, that is, current data about the system, registry, cache and memory, has been collected. If the system is powered down, this data may be lost and cannot be recovered. In non-volatile memory, by contrast, data is not lost after the power is cycled.

Figure 4.1: Steps for searching data on a Windows-based system (Locate Evidence on Windows; Gather Volatile Evidence; Investigate Windows Files; Examine the File System; Investigate Internet Traces; Check System State Backup; Memory Dumps are important; Check the Windows Registry)

Within the volatile data, the most crucial areas which should be checked for evidence include registers, physical and virtual memory, cache, network connections, running processes, and disk. Any other external device connected to the system, such as floppy disks, tape, CD-ROM, and printers, should also be checked for evidence. All the data captured should be gathered and stored on external devices so that it can be safely removed and placed offline at another location. The capability of a Windows forensics tool to gather data on a live Windows system is very important. Offline imaging and searching through disk images are standard fare for a computer forensic analyst, but sometimes it is infeasible to take a system offline for imaging, especially at larger e-commerce sites where critical infrastructure must be kept online. Thus, live imaging is an important aspect to be considered.

b. Helix Live on Windows
Helix runs on Windows to collect evidence from active or live Windows systems, whose state is in constant flux, as with virtual memory. Turning off the system could result in the destruction of evidence. Thus, the Helix tool can be used to collect volatile information, and it presents a portable forensics environment that provides access to many Windows-based tools. Helix Live Response is about the tools: the CD contains static binaries for Linux, Solaris, and Windows using GNU utilities and Cygwin tools.
The Helix.exe graphical application will only operate in a live Windows environment and will vary with each version of the OS. Since Windows is live, many DLL files are used by Helix and the OS during this process. The Helix Windows Live function is a GUI front end to a Windows-based CLI and other tools. A major advantage is that Helix maintains the integrity of the command line, so that the built-in tools of the compromised system are not run, which would risk corrupting the data. Windows command-line tools which can be accessed from the Helix.exe application on the CD include .cab extractors, ipconfig, netstat, kill, etc. Tools available from the Windows Live side of Helix for forensics include:
o Access PassView
o Asterisk Logger
o Drive Manager
o FAU
o Forensic Server Project
o FTK Imager
o Galleta
o HoverSnap
o IECookiesView
o IEHistoryView
o IRCR (The Incident Response Collection Report)
o Mail PassView
o MEM Dump
o MessenPass
o Mozilla Cookies View
o Network Password Recovery
o Pasco
o PC Inspector File Recovery
o PC On/Off Time
o Process Explorer
o Protected Storage PassView
o PsTools Suite
o PstPassword Viewer
o PT Finder
o PuTTY SSH Client
o RegScanner
o ReSysInfo
o Rifiuti
o RootkitRevealer
o Sec Report
o WinAudit
o Windows Forensic Toolchest (WFT)

c. MD5 Generators

MD5 generators are used to maintain the integrity of a file, file system, or application. The application creates a cryptographic hash of the bit-wise information in the data. This added layer of protection helps maintain the chain of custody and supports the admissibility of the evidence by showing that it has not been tampered with.

d. Pslist

Displays process, CPU, and thread statistics or memory information for all processes currently running on the system. The process information listed includes process execution time, time spent executing in kernel and user modes, and the physical memory that the OS has allocated to the process.

Example:
pslist [-?] [-d] [-m] [-x] [-t] [-s [n] [-r n]] [\\computer [-u username] [-p password]] [name | pid]

where:
d: Displays statistics for all the active threads on the system, grouping the threads with their owning process
m: Displays memory-oriented information for every process
x: Displays CPU, memory, and thread data for each process specified
t: Displays process trees
e. fport

Displays all the open TCP/IP and UDP ports and maps them to the applications which own the port. It is similar to netstat, except that it maps the ports to the running processes with the PID, process name, and path. The switches may be prefixed with either a / or a -. The command-line switches include:
/?   Usage help
/i   Sort by PID
/p   Sort by port
/ap  Sort by application path
/a   Sort by application

f. Psloggedon

Displays both locally logged on users and users logged on through resource shares, for either the local or a remote computer. It determines which users are logged on by examining the keys under HKEY_USERS: for every key whose name is a user SID (Security Identifier), Psloggedon looks up the corresponding username and displays it. Psloggedon uses the NetSessionEnum API to determine who has logged onto a computer through resource shares.

Example:
psloggedon [-?] [-l] [-x] [\\compname | username]

A few common parameters include:
-?   Shows supported options and measurement units for output values
-l   Shows local logons only, instead of local as well as network resource logons

4.2.2 Understanding File Slack and Its Investigation

A Windows disk cluster is a fixed-length data block used to store files. File slack is the gap, or space, on a Windows disk between the end of a file and the end of its last cluster, since the two sizes seldom match. System-associated data such as usernames, passwords, and other sensitive data can be found within the slack. Storage space is wasted when larger cluster sizes increase the slack space. Windows fills the difference between the end of a file and the end of a cluster with data from its buffers when no other data is available. This data, selected randomly from the system's RAM, is known as RAM slack since it is obtained from the computer memory.
RAM slack consists of fragments of files created, viewed, modified, or copied since the last time the system was booted. EnCase software provides tools to perform complex digital forensic investigations and manage large volumes of digital evidence, along with viewing computer drive contents.

To examine file systems:
o Built-in Tool: Sigverif.exe
o Can analyze a system and report on any unsigned drivers detected.

To run the tool: Click Start | Run, type Sigverif, click OK -> click the Advanced button -> select "Look for other files that are not digitally signed" -> select the WINNT | System32 | Drivers folder, click OK. Sigverif displays all the unsigned drivers installed on the system after its process completes. The list of signed and unsigned drivers detected by Sigverif.exe can be viewed in the Sigverif.txt file within the Windir folder, that is, the Winnt or Windows folder; unsigned drivers are marked as Unsigned.

Word Extractor Forensic Tool - An application which extracts the human-readable interpretation of a computer binary file and resembles the UNIX command strings. It includes features such as replacing non-human words with spaces or dots for better visibility, support for wrapped text as well as drag and drop, multitasking through responsive commands and large file processing, and saving results as txt or rtf.

4.2.3 Interpreting Windows Registry and Memory Dump Information

The Registry is a component to be examined during the investigation of a Windows system. Selected keys should be checked because they supply evidence of what services have been running, which services are presently running, and who has logged into the system over a certain span of time. Primary keys to be known include:

a. HKEY_LOCAL_MACHINE
- \Software\Microsoft\Windows\CurrentVersion\Run
- \Software\Microsoft\Windows\CurrentVersion\RunOnce
- \Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- \Software\Microsoft\Windows\CurrentVersion\RunServices
- \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- \Software\Microsoft\Windows NT\CurrentVersion\Winlogon
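To make the file slack arithmetic of section 4.2.2 concrete, here is an added example (not from this textbook or from any of the tools it names) that computes the slack for a file stored in fixed-size clusters, splits it into RAM slack and drive slack (the classical division at the last 512-byte sector boundary, which goes slightly beyond the chapter's description), and pulls printable strings out of the slack region the way a strings-style tool such as Word Extractor would. The cluster contents, the 1000-byte file size and the "user=alice" remnants are constructed sample data.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size of the constructed volume (NTFS default)
SECTOR_SIZE = 512    # sector size assumed for the RAM-slack / drive-slack split


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """Number of whole clusters the file system must allocate for file_size bytes."""
    return -(-file_size // cluster_size)  # ceiling division


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of the file and the end of its last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def extract_slack(cluster_run, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack region from the raw bytes of the clusters allocated to a file."""
    allocated = clusters_needed(file_size, cluster_size) * cluster_size
    if len(cluster_run) < allocated:
        raise ValueError("cluster run is shorter than the file's allocation")
    return cluster_run[file_size:allocated]


def split_slack(slack, file_size, sector_size=SECTOR_SIZE):
    """RAM slack runs from end of file to the end of the last sector the file touches
    (filled from memory buffers); drive slack is the remaining whole sectors of the
    cluster, which still hold whatever was written there before."""
    ram_len = (-file_size) % sector_size
    return slack[:ram_len], slack[ram_len:]


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len printable characters, like the UNIX strings command."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_cluster():
    """Constructed cluster run: a 1000-byte document followed by remnants of an earlier
    file that once occupied the same cluster (all values are made up for this example)."""
    document = b"Quarterly report: nothing unusual this period.".ljust(1000, b".")
    remnants = (b"\x00" * 24  # the 24 RAM-slack bytes, zeroed in this constructed sample
                + b"\x00\x00user=alice\x00\x00passwd=EXAMPLE-ONLY\x00\xff\xfe old invoice #4471")
    return (document + remnants).ljust(CLUSTER_SIZE, b"\x00")


def analyse_file_slack(cluster_run, file_size):
    """Locate the slack of a file, split it, and list the strings recoverable from it."""
    slack = extract_slack(cluster_run, file_size)
    ram_slack, drive_slack = split_slack(slack, file_size)
    return {
        "slack_bytes": len(slack),
        "ram_slack_bytes": len(ram_slack),
        "drive_slack_bytes": len(drive_slack),
        "strings": printable_strings(drive_slack),
    }


if __name__ == "__main__":
    print(analyse_file_slack(build_sample_cluster(), 1000))
```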
b. Registry Viewer Tool: RegScanner
o RegScanner is a registry tool from NirSoft that provides a search function which can search for any registry value and display all instances of that value in a single view. It allows selecting a result and jumping to that registry key for editing.
o It can also export results to a REG file for saving or for loading into another computer.
o No installation is required; it can be unpacked from the .zip file into any folder and run. After launching, it provides an option to select which base key to start searching from. The search string can be case sensitive or insensitive, and the match can be exact or within certain parameters.
o Example: Matching can be done against data and values, instead of the key names themselves.
o The application also provides a search function for Unicode strings in binary values.
- RegScanner reports results in a grid-formatted list, which can be saved as a REG file or exported into HTML format.

c. Microsoft Security ID

Microsoft Security IDs can be obtained from the Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
The ProfileList key holds the SIDs; by selecting an individual ID value entry, the associated username can usually be found. Some specific IDs enclosed under Microsoft Security are as follows: Retrieve MAC Address, Registry Dump, Registry Scan, Event Logging Utility, etc.

Importance of Memory Dump

After every crash, Windows generates a memory dump file that contains information which can help in determining why the system stopped. For a memory dump in Windows, the system needs a paging file with a minimum of 2 MB on the boot volume. Memory dumps are useful for diagnosing system bugs and for analyzing memory contents during a program failure. They might contain information in binary, octal or hexadecimal form.
When a system runs MS Windows 2000 or later, a new file gets created whenever the system stops suddenly. The Microsoft tool dumpchk.exe can be used to verify memory dump files and extract information from them.
The systemroot\Minidump folder holds the list of small memory dump files. While investigating an MS Windows system, memory dumps need to be checked and obtained from the system. A memory dump file may contain:
o The stop message with its parameters
o The list of loaded drivers
o Processor context (PRCB) for the processor that stopped the normal operation of Windows
o Process information and kernel context (EPROCESS) for the process that stopped
o Thread information and kernel context (ETHREAD) for the thread that stopped
o The kernel-mode call stack for the thread responsible for stopping the process from execution

Pagefile.sys and PMDump

Windows XP Professional uses paging file information to generate a memory dump file in the system root directory. This dump file can be analyzed to supply data, that is, the reason for the crash, during offline analysis. Analysis can also be done through tools running on another computer. The PMDump (Post Mortem Dump) tool dumps the memory contents of any process to a file without stopping the process. It can be used for conducting forensic analysis of a dump file.

What is Virtual Memory?

Virtual memory is an imaginary memory area supported by the Windows OS; it is an alternate set of memory addresses that expands the available memory range. Instructions and data for programs that are not needed often can be stored in virtual memory. Virtual memory is mapped into RAM whenever these memory addresses are called. The OS divides virtual memory into pages whenever it needs to be copied into RAM, where each page consists of a fixed number of addresses stored on disk which are yet to be called by the OS.
When the OS calls a page, it is copied from disk to RAM and the virtual addresses are translated to real addresses, which is called mapping; the process in which virtual pages are copied to main memory is known as paging or swapping.
System Scanner

System Scanner acts as a replacement for the Task Manager, fetching more specific information about the processes. The main window of System Scanner lists the currently running processes in the system, the number of threads per process and the executable path, while the status bar shows the overall number of running processes, updated every 5000 milliseconds. The refresh time can be customized, along with the colors of the memory regions in the memory map, as required.

Integrated Windows Forensics Software: X-Ways Forensics

X-Ways Forensics is an advanced work environment for digital forensic analysis, based on WinHex. Its features include forensically sound disk imaging and cloning, complete directory structure examination inside raw image files, native support for various file systems, several data recovery techniques along with file carving, hard disk cleansing for producing forensically sterile media, automated file signature verification, etc.

4.2.4 Investigating Internet Traces

Evidence can be searched for in different locations of Internet Explorer. The following files and folders can be investigated for analyzing Web browser activity:
o Cookies: Can be found at the following locations: C:\Documents and Settings\%username%\Cookies in Windows 2000/XP, and C:\Windows\Cookies in Windows 95/98/ME
o Typed URLs
o History
o Temporary Internet Files

Internet Explorer stores records of sites visited by a user in the History folder, where the URLs of websites are present. The C:\ drive also contains Documents and Settings, which in turn contains the Cookies folder; it stores the cookies set by the sites each user visited, and individual user folders are created for this purpose. These files are further stored in the Temp folder, where the temporary internet files' location provides the names and number of sites visited by each user.
Thus, temp files contain details of the user's activities in the various TMP files.

a. Traces Viewer

A tool that helps view all images, flash movies, pages, and other media files that are cached by the Internet Explorer browser on a system. It includes a function with which Web traces generated by Internet Explorer
can be removed from a system. However, it does not wipe the evidence, which can still be uncovered.

b. IECookiesView

A forensic utility that displays the details of the cookies saved by Internet Explorer. It provides the capability to sort the cookies by name and date. Additionally, it provides a search function that can find a cookie in the list based on the website name. The cookie information can also be copied to the clipboard, and using remote login, the cookies of other users of the same or another system can also be displayed.

c. IE History Viewer

Whenever a URL is typed into the address bar or any link is followed in Internet Explorer, the address is stored in the history index file. IE History Viewer reads all the history data from the file and prints a list of the URLs visited. The list of addresses can be stored as text, HTML, or XML files through this application.

d. Cache Monitor

Cache Monitor provides a real-time view of the present state of the system's cache and can check the configuration of dynamic caches. It helps the forensic analyst verify the cache policies and monitor cache statistics. Some other tools also provide the capability to monitor the data flow through the cache and the data present in the edge cache. The statistics available through Cache Monitor include:
Cache hits: The number of requests matched by entries on the edge servers.
ESI Processors: The number of processes configured as edge caches.
Cache Misses by URL: Requests for which no cache policy exists on the edge server for the requested template.
Number of Edge Cached Entries: The number of entries currently cached across all edge servers and processes.

4.2.5 Investigating System State Backups

A system state backup involves the backup of the entire system so that no data will be lost in case of a system crash or corruption of the driver files.
To perform a forensic analysis of the evidence on a Windows system, only backing up the system is not sufficient. Thus, an extended data backup is essential to remain secure against any malfunction. An extended state backup saves the:
o Active Directory
o Registry
o Windows boot files
o System volume (SYSVOL)
o IIS Metabase
o COM+ class registration database
- The procedure to create a system state backup is as follows:

Investigating ADS Streams

o NTFS includes a compatibility feature known as Alternate Data Streams (ADS). It could help an attacker hide rootkits or hacker tools on a compromised system, which can then be executed without being detected by the system.
o Thus, ADS may be used as a way of hiding executables or proprietary content. To maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams, a third-party checksum application could be utilized. Common DOS commands like type can create an ADS: such commands used in conjunction with > (redirect) and : (colon) fork one file into another.

Example:
type c:\maliciousfile.exe > c:\winnt\system32\calculator.exe:maliciousfile.exe
ADS Tool: LADS (List Alternate Data Streams)
Syntax: {file name}:{stream name}
Create: type textfile > visible.txt:hidden.txt
View: more < visible.txt:hidden.txt

CD-ROM Bootable Creation for Windows XP

Multiple tools such as Bart's PE Builder and Ultimate Boot CD-ROM can be used to create a bootable Windows CD-ROM. These tools are useful for PC maintenance tasks and yield a complete Win32 environment with network support, a GUI, and NTFS/FAT/CDFS file system support.

Bart PE (Bart Preinstalled Environment)

A Bart Preinstalled Environment (BartPE) bootable Windows CD-ROM or DVD can be created by Bart's PE Builder from the installation/setup CD of Windows XP or Server 2003. It can also replace any DOS-based boot disk. Supported Windows versions include Windows XP (Home Edition or Professional) and Windows Server 2003 (Web, Standard, or Enterprise Edition).

Ultimate Boot CD-ROM

Ultimate Boot CD-ROM permits floppy-based diagnostic tools to be run from CD-ROM drives on Intel-compatible machines. This tool contains multiple diagnostic utilities which provide sharing of Internet access or web surfing. It does not need a separate OS. With network support, modifying NTFS volumes, recovering deleted files, scanning hard drives for viruses, and creating NTFS volumes are possible. It includes multiple CPU tests, memory tests, and peripheral tools.

4.3 ACQUIRE AND DUPLICATE DATA

4.3.1 Data Acquisition Tools

While selecting the tools to use, it needs to be ensured that the data does not get modified. The validity of the tools needs to be acceptable in court.
Example: Tools such as EnCase are less likely to be heavily scrutinized. Although tool validation is still required, using such tools could make the process comparatively easier. The data acquisition tools mentioned below may consist of software to duplicate data, creating image files which may be mounted and analyzed later, or hardware solutions which can acquire data from a suspect's machine.

a. FTK Imager

Forensic Tool Kit (FTK) is a fully integrated forensic data acquisition and analysis program developed by AccessData. FTK provides features like full-text indexing of image files without extracting them to a hard disk, and includes a file viewer to preview the files.
FTK also has an imaging component for collecting data from CDs and DVDs with commonly supported file systems. FTK Imager is an imaging tool to preview data and assess the potential evidence on a machine. A forensic image of the data on the machine is created using the tool, so that the original data is not modified. FTK Imager reads image files from ICS and SafeBack as well as uncompressed images created with Ghost. FTK Imager will read or write image files in different formats such as EnCase, dd Raw, SMART, and FTK. The major advantage is that even if the image files were created by another organization in any of these formats, they can be read easily. FTK Imager has an easy-to-use interface; once the evidence file is opened, the folder structure can be viewed in the Evidence tree located in the upper left pane.

b. SafeBack

One of the earliest DOS-based tools, developed by NTI for acquiring evidence sector by sector from a computer. It can boot from a floppy disk and make a duplicate image of everything on the hard disk, thereby preserving its integrity and allowing the evidence to be analyzed without modification. It is capable of replicating individual partitions or entire disks of virtually any size, with the image files being transferred to SCSI tape units, etc. An audit trail of the software's operations is maintained, and the product's CRC function checks the integrity of the copies, their data, and timestamps. Despite being a DOS tool, it can copy DOS, Windows, and Unix disks on Intel-compatible systems, and the images can be stored as multiple files on CDs or other small-capacity media. No compression or translation takes place during the creation of the image.

c. DriveSpy

A DOS-based data acquisition tool developed by Digital Intelligence Forensic Solutions.
Despite being DOS-based, it can acquire evidence from partitions using FAT, non-DOS, and hidden DOS partitions, that is, files visible to the file system, deleted files, data in slack space, and unallocated space on the disk. It performs data acquisition from hard drives greater than 8.4 GB, floppy disks, and other storage media. DriveSpy also provides a built-in sector and cluster hex viewer to view the data, and it can create and restore compressed partition forensic images.
A major advantage is its logging capability: each keystroke made is written to a log file, which can be turned into a report of the procedures followed to acquire the evidence.

d. Mount Image Pro

A tool developed by GetData Software Development that mounts and views forensic image files created by EnCase, Unix and Linux dd images, SMART images, and ISO images of CDs and DVDs. When an image is mapped to a drive letter, the acquired data can be explored through the image using third-party tools. It can mount different types of forensic image files and does not need additional copies of software or dongles, such as EnCase, to view the evidence acquired in the image. It can save a considerable amount of money, because analysis machines do not require the original software with which the evidence was acquired. An EnCase image file can be opened without knowing the password even when it is password protected.

e. DriveLook

A free forensic search tool designed for indexing all of the text written to a hard disk or other media, developed by Runtime Software. Searched drives can be physical, logical, or remote drives, the latter connected using a serial cable or a network connection using TCP/IP. It can also be used with image files created with Runtime's DiskExplorer or GetDataBack, which helps search for words stored on a suspect machine. Once the words on the media are indexed and saved to a table, the search can be done through keywords or by browsing the table to view the location of the stored words.

f. DiskExplorer

A tool that helps browse hard disk contents, developed by Runtime Software in two main versions, namely DiskExplorer for NTFS and DiskExplorer for FAT. They are disk editors which help browse NTFS and FAT file systems, recover data stored on a disk, and view the contents of a physical drive, logical drive, or image file.
When the information on the disk is being viewed, the partition table, MFT, boot record, and index buffers can be analyzed. DiskExplorer also has search capabilities, allowing searching for text, viewing files and their properties, and identifying the cluster to which a file belongs. Sectors of the disk can be edited, and lost or deleted files can be recovered using this tool.
It can also create an image file to duplicate the data on a hard drive. Once the image is created, it can be preserved on disk for further analysis or used to restore the data on another machine.

g. SnapBack DatArrest

SnapBack developed a suite of data duplication and forensic tools known as DatArrest, in which data can be acquired from a machine using a program on a bootable floppy. Images also contain deleted and encrypted files and those present in the slack space on the disk, apart from the files that can be seen by the file system. The CMOS settings used by the computer are also captured as part of the image. Data can be acquired and images created to and from hard disks, removable media, and magnetic tapes with the help of the modules and utilities included in the product.

h. SCSIPAK

A suite of tools developed by Vogon which provides data recovery and conversion between Windows NT4 or 2000 and other systems such as DEC, ICL, and IBM mainframes. SCSIPAK extends the abilities of the Windows tape drive to make the data readable. Data from tapes or optical discs can be downloaded and written to up to seven drives at the same time. Thus, using SCSIPAK, tapes can be copied and data can be transferred from Windows NT or 2000, or between disk, tape, and optical disc.

i. IBM DFSMSdss

Data Set Services (DFSMSdss) is an IBM-developed utility designed for disaster recovery and data management. Developed as part of the Data Facility Storage Management Subsystem (DFSMS), DFSMSdss can be used to move or copy data between various types of storage media so that storage on different servers can be managed. It permits backing up and restoring data and copying backups to another storage medium, irrespective of the type of media.

4.3.2 Hardware Tools

Tools for duplicating data can be used in a forensic lab or in the field, creating forensic images which can be analyzed later for potential evidence.
These tools act as portable forensic labs, which allow acquisition and analysis before the computer is removed from the crime scene. The majority of these tools store data on a hard disk within the
device, thus providing the ability to transfer image files from the device to another system in a forensic lab; the device's drive can then be wiped to make it forensically sterile.

a. ImageMASSter Solo-3 Forensic

A portable, hand-held hardware tool which can acquire data from the suspect's machine at a speed exceeding 4 GB/minute. It was developed by Intelligent Computer Solutions. Since the hard disks are directly connected to the device using a drive-to-drive interface or an external FireWire/USB interface, a duplicate copy of data can be created from one or two drives at the same time without reducing the speed. It can acquire data from hard drives such as IDE, SATA and SCSI.

b. LinkMASSter-2 Forensic

A hardware tool developed by Intelligent Computer Solutions; the device connects to a computer through a USB port or FireWire and creates an image of any data on the machine. Software permits access and data acquisition through the FireWire or USB ports after booting the machine and connecting it to the LinkMASSter. The write-block feature protects the data on the original machine during acquisition.

c. ImageMASSter 6007SAS

A powerful tool for generating data images from suspect machines and duplicating IDE, SAS, and SATA hard drives. It was developed by Intelligent Computer Solutions and can migrate server data from SCSI to SAS/SATA. It can acquire data from multiple disks as well as store multiple images on a single hard drive. It is the only tool to support SAS (Serial Attached SCSI) hard drives, and it copies multiple drives at the same time at a faster speed. The system provides a Windows XP-based interface that allows copying data from Windows, Macintosh, and Unix file systems.

d. RoadMASSter-3

A data acquisition and analysis tool developed by Intelligent Computer Solutions to create an image and also to analyze the data acquired from the suspect's hard drive. It can connect to an unopened computer using FireWire and USB ports. It can also connect directly to IDE, SATA, SAS, and SCSI hard drives. It is capable of acquiring data from multiple drives to a single target drive, which makes acquisition faster. It analyzes the data quickly.
It is designed with a 15-inch color display inside its case, which helps view data stored in the image file to determine whether any evidence exists on the machine.

e. Disk Jockey IT

A portable, hand-held hardware tool by Diskology; it is the smallest write-blocking and disk copy device for computer forensics. It can be used as a write-blocking device for acquiring data through FireWire and USB connections to a suspect computer. The device can then be connected to a Windows or Macintosh system in write-protect mode to analyze the data without altering it.

4.3.3 Backing Up and Duplicating Data

Many tools can be used to back up data so that systems can be restored in case of a virus or other malicious software, failure of a hard disk, intrusion, or any other event which could lead to loss, corruption, or deletion of the data. During mass deployment of systems, images are made of the systems. Example: Since almost all workstations will have similar OS and software configurations, a single image of one system can be used to restore that image on other computers, with slight changes to the system name, IP address, etc. This restoration saves time and money in setting up machines being deployed on the network. Backups and duplicate data minimize the impact of losing a system, as a replacement system can be deployed immediately.

a. R-Drive Image

A data duplication tool developed by R-Tools Technology, designed for backup and duplication of data; it creates a byte-by-byte copy of hard drives, partitions, and logical disks. These files are stored on another hard disk, network drive, or storage medium and restored as needed.

b. Save-N-Sync

The Save-N-Sync tool was designed by Peer Software to synchronize the data stored in a directory on a laptop or system with the data stored at another location, such as a network server. Data can be backed up to a location, or changes on either the source or target folder can be synchronized so that they are reflected in both directories, which helps with restoration in case any problem occurs. A single directory can be chosen to synchronize with another directory in the standard version of the tool, while the corporate version permits 15 directories to be synchronized.
c. QuickCopy

A tape duplication system developed by Shaffstall Corporation, designed to make tape-by-tape backup copies. When the data on a server or any other computer is backed up on magnetic tape, copies are required for offsite storage. Whenever a nightly backup is done, QuickCopy duplicates this data, thereby providing a backup of the backup tape. Duplicates of tapes can be used for the analysis of potential evidence. QuickCopy checks the data byte-for-byte and can also copy a single tape to an image file which can be stored on a hard disk.

4.3.4 Acquiring Data in Linux

Apart from the data recovery and forensic tools that run on Linux, UNIX, and other POSIX OS, specific OS commands can be used to copy data on a machine and transfer it across a network. Versions of similar tools are also available for Windows OS. The commands are:

i. dd: Convert and Copy Command

dd is used in Linux to convert and copy data; a version of it also runs on Windows. It allows copying a hard disk to another disk drive or magnetic tape, or vice versa. Data is transferred byte-for-byte, thus generating an exact mirror image.
Syntax: dd
The command can be used in various ways; for example, to copy the contents of one disk to another, use the command with the if (input file) and of (output file) options:
dd if=/dev/hda of=/dev/hdy
Example: To back up the disk into an image file on the hard disk:
dd if=/dev/hda of=/path/to/image

Option           Description
if=inputfile     Specifies where to input data from (file or device)
of=outputfile    Specifies where to output data to (file or device)
ibs=bytes        Number of bytes to read at a time
obs=bytes        Number of bytes to write at a time
bs=bytes         Number of bytes to read and write. This is used instead of ibs and obs, and specifies the same number of bytes for both input and output.
cbs=bytes        Number of bytes to convert at a time
Page 78
Cyber Forensics 78 skip=blocks Specifies to skip blocks in the input file before copying seek=blocks Specifies to skip blocks in the output file before copying count=blocks Copy blocks from the input file, instead of everything at the end of the file conv=conversion Specifies to convert the input file before copying to an output file. Conversion methods include ■ ascii, which convert s EBCDIC to ASCII ■ ebcdic, which converts ASCII to EBCDIC ■ ibm, which converts ASCII to alternate EBCDIC ■ block, which replaces the input newline with padding of spaces to fit the size of cbs ■ unblock, which replaces trailing space characters in dat asets of size cbs with newline characters ■ lcase, which converts uppercase characters to lowercase ■ ucase, which converts lowercase characters to uppercase ■ swab, which swaps every pair of input bytes ■ noerror, which ignores read errors ■ notrunc, which specifies not to truncate the output file ■ sync, which pads every input block to the size of ibs with null bytes if its shorter than the specified size Table 4.1: dd options MBR can be extracted from a disk using the dd command. Since MBR and par tition table are present in the first bytes of the disk, by specifying first few data bytes from the disk, a backup of data can be acquired. Example: To acquire file from the disk, use the command: dd if=/dev/hda of=/path/to/img count=1 bs=512 To restore d ata to the disk, incase of any problem, the input and output value needs to be interchanged: dd if=/path/to/img of=/dev/hda ii. Netcat: Transfer data and for other functions Netcat tool is available on all Posix OS such as UNIX and Linux, which uses Trans mission Control Protocol (TCP) and User Datagram Protocol (UDP) to transfer data across a network. A Netcat version can be used on systems running Windows 9x, NT, ME, 2000, and XP OS. munotes.in
A partition image can be created and transferred between remote computers, or files can be sent to a machine. Netcat supports port scanning and the ability to connect through Telnet. Netcat runs in server mode on one machine and in client mode on another for communication between them. In server mode, Netcat listens on a specified port and transmits data to the client connected to that port number.

The following syntax is used to run Netcat on the server, where the port number is the port on which the server should listen and to which clients connect:

    nc -l -p <port> <-options>

The following syntax would be used by the client, where the host is the address of the server:

    nc <host> <port> <-options>

Netcat has additional options which can be used for listening on a network and connecting to computers.

Option       Description
-d           Background mode. Detach from console
-e program   Inbound program to execute
-g           Source routing flags
-h           Help
-i seconds   Delay interval for lines sent, ports scanned
-l           Listen for inbound connections
-n           Numeric-only IP addresses (no DNS)
-o           Hex dump of traffic to a file
-p           Local TCP/IP port to listen on. Used with -l in server mode
-r           Random local and remote ports
-s addr      Local source address
-t           Answer TELNET negotiation
-u           Use UDP to listen on a port. Used with -l in server mode
-v           Verbose. -v -v will put it into an ultra-verbose mode
-w seconds   Timeout for connects and final net reads before Netcat will automatically quit
-z           Zero-I/O mode. Used for scanning ports
Table 4.2: Netcat Options
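The following is an added example, written in Python for this edit and not taken from the text or from the dd and Netcat tools themselves. It reproduces on a constructed 8-sector disk image what the examiner does around the dd commands in section i and the compressed Netcat transfer in section ii: a byte-for-byte copy with dd-style bs/count/skip/seek semantics, decoding of the 512-byte MBR that `count=1 bs=512` extracts, and a hash comparison of the image before and after the gzip round trip. The function names and the sample disk are assumptions made here.

```python
"""Added example (not from the original text): dd-style acquisition of a
constructed disk image, MBR/partition-table decoding of its first sector,
and the hash check an examiner applies after a dd | gzip | nc transfer."""
import gzip
import hashlib
import struct
from io import BytesIO

SECTOR = 512


def dd_copy(src, dst, bs=SECTOR, count=None, skip=0, seek=0):
    """Mimic dd semantics: read bs-byte blocks from src and write them to dst.
    skip/seek are counted in blocks; count limits the number of input blocks.
    Returns (blocks_read, bytes_written)."""
    src.seek(skip * bs)
    dst.seek(seek * bs)
    blocks = written = 0
    while count is None or blocks < count:
        chunk = src.read(bs)
        if not chunk:
            break
        dst.write(chunk)
        blocks += 1
        written += len(chunk)
    return blocks, written


def parse_mbr(sector):
    """Decode a classic MBR: four 16-byte partition entries at offset 446 and
    the 0x55AA boot signature at offset 510. Returns the non-empty entries."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append({"index": i, "bootable": e[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def gzip_round_trip(image):
    """Compress as the dd | gzip -9 pipeline would, decompress as the receiver
    would, and return (hash_before, hash_after) for the integrity check."""
    return sha256(image), sha256(gzip.decompress(gzip.compress(image, 9)))


def build_sample_disk():
    """Constructed 8-sector 'disk': an MBR whose first entry is a bootable
    NTFS-type (0x07) partition starting at LBA 2 and 6 sectors long,
    followed by seven filler sectors."""
    mbr = bytearray(SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2, 6)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    body = b"".join(bytes([n]) * SECTOR for n in range(1, 8))
    return bytes(mbr) + body


def acquire_and_check():
    """Full-disk image, then MBR-only image, then the post-transfer hash check."""
    disk = BytesIO(build_sample_disk())
    full = BytesIO()
    dd_copy(disk, full)                            # dd if=/dev/hda of=/path/to/image
    mbr_out = BytesIO()
    dd_copy(disk, mbr_out, bs=SECTOR, count=1)     # dd ... count=1 bs=512
    image = full.getvalue()
    before, after = gzip_round_trip(image)
    return {
        "image_bytes": len(image),
        "partitions": parse_mbr(mbr_out.getvalue()),
        "hash_matches_after_transfer": before == after,
    }


if __name__ == "__main__":
    print(acquire_and_check())
```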
Netcat can be used with other tools to generate a compressed image of the disk and permit others to download the file. In the example below, the dd command creates an image of a disk and gzip compresses it; Netcat listens on the port number, making the file available:

    dd if=/dev/hdb | gzip -9 | nc -l 4321

4.4 LET US SUM UP

This unit helps gain an understanding of the various factors that need to be considered for performing digital forensics on Windows OS, the tools needed for performing it, and the techniques required for evidence acquisition and data replication.

4.5 LIST OF REFERENCES

[1] The Official CHFI Exam 312-49 Study Guide by Dave Kleiman, Syngress Publication, 2007.

4.6 BIBLIOGRAPHY

[1] EC-Council CHFIv10 Study Guide, EC-Council, 2018

4.7 UNIT END EXERCISES

1. ___________ is a tape duplication system developed by Shaffstall Corporation which is designed to make tape-by-tape backup copies.
   a. SCSI   b. SCSIPAK   c. ScanCopy   d. QuickCopy
2. ___________ are disk editors which help browse NTFS and FAT file systems, along with recovery of data stored on a disk, as well as viewing the contents of a physical drive, logical drive or image files.
   a. DExplorer   b. DiskExplorer   c. DiskScan   d. PCScan

3. ___________ is a powerful tool for generating data images from suspect machines and duplicating IDE, SAS, SATA, and IDE hard drives.
   a. ScanCopy   b. ImageMASS   c. QuickCopy   d. ImageMASSter 6007SAS
4. The space between the end of the file and the end of the last cluster is known as ___________.
   a. Space Gap   b. Gap   c. Slack Space   d. Slack data

5. ___________ is used in Linux to convert and copy data, and a version of it also runs on Windows.
   a. dsd   b. dd   c. sdd   d. dss

6. The ___________ tool is available on all POSIX OS such as UNIX and Linux, and uses Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to transfer data across a network.
   a. Disk Explorer   b. Quick Copy   c. Netcat   d. ImageMASS

7. ___________ is a set of protocols which provide file and printer access between clients and remote servers on NetWare networks. NCP runs over IPX or IP.
   a. Common Internet File System   b. Network File System   c. NetWare Core Protocol   d. Server Message Block
5 RECOVERY OF DELETED FILES AND PARTITIONS, USING ACCESS DATA FTK AND ENCASE FOR FORENSIC INVESTIGATION

Unit Structure
5.0 Objectives
5.1 Introduction
5.2 Recovery of deleted files and partitions
5.2.1 Recycle bin
5.2.2 Deleted File Recovery tools
5.2.3 Recover the deleted files using Recuva
5.2.4 Recovering deleted partitions
5.2.5 Methods and tools to recover the deleted partitions
5.3 Using Access Data FTK and EnCase for Investigation
5.3.1 Forensic Tool Kit (FTK)
5.3.2 Investigation using FTK
5.3.3 EnCase
5.3.4 Investigation using EnCase
5.4 Let us Sum Up
5.5 List of References
5.6 Bibliography
5.7 Unit End Exercises

5.0 OBJECTIVES

After studying this unit, you will be able to know:
Recycle bin
What are the deleted files
How to recover the deleted files
5.1 INTRODUCTION

An investigator performs digital forensics by collecting, correlating and analyzing evidence to know the process and motive behind the crime and to identify the criminal, but hidden or deleted data are a major concern for the forensic investigator. Various tools and techniques help the digital forensic investigator in every phase of the digital forensic process. Hence computer forensic investigators should know those tools and techniques and their functions.

5.2 RECOVERY OF DELETED FILES AND PARTITIONS

5.2.1 Recycle bin

The Recycle Bin is a temporary storage place on the Windows desktop for deleted files, where those files are stored temporarily if they have not been deleted permanently. The Recycle Bin will not store files deleted from removable storage media like a floppy disk, USB pen drive, or network drive, and a deleted file that is too large will also not get a place in the Recycle Bin. Users can delete a file from a hard disk in the Windows operating system by right-clicking on that file and selecting the Delete option, which sends the file to the Recycle Bin. Users can also restore an individual deleted file or all deleted files by selecting the Restore option.
The table below shows the location and storage size limit of the Recycle Bin.

File System   Operating System          Location on drive       Size Limit
FAT           Win 98 and prior          Drive:\RECYCLED         3.99 GB
NTFS          Windows 2000 / Win XP     Drive:\RECYCLER         3.99 GB
NTFS          Windows Vista and later   Drive:\$Recycle.Bin     No Limit
When a user deletes a file from the computer, it is not physically deleted; only the entries for that file are deleted from the MFT (Master File Table), but the file remains on the hard disk, and the OS replaces the first letter of the entry with the hex byte E5h to indicate that the file has been deleted.

5.2.2 Deleted File Recovery tools:

Various tools are designed to recover/restore deleted or corrupted data/files from hard disks, USB pen drives, memory cards, and other storage devices. Tools available for recovering deleted data/files:

Recover My Files (www.recovermyfiles.com)
o It recovers deleted files from a hard drive, memory card, USB, ZIP, floppy disk.
o It also recovers deleted files emptied from the Windows Recycle Bin.
o It recovers deleted files from a formatted or corrupted hard disk.
o It also recovers documents, photos, videos, and audio files.
EaseUS Data Recovery Wizard
DiskDigger
Handy Recovery
Quick Recovery
Stellar Phoenix Windows Data Recovery
Total Recall
Advanced Disk Recovery
Windows Data Recovery Software
R-Studio
Orion File Recovery Software
Data Rescue PC
Smart Undeleter
DDR Professional Recovery Software
Data Recovery Pro
Undelete Plus
File Scavenger
VirtualLab
Active UNDELETE
WinUndelete
R-UnDelete
Recover4all Professional
Recuva
Active File Recovery
Disk Drill
PhotoRec

5.2.3 Recovering the deleted files using Recuva

Recuva is one of the tools used for file recovery. It can recover deleted files from a hard disk, USB pen drive, memory card, etc. (http://www.ccleaner.com/recuva). Its features include:
Superior file recovery
Recovery from damaged disks
Deep scan for buried files
Secure deletion of files

Steps to recover deleted files using Recuva:
1. First start the tool.
2. Then select which type of files you want to recover (All files).
3. Now specify the location of the source drive to recover files from (E:).
4. Now select the list of files you want to recover.
5. Select the destination folder/drive where you want to store the recovered files (Desktop).
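The E5h deletion marker described in section 5.2.1 is what a recovery tool such as Recuva looks for when it lists deleted files. The following is an added example, written in Python for this edit and not from the text or from Recuva, that scans a constructed FAT-style directory region for 32-byte entries whose first byte is 0xE5 and reports what can still be read from them (the remaining name characters, first cluster and size); the entry builder, sample directory and function names are assumptions made here.

```python
"""Added example (not from the original text): find deleted entries in a
FAT-style directory region by the 0xE5 marker in the first name byte.
The entries are constructed here; a real tool reads them from the volume."""
import struct

ENTRY_SIZE = 32
DELETED = 0xE5          # first byte of a deleted entry
END_OF_DIR = 0x00       # first byte of the terminating entry
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F         # long-file-name entry, skipped below


def make_entry(name, ext, attr, cluster, size, deleted=False):
    """Build a 32-byte FAT 8.3 directory entry (constructed sample data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 26, cluster)   # low word of first cluster
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED                        # first character overwritten
    return bytes(raw)


def parse_entries(region):
    """Walk a directory region up to the end marker and describe each entry.
    For a deleted entry the first character is gone from the entry itself,
    so it is reported as '?' for the examiner to infer from other sources."""
    found = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        first = "?" if deleted else chr(e[0])
        name = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        cluster = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        found.append({"name": f"{name}.{ext}" if ext else name,
                      "deleted": deleted,
                      "is_dir": bool(e[11] & ATTR_DIRECTORY),
                      "first_cluster": cluster, "size": size})
    return found


def deleted_entries(region):
    """Only the entries a recovery tool would offer to restore."""
    return [x for x in parse_entries(region) if x["deleted"]]


# Constructed directory: a live file, a deleted file, a subdirectory, end marker.
SAMPLE_DIR = (make_entry("report", "doc", 0x20, 5, 4096)
              + make_entry("secret", "txt", 0x20, 9, 120, deleted=True)
              + make_entry("photos", "", ATTR_DIRECTORY, 12, 0)
              + bytes(ENTRY_SIZE))


if __name__ == "__main__":
    for entry in deleted_entries(SAMPLE_DIR):
        print(entry)
```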
5.2.4 Recovering the Deleted Partitions

Partitions are created by logically dividing the hard disk into volumes (drives), and those volumes/drives are identified by letters like C, D or E. Those logical drives can be formatted separately, and each drive can use a different file system like NTFS or FAT. When partitions are deleted, knowingly or accidentally, all data will be lost. The system does not delete anything but erases the parameters which define the partition's setup, size and location.
Software that can re-establish those parameters can recover deleted partitions. Deleting a primary partition results in empty space referred to as unallocated disk space, and deleting a logical partition within an extended partition results in empty space referred to as free space.

Automated tasks performed by partition recovery tools to locate and recover data:
By allowing a user to select another partition after determining the error on the disk and then making that partition active.
By attempting to reconstruct the partition table entry after scanning the disk for a partition boot sector or damaged partition information.
By attempting to reconstruct the partition table entry after scanning the disk for a partition boot sector or data from deleted partition information.

5.2.5 Methods and tools to recover deleted partitions:

Method one:
Restart the system with the Windows install DVD in the system.
Select the key listed on the screen to go to the BIOS.
Select the menu named boot priority or boot order to set the DVD as the first boot device, then restart the system and start the installation process.
Then, during installation, select Repair instead of Install.
Type fixboot on the DOS screen.
Restart the system to check whether the deleted partition is restored.

Method two:
Remove the hard drive after shutting down the system.
Install the hard drive as a slave on another system.
Now attempt to recover the deleted partition.

Method three:
Use third-party partition recovery software to recover the drive.
Follow the instructions to recover the partition after running the partition recovery program.
Tools to recover partitions:

Active Partition for Windows
o Allows recovering deleted and damaged logical drives and partitions within Windows, WinPE and Linux environments.
o Will detect deleted but non-formatted partitions.
o Allows fixing a damaged partition table, Master Boot Record (MBR), or GUID partition table.
o Can restore data from raw, compressed, and VMware disk images.
o Will create a disk image backup for data recovery.
o Can trace reformatted and damaged partitions.
o Will recover volumes lost due to accidental disk formatting.
Acronis Recovery Expert
Power Data Recovery
EaseUS Partition Recovery
DiskInternals Partition Recovery
GetDataBack
Advanced Disk Recovery
NTFS Partition Data Recovery

5.3 USING ACCESS DATA FTK AND ENCASE FOR INVESTIGATION
5.3.1 Forensic Tool Kit (FTK)

Forensic Tool Kit (FTK) is a commercial software suite from AccessData. It is a complete computer forensics solution. It comes with FTK Imager, which is used for imaging and image analysis and also to recover files. It can perform email analysis, file decryption, data carving, and data visualization. It has features such as a registry viewer, in-depth easy-to-read logging, and a standalone disk imager. It can generate reports in different formats.
AccessData's FTK Imager is a Windows software platform that performs a variety of imaging tasks, including acquiring the running memory of a system. The software can be downloaded at www.accessdata.com/product-download

5.3.2 Investigation using FTK

Creating a New Case: The following steps must be completed to start a new case.
1. Enter basic case information.
2. Check what you want to be included in the case log.
3. Check the processes that you want to run on the evidence.
4. Select the criteria for adding evidence to the case.
5. Select the criteria for creating the index.
6. Add the evidence.
7. Review your case selections.
8. Complete the wizard to launch the processing of evidence.

Click on File, then select New Case, and specify the case name, case number and the investigator's name, and select the case path to store the evidence; then click on the Next button.
Note: The case folder is based on the case name and case path fields.
The next screen will appear to enter information about the examiner, like Examiner Name, Agency Name, Address, Phone No, Email Id, etc.
The next screen is the Case Log Options form for selecting the events that FTK will log for the current case, such as bookmarking items, searches and error messages. The case log file, named ftk.log, is created automatically; this log file can be used as a part of the report.
Select the events you want in the case log and click on the Next button.
The next form, Evidence Processing Options, allows you to choose which processes to perform on the evidence, such as full-text indexing, data carving, hashing (MD5, SHA1), etc. For example, for a large image file, if you do not want to create an index, which would take more time, do not select the Full-text index option.
Page 93
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 93
munotes.in
Page 94
Cyber Forensics 94
Select the processes to run on the evidence and click on the Next button.
The next screen, Refine Case, will appear, allowing you to exclude certain data from the case.
FTK contains five default exclusion templates:
o Include All Items
o Optimal Settings
o Email Emphasis
o Text Emphasis
o Graphics Emphasis
Page 95
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 95
Select the default template you want to use and click on the Next button. The next screen, Refine Index, lets you specify the data to index.
Here, select the type of files you want to index and click on the Next button.
Add Evidence File: This option allows you to add evidence, remove evidence, edit evidence or refine evidence.
From the Add Evidence to Case form, click on Add Evidence and select one of the options:
o Acquired Image(s) of Drive: Select this type to add a forensic image of a logical or physical drive.
o Local Drive: Select this to add a logical drive (C or D drive) or a physical drive (full hard disk).
o Contents of a Folder: Select this type to add all files in a specific folder.
o Individual File(s): Select this to add a single file (.docx, .pdf, .jpg, and so on).
After selecting the evidence option from the above list, click on the Next button.

The next form, Case Summary, will appear, which allows you to review the evidence directory, the number of evidence items, and the evidence processes that you selected during the New Case Wizard.
Page 97
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 97
After you click Finish, the Processing Files form appears and displays the status of the processes you selected in the wizard.
Search the Case: The investigator can efficiently search through suspected media by adding relevant keywords to determine whether certain words, expressions or strings exist in files, documents or emails.
There are two types of searching: live search and index search. Index search uses index files to search. Live search is an alternative to index search if you don't have time for indexing. Live search is a time-consuming process because it performs an item-by-item comparison with the search terms.

To perform a Live Search: Click on Live Search in the search window and enter the term in the Search Term field, and in Item Type select either Text or Hexadecimal. For the Text item type you can select ANSI, Unicode, Regular Expression or Case Sensitive. You can add many search terms by clicking on the Add button, modify them using Edit Item, remove them using Delete Item, and clear the search list using the Reset button.
Finally, click on the Search button; after it finishes, the results will appear in the search results list.

To perform an Indexed Search: Click on Index Search in the search window and enter the term in the Search Term field, and in Item Type select either Text or Hexadecimal. For the Text item type select ANSI, Unicode, Regular Expression, or Case Sensitive. You can add many search terms by clicking on the Add button, modify them using Edit Item, remove them using Delete Item, and clear the search list using the Reset button.
Page 99
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 99
Using Filters: To minimize the number of evidence items to examine, you can apply an existing filter or create a customized filter to exclude unwanted items. Forensic Toolkit (FTK) allows you to filter your case evidence by file status, type, size, and date parameters. Select View and then File Filter Manager, or click on the File Filter Manager icon; the File Filter Manager form that appears has various options under File Status, File Type, and Legend.
File Status:
E-mailed Items: Shows e-mail items such as e-mail messages, archive files, and attachments.
Encrypted Files: Shows encrypted files, which may be of any file type.
Graphic Files: Shows only graphic files.
KFF Alert Files: Shows KFF alert files, which may be of any file type.
No Deleted: Hides deleted items.
No Duplicates: Hides duplicate items.
No Ignorable: Hides duplicate items, KFF ignorable files, and files that were flagged ignorable.
No OLE: Hides items or pieces of information embedded in a file, such as text, graphics, or an entire file.
Unfiltered: Displays all items in the case.

Legend:
Hide: Never shows files meeting the selected criteria. If you click this icon in the Legend column, all file statuses and types are marked Hide.
Show: Always shows files meeting the selected criteria unless overridden by Hide. If you click this icon in the Legend column, all file statuses and types are marked Show.
Conditional Hide: Doesn't show files meeting the selected criteria unless overridden by Show. If you click this icon in the Legend column, all file statuses and types are marked Conditional Hide.
Conditional Show: Shows files meeting the selected criteria unless otherwise overridden. If you click this icon in the Legend column, all file statuses and types are marked Conditional Show.

To create a new filter, enter the name of the new filter in the Selected Filter drop-down box. To modify a filter, select the filter to modify in the Selected Filter drop-down box.

Creating Bookmarks: A bookmark helps to group related and similar files, like a bookmark of graphics that contains similar image files.
Page 101
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 101
Bookmarks can be created by selecting Tools, then Create Bookmark, and then entering information about the bookmark, like the bookmark name and bookmark comment. Then specify the files to add to the bookmark. Select Include in Report to include the bookmark, and Export, in the report.

Reporting the case: Reporting is the final stage of the forensic analysis phase. Reports contain the relevant information of the investigation. The report can be generated in HTML, PDF or other formats. To generate reports, click on File, then Report. In the Case Information form, enter basic case information, such as the investigator and the organization that analyzed the case. Then select the information that will be used for the generation of the report, such as bookmarks. In the Report Folder field, set the path to output your report. Select a language to use in the report. Select the output file format. Click on OK to generate the final report.
5.3.3 EnCase

Features of EnCase: EnCase software is developed by Guidance Software. It is a reliable and widely used tool. There are multiple packages in a single software product. It supports all popular operating systems. Users can write scripts for automated tasks. It can also perform file signature analysis. It has an MD5 database to crack encrypted files with passwords. It supports the Windows platform but it can analyze any operating system. The software goes through an entire file system, file registry, temporary files, and virtual memory. A specific term can be searched for by using regular expressions. It makes many complicated jobs easy. It has a built-in imager with a software write blocker. It is always suggested to use a hardware write blocker as a precaution. EnCase provides another independent tool for live acquisition which is very useful in incident response. EnCase gives very good results for disk imaging, volume imaging, memory, and logical files.

5.3.4 Investigation using EnCase

Steps to Create a Case in EnCase:
1. Create case. Ensure that you have all relevant information: custodians, clients, case name, etc.
2. Change storage paths as appropriate. Set everything to go to a volume or folder dedicated to the case.
3. Save All.
4. Add evidence: E01, LEFs, loose files, etc. Each time you add evidence, you should consider rerunning several of the following steps.
Page 103
5. Confirm disk geometry, sector count, partitions. You're checking to see if everything is accounted for. There may be hidden partitions.
6. Run Partition Finder if indicated.
7. Run Recover Deleted Folders.
8. Search case: hash and signature analysis. You will probably repeat this each time you add new evidence.

The EnCase Forensic main window is divided into four panes from which various tabs are accessible.
■ Tree Pane: Cases, Home, Entries, Bookmarks, Search Hits, Email, History, Web Cache, Devices, Secure Storage, and Keywords tabs can be accessed from the Tree pane, which is the top left pane in EnCase.
■ Table Pane: Table, Report, Gallery, Timeline, Disk, and Code tabs can be accessed from the Table pane, which is the top right pane in EnCase.
■ View Pane: Text, Hex, Picture, Report, Console, and Details tabs can be accessed from the View pane, which is the bottom left pane in EnCase.
■ Filter Pane: EnScripts, Filters, Conditions, Queries, and Text Styles tabs can be accessed from the Filter pane, which is the bottom right pane in EnCase.
Creating a New Case: Click File, then New Case, and specify the case name, examiner name, and the folder locations to save the case under the designated folder, not at the default location. Then click on the Finish button. Use the Save button frequently.
Adding Evidence Files: Evidence files can be added to the case at any time via the Add Device button on the button bar, or by selecting File, then Add Device, from the menu. Navigate to the evidence folder and follow the rest of the dialog box prompts.
Keyword search: Investigators can efficiently search through suspected media by adding relevant keywords to determine whether certain words, expressions, or strings exist in the suspected media. Select Keywords from the View menu. Place a check in the box in front of Keywords, right-click Keywords and select New Keyword. Type the keyword you want to look for in the search expression box and select any other options that are relevant to the criteria of your search. Click on the OK button.
EnCase has the following searching options:
Case sensitive: EnCase searches for keywords only in the exact case specified in the text box.
GREP: Global Regular Expression Print (GREP) search, where the keyword is a regular expression.
RTL reading: This is a keyword search in a right-to-left sequence for international language support.
Active code page: This option allows an investigator to enter keywords in many different languages.
Unicode: This enables investigators to search for keywords with international language characters.
Big-endian Unicode: This enables investigators to search for keywords with international language characters stored in big-endian byte order.

To perform the search, click on the Search button. Place a check in front of the Search each file for keywords option and click on the Start button.
Search hits are shown grouped first by device and second by keyword.
Bookmarks: An investigator can highlight findings in a case by using bookmarks. A bookmark allows an investigator to include extremely relevant items in the investigation report. Investigators can bookmark files, folders, or sections of files. To view bookmarks, click on View and then Bookmarks.

Creating a Bookmark folder: To create a bookmark folder, select Create new bookmark folder in the Bookmark Files window.

Adding a Bookmark to a case in EnCase: To add a bookmark, right-click on any of the files and then select Bookmark Files.
Right-click on the highlighted text area and then select Bookmark Data to bookmark the selected area.
Recovering Deleted Folders and Files: To recover files, right-click on the file, select Copy/UnErase, on the options screen select the Next button, select the destination path, and select the Finish button.
Page 109
Recovery of Deleted Files and Partitions, Using Access Data Ftk and Encase for Forensic Investigation 109
To recover a deleted folder: Right-click on the deleted folder, select Copy/UnErase, on the options screen select the Next button, select the destination path, and then click on the Finish button.

Signature Analysis: Executing signature analysis gives you the advantage of seeing all graphic files in Gallery view, regardless of what the current file extension is.

To create a new File Signature: The New File Signature dialog box allows you to enter the search expression in the form of GREP, the name of the file signature, and the extension; then click on the OK button, as shown in the figure.
Page 110
Cyber Forensics 110
To perform file signature analysis Click on theSearch button. Place check in front of Verify file signatures . Click on theStart button.
View File Signature Analysis Results: Click the View menu, then File Signatures. Set the green Home plate to show all items.
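The check behind the signature analysis described above is a comparison of each file's leading bytes with its extension. The following is an added example, written in Python for this edit and not EnCase's own code or signature table: a small table of known headers is matched against constructed sample files, and each file is classified into categories that approximate EnCase's Match, Alias, Bad signature and Unknown results (that mapping, the table and the function names are assumptions made here), so a renamed JPEG or an executable carrying an image extension stands out for review.

```python
"""Added example (not from the original text): file signature analysis on
constructed sample files. Headers are compared with extensions and every
mismatch is reported for the examiner to look at."""

# (magic bytes, offset in file, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx"}),
    (b"MZ", 0, {"exe", "dll"}),
    (b"Rar!\x1a\x07", 0, {"rar"}),
]


def identify(header):
    """Return the set of extensions implied by the leading bytes, or None."""
    for magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return exts
    return None


def classify(name, header):
    """Approximation of the signature-analysis verdicts (assumed mapping):
    match          - header and extension agree
    alias          - header identifies the type, the extension disagrees
    bad signature  - extension claims a known type, header does not match it
    unknown        - neither the header nor the extension is in the table"""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    implied = identify(header)
    ext_known = any(ext in exts for _, _, exts in SIGNATURES)
    if implied is not None and ext in implied:
        return "match"
    if implied is not None:
        return "alias"
    if ext_known:
        return "bad signature"
    return "unknown"


def signature_analysis(files):
    """files: {name: bytes}. Returns ({name: verdict}, sorted list of names
    whose header and extension disagree and therefore need a second look)."""
    verdicts = {name: classify(name, data[:16]) for name, data in files.items()}
    suspicious = sorted(n for n, v in verdicts.items()
                        if v in ("alias", "bad signature"))
    return verdicts, suspicious


# Constructed sample evidence: only the first bytes of each file matter here.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"meeting at 10am\n",
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3",
    "photo.txt": b"\xff\xd8\xff\xe1\x12\x34Exif",   # JPEG renamed to .txt
    "report.docx": b"This is not a zip container",  # .docx without PK header
    "setup.exe": b"MZ\x90\x00\x03\x00",
    "tool.jpg": b"MZ\x90\x00\x03\x00",               # executable named as image
}


if __name__ == "__main__":
    verdicts, suspicious = signature_analysis(SAMPLE_FILES)
    for name, verdict in verdicts.items():
        print(f"{name:12s} {verdict}")
    print("review:", suspicious)
```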
To view disk geometry, highlight the case and click Report on the top menu.
Reporting: Reporting is the final stage of forensic analysis. Reports can be generated from bookmarks made in a case.
5.4 LET US SUM UP

This unit helps gain an understanding of the Recycle Bin and partitions, the tools needed for recovery of deleted data and partitions, and also performing an investigation using AccessData FTK and EnCase.

5.5 LIST OF REFERENCES

[1] The Official CHFI Exam 312-49 Study Guide by Dave Kleiman, Syngress Publication, 2007.

5.6 BIBLIOGRAPHY

[1] EC-Council CHFIv10 Study Guide, EC-Council, 2018
[2] Forensic Toolkit User Guide, AccessData Corp.

5.7 UNIT END EXERCISES

1. ___________ is a temporary storage place on the Windows desktop for deleted files, where those deleted files are temporarily stored if they are not deleted permanently.
   a. Temp Folder   b. Recycle Bin   c. Bin Box   d. My Documents
2. ___________ are created by logically dividing the hard disk into volumes (drives), and those volumes/drives are identified by letters like C, D or E.
   a. Fragments   b. Partitions   c. Folders   d. Files

3. ___________ is a commercial forensic imaging software package distributed by Access Data.
   a. Autopsy   b. EnCase Imager   c. FTK Imager   d. Image MaSter Solo

4. A registry viewer, in-depth easy-to-read logging and a standalone disk imager are features of ______.
   a. Autopsy   b. EnCase Imager   c. FTK Imager   d. Image MaSter Solo
5. An investigator can highlight findings in a case by using ___________.
   a. Highlighter   b. Bookmark   c. Keyword   d. Search

6. E01, E02 are the extensions of forensic image files generated by the ___________ tool.
   a. Autopsy   b. EnCase Imager   c. FTK Imager   d. Image MaSter Solo
6 FORENSIC ANALYSIS OF STEGANOGRAPHY AND IMAGE FILES, CRACKING APPLICATION PASSWORDS

Unit Structure
6.0 Objectives
6.1 Introduction
6.2 Forensic Analysis of Steganography and Image files
6.2.1 Steganography
6.2.2 Different types of Steganography
6.2.3 Tools for Steganography
6.2.4 Steganalysis
6.2.5 Tools for detecting Steganography
6.3 Cracking Application passwords
6.3.1 Password
6.3.2 Methods for cracking or attacking passwords
6.3.3 Password cracking tools
6.3.4 Recommendations for improving passwords
6.4 Let us Sum Up
6.5 List of References
6.6 Bibliography
6.7 Unit End Exercises

6.0 OBJECTIVES

After studying this unit, you will be able to know:
What is Steganography
Different types of Steganography
Tools for Steganography
How to detect Steganography
What is a password and what is a password cracker
Various methods of cracking and attacking passwords
Various types of password cracking tools

6.1 INTRODUCTION

An investigator performs digital forensics by collecting, correlating and analyzing evidence to know the process and motive behind the crime and to identify criminals, but anti-forensic techniques such as data hiding, steganography, cryptography and password protection are major concerns. Hence computer forensic investigators should know those techniques and their functions.

6.2 FORENSIC ANALYSIS OF STEGANOGRAPHY AND IMAGE FILES

6.2.1 Steganography

The word steganography is derived from the Greek words "steganos", meaning hidden or secret, and "graphia", meaning writing or drawing. So steganography means hidden writing. It is the practice of concealing messages, files or images within another file, image or video. Steganography is used for secure communication by hiding information in a file. It is also used for anti-forensics. Steganography is different from cryptography, but both are used for improving the security of protected data and preventing the detection of secure communication. Cryptography is about hiding the contents of a message in an unreadable format using algorithms like RSA, AES, DES, etc. The main aim of steganography is to prevent the detection of a secret message. In steganography, two types of files are used: the one used to hide the text message or another file is known as the carrier file, and the one which is inserted into the carrier file is known as the hidden file.
How steganography works

Fig. 6.1 Steganography process (figure not reproduced)
1. Alice embeds a secret message into the cover message (the original, innocuous message) to produce a stego message.
2. The stego message (the cover carrying the secret) is sent to Bob over a public channel that a third party can observe.
3. Bob receives the stego message.
4. Bob extracts the secret message from the stego message, using the stego key if one was used.
5. Willie, the third party watching the channel, sees only what looks like an ordinary message.

6.2.2 Different types of steganography
Steganography can be applied to almost any digital medium: images, audio, video, text, documents and even whole file systems.

Image steganography: the information is hidden in image files such as .jpg, .png and .bmp, typically by altering pixel values (for example their least significant bits) or, for JPEG, the quantised DCT coefficients.
Video steganography: files are hidden inside video containers such as .avi, .mp4 and .wmv, either in individual frames or in the audio track.
Audio steganography: messages are hidden in a digital sound file using methods such as:
o Least Significant Bit (LSB) insertion: the least significant bit of each audio sample is replaced with one bit of the message. The change is far below the audible threshold, and a cover can carry about one bit per sample, i.e. roughly one eighth of its own size.
o Echo hiding: a faint echo is added to the signal, using two different delays to encode a 1 and a 0.
o Phase coding: the initial phase of each sound segment is modified to carry the bits of the secret message.
o Spread spectrum: the narrow-band secret signal is spread across the wide-band cover signal so that it looks like noise.
Document steganography: whitespace and tab characters are appended at the end of lines of a document, where a reader does not see them.
Folder steganography: one or more files are hidden inside folders.
Whitespace steganography: messages are hidden in ASCII text by appending spaces and tabs to the ends of lines (the tool Snow, below, works this way).
Web steganography: web objects are hidden behind other objects and uploaded to a server.
Spam/email steganography: data is embedded in messages that look like spam.
Hidden OS steganography: one operating system (or an encrypted volume holding it) is hidden inside another.
Source code steganography: data or a set of tools is hidden inside source code files, for example C++ sources.

6.2.3 Tools for steganography
The simplest form of hiding needs no special tool at all: a text file is appended to the end of an image file. Image viewers stop at the image's end-of-image marker and ignore the trailing bytes, so the picture still displays normally.

On Windows:
    copy /b infile.jpg + hidetext.txt outfile.jpg

On Linux:
    cat infile.jpg hidetext.txt > outfile.jpg

Opening outfile.jpg in a text editor such as Notepad shows the appended text after the binary image data. Note that this is not steganography in the statistical sense: the file grows by exactly the size of the payload and the payload is stored in the clear, which is why the "appended data" test in detection tools (see 6.2.5) finds it immediately.

There are many open source and commercial tools for creating steganographic content:

Snow: a whitespace steganography tool that appends spaces and tabs to the ends of lines to hide information; -C compresses the message and -p sets a password.
Command to hide the message "this is whitespace Steganography tool" inside infile.txt, writing outfile.txt:
    snow -C -m "this is whitespace Steganography tool" infile.txt outfile.txt
Command to extract the information from outfile.txt:
    snow -C outfile.txt

Steganos: a steganographic tool that hides files inside a .bmp, .wav, .voc or text file.

Gifshuffle: hides a message inside any GIF file, including transparent and animated GIFs, by shuffling the order of the colour map. It provides encryption and compression and works in concealing and extraction modes.
Command to hide the message "meet me at 10" inside infile.gif, compressed (-C) and protected with the password "hello world", writing outfile.gif:
    gifshuffle -C -m "meet me at 10" -p "hello world" infile.gif outfile.gif
Command to extract the information from outfile.gif:
    gifshuffle -C -p "hello world" outfile.gif

Outguess: inserts hidden information into the redundant bits of a data source; the version described supports the JPEG and PNM image formats.

Stegomagic: hides any kind of file or message inside a text file, a .wav file or a 256-colour .bmp file; the hidden data can be at most roughly one eighth of the size of the carrier, since one bit is hidden per carrier byte.

SilentEye: an open source tool that hides messages in pictures or audio.
iSteg: an open source tool that hides files inside JPEG pictures.
OpenStego: an open source tool that hides data within images.
OpenPuff: a free steganography tool (freeware, not a Microsoft product).
Steghide: a tool that hides messages in image and audio files.
Invisible Secrets: a tool that hides a file within another file and later unhides it.

The following steps hide a file using Invisible Secrets:
1. Launch Invisible Secrets and select the option Hide Files / Unhide Files.
2. Click the Add File button to select the file you want to hide in the carrier.
3. Select the file you want to hide.
4. Click Next, select the carrier file and set the carrier type to JPEG image, then click Next.
5. Specify the password for the encryption, retype it and click Next.
The result is a steganographic image that displays like the original carrier. (The screenshots of these steps are not reproduced here.)

6.2.4 Steganalysis
Steganalysis is the process of discovering the existence of hidden information within a cover medium and, where possible, of recovering or destroying it. A steganalyst tries to detect hidden information in digital media such as images, audio and video. Unlike cryptanalysis, success does not require reading the message: showing that a file carries a hidden payload is often enough to justify a deeper examination.
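The LSB insertion method described in 6.2.2, together with the comparison a steganalyst performs when the original cover is available, as an added example in Python. This is illustration code written for this page, not the code of any tool named here. The cover is a constructed buffer of pseudo-random 8-bit samples standing in for the pixel or audio samples of a real file (a real tool would read them from a BMP or WAV); the 32-bit length header and the names make_cover, lsb_embed, lsb_extract and known_cover_analysis are this example's own conventions.

```python
import hashlib
import random

HEADER_BITS = 32  # this example's convention: a 32-bit big-endian payload length first


def make_cover(n_samples: int = 4096, seed: int = 7) -> bytes:
    """Constructed cover: pseudo-random 8-bit samples standing in for pixel/audio data."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the least significant bit of consecutive cover samples.

    One cover sample carries one payload bit, so capacity is len(cover) // 8
    bytes minus the header: the "one eighth of the carrier" rule of thumb.
    """
    needed = HEADER_BITS + 8 * len(payload)
    if needed > len(cover):
        raise ValueError(f"cover has {len(cover)} samples, payload needs {needed}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header, then reassemble that many bytes from the LSBs."""
    length = 0
    for i in range(HEADER_BITS):
        length = (length << 1) | (stego[i] & 1)
    out = bytearray()
    for b in range(length):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[HEADER_BITS + 8 * b + j] & 1)
        out.append(byte)
    return bytes(out)


def known_cover_analysis(cover: bytes, stego: bytes) -> dict:
    """Known-cover attack: diff the suspect file against the trusted original.

    An LSB embedder leaves a fingerprint: only bit plane 0 differs, roughly
    half the samples in the used region change, and the changes stop where
    the payload ends. A hash mismatch on its own only proves the file changed.
    """
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    planes = set()
    for i in changed:
        diff = cover[i] ^ stego[i]
        planes.update(bit for bit in range(8) if (diff >> bit) & 1)
    return {
        "hashes_differ": hashlib.sha256(cover).digest() != hashlib.sha256(stego).digest(),
        "samples_changed": len(changed),
        "bit_planes_touched": sorted(planes),
        "last_changed_offset": changed[-1] if changed else None,
    }


if __name__ == "__main__":
    cover = make_cover()
    stego = lsb_embed(cover, b"meet me at 10")
    print(lsb_extract(stego))
    print(known_cover_analysis(cover, stego))
```

The embedder never changes anything but bit 0, which is exactly what the known-cover comparison reports; without the original, a steganalyst has to fall back on statistical tests of the LSB plane, which is what the detection tools in 6.2.5 automate.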
Methods of detecting steganography

Text/document steganography detection: look for text patterns or disturbances, such as unusual spacing, trailing spaces and tabs, or invisible characters; a simple editor with "show whitespace" enabled, or a hex dump, is sufficient.
Image steganography detection: compare the suspect image with a known original where one exists, and examine its size, file format, last modification time stamp and colour palette; a palette with many near-duplicate colours, or a file noticeably larger than its image content explains, is suspicious.
Audio steganography detection: statistical methods detect the changes that Least Significant Bit (LSB) modification makes to the distribution of sample values; scanning the spectrum for content in high or inaudible frequency bands can also reveal hidden data.
Video steganography detection: a combination of the image and audio techniques is used, since video is a sequence of frames plus an audio track; it often also needs a human reviewer looking for special code signs or gestures in the footage.

Types of attack used by a steganalyst
Steganalysis attacks are classified by what information the analyst has. Six types are distinguished: stego-only, known-stego, known-cover, known-message, chosen-message and chosen-stego.

Stego-only attack: the analyst has access only to the stego object and must try every plausible algorithm and statistical test to find and recover the hidden message.
Known-stego attack: the analyst has the stego object, the original cover and knowledge of the steganographic algorithm, and can therefore extract the hidden message directly.
Known-cover attack: the analyst has both the original cover and the stego object and compares them to locate the changes, which reveals where and how the message was embedded.
Known-message attack: the analyst has the hidden message and the stego object and uses them to work out which technique was used to embed it.
Chosen-message attack: the analyst embeds messages of their own choosing with candidate steganography tools and compares the results with the suspect file to identify the algorithm that was used.
Chosen-stego attack: the analyst has the stego object and knows the steganographic algorithm, and uses that knowledge to recover the message.

6.2.5 Tools for detecting steganography
Various tools are available to the forensic investigator for detecting steganography. The simplest method is to compare the hash of a suspect file with the hash of a known original: md5sum (a Windows build, md5sum.exe, is freely available) computes the MD5 hash of any file, and as the figure (not reproduced) shows, the original photo and the same photo carrying hidden information produce different hash values. Two caveats apply. A differing hash proves only that the file changed, not that it contains hidden data: re-saving, rotating or stripping metadata also changes the hash. And the method needs a trusted original, for example the same picture obtained from the site it was downloaded from. MD5 is adequate for this "is it identical" check, but SHA-256 should be recorded alongside it in the case notes because MD5 collisions can be manufactured.
Stegdetect: software that detects steganographic content in JPEG files. It recognises several embedding methods, namely jsteg, JPHide, Invisible Secrets, OutGuess (version 01.3b), F5, appendX and Camouflage, and is available for Linux. It can be downloaded from https://centos.pkgs.org/7/forensics-x86_64/stegdetect-0.6-2.el7.x86_64.rpm.html (the package for CentOS 7). The stego file we want to identify is a JPEG image.
The -s option changes the sensitivity of the detection algorithms (the default is 1; higher values report more, and more false positives), and -t selects the tests to run on the image:
    ./stegdetect -t IMAGE.jpeg
• ./stegdetect -t j IMAGE.jpeg checks whether the image has been embedded with jsteg.
• ./stegdetect -t o IMAGE.jpeg checks whether the image has been embedded with OutGuess.
• ./stegdetect -t p IMAGE.jpeg checks whether the image has been embedded with JPHide.
• ./stegdetect -t i IMAGE.jpeg checks whether the image has been embedded with Invisible Secrets.
• ./stegdetect -t f IMAGE.jpeg checks whether the image has been embedded with F5.
• ./stegdetect -t a IMAGE.jpeg checks whether information has been appended at the end of the file (the copy /b and cat technique from 6.2.3).
Test letters can be combined, for example -t jopi. Stegdetect reports the suspected tool followed by one to three asterisks indicating its confidence; treat a single asterisk as a lead to verify, not a finding.
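The copy /b and cat technique from 6.2.3 and the two checks that detect it in 6.2.5 (hash comparison and stegdetect's "appended data" test), as an added Python example written for this page rather than taken from any of the tools named. It walks the JPEG marker structure to find the real end-of-image marker, so a stray FF D9 inside an EXIF thumbnail or inside the appended payload does not fool it. The cover is a constructed byte string with a valid marker layout but no decodable picture, and make_cover_jpeg, find_eoi, trailing_data and file_hashes are names of this example's own.

```python
import hashlib

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image
RST_MARKERS = set(range(0xD0, 0xD8))  # restart markers, legal inside scan data


def _segment(marker: int, body: bytes) -> bytes:
    """Build a length-prefixed JPEG segment (the 2-byte length counts itself)."""
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body


def make_cover_jpeg() -> bytes:
    """Constructed stand-in for a JPEG: correct marker layout, no real picture.

    The APP1 segment deliberately contains an embedded thumbnail with its own
    SOI/EOI, the case that a naive search for FF D9 gets wrong.
    """
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, b"Exif\x00\x00" + SOI + b"\x00" * 8 + EOI)
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # start-of-scan header
    scan = bytes(range(0xFF)) * 4  # entropy-coded stand-in; contains no 0xFF byte
    return SOI + app0 + app1 + sos + scan + EOI


def find_eoi(data: bytes) -> int:
    """Return the offset just past the real EOI by walking the JPEG structure.

    Segments before SOS are skipped by their length field. Inside scan data,
    FF 00 is a stuffed data byte and FF D0..D7 are restart markers; the first
    other marker ends the scan, and FF D9 there is the image's true end.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows the header
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break  # a real marker; the outer loop classifies it
                pos += 1
    raise ValueError("no EOI found")


def append_payload(cover: bytes, payload: bytes) -> bytes:
    """Exactly what `copy /b cover.jpg + secret.txt out.jpg` or `cat` produces."""
    return cover + payload


def trailing_data(data: bytes) -> bytes:
    """Bytes after the real EOI are not image data; empty means nothing appended."""
    return data[find_eoi(data):]


def file_hashes(data: bytes) -> dict:
    """MD5 as in the text plus SHA-256 for the case notes; any change flips both."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    cover = make_cover_jpeg()
    stego = append_payload(cover, b"meet me at 10")
    print(trailing_data(stego))
    print(file_hashes(cover)["md5"] != file_hashes(stego)["md5"])
```

Trailing bytes are a lead rather than proof: some camera firmware legitimately stores extra data after EOI, so the examiner should look at what the bytes are (text, a second SOI, an archive signature) before drawing conclusions.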
OutGuess itself is an embedding tool (see 6.2.3): it inserts hidden information into the redundant bits of a data source, JPEG or PNM images, and the -t o test above looks for its output.

Other tools to detect steganography:
StegSecret (also distributed as XStegSecret): an open source, Java-based multiplatform tool that detects hidden information in various digital media; it detects end-of-file (EOF) appending, LSB embedding and DCT-based embedding, among others.
StegExpose: a command-line tool that detects LSB steganography in .bmp and .png files by combining several statistical detectors into one score.
ImgStegano: a tool that detects steganography in .bmp and .png files using an enhanced LSB technique.
StegSpy v2.1: a signature-detection program that searches for the signatures left by steganography programs and determines which program was used; it identifies 13 different steganography programs and the location of the hidden message within the file.

6.3 CRACKING APPLICATION PASSWORDS

6.3.1 Passwords
Since the beginning of computer systems some form of password has been required for authentication: to power on the machine, to change the BIOS settings, to log in to the operating system, to perform administrative tasks, to open protected documents, and so on. A password is a word, phrase or string of characters. Password crackers are programs that attempt to recover such passwords, either to gain unauthorised access to a protected application or file or, in a forensic setting, to open evidence that a suspect has locked.

Devices store or transmit passwords in one of three forms: clear text, obfuscated or hashed. Only hashed passwords actually need cracking; the other two forms can be read back directly, and they often assist in cracking the hashed ones because users reuse passwords.

Clear-text passwords: stored in plain text without any alteration. For example, the Windows registry stores the automatic logon password in clear text under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the DefaultPassword value). Sniffers such as Cain and Ettercap are used by investigators to capture clear-text passwords that cross the network in unencrypted protocols.

Obfuscated passwords: stored after one or more reversible transformations. The password becomes unreadable by applying an encoding or weak algorithm, and it returns to clear text when the reverse transformation is applied; no secret is needed, only knowledge of the algorithm.

Hashed passwords: similar to obfuscated passwords in that the stored value is unreadable, but the transformation is a one-way hash and cannot be reversed. The only way to recover the password is to guess candidates, hash each one the same way (including any salt) and compare the result with the stored hash.

6.3.2 Methods for cracking or attacking passwords
Password crackers are programs that help a user gain unauthorised access to an application; they are also used legitimately to recover lost or forgotten passwords. Various methods are used to identify passwords:
Password guessing
Dictionary search
Brute force
Syllable attack
Rule-based attack
Hybrid attack
Rainbow attack

Password guessing: attackers succeed because many passwords are easy to guess: a blank password, a trivial one such as "password" or "drowssap", or one based on a spouse, children, relatives or other personal information.

Dictionary search: the cracking tool is loaded with a word list (a dictionary) and hashes each word in turn; the attack succeeds if the password is one of the words.

Brute force: every possible combination of characters is tried and tested. The time required grows exponentially with the password length: a short password falls in seconds or minutes, a long one can take decades.

Syllable attack: used when the password is not a dictionary word; syllables taken from dictionary words are combined into tokens, and brute force is applied to the combinations.
Rule-based attack: the attacker obtains some information, such as the organisation's password policy ("passwords must be at least eight characters and contain a digit"), and configures the cracking tool so that it generates only candidates that satisfy those rules.

Hybrid attack: used when the password is a dictionary word combined with extra characters, for example "summer123" or "Welcome!". It succeeds often because most users choose exactly this kind of password.

Rainbow attack: the attacker uses a rainbow table, a precomputed table of hashes for a large space of candidate passwords, so that the hash found on the target can simply be looked up instead of recomputed. Rainbow tables only work when the hash has no salt (the unsalted Windows LM and NTLM hashes are the classic targets); a per-user salt forces the attacker back to computing each candidate for each hash.

6.3.3 Password cracking tools
Cain and Abel: a Microsoft Windows password cracking tool that uses brute force, dictionary-based attacks and other cryptanalysis methods; it also works as a network sniffer and can recover passwords from captured traffic.
OphCrack: a password cracker based on rainbow tables, available for Windows, Linux/Unix and Mac OS X.
LCP: a Microsoft Windows password cracking tool, an alternative to the popular L0phtCrack, that uses brute force, hybrid, rainbow table and dictionary-based attacks.
John the Ripper: a free, open source password cracker used to detect weak passwords, available for Windows, Linux/Unix and Mac OS X; the Pro version offers more features.
CMOSPwd: decrypts the BIOS setup password stored in CMOS, which controls access to the BIOS setup. It works with Acer/IBM BIOS, AMI BIOS, AMI WinBIOS, Award 4.5x, Compaq (old and new versions), Toshiba, Zenith, Gateway Solo, Phoenix and others.
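The three storage forms from 6.3.1 and the dictionary, rule-based, hybrid, brute-force and rainbow (precomputed table) methods from 6.3.2, as an added Python example written for this page; it is not code from any of the tools listed above. Hashing uses plain SHA-256 so that the attacks stay visible (real systems should use a slow, salted scheme such as PBKDF2 or bcrypt), the rainbow attack is simplified to a full hash-to-password dictionary, and WORDLIST, the rule set and the XOR-plus-base64 obfuscation scheme are constructed for this example.

```python
import base64
import hashlib
import itertools
import string

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "admin"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hashed form: one-way. Plain SHA-256 here so the attacks are visible;
    real systems should use a slow, salted scheme such as PBKDF2 or bcrypt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def obfuscate(password: str, key: int = 0x5A) -> str:
    """Hypothetical obfuscated form: XOR with a fixed byte, then base64.
    It looks unreadable but needs no cracking, only the reverse transformation."""
    return base64.b64encode(bytes(b ^ key for b in password.encode())).decode()


def deobfuscate(blob: str, key: int = 0x5A) -> str:
    return bytes(b ^ key for b in base64.b64decode(blob)).decode()


def rule_variants(word: str):
    """Rule-based attack: candidates derived from one word by policy-style rules."""
    yield word.capitalize()
    yield word.upper()
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")
    yield word[::-1]  # "password" -> "drowssap"


def hybrid_variants(word: str):
    """Hybrid attack: dictionary word plus a short numeric or symbol suffix."""
    for suffix in ("1", "123", "!", "2024", "!1"):
        yield word + suffix


def brute_force(target: str, salt: bytes, charset: str, max_len: int):
    """Brute force: every string over `charset` up to `max_len`; cost grows as |charset|**n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def precomputed_table(wordlist) -> dict:
    """Rainbow-style attack, simplified to a full hash -> password map.
    Built once, reused against any number of unsalted hashes."""
    table = {}
    for word in wordlist:
        for cand in itertools.chain([word], rule_variants(word), hybrid_variants(word)):
            table[hash_password(cand)] = cand
    return table


def crack(target: str, salt: bytes = b"", wordlist=WORDLIST, table=None,
          charset: str = string.digits, max_len: int = 4):
    """Try the methods cheapest-first and report which one succeeded."""
    if table is not None and not salt and target in table:
        return table[target], "precomputed-table"  # a salt makes the table useless
    for word in wordlist:
        if hash_password(word, salt) == target:
            return word, "dictionary"
    for word in wordlist:
        for cand in rule_variants(word):
            if hash_password(cand, salt) == target:
                return cand, "rule-based"
    for word in wordlist:
        for cand in hybrid_variants(word):
            if hash_password(cand, salt) == target:
                return cand, "hybrid"
    found = brute_force(target, salt, charset, max_len)
    if found is not None:
        return found, "brute-force"
    return None, "not cracked"


if __name__ == "__main__":
    for pw in ("letmein", "drowssap", "summer123", "4071", "Xk9#pq"):
        print(pw, "->", crack(hash_password(pw)))
```

The brute-force stage is deliberately restricted to four digits so the example runs instantly; a real cracker walks a far larger space on GPUs, which is why the length of the password, not its cleverness, decides how long that stage takes. Note also that the same salted hash that defeats the precomputed table still falls to the hybrid stage: salting only removes the shortcut, it does not make a weak password strong.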
Smartkey Password Recovery Bundle Standard: multifunction password recovery software that recovers passwords for Microsoft Excel, Word, Access, PowerPoint and Outlook, ZIP/WinZip, RAR/WinRAR, PDF, MSN, AOL, Google, Miranda, Opera, Firefox, Internet Explorer and others.
Passware Kit: a complete electronic evidence discovery solution that recovers passwords for more than 200 file types and supports distributed and cloud-based password recovery.

Password cracking software is also sold by the type of application whose passwords it targets:

Office password cracking software: recovers passwords of Microsoft Office documents (Word, Excel, PowerPoint, Access databases, Outlook email accounts, OneNote notebooks, etc.), including the passwords of read-only documents. Tools include Office Password Recovery Toolbox, Office Password Recovery Lastic, Stellar Phoenix Office Password Recovery, Online Password Recovery, Online Password Genius, Smartkey Office Password Recovery, Advanced Office Password Recovery, Office Multi-document Password Cracker, Word Password Recovery Master, Accent Word Password Recovery, Smartkey PowerPoint Password Recovery and PDS Excel Password Recovery.

PDF password cracking software: Crack PDF, PDF Password Recovery, PDF Password Genius, Smartkey PDF Password Recovery, Tenorshare PDF Password Recovery, Guaranteed PDF Decryptor and Advanced PDF Password Recovery crack the passwords of password-protected PDF files.

ZIP password cracking software: Accent ZIP Password Recovery, ZIP Password Genius, Smartkey ZIP Password Recovery, KRyLack ZIP Password Recovery and Stellar Phoenix ZIP Password Recovery crack the passwords of ZIP archives.
RAR password cracking software: Accent RAR Password Recovery, cRARk 5.1, Smartkey RAR Password Recovery and KRyLack RAR Password Recovery crack the passwords of RAR archives.
Other popular password cracking tools include Brutus, RainbowCrack, PWdump7, Fgdump, Wfuzz, KonBoot, Hash Suite, THC-Hydra, Offline NT Password and Registry Editor, Password Unlocker Bundle, Proactive System Password Recovery, DaveGrohl, Active@ Password Changer and others.

6.3.4 Recommendations for improving passwords
Some recommendations for choosing better passwords:
Do not use dictionary words as passwords.
Do not base a password on a spouse, children, relatives or other personal information that an attacker can look up.
Use several character sets, i.e. a combination of letters, digits and special characters.
Do not use the same password in more than one place; every account should have a unique password, so that one breach does not expose the rest.
Use a long password: the time needed to brute-force a password grows exponentially with its length, and length matters more than any other property.
Change a password immediately when there is any suspicion that it has been exposed. Scheduled changes every few weeks, which older guidance recommended, are no longer advised by NIST SP 800-63B, because they push users towards predictable variations of the same password.

6.4 LET US SUM UP
This unit explained what steganography is, how it is performed and the tools needed to detect it, and covered the main password attacks and the tools used to crack application passwords.

6.5 LIST OF REFERENCES
[1] Dave Kleiman (ed.), The Official CHFI Exam 312-49 Study Guide, Syngress, 2007.
[2] Niranjan Reddy, Practical Cyber Forensics, Apress, 2019.

6.6 BIBLIOGRAPHY
[1] EC-Council, CHFI v10 Study Guide, EC-Council, 2018.

6.7 UNIT END EXERCISES
1. ___________ is about hiding the contents of a message in an unreadable format using algorithms.
a. cryptography b. password c. steganography d. watermarking
2. ___________ is the practice of concealing messages, files or images within another file, image or video.
a. cryptography b. password c. steganography d. watermarking
3. ___________ steganography adds whitespaces and tabs at the end of lines.
a. Image b. Document c. Video d. Audio
4. In the case of a ___________ password, the password is stored after one or more transformations that are not reversible.
a. default b. obfuscated c. hashed d. clear
5. The ___________ attack works by precomputing the hashes of all candidate passwords and storing them in a table.
a. brute force b. rainbow c. rule based d. hybrid
6. ___________ is a Windows-based password cracking tool that uses brute force and dictionary-based attacks.
a. Passware Kit b. ERD Commander c. Cain and Abel d. CMOSPwd
7 INVESTIGATING NETWORK TRAFFIC AND INVESTIGATING LOGS

Unit Structure
7.0 Objective
7.1 Introduction
7.2 Capturing Logs and Correlating Them to Events
7.3 Network Forensics: Investigating Logs and Network Traffic
7.3.1 Overview of the OSI Model
7.3.1.1 Layers of the OSI Model
7.3.2 Network Addresses and NAT
7.3.3 Network Information-Gathering Tools
7.3.4 Intrusion Detection
7.3.5 Snort
7.3.6 Monitoring User Activity
7.3.6.1 Tracking Authentication Failures
7.3.6.2 Identifying Brute Force Attacks
7.3.6.3 Tracking Security Policy Violations
7.4 Summary
7.5 References for Further Reading

7.0 OBJECTIVE
When working with event logs, keep the following in mind:
To work with the Windows Security event log, a query tool such as Log Parser has to be able to distinguish a single event from a sequence of related events, because one logon or one attack typically produces several records.
It is critical to separate benign events from genuine errors and warnings in order to have an accurate picture of the system's state.
When working with applications and the Application event log, you need a good understanding of the individual application that wrote the entries, because the meaning of its event IDs and messages is application-specific.

7.1 INTRODUCTION
Networks are subjected to a never-ending barrage of attacks and probes for vulnerabilities. External threats usually originate on the Internet and fall into one of three categories: denial of service (DoS), use of the victim's network as a launchpad to attack other networks, or theft or alteration of information. Internal threats come from individuals with legitimate access, or from those who have exceeded their level of privilege. Investigating either kind requires the forensic examiner to understand how the network operates and how to obtain the data it logs.

Monitoring for insider and outsider attacks should be a proactive effort, yet many attacks are not noticed until after they have occurred, and then the investigation begins with the log files: an attack can only be assessed and reconstructed by reviewing the audit and log data. Many forensic professionals do not make full use of log and audit data, either because they do not know how to obtain it or because reading through thousands of log entries by hand takes too long.

7.2 CAPTURING LOGS AND CORRELATING THEM TO EVENTS
Capturing and analysing log files is a necessary task in investigating the security posture of a target network, because they record the system, device and user activity that took place inside it. Almost every device on a network produces some kind of log, and keeping track of those logs is an essential part of knowing the security posture. Before choosing a methodology for capturing logs, however, we must be clear about the purpose.

So what is the reason for capturing logs? If the main aim is to see what is happening on the network in order to identify potential security issues, then we need to evaluate which technologies do correlation best and help us see things on the network that we would have trouble seeing ourselves. Such systems are generally complex and require considerable design effort to produce sensible results.
We need intimate knowledge of our own network to understand the likely avenues of attack and which systems are critical, so that useful rules and alerts can be set up; those rules also need maintenance whenever the network changes. Done right, however, these tools give a very good view of the network's security posture and surface problems much faster than a human reading raw logs could.

If alerting and elaborate correlation are not the concern, we may simply want to capture the logs for forensic purposes and do some basic alerting. In that case the technologies to look for are those that prioritise disk space (high native capacity and expandability), limited log normalisation and log protection (encryption and non-repudiation). The reason for limiting normalisation (or avoiding it altogether if we can get away with it) and for protecting the logs is that a security breach may lead to a court case, and to be accepted in court we must be able to demonstrate that the logs are accurate and have not been tampered with: the original record, with its integrity protected from the moment of collection, is far more convincing than a rewritten one. These systems must also be able to move logs conveniently to long-term storage while maintaining non-repudiation, and they need disk capacity because a forensic focus usually means retaining logs for a long time.

Another reason organisations deploy these devices is as an audit or compliance tool. Although this is the least relevant reason for installing log management from a security standpoint, anything that relieves the burden of an audit gets used, and many vendors include thorough audit and compliance reporting, which auditors appreciate. If this is the requirement, concentrate on devices with strong reporting capabilities. In practice a given product tends to be very strong in one of the attributes above or very strong in reporting; only a few are good at both, although manufacturers should emphasise both, since all the knowledge in the world is useless if the user cannot get at it. Security administrators also value configurable dashboards they can show their managers (and the auditors mentioned earlier), so that they receive fewer questions about what is going on in the network.

Most log management technologies offer all of the above features in some form, but their strengths vary. Determine what the company's log management focus needs to be during the risk analysis. A large corporation with a complex network may need a good correlation engine; a smaller company with high-value intellectual property may want a device with forensic capabilities, so that violations can be tracked down and losses recovered in court.
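Three of the requirements just discussed, normalisation of logs from different sources, correlation across them, and protection of the collected logs against tampering, as an added Python example written for this page (it is not the code of any log management product). The five log lines are constructed for the example, the HMAC hash chain uses a demonstration key, and the event schema and the names normalize, failed_logins_by_source, chain_logs and verify_chain are this example's own. The syslog lines carry no year, which is why normalize has to be told one.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: three sshd failures and one success in syslog format,
# plus one Windows logon failure (event 4625) rendered as a key=value line.
SAMPLE_LOGS = [
    "Mar 12 10:01:02 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:01:05 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 12 10:01:09 bastion sshd[2231]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Mar 12 10:01:40 bastion sshd[2240]: Accepted password for deploy from 198.51.100.4 port 40011 ssh2",
    "2024-03-12T10:01:12Z WIN-DC01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>[\d.]+)"
)


def normalize(line: str, year: int = 2024):
    """Map both source formats onto one schema: ts, host, user, src, outcome, raw.

    Syslog lines carry no year, so the collector must supply it; getting this
    wrong silently breaks cross-source correlation.
    """
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "outcome": outcome, "raw": line}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = "failure" if m["eid"] == "4625" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "outcome": outcome, "raw": line}
    return None  # unknown format: keep the raw line elsewhere, never drop it silently


def failed_logins_by_source(events, window=timedelta(minutes=5), threshold=3) -> dict:
    """Correlate failures across hosts: sources with >= threshold failures inside any window."""
    per_src = defaultdict(list)
    for e in events:
        if e is not None and e["outcome"] == "failure":
            per_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), j - i + 1)
    return flagged


def chain_logs(lines, key: bytes) -> list:
    """Log protection: tag each line with an HMAC over the line and the previous tag."""
    prev = b"\x00" * 32
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key: bytes):
    """Return the index of the first record that fails verification, or None if intact.

    Editing a line, forging a tag without the key, or deleting a record all
    break the chain at or after the point of tampering.
    """
    prev = b"\x00" * 32
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LOGS]
    print(failed_logins_by_source(events))
    records = chain_logs(SAMPLE_LOGS, b"constructed-demo-key")
    print(verify_chain(records, b"constructed-demo-key"))
```

The chain is what lets an examiner state in court that the collected log is the log that was collected; note that the raw line is kept next to its tag, which is the "limited normalisation" point above: normalise a copy for correlation, never the protected original. The chaining key must live on the collector, not on the hosts whose logs it protects, or an intruder who owns a host can re-sign the records he edits.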
7.3 NETWORK FORENSICS: INVESTIGATING LOGS AND NETWORK TRAFFIC

7.3.1 Overview of the OSI Model
The Open Systems Interconnection (OSI) model was published by the International Organization for Standardization (ISO) in 1984. It imposes order by defining a hierarchical structure in which each layer builds on the services of the layer below it, and it is still used today as the reference for describing how a networking environment works.

7.3.1.1 Layers of the OSI Model
The seven layers of the OSI model are the physical, data link, network, transport, session, presentation and application layers. Let us look at each in turn.

The physical layer, Layer 1, is where bit-level communication takes place. The bits themselves carry no meaning on the cable; the physical layer defines how long each bit lasts and how it is transmitted and received. From a forensic standpoint, if no encryption is used, a large amount of sensitive information is recoverable at this layer by tapping the medium.
Page 135
Investigating Network Traffic and Investigating Logs
135 Layer 2 of the Data Link Layer is known as the data link layer. Before delivering data to the physical layer, the data link layer is in charge of preparing and arranging it. Data is organised into fr ames by the data link layer. A frame is a logical structure that can be used to store data. When a frame reaches the target device, the data link layer separates the data frame from the data packet and passes it up to the network layer. The logical link co ntrol layer (LLC) and the media access control layer (MACL) are two sublayers of the data link layer (MAC). Layer 3 is the network layer, which is responsible for logical addressing and routing. The Internet Protocol (IP) lives at the network layer, and i t makes every attempt to convey datagrams from their source to their destination. The Transport Layer -The transport layer, also known as Layer 4, maintains completeness by managing end -to-end error recovery and flow control. TCP, a connection -oriented prot ocol, is one of the transport - layer protocols. Handshaking, acknowledgments, error detection, and session deconstruction, as well as the connectionless User Datagram Protocol (UDP), offer trustworthy communication. Its key advantages are speed and reduced overhead. The Session Layer (Layer 5) is the fifth layer in the stack. Its capabilities are used when starting, controlling, or terminating a TCP session. Here you'll find things like the TCP 3 -way handshake and the TCP 4 -way shutdown. Remote Procedure Ca ll and Structured Query Language are examples of session -layer protocols. The Presentation Layer -Layer 6 is in charge of converting data handed up from lower levels into a format that application layer programmes can understand. ASCII, EBCDIC, and ANSI ar e some of the most used forms. The application layer, often known as Layer 7, is the seventh layer. This layer serves as the window for application services and is known as the top layer of the OSI model. 
Most users are familiar with the application layer, which houses e-mail programs, FTP, Telnet, web browsers, office productivity suites and many other applications.

7.3.2 Network Addresses and NAT
TCP/IP networks use the IP address scheme for logical addressing. A MAC address is a physical address; an IP address is a logical address. IPv4 addresses are written in dotted decimal notation: four decimal numbers separated by dots, each one byte long, so each number ranges from 0 to 255. The value of the first octet determines the address class:
■ Class A networks: first octet 1 to 126; each network can have up to 16,777,214 host addresses.
■ Class B networks: first octet 128 to 191; each network can have up to 65,534 host addresses.
■ Class C networks: first octet 192 to 223; each network can have up to 254 host addresses.
■ Class D networks: first octet 224 to 239; reserved for multicasting.
■ Class E networks: first octet 240 to 255; reserved for experimental use and not assigned to hosts.
(The 127 network is reserved for loopback, which is why it is missing from the Class A range. Modern networks use classless addressing, CIDR, but the class ranges still explain the default masks seen in older configurations and logs.)

Network Address Translation (NAT) was created in response to the Internet's rapid growth: the number of available IPv4 addresses is simply not enough for the growing number of home and business networks. Internet Service Providers (ISPs) typically assign a single public address per subscriber, and companies can buy more but pay for each one. Exposing every host directly to the Internet also brings its own risks. NAT is a cost-effective answer: a single device, usually a router, acts as an intermediary between the Internet and the local network, and the local network uses a pool of private addresses behind it. For a forensic investigator this matters because the address an external party logs is the NAT device's public address; attributing the activity to an internal host requires the NAT device's own translation log (which internal address and port was mapped to which public port at that time).

7.3.3 Network Information-Gathering Tools
Network data collection tools are pieces of software that collect network data for forensic examination. They usually combine the features of a sniffer with those of an intrusion detection system. Sniffers are powerful programs that work by putting the host's network card into promiscuous mode, in which the card passes up every frame it can see, not just those addressed to it. Switches, however, segment traffic and forward frames only to the port where the destination lives; this efficiency gain is an obstacle to sniffing, so forensic capture on a switched network usually requires the switch to be configured to mirror the port (or VLAN) of interest to the sniffer's port. Some common network monitoring tools are:
■ NetWitness: designed to capture, analyse and monitor network traffic.
■ NetResident:
Captures, stores, analyses, and reconstructs network events such as e -mail messages, Web pages, downloaded files, and other sorts of ne twork traffic. ■ Infinistream Security Forensics .A commercial solution based on sniffer technology that provides high -end tracking of everything. ■ CA Network Forensics .Allows the user to analyse and discover network traffic. This tool collects raw network data and does forensic analysis to look for exploitation, internal data theft, and security breaches. ■ Wireshark . An open source protocol analyzer that can capture traffic in real time. munotes.in
Page 137
Investigating Network Traffic and Investigating Logs
137 ■ Snort .A well -known open source IDS that detects events usin g signatures. Sniffers work at the OSI model's data link layer. This means they are not bound by the same set of rules as apps and services higher up the stack. Sniffers can record everything that happens on the wire and review it later. They enable the us er to examine all of the data included within the packet. Wireshark is a decent sniffer programme. It is not only free to use, but it also runs well on both Windows and Linux. Next, we will discuss the second categoryof network information - gathering tools , intrusion detection. 7.3.4 Intrusion Detection Intrusion detection systems (IDS) play a second crucial function in IT infrastructure security. Monitoring network traffic, detecting attempts to obtain unauthorised access to a system or resource, and notifying the proper personnel so that countermeasures can be taken are all part of intrusion detection. It's a powerful tool to be able to examine invasions and attacks. During a forensic investigation, four sorts of logs are of interest: authentication, application, operating system, and network —but the IDS will be most useful for network logs. There are plenty of good IDS systems on the market. Snort is an example of an IDS that has widespread acceptance in the industry. 7.3.5 Snort Martin Roesch and Br ian Caswell created Snort, a freeware intrusion detection system. It's a network -based intrusion detection system that can run on Linux or Windows. Although the primary software has a command line interface, there are GUIs available. Snort is a network sni ffer that records activity that fits predetermined signatures. Internet Protocol, Transmission Control Protocol, User Datagram Protocol, and Internet Control Message Protocol are all examples of communication for which signatures can be created. A forensic analyst can only benefit from an intrusion detection system if the data is reviewed and evaluated. 
Unfortunately, an IDS can occasionally generate large amounts of data that are difficult to process. We may use Microsoft Log Parser to capture snapshots of our IDS logs and show them in several easy-to-read reports to help us analyse the data. We'll create an example IDS report utilising only Log Parser's capabilities.

Gathering Snort Logs

We need a consistent technique for acquiring data before we can process the alert data. Log Parser is a great tool for managing Snort logs since it allows you to query the file while Snort is still writing to it. Many administrators set up scripts to cycle through the Snort logs on a regular basis, but this necessitates halting the service in order for the file to be released and moved by the script. We can utilise checkpoints in Log Parser to read the most current data from the file.

Despite the fact that Snort offers a variety of output formats that Log Parser can use, I've found the CSV format to be the most versatile and consistent. To configure Snort to use the CSV output format, simply add the following line to the snort.conf file:

output alert_csv: alert.csv default

This tells Snort to produce an alert.csv CSV log file in the configured logs directory with the default output fields. The fields below are included by default in the CSV output processor:

■ timestamp
■ sig_generator
■ sig_id
■ sig_rev
■ msg
■ proto
■ src
■ srcport
■ dst
■ dstport
■ ethsrc
■ ethdst
■ ethlen
■ tcpflags
■ tcpseq
■ tcpack
■ tcplen
■ tcpwindow
■ ttl
■ tos
■ id
■ dgmlen
■ iplen
■ icmptype
■ icmpcode
■ icmpid
■ icmpseq

Snort CSV logs do not include a header row, so we need a separate file to name each column. To read CSV Snort alerts, you would use a command like this:

logparser.exe file:alert.sql -i:csv -headerRow:off -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss

Note that we specify the CSV input format, but instead of using the header row, we specify a header file using the iHeaderFile option. We also specify the timestamp format so Log Parser can interpret that field as an actual time stamp rather than a string.

Building an Alerts Detail Report

In our IDS report we likely want to view summaries of the alert data such as:

■ Most common source IP (Internet Protocol) addresses
■ Most common target IP addresses

We can simply produce interactive HTML (Hypertext Markup Language) reports directly from Snort logs using Log Parser's multiplex functionality and template output format.

Alerts by IP Address

Each IP address in the Figure 7.1 alerts report is a clickable hyperlink that takes you to a detail page with all of the alerts for that IP address. We utilised a two-pass technique to build a summary page (Figure 7.2) and detail page (Figure 7.3) using a process identical to that used for the alert messages. To create a fully interactive HTML IDS report, we repeated the technique for both source and destination IP addresses.
Figure 7.1 Detailed Alert Messages

Figure 7.2 Snort Alerts by Destination IP Address

Figure 7.3 IP Address Details

At this point, you can run the entire report with these Log Parser commands:

logparser.exe file:Ch11Alerts-Index.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11Alerts-Index.tpl
logparser.exe file:Ch11Alerts-DetailHeader.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11Alerts-DetailHeader.tpl
logparser.exe file:Ch11Alerts-Detail.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11Alerts-Detail.tpl -fileMode:0
logparser.exe file:Ch11SrcIP-Index.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11SrcIP-Index.tpl
logparser.exe file:Ch11SrcIP-DetailHeader.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11SrcIP-DetailHeader.tpl
logparser.exe file:Ch11SrcIP-Detail.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11SrcIP-Detail.tpl -fileMode:0
logparser.exe file:Ch11DstIP-Index.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11DstIP-Index.tpl
logparser.exe file:Ch11DstIP-DetailHeader.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11DstIP-DetailHeader.tpl
logparser.exe file:Ch11DstIP-Detail.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:tpl -tpl:Ch11DstIP-Detail.tpl -fileMode:0

Now that we have a thorough alert report, we may wish to create a summary index page. This page should provide access to the detailed reports as well as graphs and data summaries that give a rapid overview of the network.

---Ch11Summary-Index.sql---
SELECT TOP 10
sig_id,
msg,
Count(msg) as Alerts
INTO report\index.html
FROM alert.csv
GROUP BY msg, sig_id
ORDER BY Alerts DESC
---Ch11Summary-Index.sql---
The query for the pie graph is similar, but does not include the actual message, and this time processes all records:

---Ch11Summary-GraphTopAlerts.sql---
SELECT
sig_id,
Count(msg) as Alerts
INTO report\AlertsTopAlerts.gif
FROM alert.csv
GROUP BY sig_id
ORDER BY Alerts DESC
---Ch11Summary-GraphTopAlerts.sql---

Finally, there are three queries for the remaining graphs:

---Ch11Summary-GraphTopSrcIPs.sql---
SELECT
src,
Count(msg) as Alerts
INTO report\AlertsTopSrcIPs.gif
FROM alert.csv
GROUP BY src
ORDER BY Alerts DESC
---Ch11Summary-GraphTopSrcIPs.sql---

---Ch11Summary-GraphAlertsPerHour.sql---
SELECT
Count(*) as Alerts
USING QUANTIZE(timestamp, 3600) as Hour
INTO report\AlertsByHour.gif
FROM alert.csv
GROUP BY Hour
---Ch11Summary-GraphAlertsPerHour.sql---

(QUANTIZE takes its bucket size in seconds, so one hour is 3600; with a smaller value the Hour column would not actually be hourly.)

---Ch11Summary-GraphTopDstPorts.sql---
SELECT TOP 5
STRCAT(STRCAT(TO_STRING(dstport), ' - '), proto) AS Destination,
Count(*) as Alerts
USING dst as DestinationPort
INTO report\AlertsTopDstPorts.gif
FROM alert.csv
GROUP BY Destination
ORDER BY Alerts DESC
---Ch11Summary-GraphTopDstPorts.sql---

logparser.exe file:Ch11Summary-GraphTopDstPorts.sql -i:csv -iHeaderFile:AlertHeader.csv -iTsFormat:mm/dd/yy-hh:mm:ss -headerRow:off -o:chart -chartType:BarStacked -groupSize:300x150 -values:OFF -chartTitle:""

The final result is a fully interactive IDS report using nothing more than Log Parser.

7.3.6 Monitoring User Activity

The forensic process necessitates the monitoring of user activities. Unusual user behaviour could be a symptom of a larger problem with the system, or it could be a genuine security risk. You can identify authentication issues and hacking activity by looking at the user activity reported in your system logs. Identifying which activities are innocuous and which behaviour indicates trouble is an important part of detecting meaningful events in your system logs. If a user fails to authenticate once a week, for example, you may be fairly confident that the user merely mistyped his or her password and is not attempting to attack your system. Alternatively, if a user has two unsuccessful authentication attempts every hour for a long time, you should investigate further. Tools like Log Parser can help you spot occurrences that could signal a hacking attempt or even a user looking at something he or she shouldn't be looking at. You may also hunt out any security concerns at the file level by activating file access auditing and utilising Log Parser to analyse the data. Compared with the capabilities of Microsoft's Log Parser software, manually digging through these same log files to track down this data is both onerous and wasteful.

7.3.6.1 Tracking Authentication Failures

It's always crucial to know how many unsuccessful authentication attempts have happened while performing regular security audits of your servers. This aids you in a variety of ways. To begin with, you can identify individual users who have lost their password and have not requested a new one.
Second, and more crucially, by evaluating the results and noting an increase in failed logon attempts for a single user or numerous users, you may be able to discover probable hacking efforts against your server. Finally, you might be able to pinpoint system issues that are causing many users to fail to authenticate at the same time. These issues could be caused by a failure of an authentication server, network connectivity, or system utilisation.

Listing Failed Logons

Return to Log Parser to discover how simply your event logs can be used to detail failed logons over a given timeframe. The following command and query can be used to list all failed logons on a specific date:

logparser.exe file:Ch11ListingFailedLogons.sql -i:EVT -o:datagrid

--- Ch11ListingFailedLogons.sql ---
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName
FROM Security
WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)
AND to_string(timegenerated,'yyyy-MM-dd HH:mm:ss') like '2004-09%'
--- Ch11ListingFailedLogons.sql ---

By running this query, you may view how many authentication failures occurred on the date you specified, as well as which user IDs had difficulties. We start by declaring that we want to get the timestamp for the event from the timegenerated field. The query then becomes a little more difficult than usual. When an unsuccessful logon occurs, the event's UserID is always SYSTEM. We need to extract some data from the description or strings field in order to determine the exact ID that the logon attempt was made with. To do so, we use the EXTRACT_TOKEN function to tokenize the text and specify that we want the first, or 0, token, which is the UserName. We then specify that we want this data to be pulled from the current Security log. We utilise the WHERE clause to filter our data to a certain set of security events that signal logon failures. Table 7.1 gives a full account of each of these events. We specify the date stamp we're looking for in the WHERE clause in the same way that we did in the previous query. We also need to specify the input and output format, so we add this to the end of the command line using the syntax -i:EVT -o:datagrid.

Table 7.1 Failed Logon EventIDs

EventID  Description
529      The logon attempt was made with an unknown username or a known username with a bad password.
530      The user account tried to log on outside the allowed time.
531      A logon attempt was made by using a disabled account.
532      A logon attempt was made by using an expired account.
533      The user is not allowed to log on at this computer.
534      The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service, or remote interactive.
535      The password for the specified account has expired.
537      The logon attempt failed for other reasons.
539      The account was locked out at the time the logon attempt was made. This event is logged when a user or computer attempts to authenticate with an account that has been previously locked out.

Identifying Single versus Multiple Failed Logons

When dealing with unsuccessful logons, it's occasionally useful to be able to rapidly determine how common logon failures are over time. We covered how to list failed logons in the previous section, but using that query requires manually determining how frequently a given user ID has problems. Using a slightly different query, you can use Log Parser to automatically count the number of failed logons for each user. One example of how this can be done is the command and query below:

logparser.exe file:Ch11SingleVsMltplFailedLogons.sql -i:EVT -o:datagrid

--- Ch11SingleVsMltplFailedLogons.sql ---
SELECT
extract_token(strings, 0, '|') AS UserName,
count(*) AS Number_of_Events
FROM Security
WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)
AND to_string(timegenerated,'yyyy-MM-dd HH:mm:ss') like '2004-09%'
GROUP BY UserName
HAVING Number_of_Events>2
--- Ch11SingleVsMltplFailedLogons.sql ---

We're doing a little more work up front with this query, but we're decreasing the manual effort required to find repeated logon failures. We begin by using the EXTRACT_TOKEN function to extract the real user ID associated with the failed logon. The number of occurrences is then counted and the result is displayed as Number_of_Events. We then select the Security event log as our data source and add a WHERE clause that specifies the events we want to monitor as well as the date range for which we want the data. Finally, we add a GROUP BY statement and a HAVING statement to order our findings. We specify Number_of_Events>2 in the HAVING statement to limit the output to users whose failures occur numerous times.

7.3.6.2 Identifying Brute Force Attacks

The likelihood of a brute force attack on your system is a key worry when it comes to system security. The way in which an attack happens is the decisive factor in whether or not it is a brute force attack. When an attacker makes attempt after attempt to carry out a certain attack action, the entire event is classified as a brute force attack, since the attacker is attempting to break into the system via brute force. Log Parser can assist you in swiftly analysing your security event logs to see if one of these brute force attacks is taking place. You might be able to block a brute force attack before it succeeds if you create queries that watch for the behaviour of a brute force attack.
Identifying a Brute Force Authentication Attack

Someone attempting to guess the password for one of your users is an excellent example of a brute force attack. Let's imagine the attacker knows from past experience that you have a policy in place that disables an account if the same UserID makes three unsuccessful logon attempts within a one-hour span. Given this, the attacker will not risk locking out the account he or she is attempting to hack. However, the attacker will want to make the most of his or her limited time by launching as many attacks as possible in a given amount of time. Using the same query outlined previously for discovering multiple unsuccessful logons is an easy approach to check for this type of activity. With a little tweaking, that query can run an intelligent scan for brute force logon attempt behaviour. The modified query is as follows:

logparser.exe file:Ch11BruteForceAttack.sql -i:EVT -o:datagrid

--- Ch11BruteForceAttack.sql ---
SELECT
extract_token(strings, 0, '|') AS UserName,
count(*) AS Number_of_Events
USING QUANTIZE(timegenerated, 3600) AS Timeframe
FROM Security
WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)
GROUP BY UserName, Timeframe
HAVING Number_of_Events>2
--- Ch11BruteForceAttack.sql ---

The elimination of the date search and the inclusion of a Timeframe value based on the quantized timegenerated field (the USING line, which rounds each event down to the hour) were the only meaningful modifications to this query. When we perform this query, we'll get a datagrid with the number of failure occurrences for each username over the course of an hour. A brief glance at the results in Figure 7.4 reveals the accounts that may be under attack by brute force. When this type of behaviour is discovered, following up with the user to learn more about what is going on is a good idea.
Figure 7.4 Brute Force Activity

7.3.6.3 Tracking Security Policy Violations

Most businesses have some sort of security policy in place to address issues such as account and password security, permissible system access, undesirable behaviour, and so on. These policies specify the particular rules that each user must follow when accessing information technology (IT) systems. A regular audit is a beneficial activity that admins often do to ensure that corporate security standards are followed. The Windows event logs contain some of the information needed for this type of audit. Tracking user logons for desktop systems is a fantastic example. You can identify whether or not users are violating a policy requiring them to log on to just one machine at a time by combining all of your event log data from many systems and sifting through it with Log Parser.

Determining Logon/Logoff Behavior

Determining whether users log off after their work day or leave their systems logged in is another example, and one that does not involve log correlation. This activity is documented as a breach of some firms' corporate security policies. To get this information with Log Parser, we'll need to first find all of the logoff events, then see whether there's a logon event for the same day that doesn't have an accompanying logoff event for the same SID. The following command and query can help us determine this behavior:

logparser.exe file:Ch11LogonLogoffBehavior.sql -i:EVT -o:datagrid

--- Ch11LogonLogoffBehavior.sql ---
SELECT
resolve_sid(sid) AS UserName,
eventid,
timegenerated
FROM Security
WHERE eventid='528'
AND to_date(timegenerated)='2004-09-06 00:00:00'
AND sid not in (
SELECT DISTINCT sid
FROM Security
WHERE eventid='538'
AND to_date(timegenerated)='2004-09-06 00:00:00'
)
--- Ch11LogonLogoffBehavior.sql ---

To retrieve the information we need in this query, we'll have to work backwards a little bit. We start by deciding what data we want to include in our report. In this scenario we should collect the user ID, the eventID we're dealing with, and the time the event occurred. The Security event log will then be used as our data source. The more challenging element of this query is constructing the WHERE clause. The first two criteria are very straightforward: for a successful logon, the eventID must be 528, and the date for which we want information must be given. To limit our incoming data, we'll need to conduct a select within a select. We're looking for data in which the SID associated with the 528 event does not appear in a query of the 538 events on the same day. Figure 7.5 is an example of what you should expect.
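The logon-without-logoff check above, and the object-access (EventID 560) audit queries that follow later in this section, as an added Python example over constructed Windows Security event records. This is not code from the study guide: the events, SIDs and account names are constructed, RESOLVE_SID is replaced by a constructed SID-to-name table, and the Strings field of the 560 events is laid out so that tokens 1, 2 and 8 hold the object type, object name and user, the positions the queries extract. The path_prefix filter goes slightly beyond the page, implementing the narrowing by directory path that the text recommends.

```python
"""Added example (not from the study guide): the logon-without-logoff
check and the EventID 560 file-access audit queries from this section,
run over constructed Windows Security events."""


def event(event_id, type_name, when, sid="", strings=""):
    """One constructed Security event record with the fields the queries use."""
    return {"EventID": event_id, "EventTypeName": type_name,
            "TimeGenerated": when, "SID": sid, "Strings": strings}


# Constructed; stands in for Log Parser's RESOLVE_SID().
SID_NAMES = {
    "S-1-5-21-1000-2000-3000-1101": "CORP\\alice",
    "S-1-5-21-1000-2000-3000-1102": "CORP\\bob",
    "S-1-5-21-1000-2000-3000-1103": "CORP\\carol",
}
ALICE, BOB, CAROL = SID_NAMES  # dict keys in insertion order


def object_access_strings(obj_type, obj_name, user):
    """Constructed 560 Strings field: token 1 = object type, token 2 = object
    name, token 8 = user, matching the extract_token positions in the queries."""
    return "|".join(["Security", obj_type, obj_name, "{0}", "1234", "5678", "", "", user])


SAMPLE_EVENTS = [
    event(528, "Success Audit event", "2004-09-06 08:00:00", ALICE),
    event(538, "Success Audit event", "2004-09-06 17:00:00", ALICE),   # alice logged off
    event(528, "Success Audit event", "2004-09-06 08:30:00", BOB),     # bob never did
    event(528, "Success Audit event", "2004-09-05 09:00:00", CAROL),   # different day
    event(560, "Failure Audit event", "2004-09-06 10:00:00", BOB,
          object_access_strings("File", "C:\\Legal\\strategy.doc", "bob")),
    event(560, "Success Audit event", "2004-09-06 11:00:00", ALICE,
          object_access_strings("File", "C:\\Legal\\strategy.doc", "alice")),
    event(560, "Success Audit event", "2004-09-06 11:30:00", CAROL,
          object_access_strings("Directory", "C:\\Legal", "carol")),
    event(560, "Success Audit event", "2004-09-06 12:00:00", BOB,
          object_access_strings("File", "C:\\Legal\\strategy.doc", "bob")),
]


def extract_token(strings, index, sep="|"):
    """Equivalent of Log Parser's EXTRACT_TOKEN(strings, index, sep)."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def resolve_sid(sid):
    """RESOLVE_SID stand-in: map a SID to an account name, else return it unchanged."""
    return SID_NAMES.get(sid, sid)


def logons_without_logoff(events, day):
    """Ch11LogonLogoffBehavior.sql: 528 events on `day` (YYYY-MM-DD) whose SID has
    no 538 event on the same day.  Returns (UserName, eventid, timegenerated)."""
    logged_off = {e["SID"] for e in events
                  if e["EventID"] == 538 and e["TimeGenerated"].startswith(day)}
    return [(resolve_sid(e["SID"]), e["EventID"], e["TimeGenerated"]) for e in events
            if e["EventID"] == 528 and e["TimeGenerated"].startswith(day)
            and e["SID"] not in logged_off]


def file_access_events(events, outcome, path_prefix=None):
    """Ch11UnsuccessfulFileAccess.sql / Ch11SuccessfulFileAccess.sql: 560 events
    whose type is '<outcome> Audit event' and whose object type is File.
    Returns (EventTime, UserName, File); path_prefix optionally narrows the path."""
    wanted = f"{outcome} Audit event"
    rows = []
    for e in events:
        if e["EventID"] != 560 or e["EventTypeName"] != wanted:
            continue
        if extract_token(e["Strings"], 1) != "File":
            continue
        path = extract_token(e["Strings"], 2)
        if path_prefix is not None and not path.startswith(path_prefix):
            continue
        rows.append((e["TimeGenerated"], extract_token(e["Strings"], 8), path))
    return rows


if __name__ == "__main__":
    print("logged on, no logoff:", logons_without_logoff(SAMPLE_EVENTS, "2004-09-06"))
    print("failed file access:", file_access_events(SAMPLE_EVENTS, "Failure"))
    print("successful file access:", file_access_events(SAMPLE_EVENTS, "Success"))
```

As with the Log Parser query, the logon check reports one row per 528 event and therefore still cannot tell a user who logged on twice and off once from one who never logged off, the limitation the text notes below.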
Figure 7.5 Logon Events with No Logoff Event

By running our query this way, we can isolate those users who have signed on at some time during a specific day but have no associated logoff event for that day. Because it does not account for the possibility of numerous logon/logoff events for each user in a single day, it will not catch all users that log on without logging out. It can, however, help to reduce the number of such security policy infractions.

Auditing Successful and Unsuccessful File Access Attempts

The audit log for successful and unsuccessful file access attempts is another crucial source to analyse when looking at overall system security. Individual files or directories can be audited at the file system level with NTFS (NT file system). This enables you, as an administrator, to assess whether or not critical data has been accessed or attempted to be accessed. File access auditing is frequently deactivated because the audit logs create so much data that sorting through it and extracting the events that are crucial to be aware of is nearly impossible. This is where Log Parser may assist you in your attempts to keep your systems secure.

Auditing Unsuccessful File Access Attempts

When NTFS object auditing is enabled, Windows adds events to the Security event log to show which objects are accessed. The object that was accessed, the person that accessed the object, and the date/time the object was accessed are all logged as part of this event entry. You may rapidly collect the events surrounding these object access attempts with Log Parser. Obviously, the items that a user tries to access when they aren't supposed to are of greater importance to administrators. With an effective security implementation, this usually results in an unsuccessful file access attempt. You can rapidly discover these occurrences and export them for study by scanning through the security logs with Log Parser. The following command and query will find all of the failed file access events in your security log:

logparser.exe file:Ch11UnsuccessfulFileAccess.sql -i:EVT -o:datagrid

--- Ch11UnsuccessfulFileAccess.sql ---
SELECT
timegenerated AS EventTime,
extract_token(strings, 8, '|') AS UserName,
extract_token(strings, 2, '|') AS File
FROM Security
WHERE EventID = '560'
AND EventTypeName = 'Failure Audit event'
AND extract_token(strings, 1, '|') like 'File'
--- Ch11UnsuccessfulFileAccess.sql ---

When this query executes, it searches the security log for events with the eventID 560 (object access), but it narrows down the results to events with the type Failure Audit. It also checks the accompanying event description to make sure we're only looking at files and not directories. From that subset, Log Parser pulls the event time, the username connected with the event, and the filename. All of this information is then presented in a datagrid format. You can go one step further and have Log Parser export the data to an XML file or another format for evidence gathering purposes.

Auditing Successful File Access Attempts

Many administrators neglect to keep track of both successful and unsuccessful file access attempts. Although failures are the most significant events to watch for, it's equally vital not to overlook the auditing tools provided for successful file access attempts. A scenario in which this can be used would be beneficial. Let's pretend you work as an administrator for a huge corporation with a legal department. The department is now putting together some information for a highly important case, which is being stored on the department's shared drive. During the course of events, word reaches the legal department that the opposing legal department has gotten hold of the approach that your company's legal department was planning to utilise and is putting together a counterattack. Members of the legal department should have been the only ones with access to the files containing this information. They ask you to track down who has accessed those files.

If you've planned ahead for this possibility, you've already enabled successful file access auditing for the legal department's shared drive. Using Log Parser, you may easily extract the information that the legal department requires and send it to them fast. The following script demonstrates how to accomplish this:

logparser.exe file:Ch11SuccessfulFileAccess.sql -i:EVT -o:datagrid

--- Ch11SuccessfulFileAccess.sql ---
SELECT
timegenerated AS EventTime,
extract_token(strings, 8, '|') AS UserName,
extract_token(strings, 2, '|') AS File
FROM Security
WHERE EventID = '560'
AND EventTypeName = 'Success Audit event'
AND extract_token(strings, 1, '|') like 'File'
--- Ch11SuccessfulFileAccess.sql ---

If you examine the code closely, you'll notice that it's nearly identical to the earlier script you saw for auditing failed file access attempts. The only actual distinction is the name of the event type. We're now looking for a "Success Audit event" instead of a "Failure Audit event." When you run this script, it will extract all of your security log's successful file access events. To reduce the quantity of data to go through, you may narrow the search to check for occurrences that involve a specified directory path or filename.

7.4 SUMMARY

Security admins need to understand the purpose behind capturing and analyzing log files. If done right, these tools will provide you with a very good look at your network's security, and they can help you notice issues much faster than you otherwise would. The aim is to be able to see things that we would have trouble seeing ourselves. Many log management devices are designed to be used as an audit or compliance tool. Many manufacturers include thorough audit and compliance information, which is a dream come true for auditors. Log management tools can also help you track down violations and recover your losses in court. Many attacks go unnoticed until they've already happened. According to security expert John O'Hare, many forensic specialists don't make full use of log and audit data because they don't know how to access it or because scrolling through thousands of log file entries takes a long time.
7.5 REFERENCES FOR FURTHER READING

Chapter 9 - Investigating Network Traffic and Investigating Logs, Editor(s): Dave Kleiman, Kevin Cardwell, Timothy Clinton, Michael Cross, Michael Gregg, Jesse Varsalone, Craig Wright, The Official CHFI Study Guide (Exam 312-49), Syngress, 2007, Pages 441-467, ISBN 9781597491976, https://doi.org/10.1016/B978-159749197-6.50010-9.
156 8 INVESTI GATING WIRELESS AND WEB ATTACKS Unit Structure 8.0 Objective 8.1 Introduction 8.1.1 Basics of Wireless 8.1.2 Advantages of a Wireless Network 8.1.3 Disadvantages of a Wireless Network 8.1.4 Association of Wireless AP and a Device 8.1.5 MAC Filtering 8.1.6 Cloaking the SSID 8.2 Wireless Penetration Testing 8.2.1 Direct Connections to Wireless Access Point 8.2.2 Scanning for Wireless Access Points with Nmap 8.2.3 Scanning for Wireless Access Points with Nessus 8.2.4 Rogue Access Poin ts 8.2.5 Information Gathering 8.2.6 Passive and Active Sniffing 8.2.7 Investigating Web Attacks 8.3 Summary 8.4 References for further reading 8.0 OBJECTIVE When we are working in wireless network we must understand : The basics of wireless network and advantages and disadvantages of it. The security risk in wireless network . The examples of vulnerability and methods to protect your network . munotes.in
Page 157
Investigating Wireless and Web Attacks
157 8.1 INTRODUCTION Wireless devices are expanding the network perimeter beyond the boundaries of the office walls and into neighbouring buildings and public streets in many corporate networks across the country. Attackers are no longer required to break into an office or see k to circumvent strong firewall measures in order to get network access. They can now take advantage of a corporation that is unaware that its wireless infrastructure security is so weak that it can be hacked in under 15 minutes. You've probably heard sto ries about hackers waiting in cars with a laptop and a powerful wireless antenna, looking for insecure wireless networks to break into. These hackers could be hunting for internal corporate intellectual property to sell to a competitor or data that could b e used for extortion or blackmail. The more difficult you make it for the attacker, the more likely he will abandon your network in favour of one that is less secure. Wireless attacks are taking place! Wireless networks have been compromised at BJ's Whole sale Club, Lowe's Companies Inc., DSW, Wake Forest University School of Medicine, and TJX. The true cost of these data breaches could be in the millions of dollars, but it's difficult to estimate because we have to factor in the money spent by the company to investigate the problem, compensate the victims, fix the vulnerabilities, and account for lost revenue due to low consumer confidence. An attacker may attempt to hack your wireless network regardless of how complex your architecture is. It's no longer a question of "if," but "when" your wireless network will be attacked. Attempts to join your wireless network from the outside can range from basic automatic device pairings to targeted attacks. It can be difficult to tell whether someone is trying to brea k into your network or is just looking for a free Internet connection. Regardless of their motivation, you should make every attempt to keep your wireless network as safe as possible. 
You may reduce your risk by configuring strong encryption and following safe wireless best practices. As the cost of deploying wireless networks continues to fall, an increasing number of businesses are considering doing so. Since 2006, London has witnessed a 160 percent increase in wireless access points, while New York has seen a 49 percent increase. However, data isn't required to see that wireless networks are becoming increasingly prevalent. When you open your wireless settings user interface, you should see three or four networks in the immediate vicinity. This number mi ght be as high as 15 to 20 if you reside in the city. There are various benefits to deploying a wireless network. Workers may now connect to their company's network from everywhere in the building, from the cafeteria to the conference room, without having to reconfigure their laptops or plug them into a wall jack. This flexibility is advantageous to both the employee and the employer. Installing network wiring throughout the facility is often far more expensive than implementing a wireless solution. This ch apter munotes.in
covers the fundamentals of wireless networks as well as the tactics used by hackers to attack them. It's critical that you understand how hackers operate so that you can test your wireless networks for flaws. Because of their anonymity and the difficulty of tracking down attacks, hackers have an advantage when it comes to wireless attacks. Once a hacker breaks in, they are on the internal network, bypassing many of the usual network security barriers. The attack surface is enormous and the results are enticing.

8.1.1 Basics of Wireless

A wireless access point connects a typical wired network to wireless clients by transmitting network data through the air. Between the wired network and wireless clients, the wireless access point serves as a relay. Many businesses have multiple wireless access points that may hand off the wireless signal to keep clients connected. These access points range in price from under a hundred dollars for home or home office devices to thousands of dollars for enterprise access points with advanced security features and specialist configuration and management.

Wireless access points merely offer a conduit for data to move from the wired network to the client. Client network infrastructure services must still be provided. While most access points now have these functions built in, you may still use your traditional servers to deliver services like DHCP and routing.

There are several types of wireless networks, the most prevalent of which is 802.11 b/g. The 802.11b wireless standard was the first to be designed for commercial usage. It transmits data at a rate of 11 megabits per second (Mbps) and operates in the 2.4 GHz band. 802.11g was a welcome enhancement for users who wanted greater throughput from their wireless infrastructure, increasing data transfer to 54 Mbps.
Although interference concerns were common in the 2.4 GHz band, backwards compatibility and early acceptance helped this combination become the industry standard for wireless devices. 802.11a, which works on the 5 GHz frequency, was released for companies who needed less interference or couldn't accept the 2.4 GHz band as an acceptable solution. While maintaining the 54-Mbps transfer rate, 802.11a improved wireless stability by minimising failed connections. The cost of upgrading both the wireless access points and the clients' wireless cards to devices that support this standard is the biggest disadvantage.

Wireless devices can also connect two distant places by using line-of-sight antennas to convey data from one point to another when a cable would be impossible to establish. Instead of paying the recurring expense of a typical T1 line, a company with a second building less than a mile from the main facility may choose to implement a line-of-sight wireless solution for Internet connectivity.

To connect wirelessly to a LAN, a client must have a wireless network card that is compliant with the destination network's wireless standard. Wireless networks are becoming commonplace in most household and corporate networks, with the majority of laptops now containing built-in
network devices. While wireless LANs have typically been used for mobile devices, several businesses are now installing wireless cards on their desktop computers due to the ease and cost-effectiveness of extending the network. Even with all of the advances in recent years, creating a wireless network on your LAN should not be undertaken without careful consideration. Before incorporating wireless connectivity into your network, you should be aware of the primary benefits and drawbacks of doing so.

8.1.2 Advantages of a Wireless Network

Wireless networks offer users the following advantages:

■ Ease of accessing the network: Employees are no longer restricted to locations where they can connect to the network via a wall jack. The ability to connect your laptop to the network from any location in the building gives you additional flexibility.

■ Reduced cost of running cable: The labour cost of wiring an office or office building can be quite significant when compared to the cost of purchasing and installing a wireless device and cards. With the availability of wireless cards for desktop PCs, a workplace may be network ready in minutes.

■ Productivity: Employees can now bring their laptops to meetings or any other location where they are needed to work and continue to do so.

8.1.3 Disadvantages of a Wireless Network

Wireless networks also have some disadvantages:

■ Security: Wireless's biggest problem is its lack of security. Any wireless network can be readily attacked if adequate planning and configuration are not taken into account.

■ Complexity and reliability: While adding wireless access points improves the wired network's accessibility, it also increases the network's complexity. Wireless devices have an impact on the network, so system administrators must be aware of this and address issues like weak signals and failed wireless connections.
■ Network performance: While a wireless connection's claimed speed is 54 Mbps, the real data throughput is frequently substantially lower, especially when multiple PCs are using the same wireless connection. A wired network connection will nearly always perform better than a wireless connection.

8.1.4 Association of Wireless AP and a Device

The client must be associated with the access point in order to send and receive data over a wireless connection. This association establishes a link between the two devices, allowing the client to obtain an IP address and communicate across the network. The association procedure can be
hampered by signal strength and security settings. Microsoft provides the Windows Wireless Zero Configuration (WZC) programme for the Windows XP and Windows Server operating systems to aid users in connecting to wireless networks. While it simplifies the connection process, it also raises several security risks that you should be aware of. WZC will probe for networks it has previously connected to if a preferred network is not available. Anyone with a wireless analyser can see this data, which can be exploited to create bogus access points to entice clients to connect. WZC will also try to connect to the strongest wireless network available. Knowing this, an attacker can employ high-power antennas to build phoney wireless networks, causing machines to connect to their access point rather than the authentic one.

It is advised that you utilise the wireless administration tool provided by the manufacturer whenever possible. If you're using a wireless card from Linksys, Dell, or Netgear, you've probably installed management software from the manufacturer to regulate the wireless device's association. This software is often more secure because it was created by the manufacturer to interact with the associated hardware.

Selecting the wireless network to which you want to connect is a requirement of any wireless management application. The network is chosen by its Service Set Identifier (SSID), which is the wireless network's public name. If security is enabled on the network, you will be asked to enter a password or encryption key. You will not be permitted access to the network if you do not know the key. Your computer will try to join the network if it is open or if you enter the relevant security key.

Controlling Access

To make the wireless network as secure as possible, security controls can be put in place to limit an attacker's ability to gain access. These access controls can be used separately or in combination to increase security.
Depending on the sort of wireless access point you're configuring, you'll have different access controls. Encryption and Media Access Control (MAC) filtering can be configured on most access points.

Encryption

Wireless data is transmitted through the air, and it is vulnerable to unauthorised individuals capturing and reading it. Wireless networks adopted encryption as a network standard to prevent data from being delivered over the air in clear text. Unfortunately, early solutions to wireless encryption were quickly cracked. Encryption is growing increasingly complicated and difficult to penetrate as wireless networking advances. As an alternative to preshared keys, new technology is being adopted, such as certificate-based encryption.

WEP

The 802.11 protocol specifies Wired Equivalent Privacy (WEP) as an optional security feature for providing authentication and confidentiality on a wireless access point. It was one of the first means of securely transmitting data across a wireless network. When the IEEE committee accepted WEP as a technique, it also stated that WEP should not be regarded as acceptable security and that it should not be utilised without a key management authentication process. WEP uses a symmetric
key to authenticate wireless devices and encrypt data transactions to ensure data integrity. In order for authentication to take place, each wireless access point and client must share the same key. After WEP is enabled, a challenge and response authentication process is initiated. Data is encrypted by WEP before it is sent from the machine, and it is decrypted at the access point. Its security mechanisms were shown to be significantly weak, and it was replaced as the preferred wireless encryption method in 2003.

WEP employs the RC4 stream cipher (Rivest Cipher). Because both the access point and the wireless device use the same key, its authentication mechanism is essentially Shared Key Authentication. WEP keys are always 40 or 104 bits long. The fact that the Initialization Vector (IV) is 24 bits results in the stated 64-bit and 128-bit encryption. With WEP's encryption mechanism, an attacker with enough IVs can crack the key and acquire complete network access. WEP networks have been broken into very quickly in research. The Federal Bureau of Investigation demonstrated how to breach WEP in three minutes at an information security conference.

Overall, the use of WEP can give a misleading feeling of security to the average user. In the worst-case scenario an attacker can swiftly get complete access to the network, hence WEP should not be utilised to secure a sensitive network. WEP is no longer regarded as a secure technique for securing wireless access points in today's access points.

WPA

WPA resolves the issue of weak WEP headers, or IVs, as previously described, and provides a method of ensuring the integrity of messages that pass the integrity check by utilising TKIP (Temporal Key Integrity Protocol) to improve data encryption. WPA-PSK is a special mode of WPA that provides the same strong encryption security as WPA but without the need for a corporate authentication server.
WPA-PSK is extra-strong encryption in which encryption keys are automatically changed (called rekeying) and authenticated between devices after a set length of time or a set number of packets are transferred. This is what's called the rekey interval. For two reasons, WPA-PSK is considerably superior to WEP and provides improved protection for home/SOHO users: the encryption key is generated using a rigorous technique, and the rekeying (or key shifting) is completed rapidly. Because WPA employs a per-session encryption key, it outperforms WEP. When a station associates, a new encryption key is created based on randomization and the wireless access point's MAC addresses.

Unfortunately, the simplest method of using WPA makes it easier to breach than WEP. When WPA does not use 802.1X authentication, a simpler technique called Pre-Shared Key (PSK) is used instead. A pre-shared key is a password that must be entered by all clients in order to gain access to the access point. WPA with the PSK pre-shared key is supported by the majority of consumer routers. If you use a short password with WPA-PSK, or nearly any password, you are vulnerable to an offline dictionary attack, in which an attacker captures a few packets when a valid station joins the wireless network, and then uses those packets to recover the PSK used. An assailant can obtain all he requires in
order to estimate the PSK and flee without being noticed. Because the attacker only needs to be near the WLAN for a few seconds and the LAN does not need to be highly busy, this might happen. Although password cracking techniques improve all the time, this assault is dependent on the password chosen. WPA has been defeated. WPA has a mechanism built into most wireless access points that turns an 8-to-63-character string you type into a 64-digit or 128-digit key (as used with WEP). Most wireless access points, however, will not be able to use the entire 64-bit key in pass mode. The underlying issue is that a pass is easy to guess. An eight- to ten-character pass has less than the 40 bits of security offered by the most basic form of WEP, according to the IEEE group that created 802.11i, and a pass of less than 20 characters is unlikely to stop attacks. Wireless cracking tools that are expressly designed to recover the PSK from a WPA-protected network (like Kismet) are readily available to download, just like WEP cracking tools.

WPA plus 802.1X authentication (also known as WPA-Enterprise) creates a significantly more secure network. While deriving a secure, per-session encryption key that is not vulnerable to any casual attack, 802.1X provides robust positive authentication for both the station and the WLAN infrastructure. As previously stated, this is often used with a RADIUS server for authentication. 802.1X authentication, paired with WPA's increased encryption, is the finest wireless security solution supported by the most access points.

Rather than pointing out all of the weaknesses in sending data via unlicensed radio frequencies, WPA, which is included with most modern consumer routers, is a good approach to keep your Internet browsing and home network as secure as possible. When you add VPN connections and MAC filtering, you have the same level of security as a house alarm system.
It discourages people who do not have a strong desire to gain access.

8.1.5 MAC Filtering

Network devices, with a few exceptions, have a burned-in MAC address that is physically unique. This serves as a unique identifier for that particular piece of equipment. It is pre-assigned by the manufacturer to the device and is, in principle, absolutely unique. The MAC address is usually 48 bits long. Two standard formats exist for writing MAC addresses: three groups of four hexadecimal digits separated by dots, or six sets of two hexadecimal digits separated by colons or hyphens, for example 00-07-E9-E3-84-F9.

Because each MAC address is unique, it can be used to restrict access to a network. The steps to do so will vary by access point, but will always involve the following:

■ Finding the MAC address of the devices that will be allowed to connect to the network (this can be done by looking at the device itself, or by using the ipconfig /all command in the Windows command prompt, or ifconfig in the Linux and OS X command consoles).
■ In the setup for the access point, enter the MAC address (this will vary by device).

In principle, once the MAC addresses have been entered into the access point, those are the only devices that will be allowed to connect to the network. In practice, a number of complications can arise, including the fact that any time a new system is used in combination with the access point (for example, a visiting client who has to connect to the network), the new device's MAC address must be input manually into the access point. This may divert the network administrator's attention away from other network management chores. Information for devices that are no longer in use must be removed on a regular basis by the administrator.

Spoofing of MAC addresses is another issue. While the address is usually encoded in the network equipment's physical medium, software can be used to present a different MAC address to the access point than the device actually has. While this has genuine and important uses, such as privacy and interoperability, it can also be used to gain unauthorised access to a system. Because of this significant security flaw, MAC address filtering should not be used in isolation, but rather as part of a larger security policy that includes encryption and other authentication mechanisms.

8.1.6 Cloaking the SSID

The SSID is the name of the wireless network or access point that the user sees. There are only two ways for a client to learn an SSID: the access point can actively tell it, or you can passively put it in the client's settings. When the SSID is broadcast over the radio frequency, it is known as Open Network mode. When the SSID is not broadcast over the radio frequency, it is known as Closed Network mode. A beacon is an automatic transmission of the SSID that occurs every 100 milliseconds and contains synchronisation information like channel, speeds, timestamps, encryption status, and other information.
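Returning to the MAC filtering steps above, the following is an added Python example (not code from the chapter) of the allow-list check an access point performs before admitting a station. It accepts the dotted and colon/hyphen notations described in that section, refuses malformed entries rather than admitting them, and flags addresses whose locally-administered bit (bit 1 of the first octet) is set, which the spoofing caveat makes worth logging; the MacFilter class and helper names are mine, and the sample addresses are constructed.

```python
import re
from typing import Iterable, Set, Tuple

# Notations the MAC filtering section describes for a 48-bit address:
# six pairs of hex digits separated by hyphens or colons (00-07-E9-E3-84-F9)
# and three groups of four hex digits separated by dots (0007.e9e3.84f9).
_SEPARATORS = re.compile(r"[:\-.]")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text: str) -> str:
    """Return the address in canonical lower-case colon form, e.g. 00:07:e9:e3:84:f9.

    Raises ValueError for anything that is not exactly 48 bits of hex, so a
    typo in the allow list fails loudly instead of silently admitting nothing
    (or, with a sloppy substring match, admitting too much).
    """
    digits = _SEPARATORS.sub("", text.strip().lower())
    if not _TWELVE_HEX.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Vendor burned-in addresses have this bit clear; software-assigned ones
    commonly set it, so it is a cheap hint (not proof) that the address was
    changed, given the spoofing caveat in the text.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    """Hypothetical allow-list check, as an access point would apply it."""

    def __init__(self, allowed: Iterable[str]) -> None:
        # Normalise every entry once, so "00-07-E9-..." and "0007.e9..."
        # written by different administrators compare equal.
        self.allowed: Set[str] = {normalize_mac(m) for m in allowed}

    def decide(self, mac: str) -> Tuple[bool, str]:
        """Return (permitted, reason). Malformed input is refused, never admitted."""
        try:
            canonical = normalize_mac(mac)
        except ValueError as exc:
            return False, str(exc)
        if canonical not in self.allowed:
            return False, f"{canonical} is not on the allow list"
        if is_locally_administered(canonical):
            # Still permitted: filtering alone cannot tell a spoofed address
            # from a real card, which is why the text says to pair it with
            # encryption and authentication. Log it for review instead.
            return True, f"{canonical} permitted, but U/L bit set: review"
        return True, f"{canonical} permitted"
```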
The SSID is not broadcast to the user or administrator programmes in Closed Network mode. As a result, the client must probe the access point, and if the SSID matches, the client will synchronise and begin the authentication process. An open system or shared key authentication can be used for authentication. No credentials are required for an open system.

In wireless networks, the SSID is used to identify the wireless access point and its associated network. It is attached to all packets sent over the wireless connection and can be up to 32 alphanumeric characters long. Because many access points in the same area might broadcast the same SSID, its utility as a security or authentication technique is limited. However, in order to reduce network visibility, the SSID can be modified and cloaked (that is, it is not set to be broadcast by the AP). Most APs broadcast their SSID to the nearby region by default. This beacon mechanism is used every 0.1 seconds. Most APs come with a default SSID that is well known and may be found on a variety of websites. Using a default SSID may attract malevolent users who assume that the AP's other settings are also set to default (such as the administrative password). Changing the SSID may cause some potential attackers to choose instead a wireless network with default settings, which is the riskier one. Changing the SSID is a relatively
straightforward task for a nontechnical user, and it is a step toward protecting the AP, albeit a tiny one. It's worth noting that turning off the SSID broadcast doesn't totally hide the AP. It simply reduces its visibility.

8.2 WIRELESS PENETRATION TESTING

Many managers and system administrators are uninterested in learning about the hacking techniques used by hackers to attack wireless networks. The usage of hacker tools and tactics is generally connected with a bad reputation. They frequently regard the deployment of these tools as a validation of hacker techniques and strategies. This mindset may result in an insecure wireless network that has not been thoroughly evaluated to determine its capability to prevent a successful attack. Penetration testing is critical for determining the security of your wireless infrastructure. One can better assess vulnerabilities, overcome weaknesses, and strengthen defences by learning, understanding, and adopting the same attack methods as the intruder.

It's critical to obtain as much information about the network as possible during a wireless penetration test. Because most vulnerable networks are identified during war driving (the process of scanning for them), the assault could be aimed at a wireless weakness rather than a specific corporate network. When doing a penetration test, you should consider both an internal and an external attacker. You can leverage information you already know about the network, such as encryption keys, network design, and signal ranges, with the internal method. This type of test verifies the network's security from the perspective of internal personnel. External testing is carried out without the use of any network infrastructure knowledge. The tester replicates a genuine attack by using tools that an intruder might employ.
This test should be carried out by a qualified security professional to guarantee that these tools do not have a detrimental influence on network and server systems. The most important thing to remember during a wireless penetration test is that your goal is to evaluate the wireless network's security. It's a good idea to get management's agreement in writing about the tests that will be performed and the potential network impact. This way, no party will be surprised. Nothing you do should ever jeopardise or affect a neighbouring wireless network. Without permission, you should not attempt any form of Denial-of-Service attack on the network. You'll be trying to break into various parts of the network. Make sure that the results of the scan and penetration test are kept private and securely stored. All discoveries should be reported to management, along with full explanations and security suggestions.
A search warrant may be required before you can investigate a gadget that belongs to someone else. You should double-check that the search warrant includes the authority to examine computer equipment, such as wireless access points, on-site. Perform no forensic investigation on equipment that you haven't been given permission to examine.

8.2.1 Direct Connections to Wireless Access Point

Users who are determined to keep an unauthorised access point connected will keep a watch out for security professionals conducting wireless audits and unplug the access point until the scan is finished. Physical wireless scans demand a lot of effort, so they aren't done as frequently as they should be. There are numerous advantages to detecting wireless access points from your wired network. You may create automatic scripts that continuously search your network, saving you time and money. You can scan areas of your network that aren't easily accessible for wireless scanning with tools like Network Mapper (Nmap). You must be connected to the internal network and have the ability to connect to all of the subnets you want to scan in order to run wired network scans for access points.

8.2.2 Scanning for Wireless Access Points with Nmap

The Network Mapper (Nmap), a Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Internet Protocol (IP) scanner, is one of the more common tools for performing network scans. Nmap supports a variety of scanning techniques, the most essential of which is "stealth" scanning. The intruder's ability to "fly under the radar" of the target system's administrator is critical to the intruder's success, and stealth scanning has the advantage of passing unmolested and mostly unnoticed through most firewall and network monitoring systems. We may use these scans to see what ports on our network equipment are open, as well as discover unwanted wireless access points. Nmap is also used to determine the target system's operating system.
Be aware that OS fingerprinting scans are easily observable and will be flagged by intrusion detection systems (IDSes) right away. Nmap is a network exploration and security auditing tool that is available for free. It was created to quickly scan large networks, but it also works well with single hosts. Nmap analyses raw IP packets in unique ways to figure out what hosts are on the network, what services they offer (application name and version), what operating systems (and OS versions) they're running, what kind of packet filters/firewalls they're using, and thousands of other details. Nmap is available in both console and graphical versions, and it runs on most sorts of PCs. Nmap is a free and open-source application.

By scanning from the wired side of the network, we will use the text description, vendor name, operating system, and device type provided by Nmap during OS fingerprinting to detect wireless access points (WAPs). Nmap fingerprinting is a powerful tool for identifying WAP devices.
To determine if an access point is connected to the network, we can run a scan of a local class C subnet using the following command:

nmap -A -T4 192.168.0.1/24

This command does a few things. The -A tells Nmap to enable operating system and version detection. The -T4 sets the timing template to 4, which speeds up the scan by setting the timeout value to 500 milliseconds. When scanning huge subnets, this can be quite valuable for ensuring quick results. "Device type: WAP" is what we're looking for in the Nmap output. This is our confirmation that we have scanned a wireless access point on the network.

8.2.3 Scanning for Wireless Access Points with Nessus

Nessus is a powerful and up-to-date open source scanner that looks for security issues on a network. Nessus is very fast and dependable, with a modular architecture that allows you to tailor it to your exact needs. Scans can be tailored to seek only the vulnerabilities that matter to you. Each security test is written as a plug-in for a third-party application. This allows you to rapidly add your own tests without having to read the code of the Nessus engine. The Nessus scanner is made up of two parts: a server that performs security checks and a client that serves as the user interface. You can run the server and the client on different systems. Additionally, several clients are available: one for X11, one for Win32, and one written in Java.

Using a number of strategies, the Nessus plug-in #11026 was created to identify the presence of wireless access points on the network. It uses the TCP/IP Nmap fingerprint to scan the device, examines the HTTP management interface, and checks the FTP banner and SNMP information. If one of these procedures concludes that the device is a wireless access point, it is identified as a WAP and the scan continues to the next device.
To scan using the #11026 plug-in for Nessus, complete the following steps:

■ To make sure the plug-ins are up to date, run nessus-update-plugins.

■ Start a fresh scan and make sure the Access Point Detection plug-in is selected under the General section of the client's Plugins tab.

■ Ensure that the Enable Dependencies box is checked. Because the plug-in requires the "system information type via SNMP" and "HTTP Server type" dependencies to be able to scan, the At Runtime option is checked.
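As an added example (not from the chapter, and not part of Nmap or Nessus), the following Python turns the wired-side scan above into a rogue access point check: it parses Nmap's normal output from the -A scan, keeps each host's MAC address and "Device type:" line, and lists hosts fingerprinted as WAP that are missing from an inventory of known access points. The sample scan output and every address in it are constructed, and the function and class names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample of Nmap "normal" output for a scan run with -A, written
# for this example (the addresses, vendor strings and banners are invented).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Example embedded httpd
MAC Address: 00:07:E9:E3:84:F9 (Example Vendor)
Device type: WAP
Running: Example embedded
OS details: Example wireless router

Nmap scan report for 192.168.0.23
Host is up (0.0010s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9
MAC Address: 3C:52:82:AA:BB:CC (Example Vendor)
Device type: general purpose
Running: Linux 5.X

Nmap scan report for 192.168.0.77
Host is up (0.0030s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Example SOHO router http config
MAC Address: 10:20:30:40:50:60 (Example Vendor)
Device type: WAP|general purpose
Running: Example embedded
"""

_REPORT = re.compile(r"^Nmap scan report for (\S+)")
_MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
_DEVTYPE = re.compile(r"^Device type: (.+)$")


@dataclass
class HostReport:
    address: str
    mac: Optional[str] = None
    # Nmap may list several guesses separated by "|", e.g. "WAP|general purpose".
    device_types: List[str] = field(default_factory=list)

    @property
    def is_wap(self) -> bool:
        return "WAP" in self.device_types


def parse_nmap_output(text: str) -> List[HostReport]:
    """Split normal-format Nmap output into one HostReport per scanned host."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for line in text.splitlines():
        m = _REPORT.match(line)
        if m:
            current = HostReport(address=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue  # preamble before the first host report
        m = _MAC.match(line)
        if m:
            current.mac = m.group(1).upper()
            continue
        m = _DEVTYPE.match(line)
        if m:
            current.device_types = [t.strip() for t in m.group(1).split("|")]
    return hosts


def find_candidate_rogue_aps(text: str, authorized_macs: Iterable[str]) -> List[HostReport]:
    """Hosts fingerprinted as WAP whose MAC is not in the inventory of known APs.

    A WAP with no MAC line (scanned across a router, so no ARP reply) is still
    reported, because "unknown" must not be treated as "authorised".
    """
    authorized = {m.upper() for m in authorized_macs}
    return [h for h in parse_nmap_output(text) if h.is_wap and h.mac not in authorized]
```

Feed it the saved output of the nmap command from the previous section together with the MAC addresses of the access points you deployed; anything it returns is a device to walk out and find.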
8.2.4 Rogue Access Points

You might want to consider investing in a wireless IDS/IPS solution for enterprise-class access point detection. A wireless IDS/IPS is a network intrusion detection and prevention system that monitors the network 24 hours a day, 7 days a week and can dynamically respond to wireless threats. A wireless IDS/IPS can also terminate rogue devices by utilising air or port suppression on the switch, do forensic analysis of packets sent and received, and monitor the device's location by triangulating the signal between numerous sensors. Because users may plug in a wireless access point with no configuration and extend the network wirelessly, rogue access points are becoming a rising danger to network managers. This results in a lack of control over where data is delivered and, more importantly, who is listening.

Connect to a Wireless Access Point (WAP)

In this section, we'll look at the methods hackers use to break into wireless access points. A hacker will want to learn as much as possible about the target network before launching an attack, and will use a variety of wireless tools to do so. Once the hacker is satisfied with the information acquired, injection techniques can be used to force information through the wireless network, which can be used to crack encryption algorithms. Once the data has been obtained, the encryption key will be acquired, and the hacker will be able to log in to the internal network via the wireless access point. These attacks were carried out with tools that were widely available on the Internet and included in live security releases. Many of the Aircrack-ng programmes (www.aircrack-ng.org) will be used, as well as Kismet (www.kismetwireless.net), a popular wireless analyzer. While you may be able to find tools for other operating systems, most are written for Linux, so some knowledge of Unix commands will be helpful.
8.2.5 Information Gathering

When attempting to acquire unauthorised access to a wireless network, a hacker will first do reconnaissance to learn more about the tools that will be required next. This stage identifies rogue wireless access points, ad hoc wireless networks, and open or badly configured access points that could be used to obtain access. Because all of this information will be used to acquire vital connection data, hackers will want to get as much information about the wireless access points as they do about the connected clients.

Kismet

It's time to check if our network is up and running. To do so, we'll use Kismet as a starting point. Kismet is a layer 2 wireless packet analyzer that works with raw monitoring mode wireless devices. By intercepting wireless packets and recovering information such as whether they have security enabled or use SSID masking, Kismet can swiftly detect wireless networks. Kismet can also determine a network's channel as well as its SSID.
This phase will imitate what an attacker would look for while scanning for weak points in a network. When you first open Kismet, you'll see wireless networks appear on the screen. Kismet organises the network listings by auto-fit by default, which can make them difficult to read if there are a lot of them. The first step is to sort the access points by SSID by pressing "s" to bring up the sort menu, then pressing "s" again to sort by SSID. This view groups networks into categories such as Probe Networks and Ad-hoc Networks, in addition to sorting them by SSID. This is crucial to understand as we continue to gather data on our target wireless network. Highlight a cluster and press the Spacebar to expand or collapse it.

Let's look at the different columns now that we have our Network List screen sorted by SSID.

■ Name: SSID of network

■ T: Type of network (A = Access Point, H = Ad-Hoc, P = Probe request, i.e. a wireless client searching for a network, D = Data network, T = Turbocell network, and G = Group of wireless networks)

■ W: Identifies if network is secured (Y = Yes, N = No)

■ Ch: Channel number of network

■ Packts: Number of packets captured

■ Flags: Method in which IP was gathered

■ IP Range: IP of the network

The Kismet colors make identifying networks easier. The following are the possible colors:

■ Yellow: Unencrypted network

■ Red: Network is using factory defaults

■ Green: Secured network

■ Blue: Hidden network that is cloaking the SSID

The network channel and whether or not the network is encrypted are the two pieces of information we'll need from Kismet in the next stage. It'll also be useful to keep track of whether Kismet was able to identify an IP range and whether the network was Red or Yellow. Both suggest that security is inadequately designed and that the network is vulnerable.
Aircrack-ng

Aircrack-ng (www.aircrack-ng.org) is a suite of tools for auditing wireless networks. We will be using the airodump-ng, aireplay-ng, aircrack-ng, and airdecap-ng tools from the Aircrack-ng suite.
Page 169
Investigating Wireless and Web Attacks
169 ■ Airodump -ng captures raw 802.11 packets to be used with aircrack -ng. Airodump -ng is also capable of logging the coordinates of access points. ■ Aireplay -ng is primarily used to inject frames into wireless traffic, which will later beuse d by aircrack -ng to crack WEP and WPA -PSK keys. Aireplay -ng supports deauthentications, fake authentications, interactive packet replay and ARP request (re)injections. ■ Aircrack -ng can recover keys once enough data packets have been captured. Optimization s to the standard attack algorithms make wireless encryption crackingwith Airocrack -ng much faster compared to other WEP cracking tools. ■ Airdecap -ng is used to decrypt encrypted capture files. It can also be used to stripwireless headers from capture fil es. Our first command will begin sniffing the wireless packets using the Airodump -ng utility. The packets will be captured and written to a file that will later be used to crack the encryption key. From a command prompt, run the following command: airodump -ng –w output –c 6 ath1 This command runs the Airodump -ng command and sets the capture file to output using the –w switch. Since we know from our Kismet scan the wireless network of interest is on channel 6, we use the –c switch to ensure that airodump -ng stays on that channel and captures as much data as possible. Finally, we tell the command to use the interface ath0.The interface may vary, depending on the wireless card you are using. You should now see the Airodump -ng screen. The screen is broken into two sections: the top section shows the wireless access points; the bottom section shows the wireless clients. Now that we have Airodump -ng running, we will look for associated wireless clients. We will need to document the BSSID and Station a ddress to perform packet injection. 
Injection
Wireless packet injection allows a hacker to change packets in the air, forcing wireless devices to generate traffic that can be intercepted and exploited to crack the encryption key. If the network has a lot of traffic, the hacker won't need to inject anything to compel traffic to be generated. If the hacker is impatient, however, deauthenticating an already authenticated client is a quick way to create traffic. This deauthentication compels the client to reauthenticate, resulting in the handshaking packets used by the hacker during the cracking step. We'll utilise the aireplay-ng software to do packet injection as part of our penetration test. This tool can carry out a variety of attacks. Fake authentication, ARP packet replay, and deauthentication will all be put to the test. First, we will associate the attacking machine with the target network. This will be done using the fake authentication method. To perform fake authentication, we will run the following command:
aireplay-ng -1 0 -e TestNet -a 00:0F:B5:29:8C:32 -h 06:18:4D:95:32:61 ath1
This command runs aireplay-ng and sets the attack type to -1, which is fake authentication. The 0 sets the reassociation timing to 0 seconds. To set the wireless network name, the -e switch is followed by the SSID of the wireless network. Then, the -a switch is followed by the MAC address of the access point and the -h switch is followed by the MAC address of the network card used for the injection. We complete the command by adding the wireless interface name. If the command is successful, you should receive the following response:
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful
The target access point is now paired with your wireless network card. Setting up ARP request packet replay is the next step. This is the most efficient method of generating the traffic needed to crack the encryption key. The attack retransmits the same ARP packet, and the access point responds with new IVs. These packets are crucial in figuring out the encryption key. We will now set up the ARP request replay using the aireplay-ng command. To perform this attack, we open up a new command window and run:
aireplay-ng -3 -b 00:0F:B5:29:8C:32 -h 00:13:CE:86:08:A6 ath1
The aireplay-ng command is executed with the -3 attack type, standard ARP request replay. The -b switch is followed by the MAC address of the access point, and the -h switch is followed by the MAC address of the associated client.
When we issue the deauthentication command, the ARP request replay will begin flooding the access point with retransmitted ARP packets, creating the IV packets that are required. To generate the deauthentication attack, we will again use aireplay-ng. Once this process is initiated, we should see a substantial rise in traffic on our airodump-ng screen. To run the deauthentication command, we open up a new command window and run:
aireplay-ng -0 5 -a 00:0F:B5:29:8C:32 -c 00:13:CE:86:08:A6 ath1
This command runs aireplay-ng using the -0 attack, which means deauthentication. The next number sets the number of deauthentication packets to 5; setting this number to 0 sends continuous deauthentication packets. The -a switch is followed by the MAC address of the access point and the -c switch is followed by the MAC address of the client you are trying to disassociate. The final option is the wireless interface name. Now that all of the injection commands have been completed, you can move on to the next step. The data column for the wireless network you're testing should gradually increase. The ARP request replay should also read and retransmit ARP packets to the access point. With 300,000 IVs, 40-bit WEP can be cracked, but 128-bit WEP may require 1.5 million IVs. Once you've recorded enough packets, you can check to determine whether the wireless encryption key is vulnerable to cracking.
Cracking
Now that we have a capture file containing the relevant data, we can test whether our encryption key is subject to cracking. Aircrack-ng employs a variety of statistical approaches, including brute forcing the key, to crack WEP keys. Only a dictionary attack is possible against WPA/WPA2 preshared keys, because of their complexity. In a new command window, we will use the aircrack-ng command to attempt to crack the wireless encryption key. For a typical WEP attempt, we would use the following command:
aircrack-ng -m 00:11:22:33:44:55 -n 64 output.cap
This command executes aircrack-ng with the -m option and the MAC address of the access point we're attempting to crack. This option is optional, but it helps concentrate the attack on our target access point. The -n switch specifies the key's length. If you're not sure what length to use, try 64 or 128. Finally, we supply the capture file, which contains the data gathered by airodump-ng. If the command is successful, the target network's encryption key will be displayed.
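The injection and cracking steps above are exactly the activity a wireless IDS/IPS sensor should notice: a burst of deauthentication frames against one BSSID, and an authentication from a MAC address the administrator has never seen. The detector below is an added example written for this chapter, not code from Kismet, Aircrack-ng or the original text. The frame-record format, the thresholds and the sample capture (which reuses the MAC addresses from the commands above) are constructed.

```javascript
// Added example (not part of the chapter or of Kismet/Aircrack-ng): a
// minimal wireless-IDS style detector over 802.11 management-frame records.
// The record format, threshold values and sample frames are all constructed.

const AP = '00:0F:B5:29:8C:32';      // access point MAC from the chapter's commands
const CLIENT = '00:13:CE:86:08:A6';  // legitimate station from the chapter's commands
const ROGUE = '06:18:4D:95:32:61';   // injecting card's MAC from the chapter's commands

// Constructed sensor log of the sequence described in the text: a fake
// authentication by an unknown station, then a burst of deauthentication
// frames that forces the real client to re-authenticate. Times are seconds.
const SAMPLE_FRAMES = [
  { t: 0.0,  type: 'data',   src: CLIENT, dst: AP,     bssid: AP },
  { t: 1.0,  type: 'auth',   src: ROGUE,  dst: AP,     bssid: AP },
  { t: 1.1,  type: 'assoc',  src: ROGUE,  dst: AP,     bssid: AP },
  { t: 2.0,  type: 'deauth', src: AP,     dst: CLIENT, bssid: AP },
  { t: 2.1,  type: 'deauth', src: AP,     dst: CLIENT, bssid: AP },
  { t: 2.2,  type: 'deauth', src: AP,     dst: CLIENT, bssid: AP },
  { t: 2.3,  type: 'deauth', src: AP,     dst: CLIENT, bssid: AP },
  { t: 2.4,  type: 'deauth', src: AP,     dst: CLIENT, bssid: AP },
  { t: 2.6,  type: 'auth',   src: CLIENT, dst: AP,     bssid: AP },
  { t: 2.7,  type: 'assoc',  src: CLIENT, dst: AP,     bssid: AP },
  { t: 30.0, type: 'deauth', src: AP,     dst: CLIENT, bssid: AP }, // a lone, normal deauth
];

// Stations the administrator expects on this BSSID (constructed allow-list).
const KNOWN_STATIONS = new Set([CLIENT]);

function detectWirelessAnomalies(frames, opts = {}) {
  const windowSec = opts.windowSec ?? 5;             // sliding-window length
  const deauthThreshold = opts.deauthThreshold ?? 3; // deauths per window that count as a flood
  const known = opts.knownStations ?? KNOWN_STATIONS;
  const alerts = [];
  const sorted = [...frames].sort((a, b) => a.t - b.t);

  // 1. Deauthentication bursts per BSSID. A handful of deauths within a few
  //    seconds is what a "-0 5" replay produces; one alert per BSSID.
  const recent = new Map(); // bssid -> deauth timestamps still inside the window
  const flooded = new Set();
  for (const f of sorted) {
    if (f.type !== 'deauth') continue;
    const times = recent.get(f.bssid) ?? [];
    times.push(f.t);
    while (times.length && f.t - times[0] > windowSec) times.shift();
    recent.set(f.bssid, times);
    if (times.length >= deauthThreshold && !flooded.has(f.bssid)) {
      flooded.add(f.bssid);
      alerts.push({ kind: 'deauth-flood', bssid: f.bssid, count: times.length, t: f.t });
    }
  }

  // 2. Authentication or association attempts from MACs not on the allow-list
  //    (the "unwanted MAC addresses" the text says to scan for), once per MAC.
  const reported = new Set();
  for (const f of sorted) {
    if (f.type !== 'auth' && f.type !== 'assoc') continue;
    if (known.has(f.src) || reported.has(f.src)) continue;
    reported.add(f.src);
    alerts.push({ kind: 'unknown-station', station: f.src, bssid: f.bssid, t: f.t });
  }

  return alerts.sort((a, b) => a.t - b.t);
}

// Stand-alone run: prints the alerts for the constructed capture.
console.log(JSON.stringify(detectWirelessAnomalies(SAMPLE_FRAMES), null, 2));
```

On the constructed capture the detector raises two alerts: the unknown station at t=1.0 (the fake authentication) and a deauthentication flood at t=2.2, when the third deauth frame lands inside the five-second window. The single deauth at t=30 is not reported, which is the point of using a window rather than a plain counter: legitimate clients do get deauthenticated occasionally, and the thresholds should be tuned against a baseline from your own sensors.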
8.2.6 Passive and Active Sniffing
You will be able to associate your computer with the target network once you have found the target network's encryption key. Your network has been compromised, and now is a good opportunity to reassess the security restrictions on your wireless network. It's likely that hackers have already done what you've done and are attempting to steal data from your company's network. When most administrators believe their network has been compromised, the first thing they do is check the logs to determine whether anyone who isn't authorised has connected to the network. While this is a decent first step in determining whether someone is actively connected, keep in mind that wireless data is sent over the air, and an attacker with the encryption key can sniff the network traffic and passively decrypt it. This means the attacker never has to connect to the network at all! To show this, let's look at the capture file you saved with airodump-ng for use with aircrack-ng. This file was created with the intention of being used with aircrack-ng to crack the encryption key. Now that we know the key, we can use the airdecap-ng software to remove the wireless headers and decrypt any encrypted packets, leaving us with a capture file from which any packet analyser, such as Wireshark, can read the target network's data in plain text. To run the airdecap-ng command, we will open up a new command window and run:
airdecap-ng -e TestNet -w 145AA34FA1 output.cap
This command runs airdecap-ng with the following options. The -e switch is followed by the ESSID of the target network. The -w switch is followed by the hexadecimal WEP key. Then the capture file is provided. This will decrypt the capture file and save it to a file named output-dec.cap. If the command is successful, you should see a result similar to this:
Total number of packets read 1658828
Total number of WEP data packets 255816
Total number of WPA data packets 0
Number of plaintext data packets 30
Number of decrypted WEP packets 255816
Number of decrypted WPA packets 0
You can now read the contents of the decrypted capture file and network traffic. Because the attacker does not need to connect to the network to get network data once the encryption key is known, this is a passive technique of data capture. If the system administrator fails to recognise and respond to the initial packet injection attack on the access point, the attacker will be able to sniff data unnoticed until the key is changed. If an attacker isn't concerned about being identified on the network, they can connect and try to sniff data directly from the wireless connection. Although this technique makes a direct connection with the target network and can be logged by the access point, it will be difficult to detect unless there is a wireless IDS/IPS in place or constant scanning to find unwanted MAC addresses on the network. The hacker's ability to deploy more complicated tools on the internal network to obtain further information is one of the many threats linked with active scanning.
Instead of being limited to reading only wirelessly transmitted data, tools like Ettercap allow you to sniff wired network traffic from a wireless connection if the computers are on the same subnet.
Logging
The majority of wireless access points can log traffic and connections. Before an incident occurs, it's critical to think about logging requirements. The ability to go back to the precise point in time when an event is thought to have occurred allows the investigator to study the record and decide whether a wireless attack on the network occurred. Most access points' logging does not provide the granularity required for a successful investigation. Using wireless sensors, wireless IDS/IPS systems can be set up to detect and log any suspicious wireless activities. These sensors detect and log faulty wireless packets for subsequent forensic investigation. Due to the nature of the technology, investigating wireless assaults is tough. This is precisely why attackers use this method of gaining access to business networks. The best option is to set up your wireless network securely to prevent hackers from quickly gaining access. If a wireless incident occurs, an investigator can use the same tools that the attacker used to figure out how the attack was carried out and how much data was potentially exposed. Examining event logs on servers and network devices on a regular basis is always an excellent way to spot attacks early and respond correctly.
8.2.7 Investigating Web Attacks
Web attacks are a broad and diverse issue that encompasses a wide range of attack types and attack channels. Web assaults are often divided into two categories: attacks on the Web infrastructure and attacks on the Web application. Although there may appear to be only a small distinction between the two, infrastructure deals with assaults on the Web server operating system and server software (such as directly attacking Apache or the Microsoft IIS server). Server and operating system configuration flaws, buffer overflows, command injection, and protocol-based assaults are all examples of infrastructure attacks. Attacks against Web applications are typically not related to infrastructure, but rather to the site's application code. There's a lot to say about Web application assaults; in fact, Web application security has grown into its own specialist sector within information security.
Types of Web Attacks
As previously stated, there are numerous sorts of Web attacks, each of which might easily fill its own book. In fact, there are countless books that go into great detail about web attacks.
At the application level (attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF), parameter tampering, and cookie poisoning) and at the infrastructure level (attacks such as code/command injection, buffer overflows, and protocol-based attacks), we'll look at a few common Web attacks.
Cross-Site Scripting
To completely comprehend cross-site scripting (XSS) attacks, it's important to realise that attackers employ a number of different theories and ways of getting their code into your browser. From the most basic to the most complicated, this section breaks out the various forms of XSS attacks and related code injection vectors. Injecting a script into a search field is a legitimate attack vector, but what if the value is filtered? Is there a way to get around the filter? The truth is that XSS is a vast field that continues to surprise the world with new and unique methods of exploitation and injection. There are, however, basic underpinnings that Web developers, security researchers, and IT workers responsible for maintaining the infrastructure must all completely comprehend.
XSS is a type of attack that induces a website to display malicious code, which then runs in the user's browser. Consider that XSS attack code, which is usually (but not always) written in HTML/JavaScript (a.k.a. JavaScript malicious software [malware]), does not run on the server. The server only serves as a host for the assault, which takes place entirely within the Web browser. The trusted Web site is just used as a conduit by the hacker to carry out the assault. The user, not the server, is the intended victim. Once an attacker has a thread of control in a user's Web browser, he can perform a variety of criminal behaviours, such as account hijacking, keystroke recording, intranet hacking, history stealing, and so on, as explained throughout this book. For a Web browser to become infected it must visit a Web page containing JavaScript malware. JavaScript malware could become resident on a Web page in many ways:
■ The Web site owner may have purposefully uploaded the offending code.
■ The Web page may have been defaced using a vulnerability from the network or operating system layers, with JavaScript malware as part of the payload.
■ A permanent XSS vulnerability could have been exploited, where JavaScript malware was injected into a public area of a Web site.
■ A victim could have clicked on a specially crafted nonpersistent or Document Object Model (DOM)-based XSS link.
Persistent, nonpersistent, and DOM-based XSS attacks are the three most common varieties. We'll take a look at each one separately. Persistent (or HTML Injection) XSS attacks are especially common on community content-driven Web sites or Web mail systems, because they don't require specially crafted links to work. A hacker simply places XSS attack code in a section of a website that other users are likely to visit. Blog comments, user reviews, message board posts, chat rooms, HTML e-mail, wikis, and a variety of other places could be used.
Execution is automatic once a person accesses the infected Web page. Because the user has no way of protecting himself, persistent XSS is far more harmful than nonpersistent or DOM-based XSS. Once a hacker has his exploit code in place, he will publicise the URL of the infected Web page in the hope of catching unsuspecting people. Even users who are aware of nonpersistent XSS URLs are vulnerable. When most people hear the term "XSS," they instantly think of nonpersistent XSS. Consider a hacker attempting to XSS a user on the prominent e-commerce site http://victim/. The hacker must first locate an XSS vulnerability on http://victim/ before creating a specially constructed URL. To do so, the hacker goes through the website looking for any functionality that allows client-supplied data to be transferred to the Web server and then echoed back to the screen. A search box is one of the most common vectors for this.
DOM-based XSS is a special type of XSS that works similarly to nonpersistent XSS but doesn't require the JavaScript malware payload to be sent or echoed by the Web site in order to infect a user. The World Wide Web Consortium (W3C) defines the object model for expressing XML and HTML structures in the DOM specification. There are essentially two sorts of parsers in the XML world: DOM and SAX. SAX is a parsing system that is substantially faster and uses less memory, but it is also difficult to use because it is difficult to return to the document nodes (i.e., the parsing mechanism is one-way). The exploitation of a client-side input validation flaw, rather than a server-side vulnerability, is known as DOM-based XSS. In other words, DOM-based XSS is caused by erroneous processing of user-supplied data in the client-side JavaScript, rather than a vulnerability in the server-side script. DOM-based XSS, like other types of XSS vulnerabilities, can be leveraged to steal sensitive information or hijack a user's account.
It's important to note, however, that this vulnerability is purely due to JavaScript and the unsafe usage of dynamically derived data from the DOM structure. Here is a simple example of DOM-based XSS provided by Amit Klein in his paper "DOM-Based Cross-Site Scripting or XSS of the Third Kind":
Welcome! Hi
Welcome to our system …
If we look at the code above, we can see that the developer failed to sanitise the value of the "name" GET argument, which is then written into the page as soon as it is retrieved. In the next part, we'll look at a few additional DOM-based XSS instances based on a hypothetical application that we constructed to demonstrate that XSS is omnipresent.
Investigating XSS
When investigating XSS assaults, the Web server logs will be one source of information. Look at the server's standard traffic logging and referrer information to discover where the incoming page request is coming from. Although it is quite simple to spoof referrer information, many attackers take the risk that you will not notice the referrer information before they travel to the XSS site. Any pages that require login or authentication are of particular importance. When analysing an active XSS attack, a Web proxy such as Paros Proxy (www.parosproxy.org) can be used to examine Web server transactions in real time and see any communications with outside servers. You can also look at the source code of any HTML-formatted e-mail messages to see if there are any embedded scripts or links to the URL of the victim site. Although traffic capture visualisation tools can provide insight into XSS assaults, average traffic loads make this form of investigation expensive and time-consuming.
Cross-Site Request Forgery
Cross-site request forgery (CSRF, or "Sea Surf") attacks are relatively recent in comparison to XSS attacks. As the name suggests, this is a variation on XSS-style attacks, but this time the victim is the one who initiates the exploit rather than the attacker. The CSRF attack is based on the assumption that a site has a specified level of trust with a user. This trust could take the form of a session variable, cookie, or other token that stays on the victim's system for longer than necessary.
When this attack first appeared, it was presumed that the attacker had inside information about the victim's use of these vulnerable sites, and that this was how the assault was launched. We've since discovered that, similar to testing for cookies, it's possible to interrogate for tokens and then launch an attack if the token is detected. There are many ways to initiate a CSRF attack. One classic method uses the image tag to post a request containing the attacker's code. This is the one we will look at in depth.
Anatomy of a CSRF Attack
In this example, we will make the following assumptions:
■ The attacker wants to reduce the number of users of a competing Web site.
■ The attacker has realized that the page for removing yourself from the site is vulnerable.
■ The attacker has a page on his site that looks for the token and generates the attack.
The session left a valid access token on the victim's machine when the victim last visited the target Web site, www.worldofwidgets.org. After that, the victim goes to the attacker's website. The attacker's main page checks for the token before launching the attack. The page for removing a member from the worldofwidgets site contains the member's e-mail address and a field that requires an uppercase YES to be entered as verification that the member wants to be removed. The key parts of this form are shown here:
The attacker can easily integrate the attack into an image request on one of his website's pages once he has this information. A common way is to utilise the get image HTML tag and append the victim's information. Because the request comes from the victim's machine, the token is used to validate the victim's identity and authorise the removal. This tag sends the e-mail address of the victim, in this case FredS@bignet.com, and the confirmation field YES to the remove_member.asp page instead of fetching an image, which is what IMG SRC is supposed to be used for. In this example, the victim may see an acknowledgment screen that would confuse him. If the worldofwidgets site designer uses security best practices, the victim would receive an e-mail letting him know this happened.
Pen-Testing CSRF Fields
The token is the most important part of any CSRF vulnerability test. If a site employs cookies or session variables, it is vital to guarantee that tokens expire or become invalid when they are no longer required. In the case of cookies, depending on the type of site usage you foresee, it may be prudent to set the expiration to a reasonable time. Setting the expiration 10 minutes in the future may be a sensible choice if your logs show that the average duration a user spends on the site is 10 minutes. This will prevent numerous CSRF attempts.
When the site is utilised differently or the average user time is too varied, storing session variables that are no longer valid in a log may be the solution. It would also work to have a routine set a session variable to be invalid after a logout or a period of inactivity. Adding code at the top of every page to test the session variable, and requiring a login if the variable is no longer valid, would alert the victim to the CSRF attack. If the token is configured to expire in 10 minutes, you should visit the site and wait several minutes after the timeout has passed before attempting to access an internal page that you should not have access to. You can tell that a page hasn't been hardened against the CSRF attack if it loads or grants you access when it shouldn't.
Code Injection Attacks
A code injection attack is possible whenever a scripting or programming language is utilised on a Web page, and all an attacker needs is an opening. The opening is usually in the form of an incorrectly validated input field. A code injection attack's "code" doesn't have to be on the Web page, though. It can be found in the backend as part of a database query or as part of a CGI for the Web site. Between the Internet and the data, any part of the server that employs Java, JavaScript, C, Perl, Visual Basic, SQL, or any other code is vulnerable. SQL injection attacks are now popular and well reported in the media, therefore they may be the most well-known sort of code injection attack at the time of writing. Every day, however, there are various assaults on Cold Fusion, Active Server, Java, Perl, and Awk-based code. A large part of the problem is programmers who don't examine every single input that a user may possibly enter. Most of these attacks can be blocked if a programmer creates a list of all permissible inputs and then builds input validation methods that only accept good inputs and reject bad inputs.
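The XSS, CSRF and code-injection sections above all come down to the same discipline on the server side: accept only inputs that match an allow-list, encode anything echoed back into HTML (the unsanitised "name" parameter in the DOM-based example), and test the session token at the top of every page so that a stale token, or an image-tag request that cannot carry the form's own token, is refused. The handler below is an added example written for this chapter, not code from the original text or from any product it mentions; the routes, field names, session store, timeout and sample requests are constructed.

```javascript
// Added example, not code from the chapter: one request pipeline applying the
// three controls discussed in the XSS, CSRF and code-injection sections.
// Routes, field names, the session store and the sample requests are constructed.

const IDLE_LIMIT_MS = 10 * 60 * 1000; // the 10-minute inactivity timeout from the text

// Allow-list rules: each field must match its pattern in full, otherwise the
// request is rejected. Unknown fields are rejected too.
const FIELD_RULES = {
  name:      /^[A-Za-z][A-Za-z .'-]{0,39}$/,
  homePhone: /^\+?[0-9][0-9 -]{6,19}$/,
  confirm:   /^(YES|NO)$/,
};

// Output encoding for anything written into HTML. Even values that passed the
// allow-list (an apostrophe in a name) are encoded; validation and encoding
// are separate layers.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function validateFields(fields) {
  const errors = [];
  for (const [name, value] of Object.entries(fields)) {
    const rule = FIELD_RULES[name];
    if (!rule) errors.push(`unexpected field: ${name}`);
    else if (typeof value !== 'string' || !rule.test(value)) errors.push(`invalid ${name}`);
  }
  return errors;
}

// The check run "at the top of every page": the token must be known and must
// not have been idle longer than the limit; a stale token is discarded.
function checkSession(store, token, now) {
  const s = store.get(token);
  if (!s) return { ok: false, reason: 'no valid session' };
  if (now - s.lastSeen > IDLE_LIMIT_MS) {
    store.delete(token);
    return { ok: false, reason: 'session expired' };
  }
  s.lastSeen = now;
  return { ok: true, session: s };
}

function handleRequest(store, req, now) {
  const auth = checkSession(store, req.cookies.session, now);
  if (!auth.ok) return { status: 401, body: auth.reason };

  // State-changing requests must carry the per-session form token. A request
  // triggered by an <img src=...> in the attacker's page rides on the cookie
  // alone and cannot supply this value.
  const { csrf, ...fields } = req.form ?? {};
  if (req.method === 'POST' && csrf !== auth.session.csrf) {
    return { status: 403, body: 'missing or stale CSRF token' };
  }

  const errors = validateFields(fields);
  if (errors.length) return { status: 400, body: errors.join('; ') };

  if (req.method === 'POST' && req.path === '/remove_member.asp') {
    return { status: 200, body: `removed ${auth.session.user}` };
  }
  return { status: 200, body: `<p>Welcome, ${escapeHtml(fields.name ?? auth.session.user)}</p>` };
}

// Constructed scenarios exercising each control; returned so they can be checked.
function runScenarios() {
  const now = Date.parse('2024-05-01T10:00:00Z');
  const fresh = () => new Map([['tok1', { user: 'FredS', csrf: 'f0rm-t0ken', lastSeen: now - 60000 }]]);
  const stale = () => new Map([['tok1', { user: 'FredS', csrf: 'f0rm-t0ken', lastSeen: now - 11 * 60000 }]]);
  const get = form => ({ method: 'GET', path: '/welcome', cookies: { session: 'tok1' }, form });
  const post = form => ({ method: 'POST', path: '/remove_member.asp', cookies: { session: 'tok1' }, form });
  return {
    echoEncoded:       handleRequest(fresh(), get({ name: "Fred O'Brien" }), now),
    expiredSession:    handleRequest(stale(), post({ confirm: 'YES', csrf: 'f0rm-t0ken' }), now),
    csrfNoToken:       handleRequest(fresh(), post({ confirm: 'YES' }), now),
    injectionRejected: handleRequest(fresh(), post({ confirm: 'YES', csrf: 'f0rm-t0ken',
                                                    homePhone: "555-0100'; DROP TABLE members--" }), now),
    legitimateRemoval: handleRequest(fresh(), post({ confirm: 'YES', csrf: 'f0rm-t0ken' }), now),
  };
}

console.log(runScenarios());
```

The scenarios give the five outcomes an investigator would want to see logged: the greeting is emitted with the apostrophe encoded, the eleven-minute-old session is refused with 401, the forged POST without the form token gets 403, the phone field carrying a SQL fragment gets 400 from the allow-list before any back-end code sees it, and the genuine removal goes through.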
Investigating Code Injection Attacks
The Web server logs rarely include evidence of a code injection attack. If the Web designer writes failed input information to a log file, you'll probably observe the different attempts to get the attack right. If there are no logs of erroneous attempts to fill out a form or other inputs, you may have to rely on network traffic sniffer records. Using an open-source tool like Wireshark to capture server traffic and then scanning for either all requests travelling to the input page or field names on the page may give you a good accounting of the malicious traffic and the sender's IP address. To catch one of the attempts, you may need to gather some fairly huge files. You can significantly minimise the capture file size by setting the capture filter on the sniffer of your choice to only capture traffic travelling to the server. The capture filter in Wireshark would be dst host xxx.xxx.xxx.xxx (the xs are the server's IP address). Before leaving the sniffer running unattended for lengthy periods of time, test to see how big this file grows over the course of an hour or two, and make sure you have enough storage space for the resulting file. If you know that one of the input fields on the page you're looking at is labelled homePhone, you can use the display filter frame contains "homePhone". Any packets with data flowing to that input field will be displayed, and their contents can be checked for proper or malicious content. Access logs and transaction data are two other places where evidence can be found. Don't forget to consider transaction times. If you notice a huge volume of transactions in a short period of time or at strange hours, you may be seeing symptoms of an attack.
Command Injection Attacks
The type of payload provided and the access level used distinguish command injection attacks from other injection attacks. Command attacks will largely target trusted interfaces, such as CGIs, as well as deeper-level scripts or programmes run by administrators. The passing and execution of system commands at or just above the operating system level is known as command injection. Microsoft Internet Explorer has been the target of multiple successful command injection attacks, thanks in part to helpful code that attempted to repair faulty Web sites. For several years, these assaults were the scourge of Microsoft Internet Explorer coders.
Parameter Tampering
Parameter tampering, which is the alteration of unprotected data in the URL or a hidden field of a Web page, is one of the oldest types of Web-based assaults. This type of attack is usually directed at a business website that has prices or other data tied to a Web page.
For example, if the attacker is at a sporting goods Web site and is thinking of buying a tennis racket that costs $80, he might see the price reflected in the URL in this way:
http://sales.sportswidget.com/order.htm?SKU="4321A"&price=80.00
If the attacker changes the price in the URL line before pressing Enter, and the site does not verify the price, he could buy the racket for $30 this way:
http://sales.sportswidget.com/order.htm?SKU="4321A"&price=30.00
Another popular form of parameter tampering is the changing of hidden fields within the HTML itself. Here, again, if the attacker views the source of the Web page and sees the price of the racket being held in a hidden field, he could save the source code, make the modification, and then load the file and send the new price, hoping it won't be caught later. In this way, the following:
could be changed to:
Newer solutions, such as Paros Proxy, are great for both investigators and attackers, since they allow you to change the HTML code that is received and delivered on your computer. This makes parameter tinkering a breeze, and it also makes testing Web form pages a breeze. Unfortunately, as with many security solutions, those that are beneficial to security professionals are also beneficial to attackers.
Cookie Poisoning
Cookie poisoning is a particular form of parameter tampering in which the attacker obtains the contents of a cookie saved on the victim's machine. By reading the information in these cookies, the attacker can either get sensitive information about the victim or update information for any purpose he wants. Cookies are used by many websites to store session information or short-term variables that are used to track a user's travel across a site. In principle, these cookies are invisible to the end user, and while the Web site may encrypt cookies in some situations, many are not encrypted and are extremely easy to read. As a result, attackers value the information stored in these cookies. It would be as simple as looking for the cookie from the sports store in the previous example and modifying the victim's cookie so that the list price of a racket is $90 instead of $80 when he checks out, to induce anger and unhappiness.
Investigating Cookie Poisoning
To identify and investigate cookie poisoning, have the cookie-issuing server save session variables and cookie contents to a log file, and then compare those cookies to the transaction logs to make sure the transaction finished with the identical data saved in the original cookie. If you go the extra step of watching referrer information during transactions, you may discover that the attack was not only caused by a poisoned cookie, but also by an XSS assault.
Buffer Overflows/Cookie Snooping
One of the side benefits to an attacker who performs a buffer overflow attack on a Web page is the direct reading of cookie data that is currently stored in memory. Many apps save cookies right alongside the browser's other variables. This is logical because the cookie is a variable. The attacker can read the unencrypted cookie data by executing a buffer overflow and having the payload read the working storage area of memory. This information can range from session information to Social Security numbers or bank codes.
Investigating Buffer Overflows
Depending on the type of buffer overflow and the error recovery strategy employed by the programmers, evidence of buffer overflows can be found in system logs, event logs, and programme logs. A buffer overflow can usually be observed reasonably quickly if you use a traffic sniffer or intrusion detection system, filter the Web page traffic, and look at the input data. Buffer overflows are usually huge files with repeating data strings that jump out at you when you see them. While studying a website that you suspect may be vulnerable to a buffer overflow attack, test the field input procedures to see if they trim or reject entries that are too large.
DMZ Protocol Attacks, Zero Day Attacks
One of the best practices network administrators employ to shield the remainder of the network from the portions that need to be open to the Internet is to place Internet-facing equipment in a separate "Demilitarized Zone," or DMZ. Internal and external DMZ protocol attacks are the most common. Internal assaults take advantage of the protocols used by systems in the DMZ. External assaults use the protocols that the DMZ utilises to communicate with the internal network systems. If an attacker gains access to a DMZ Web server, he may discover that the Web server uses a trusted Internetwork Packet Exchange (IPX) channel to communicate with a database server, which is also in the DMZ. This channel can be exploited to attack the database by abusing the Web server. This is the best example of an internal attack. Once within the DMZ, the attacker can utilise any protocol to get access to the company's internal network or intranet. It can be perplexing to think of an "external" attack as a term for attacking an interior network. If it helps, consider the attack from the perspective of being inside the DMZ and attacking outward from the DMZ into the rest of the corporation. When these assaults deliver a malicious payload that isn't in the signature database of the network's antivirus or intrusion detection/prevention systems, it is referred to as a Zero Day attack. If the attack or vulnerability hasn't been made public yet, it's also referred to as a Zero Day attack.
Example of an FTP Compromise

Attacks against FTP servers have been popular among attackers for quite a few years now. These attacks allow the attacker to transfer large amounts of data in either direction faster than other methods, and they allow attackers to steal information masked as other normal FTP traffic. A classic example of the FTP Bounce attack is shown in Figure 8.1. The attack uses the following steps:
1. The attacker creates a script that logs into the victim's FTP site and either requests or transmits a file to an intermediate FTP server, which is usually an open server in a public place like a school or library.
2. The attacker then creates a port between the attacker's system (which is usually operating an FTP server as well) and the intermediate FTP server using a script for the intermediate FTP server. After that, the attacker logs into the intermediary server and runs the two scripts.
3. When the attacker runs the scripts, an FTP link is established between his system and the intermediary system, and then a link is established between the intermediate system and the victim machine.
4. The attacker can send or request FTP files or data from the victim server after the connections are established, and all logs on the victim server show that the attack originated from the intermediate machine.

Figure 8.1 An Example of FTP Bounce Attack

Methods

FTP-based attacks come in a variety of forms today. Even some of the older techniques can still work, depending on the age of the FTP software and the security settings on the server!

Intrusion Detection

People who believe that intrusion detection systems prevent intrusions are making the most common mistake. They don't stop or deter intrusions in any manner; all they do is report when one happens or is attempted. Snort is an open source intrusion detection system that has become a benchmark against which commercial intrusion detection systems are measured. Snort, which is available at www.snort.org, can be used to capture network traffic and provide traffic analysis alerts. It can even be set up to act as a full intrusion prevention system, blocking malicious communications. Snort accomplishes these duties by comparing rule sets to incoming traffic. These rule sets can be downloaded from the Snort website or other security sites, and they are updated on a regular basis to reflect new attacks. If you're thinking of installing Snort, make sure you read and understand the documentation beforehand. Advanced rule sets can be rather complicated, and they may or may not apply to your network architecture. It's customary to utilise Snort as a live traffic analysis tool, but you can alternatively employ a known-good Snort installation to evaluate captured traffic files. You can tell Snort to read any .cap (TCPdump-formatted) file and generate warnings from the file. Snort will typically output any warnings or alerts to the screen unless you designate an output file in which to save them. The following output is an example of Snort alerts.
As you can see, most alerts even offer links to Web sites for more information on the suspect traffic. These external references are indicated by Xref =>.

[**] [1:587:8] RPC portmap status request UDP [**]
[Classification: Decode of an RPC query] [Priority: 2]
09/15-19:06:06.81952 210.114.220.46:653 -> 192.168.1.102:111
UDP TTL:47 TOS:0x0 ID:41887 IpLen:20 DgmLen:84
Len:56
[Xref => http://www.whitehats.com/info/IDS15]

[**] [1:1971:4] FTP SITE EXEC format string attempt [**]
[Classification: Potentially bad traffic] [Priority: 2]
09/16-15:55:52.235847 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0xCF7869CC Ack: 0xEBCD7EC0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391678 29673183

If your profession requires you to investigate significant quantities of network traffic, you may wish to set up a known-good Snort environment on your examination machine so that you can compare traffic captures against your tested and validated rules. This way of immediately evaluating network traffic for probable criminal behaviour is one of the most basic tools in an expert investigator's toolkit.

8.3 SUMMARY

Attackers are no longer required to break into an office or seek to circumvent firewall measures in order to get network access. Wireless networks have been compromised at BJ's Wholesale Club, Lowe's Companies Inc., DSW, Wake Forest University School of Medicine, and TJX. This chapter covers the fundamentals of wireless networks as well as the tactics used by hackers to attack them. Because of their anonymity and the difficulty of tracing attacks, hackers have an advantage when it comes to wireless attacks. The results are enticing: once a hacker breaks in, they bypass many of the usual network security barriers. A wireless network that was safe last year may not be as secure this year. The best way to prevent a wireless attack is to ensure the corporate wireless access point, wireless clients, and network configuration are as secure as possible.
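As an added example, not part of the original chapter, here is a small Python parser for the Snort full-format alert records shown above, with the two alerts from this chapter embedded as constructed sample input; the field names it produces and the two triage helpers are my own choice, and it handles IPv4 alerts with ports only.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in Snort's "full" alert format, built from the two alert
# records reproduced in this chapter.
SAMPLE_ALERTS = """\
[**] [1:587:8] RPC portmap status request UDP [**]
[Classification: Decode of an RPC query] [Priority: 2]
09/15-19:06:06.81952 210.114.220.46:653 -> 192.168.1.102:111
UDP TTL:47 TOS:0x0 ID:41887 IpLen:20 DgmLen:84
Len:56
[Xref => http://www.whitehats.com/info/IDS15]

[**] [1:1971:4] FTP SITE EXEC format string attempt [**]
[Classification: Potentially bad traffic] [Priority: 2]
09/16-15:55:52.235847 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0xCF7869CC  Ack: 0xEBCD7EC0  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391678 29673183
"""

# One regex per line type of the full-alert format (IPv4 with ports only).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:")   # "TTL:" keeps "TCP Options" lines out
XREF_RE = re.compile(r"^\[Xref => (\S+)\]$")


def parse_alerts(text: str) -> List[Dict]:
    """Turn Snort full-format alert text into one dict per alert."""
    alerts: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # "[**] [gid:sid:rev] message [**]" starts a new record
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4), "xrefs": []}
            alerts.append(current)
            continue
        if current is None:  # stray line before the first record
            continue
        if (m := CLASS_RE.match(line)):
            current["classification"], current["priority"] = m.group(1), int(m.group(2))
        elif (m := PACKET_RE.match(line)):
            current["timestamp"] = m.group(1)
            current["src"], current["sport"] = m.group(2), int(m.group(3))
            current["dst"], current["dport"] = m.group(4), int(m.group(5))
        elif (m := PROTO_RE.match(line)):
            current["proto"] = m.group(1)
        elif (m := XREF_RE.match(line)):
            current["xrefs"].append(m.group(1))
        # remaining lines (TCP flags, options, Len) are left unparsed
    return alerts


def hosts_targeted(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts per destination host: a quick view of which machine drew fire."""
    return dict(Counter(a["dst"] for a in alerts if "dst" in a))


def high_priority_sources(alerts: List[Dict], max_priority: int = 2) -> List[str]:
    """Distinct source addresses of alerts at or above a priority (1 is the highest)."""
    return sorted({a["src"] for a in alerts
                   if "src" in a and a.get("priority", 99) <= max_priority})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for alert in parsed:
        print(alert["sid"], alert["msg"], alert["src"], "->", alert["dst"], alert["xrefs"])
    print(hosts_targeted(parsed), high_priority_sources(parsed))
```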
Wireless networks can be more vulnerable to attacks than wired networks.

8.4 REFERENCES FOR FURTHER READING

Chapter 11 - Investigating Wireless Attacks, in: Dave Kleiman, Kevin Cardwell, Timothy Clinton, Michael Cross, Michael Gregg, Jesse Varsalone, Craig Wright (eds.), The Official CHFI Study Guide (Exam 312-49), Syngress, 2007, pp. 487-509, ISBN 9781597491976, https://doi.org/10.1016/B978-159749197-6.50012
9 EMAIL TRACKING AND EMAIL CRIME EXAMINATION

Unit Structure
9.0 Objectives
9.1 Introduction
9.1.1 E-mail Anatomy
9.1.2 Working with E-mail Systems
9.1.3 Protocols Used in Email Communication
9.1.3.1 Simple Mail Transfer Protocol (SMTP)
9.1.3.2 Post Office Protocol (POP3)
9.1.3.3 Internet Mail Access Protocol (IMAP)
9.2 Email Crimes
9.2.1 Phishing
9.2.1.1 Types of Phishing
9.2.1.2 Case Study: Bypassing Two-Factor Authentication
9.2.2 Spamming
9.2.3 Mail Bombing
9.2.4 Mail Storm
9.2.5 Sexual Abuse of Children in Chat Rooms
9.2.6 Child Pornography
9.2.7 Harassment
9.2.8 Identity Fraud
9.2.9 Chain Letter
9.2.10 Sending Fakemail
9.2.11 Email Harvesting
9.3 Investigating E-mail Crimes
9.3.1 Examining the E-mail Message
9.3.2 Copying the E-mail Message
9.3.3 Printing the E-mail Message
9.3.4 Viewing the E-mail Headers
9.3.5 Examining the E-mail Header
9.3.5.1 Microsoft Outlook
9.3.5.2 E-mail Messages, UNIX, and More
9.3.6 Tracing an E-mail Message
9.4 Tools and Techniques to Investigate E-mail Messages
9.5 Handling Spam
9.6 Network Abuse Clearing House
9.7 Protecting Your E-mail Address from Spam
9.8 Anti-Spam Tools
9.9 Summary
9.10 References for Further Reading

9.0 OBJECTIVES

Objectives of this chapter: this chapter will help you understand the following concepts:
Working with E-mail Systems
E-mail Crimes
Investigating E-mail Crimes
Tracing an E-mail Message
Tools and Techniques to Investigate E-mail Messages

9.1 INTRODUCTION

E-mail was invented during the 1960s but was used to a limited extent and in a restricted way; it only became popular by 1993. E-mail communication started the business transformation because it connected the world. Although many modern forms of communication have been developed, e-mail still remains the most popular within the corporate world. As e-mail communication flourished, it became a significant part of our personal and professional lives. E-mail is a vital part of e-discovery and forensic investigation, especially with the increase in cybercrime. In this chapter, we will look at different e-mail crimes and how their investigation takes place, by looking at various case studies. E-mail played a real part in the investigation of the Enron scandal, which we will see later.

E-mail Anatomy

An e-mail consists of two parts: the header and the body. Each e-mail includes a header, which is a section that contains information about the source of the e-mail and the path it took to reach its destination. The body of the e-mail is what we read inside the e-mail; it contains the message as well as any attachments the sender has sent.

Working of the E-mail System

The e-mail system is a combination of hardware and software components, which include the sender's and receiver's client and server computers. The working of an e-mail system is shown in Figure 1.
• An e-mail client is a Message User Agent (MUA), which is software that sends and receives e-mail. It converts the message into an e-mail message and sends it to the Message Submission Agent (MSA).
• Using the Simple Mail Transfer Protocol (SMTP), the MSA determines the destination and resolves the domain name to determine the fully qualified domain name of the mail server.
• The Domain Name System (DNS) server checks the domain against the list of mail exchange servers in response to the request.
• The message is then sent to the Mail Transfer Agent (MTA), after which it is delivered to the mailbox by the Mail Delivery Agent (MDA).
• The message is received by the recipient's MUA using either Post Office Protocol (POP3) or Internet Message Access Protocol (IMAP).
Fig. 1 Working of the E-mail System
Protocols Used in E-mail Communication

E-mails play a major and basic part in electronic communication in today's digital world. We have a set of protocols in place to make this electronic connection possible and to send data between two or more parties.

1. Simple Mail Transfer Protocol (SMTP)
The Simple Mail Transfer Protocol (SMTP) is an Internet protocol that allows you to send and receive e-mail over the Internet.
• SMTP is a text-based, application-level protocol.
• For SMTP, the port numbers are 25 or 2525, or 587. Ports 465, 25, 587, and 2526 are used for secure SMTP (SSL/TLS).

2. Post Office Protocol (POP3)
This is a protocol for retrieving e-mail from e-mail servers over the Internet.
• All incoming messages are handled by the POP3 server.
• Each server is limited to a single mailbox.
• POP allows offline access to messages, reducing the amount of time spent online.
• The POP3 protocol is normally used on two ports: port 110, which is the default unencrypted POP3 port, and port 995, which is used when encryption is required.

3. Internet Mail Access Protocol (IMAP)
To access e-mail on the mail server, you'll need to use the Internet Message Access Protocol.
• The remote server stores and manages e-mail.
• It allows clients to download and discard messages without reading them.
• Support for multiple mailboxes is available.
• Suitable for attachments.
• The IMAP protocol runs on port 143, with SSL/TLS-encrypted IMAP running on port 993.

9.2 EMAIL CRIMES

As the number of digital citizens grew to millions, so did the number of crimes connected to e-mail. New users, on the other hand, are not given any instructions or tips on how to be safe online. Many of these people eventually become easy targets for hackers and fraudsters who misuse their data and, in many cases, demand money. E-mail crimes include phishing messages, extortion messages, harassment messages, and so on. E-mail has traditionally been used to further white-collar crime, but it is now also being used to spread terrorism and by stalkers to convey threats.

Phishing

Phishing scams are mostly messages that lead to the collection of essential and sensitive data, such as bank account numbers, credit card numbers, and Social Security numbers, and the misuse or illegal sale of such data. The attack is most commonly delivered as a spoofed e-mail communication that appears to come from a person in a position of authority or a known or personal acquaintance, but it can also appear to come from a person in a legitimate position or a well-known bank, shopping portal, hotel, and so on. This happens when a cybercriminal tricks a victim into opening an e-mail by appearing to be a trusted organisation. The recipient is then persuaded to click on a malicious link or attachment, which may result in the installation of malware (malicious software), compromising all sensitive data on the machine. Phishing is frequently used as part of a broader attack, such as an advanced persistent threat (APT) event, to gain access to business or government networks by luring and targeting innocent personnel. Many employees are compromised in this phase to bypass security perimeters such as firewalls, endpoint security, and e-mail security, to distribute malware inside a closed environment, or to obtain privileged access to all guarded information and data.
An organisation that falls victim to such an attack is likely to suffer significant financial and reputational damage. Depending on its breadth, a phishing attempt may turn into a security crisis, making it hard to recover and regain market share.

Types of Phishing

There are several kinds of phishing attacks:
• As the name implies, spear phishing generally targets a particular individual or organisation. Phishers scour the Web for any available information on their target so they can assemble a plausible and genuine-looking e-mail to extract data (if not cash) from their intended victims.
• Whaling is a type of spear phishing attack aimed at executives or other high-profile targets within a company, government, or other private organisation, such as a COO, CEO, or another person with access to financial data or assets. A typical example of whaling is CFO fraud. It usually targets high-profile individuals to steal vital and sensitive data from a corporation. These are individuals who have full access to sensitive data.
• Smishing is a type of SMS phishing that takes place through text messages on mobile phones. Vishing, or voice phishing, is a similar technique that uses the telephone.
• Deceptive phishing: In this case, the sender disguises e-mail IDs (makes them look genuine) as an official and original organisation's e-mail address, enticing and asking people to click on the fake links provided in the e-mail. Typically, cybercriminals target their victims using mass e-mail campaigns.
• Pharming, also known as DNS-based phishing, is the modification or tampering of a system's host files or domain name system to redirect URL queries to a counterfeit site. As a result, customers have no idea that the site into which they are entering their personal data is a forgery.
• Content-injection phishing occurs when scammers/phishers insert harmful code or misleading content into genuine websites that request users' passwords or personal data. This phishing attempt is carried out as part of a content spoofing attack.
• Search engine phishing occurs when scammers or phishers develop harmful websites with enticing, sensational offers and list them in search engines. As the saying goes, "too good to be true": unsuspecting victims are drawn to such sites while conducting their own Web searches and mistakenly believe these sites are genuine, inadvertently exposing all of their personal data.

The harsh truth is that there are a great many phish in the sea! A phishing attack is the starting point for the vast majority of data breach attempts. Unfortunately, no matter how secure an organisation is or how many different protections it puts in place, some phishing messages will always creep through into a victim's inbox.
Also, those messages are extremely effective: the vast majority of people on earth can't recognise a clever phishing e-mail. This is where user awareness and employee education come into play and are critical.

Case Study: Bypassing Two-Factor Authentication

Hackers successfully bypassed Google's two-factor authentication (2FA) and accessed Gmail accounts. Hackers used this clever campaign to gain access to many Google and Yahoo accounts and bypass two-factor authentication. Here's how the attack worked (the timing is significant):
1. A hacker creates a fake Gmail login page.
2. The hacker sends the victim a phishing Gmail security alert ("Your Gmail account has been restricted for security reasons. To reactivate the account, you must log in ..." (blah, blah, blah)).
3. The victim clicks the phishing link and is taken to a fake Gmail verification screen.
4. The victim enters a login and password.
5. The hacker accepts the login and the victim is then presented with a "Please enter 2-Factor Authentication code:" prompt.
6. Hackers in a remote location open a real Gmail page and sign in with the victim's captured login and password.
7. The real Gmail accepts the login and sends an SMS message with the two-factor verification code to the victim's phone.
8. The victim enters the 2FA code from the SMS into the phishing site.
9. The hacker obtains the 2FA code and relays it to the real Gmail account.
10. The hacker has gained access to the victim's Gmail account.
Source: motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication

Spamming

Spamming is the act of sending unsolicited commercial e-mail (UCE) communications. Junk mail is a more common word for spam. Spammers collect e-mail addresses from Usenet, bots, posts, DNS listings, and/or Web pages. Spammers are clever, motivated criminals who are well versed in technology. They will go to any length to gain access to e-mail records, insecure servers, and insecure routers. Spammers make money while remaining anonymous by using their knowledge and well-made tools. Spam is typically sent to a large number of e-mail addresses simultaneously. In most cases, the sender's e-mail address is faked, allowing spammers to hide their identity. The From and Reply-To fields in an Internet e-mail header allow the spammer to give incorrect or misleading information to encourage the recipient to open the e-mail.
Spam may be classified into two categories based on its content: unsolicited bulk e-mail (UBE) and unsolicited commercial e-mail (UCE). Spam is sent via a spoofed e-mail address or through commercial mass-mailing software. A spammer is an individual or entity who sends spam messages.

Mail Bombing

Mail bombing is a straightforward attack that has been practised for a long time. It involves deliberately sending multiple copies of an e-mail to a recipient. The goal is simply to overwhelm the e-mail server. This is accomplished either by flooding the server connections or by overflowing the user's inbox to the point where the person cannot receive further messages. Flooding server connections would be aimed at the overall system, while flooding an inbox would be aimed at a particular person. Mail bombing is harmful and abusive, whether it is aimed at a particular individual or intended to keep other users from accessing the mail server.

Mail Storm

A mail storm is a situation that arises when computers start communicating on their own. This generates a great deal of junk mail. It may happen accidentally because of e-mail auto-forwarding configured to a large number of mailing lists, the use of automatic replies, and the use of multiple e-mail accounts. Malicious software, such as the Melissa and ILOVEYOU viruses, can also cause mail storms. Mail storms disrupt an e-mail system's normal communication.

Sexual Abuse of Children in Chat Rooms

The growing use of instant messaging, Web forums such as Facebook, and chat rooms has increased the risk of sexual abuse. It is common for paedophiles to use Web chat rooms to sexually abuse young people by initiating relationships with them. This usually involves befriending the youth, building a steady relationship, and then gradually introducing the child to pornography through photographs or videos that may contain sexually explicit material.
Children may be exploited for cybersex at first, and after trust is established, this may escalate to physical abuse.

Child Pornography

Child pornography is defined as any material that depicts children's sexual activity. The anonymity and ease of transfer afforded by the Internet have resulted in a worldwide problem with child pornography. Child pornography abuse can result in long-term suffering and other harmful consequences. Those in the child pornography business sometimes target disadvantaged youths by promising money or other incentives. Children who are victims of sexual abuse may suffer from distress, emotional dysfunction, fear, and anxiety for the rest of their lives.
Harassment

Harassment may occur in many types of media, including the Internet. Junk mail, sexually inappropriate e-mail communications, and threats conveyed online (through e-mail and instant messaging) are all examples of harassment. Harassment of this nature is a criminal offence. Another kind of harassment is inappropriate access to sexually explicit, racist, or otherwise offensive material at work. This includes sending unwanted communications to a colleague that may contain inappropriate material.

Identity Fraud

Identity theft is becoming increasingly common because of its simplicity and profitability. This conduct involves stealing someone's identity to obtain dishonest financial advantage. It is, in fact, theft. To steal an identity, e-mail communications with unrealistic offers, fake Web sites, and other kinds of phishing are used. Many groups specialise in capturing data and profiting financially by selling this data to parties that will conduct unauthorised purchases or financial transactions.

Chain Letters

Another kind of abuse that has easily moved from the physical world to the Web is the chain letter. A chain letter is an e-mail that is sent sequentially from one e-mail user to the next. It will typically urge the recipient to forward further copies of the e-mail to multiple recipients. These chain letters frequently offer prizes or spiritual benefit for forwarding the e-mail and may also threaten misfortune or harm if the recipient doesn't pass it on. The authenticity of a chain letter is often unknown because the original sender's header information is lost during retransmission.

Sending Fakemail

Fakemail is any e-mail that has been forged or manipulated in some way. It is frequently used in spamming to hide the originating address. E-mail spoofing is a technique for sending forged or fake mail.
Entering another person's e-mail address in the From or Reply-To fields allows you to send a fake e-mail. These may also include false information about the message's origin. Fakemail may be easily generated by connecting to TCP port 25 with any telnet client. When this is done, the computer is immediately connected to the SMTP (Simple Mail Transfer Protocol) daemon running on that host. Fakemail can then be sent by issuing SMTP commands to the SMTP daemon. For example, to send a fake e-mail to Bill.Gates@Microsoft.com, enter the following:

HELO username
MAIL FROM: <president@Whitehouse.gov>
RCPT TO: <Bill.Gates@Microsoft.com>
DATA
This is a note to thank you for your help in winning the election. President Bush conceded.

Fakemail may be sent to anyone and will appear to have come from the address specified in the "MAIL FROM:" field. Fundamentally, fakemail is used to commit criminal fraud.

E-mail Harvesting

This obscure and generally illegal activity uses automated software to scan Web pages and collect e-mail addresses for spammers to use in sending spam messages.

9.3 INVESTIGATING EMAIL CRIMES

To investigate e-mail crimes and violations, you should take the following steps: study the e-mail message, copy it, print it, view the e-mail headers, examine the e-mail headers, examine any attachments, and trace the e-mail. The following are the steps in the investigative process:
1. Examining the e-mail message
2. Copying the e-mail message
3. Printing the e-mail message
4. Viewing the e-mail headers
5. Examining the e-mail headers
6. Examining any attachments
7. Tracing the e-mail

1. Examining the E-mail Message

When it is determined that a crime was committed via e-mail, collect and preserve the evidence needed to prove the offence in a court of law. Evidence can be gathered by examining the victim's computer. This may be the e-mail that the victim received. As with any digital forensic work, an image of the machine's hard disk should be taken first. It is helpful to obtain any passwords needed to open protected or encrypted files while examining the victim's system. When physical access to the victim's computer is impossible, a printed copy of the offending e-mail (with the complete header) should be made. Although the unique IP address of the server that sent the message may be forged, this is difficult and unlikely. In most cases, the IP address of the originating post in the e-mail will correspond to the offender's host.

2. Copying the E-mail Message

An e-mail investigation may be launched once the offending message is copied and printed. Any e-mail application, such as Eudora or Outlook Express, may be used, and simple steps can be given to move the e-mail message from the Inbox folder to a disk or other medium. To copy an e-mail in Microsoft Outlook or Outlook Express, perform these steps:
1. Insert a formatted USB flash drive into the system.
2. Navigate to the USB key using My Computer or Windows Explorer.
3. Start Microsoft Outlook.
4. Keep the Folder List open when opening the folder containing the offending message.
5. Resize the Outlook window so that you can see both the copied message and the disk icon.
6. From the Outlook pane, drag the message to the disk folder associated with the USB key.
Copying the e-mail message is also possible with command-line e-mail applications such as Pine. The procedure is usually unique to each program.

3. Printing the E-mail Message

It is a good idea to print the e-mail message once it has been copied. The main advantages of printing are that a simple procedure can be conveyed remotely to a user and that it produces results that may be used in court. The following instructions show how to print an e-mail message from Outlook Express:
1. Navigate to My Computer or Windows Explorer and save a copy of the victim's e-mail message.
2. Launch the e-mail software and open the message.
3. Select Print from the File menu.
4. After you've chosen your printing options in the dialog box, click Print.
5. Open the e-mail message in a command-line e-mail client such as Pine or Eudora and choose the Print option.

4. Viewing the E-mail Headers

A message header and a subject body make up an e-mail message. Successful capture of the e-mail header can make or break an investigation involving e-mail. The e-mail header is essential because it contains information about the e-mail's origin. This reveals the IP address from which it originated, the method used to transmit it, and perhaps who sent it. The message itself is contained in the e-mail's body. The e-mail header may be obtained after copying the e-mail message. The method varies depending on the e-mail application.

Retrieving the E-mail Header (Microsoft Outlook)
1. Launch Outlook and navigate to the copied e-mail message.
2. To open the Options dialog box, right-click the message and select Options.
3. Select the header text and copy it.
4. Paste the header content into any word processor, then save the file as Filename.txt.
5. Press <Alt-P> to capture a screenshot of the header. This image should be printed.
6. Make a copy of the e-mail message and save it as message1.msg.
7. Exit the application.

Retrieving the E-mail Header (Hotmail)
1. Navigate to Hotmail and sign in using your Web browser.
2. Open the appropriate e-mail message.
3. Select Preferences from the Options menu. Click Mail Display Settings for version 8.
4. Select Advanced Header from the drop-down menu. Go to Message Headers and choose the Advanced option for version 8.
5. Select and copy the message header content.
6. Save the file as Filename.htm after selecting the message header content.
7. This can also be accomplished by saving the data associated with the header's "view source."
8. Press <Alt-P> to capture a screenshot of the header. This image should be printed.
9. Exit the application.
Recovering the E-mail Header (Yahoo)
1. Launch Yahoo.
2. On the right, select Mail Options.
3. Navigate to the General Preferences link and choose Show All Headers On Incoming Messages before saving the message.
4. Save the file as Filename.htm after selecting the message header content.
5. This can also be accomplished by saving the information shown by the header's "view source" option.
6. Press Alt-P to capture a screenshot of the header. This image should be printed.
7. Exit the application.

5. Inspecting the E-mail Header
Email headers are a useful source of information. They can tell you the operating system and version used by the email sender, the email program used and its version, the usernames on the system used to send and receive email, as well as the system hostname and Internet Protocol (IP) addresses. The most efficient way to obtain the relevant email for assessment is to ask the person who received it. It is usually preferable to have someone at the target site send you an email message if possible. Often, automated replies and system re-mail or list features are sufficient to obtain an email header for comparison. Do this for each site that you are permitted to assess. Email headers may also be captured by deliberately sending an invalid email to the target site. This will result in a "bounce" returning as undeliverable. Although this is not always the case, the bounce may contain some internal information. The email applications, operating systems, internal hostnames, and internal system types are revealed by analyzing the header. The originating sender's IP address given within the email header is the main piece of data needed when investigating an incident based on an email.
The email header also includes other information, such as the date and time the message was sent (a timestamp), any attachments and their format, and the message content. The header may also contain information that can be used to identify the client machine uniquely. In this section, we walk through the steps needed to examine the email header. The header is captured by following the methods laid out in the previous section. If the email message header is examined effectively, it can provide significant information. Figure 1 shows an example of an email header.
6. Inspecting any attachments
Email header analysis gives us information about the attacker, such as SMTP server details, the attacker's and victim's IP addresses, the timestamp when the email was sent, and attachment file information. Many commercial and web-based analysis programs are available, including www.ip-adress.com, eMailTrackerPro, MailXaminer, MX Toolbox, and others. The ip-adress tool will be used to examine an email header and understand the different fields shown in the header. Once the IP is resolved and confirmed to be genuine, all of the information is gathered, the associated Internet Service Provider (ISP) is contacted, and the customer information for the IP is requested. The ISP then sends the customer information to the investigators, who, with the help of local law enforcement, track down the culprit.
Fig.1 Sample Header with explanation 1
Fig.2 Sample Header with explanation 2
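The header walk-through above can be automated. The following is an added example, not part of the chapter or any tool it names: it parses a constructed header (all hosts and addresses are documentation ranges) from the earliest Received hop to the latest, extracts the originating IP, checks that each hop's "by" host is the next hop's "from" host, that timestamps advance, and that the From domain matches the envelope sender, so a prepended fake Received line stands out.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header (not a real message). Hosts and IPs use
# documentation ranges; the From claims the victim's own domain.
SAMPLE_HEADER = """\
Return-Path: <bogus@mail.example.com>
Received: from mx1.hotel.example (mx1.hotel.example [198.51.100.10])
    by imap.hotel.example (Postfix) with ESMTP id 7F3A1C0
    for <security@hotel.example>; Tue, 1 Jun 2010 10:15:40 +0530
Received: from web-mail.webmail.example (web-mail.webmail.example [203.0.113.25])
    by mx1.hotel.example (8.14.3/8.14.3) with ESMTP id o51AFWab012345
    for <security@hotel.example>; Tue, 1 Jun 2010 10:15:32 +0530
Received: from [192.0.2.77] by web-mail.webmail.example via HTTP;
    Tue, 1 Jun 2010 10:15:02 +0530
Message-ID: <20100601101502.12345.qmail@web-mail.webmail.example>
From: "Front Desk" <frontdesk@hotel.example>
To: security@hotel.example
Subject: Urgent notice
Date: Tue, 1 Jun 2010 10:15:02 +0530

"""

# Same message with a forged, earlier-looking Received line appended at the
# bottom of the header block (the position of the "first" hop).
FORGED_HEADER = SAMPLE_HEADER.replace(
    "Message-ID:",
    "Received: from innocent.example (innocent.example [192.0.2.9])\n"
    "    by relay.other.example with SMTP id 1;\n"
    "    Tue, 1 Jun 2010 10:20:00 +0530\nMessage-ID:", 1)

HOP_FROM = re.compile(r"^from\s+(?P<host>\S+)", re.I)
HOP_BY = re.compile(r"\bby\s+(?P<host>\S+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_header):
    """Return (message, hops) with hops ordered earliest first."""
    msg = message_from_string(raw_header)
    hops = []
    # Each MTA prepends its Received line, so the last one is the first hop.
    for rcv in reversed(msg.get_all("Received", [])):
        line = " ".join(rcv.split())          # unfold continuation lines
        m_from, m_by = HOP_FROM.match(line), HOP_BY.search(line)
        # The IPv4 literal before "by" is the peer that connected to this MTA.
        pre_by = line[:m_by.start()] if m_by else line
        ips = IPV4.findall(pre_by)
        when = None
        if ";" in line:                      # date follows the last ';'
            when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append({"from": m_from.group("host") if m_from else None,
                     "ip": ips[0] if ips else None,
                     "by": m_by.group("host") if m_by else None,
                     "time": when})
    return msg, hops


def analyse(raw_header):
    """Return origin IP plus consistency findings for the hop chain."""
    msg, hops = parse_hops(raw_header)
    findings = []
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by"] and nxt["from"] and prev["by"].lower() != nxt["from"].lower():
            findings.append(f"chain break: {prev['by']} handed off, but next hop came from {nxt['from']}")
        if prev["time"] and nxt["time"] and nxt["time"] < prev["time"]:
            findings.append(f"clock skew: hop via {nxt['by']} is earlier than hop via {prev['by']}")
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"envelope sender domain {env_dom} differs from From domain {from_dom}")
    origin_ip = next((h["ip"] for h in hops if h["ip"]), None)
    return {"origin_ip": origin_ip, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for name, hdr in (("genuine", SAMPLE_HEADER), ("forged", FORGED_HEADER)):
        result = analyse(hdr)
        print(name, "origin:", result["origin_ip"])
        for f in result["findings"]:
            print("  -", f)
```

The forged variant reports a plausible but wrong origin, which is why the chapter insists the header be cross-checked against server logs rather than trusted on its own.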
Email tracking result as shown in the figure.
Case Study: Email Hoax
A reputable hotel received a scare when a 40-year-old disgruntled man wrote a hoax email to the hotel, keeping the staff on alert for more than a week. On June 1, an email with the subject "Bombs in Hotel" arrived in the inbox of the hotel's email ID from an attacker using a yahoo.com email address. The following is the email's content (unedited):

Greetings, 3 bags loaded with 20 Kg of RDX have been placed in your hotel. Over the last 3 days, we have successfully evaded all your security systems. The detonator for each of the 3 explosives will be controlled by a cell phone. When I call the numbers, the explosives will go off and destroy your hotel. You have 24 hours to deliver Rs 5 Crores or else witness the destruction of your hotel. You will send 2 Bank DD's each of Rs 2.5 Crores to the following address: (his wife's Bangalore, India address mentioned here) Do not waste time, the explosives will be set off at exactly 2 pm on Wednesday, June 2, 2010. This email is not a hoax. You are advised to treat it seriously to avoid millions of dollars of damage and loss of life. The bomb threat is real, this is my last warning!

However, the hoax email sender was arrested in Bangalore after the hotel's assistant security chief alerted Cyber Crime unit officials. The messages and other information were provided to us by the hotel management. Since the account was Yahoo's, we contacted Yahoo and obtained information on the account, which was set up in the name of xxxx@yahoo.com. Yahoo furnished us with the IP address information.
Using ip-adress.com, we performed header analysis and found that the IP address belonged to a cyber cafe in Bangalore. It was an Airtel Internet connection, and with Airtel's help, we located the physical location of the cyber cafe from which the messages were sent. We then dispatched a team of experts to conduct further investigation. The culprit had sent two hoax messages to the hotel. His wife had deserted him, leaving him destitute, according to the investigation. This motivated him to send an email in her name, so he created an email address in her name. He further requested that 7,000,000 USD (the Rs. 5 crores mentioned in the email) be sent to her local home address.

7. Tracing an E-mail Message
The originating host system's IP address can help you determine the owner of an email address that has been used in a suspected incident or crime under investigation. This data is vulnerable to forgery. Always double-check any evidence you find. A variety of websites can help in tracking down the owner or responsible entity associated with the domain name. Some of these are:

www.arin.net The American Registry for Internet Numbers (ARIN) can be used to determine a domain name based on an IP address. It also provides the contact information associated with a domain name.

http://www.freeality.com/ This site provides a variety of search options, including email addresses, telephone numbers, and names. Users can do reverse email lookups on the site, which may help in determining the subject's true identity. This site also provides reverse telephone number and address lookups.

www.google.com The Google search engine can be used to find practically any information. The Google Groups and Advanced Groups Search features enable you to search a single newsgroup or all newsgroups using keywords, message IDs, or authors.
A lot of information can be retrieved by putting an email address associated with the investigation's subject into the "Author" field, including any articles that the suspect has posted.

www.internic.com This site has similar content to www.arin.net.

These sites help investigations by tracing the email message and providing crucial evidence, such as a suspect's contact information.

9.4 TOOLS AND TECHNIQUES TO INVESTIGATE E-MAIL MESSAGES
To establish the validity of email and obtain evidence associated with it, the forensic examiner can use a variety of tools and techniques. This section goes through a few of these tools and approaches.
Page 200
Using Logs to Analyze E-mail
It is essential to check and confirm the email address, source, and path in any investigation involving email. System logs are used to confirm the route that the email has traveled. Through their logs, routers and firewalls provide essential validation of the email server and the path given within the email header. Although it is feasible to simply spoof an email header, it is almost impossible to subvert all network hardware and servers along the email's transmission path. You can check the validity of the information in the email header by combining network and system logs from the source, destination, and intermediate devices and servers along the path of the email. If there are any inconsistencies among systems and logs, it is likely that the email header has been altered.

Analyzing Network Equipment Logs
It is feasible to validate the timings and IP addresses in the email header by examining network and firewall logs. Routers and firewalls can both be configured to monitor and log incoming and outgoing traffic as it passes through them, and they regularly generate log files in this process. These log files often contain email message ID information as well as the source and destination addresses of the servers used to deliver the email.

Inspecting UNIX E-mail Server Logs
Sendmail is the principal program for sending email on a Linux or UNIX system. The logs and the configuration file (sendmail.cf) both provide significant information. Syslog is used by both Linux and UNIX to record what has happened on the system. The configuration file /etc/syslog.conf specifies where the syslog service (or daemon, known as syslogd) delivers its logs. The syslog configuration file includes useful information such as the logging priority, where logs are delivered, and what other actions may be taken.
Sendmail generates event messages and is regularly set up to record essential information, such as the source and destination locations, the sender and recipient addresses, and the message ID of the email. The syslog.conf file will show directly where the email log file is located. This is frequently /var/log/maillog. This file often contains the source and destination IP addresses, date and time stamps, and other information that can be used to confirm the information in an email header.

Analyzing Microsoft Exchange E-mail Server Logs
Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE). When examining email obtained from a Microsoft Exchange server, the investigator is primarily concerned with the system's EDB files, STM database files, checkpoint files, and temporary files. EDB database files are used by older versions of Exchange. Both EDB and STM formats are used in later versions of Microsoft Exchange server (2000 and later). EDB and STM database files are used to create email message storage space. An EDB file is used to preserve the pre-formatted email, including the MAPI (Messaging Application Programming Interface) metadata. The STM database contains files that are not MAPI-formatted. To monitor and execute changes to the database file, Microsoft Exchange uses a transaction log. In this way, the transaction log can be used to identify whether an email was sent or received by the email server. To indicate the last point in time when the database was saved to disk, Exchange server uses checkpoint files that are written into the transaction log. Checkpoints let the system administrator (and therefore the forensic examiner) determine whether any data loss has occurred since the last backup was performed, and so recover lost or deleted messages. Microsoft Exchange uses temporary files (or TMP files) to store data that is received while the server is too busy to deal with it immediately. The RESx.log files are used to preserve database overflow data. The system does not delete these temporary files, and they can be recovered. A tracking log on the Exchange server can be viewed using the Windows Event Viewer. Microsoft Exchange has a message-tracking capability with a verbose mode; it is also possible to see the message content associated with the email in this mode. The Event Viewer also provides useful information about email messages sent and received through the server.
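The sendmail/syslog cross-check described under "Using Logs to Analyze E-mail" and "Inspecting UNIX E-mail Server Logs" can be scripted. The following is an added example, not part of the chapter or of sendmail: it parses constructed /var/log/maillog lines in sendmail's syslog format and compares the logged relay IP and time for a message ID against what a Received line claims; the year, time zone and 120-second tolerance are assumptions, since syslog lines carry neither year nor zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed maillog excerpt (sendmail syslog format, not real log data).
MAILLOG = """\
Jun  1 10:15:32 mx1 sendmail[4711]: o51AFWab012345: from=<bogus@mail.example.com>, size=1532, class=0, nrcpts=1, msgid=<20100601101502.12345.qmail@web-mail.webmail.example>, proto=ESMTP, daemon=MTA, relay=web-mail.webmail.example [203.0.113.25]
Jun  1 10:15:33 mx1 sendmail[4712]: o51AFWab012345: to=<security@hotel.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31532, relay=imap.hotel.example. [198.51.100.10], dsn=2.0.0, stat=Sent (7F3A1C0 Message accepted for delivery)
Jun  1 10:20:09 mx1 sendmail[4720]: o51AKxyz012350: from=<news@list.example>, size=8001, class=0, nrcpts=1, msgid=<list-42@list.example>, proto=ESMTP, daemon=MTA, relay=lists.example [198.51.100.200]
"""

# Assumed: the server logged in Indian Standard Time during June 2010.
IST = timezone(timedelta(hours=5, minutes=30))
LOG_YEAR = 2010

LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_maillog(text, year=LOG_YEAR, tz=IST):
    """Group from=/to= lines by sendmail queue ID."""
    records = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a sendmail line
        fields = {}
        for part in m.group("fields").split(", "):
            key, _, value = part.partition("=")
            fields[key] = value
        stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        stamp = stamp.replace(year=year, tzinfo=tz)
        rec = records.setdefault(m.group("qid"),
                                 {"host": m.group("host"), "from": None, "to": []})
        if "from" in fields:                 # envelope-from line: who connected
            ip = IPV4.search(fields.get("relay", ""))
            rec["from"] = {"msgid": fields.get("msgid"), "sender": fields["from"],
                           "relay_ip": ip.group(1) if ip else None, "time": stamp}
        elif "to" in fields:                 # delivery line(s): where it went
            rec["to"].append({"rcpt": fields["to"], "stat": fields.get("stat", ""),
                              "time": stamp})
    return records


def verify_hop(records, msgid, claimed_ip, claimed_time, tolerance_s=120):
    """Compare a Received line's claim (peer IP, time) with the server's own log."""
    for qid, rec in records.items():
        f = rec["from"]
        if f and f["msgid"] == msgid:
            skew = abs((f["time"] - claimed_time).total_seconds())
            return {"found": True, "queue_id": qid,
                    "relay_match": f["relay_ip"] == claimed_ip,
                    "time_match": skew <= tolerance_s,
                    "delivered": any(t["stat"].startswith("Sent") for t in rec["to"])}
    return {"found": False, "queue_id": None, "relay_match": False,
            "time_match": False, "delivered": False}


def ist(hour, minute, second, day=1):
    """Helper for the constructed scenario: a timestamp on 1 June 2010, IST."""
    return datetime(LOG_YEAR, 6, day, hour, minute, second, tzinfo=IST)


if __name__ == "__main__":
    recs = parse_maillog(MAILLOG)
    msgid = "<20100601101502.12345.qmail@web-mail.webmail.example>"
    print("header claim matches log:", verify_hop(recs, msgid, "203.0.113.25", ist(10, 15, 32)))
    print("forged claim vs log:     ", verify_hop(recs, msgid, "192.0.2.9", ist(10, 20, 0)))
```

A claim that is found but fails relay_match or time_match is exactly the "inconsistency among systems and logs" the chapter says points to an altered header.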
If the Exchange debugging or diagnostic logs are enabled, they can also provide helpful information. The Windows Event Viewer is used to read these log files. For every email message sent or received, numerous events are logged. In addition, the Event Properties dialog box gives further information.

Specialized E-mail Forensic Tools
Specialized forensic tools, like FINALeMAIL, Sawmill-GroupWise, and Audimation for Logging, are intended especially to recover email and attachments. When combined with data recovery tools (like FTK or EnCase), a methodology can be developed to find and recover any log files, email databases, personal email storage files, and offline storage files.
Page 202
Email recovery software recovers data from an email server or a client PC. You may be able to validate an email, or establish that it is probably fake, by comparing the gathered log and server data with the victim's email message.

Email Examiner
The E-mail Examiner utility aids the recovery of deleted email and other messages. Even after the deleted items folder has been emptied, this program restores deleted email. Email Examiner can evaluate more than 14 email database types on Windows 95, 98, NT4, 2000, 2003, ME, and XP. AOL, Calypso, EML message files, Eudora, Forte Agent, Juno 3.x, Mozilla Mail, MSN Mail, Netscape Messenger, Outlook Express, Outlook Exchange, Pegasus Mail, PocoMail, USENET Groups, and a variety of additional formats are supported.

FINALeMAIL
FINALeMAIL is intended to search an email database for deleted email messages. It is particularly helpful for recovering email messages when the data location information has been lost or deleted. This covers cases where damage has occurred because of virus infection, deletion, or disk reformatting. This program can be used to restore individual messages or entire database files to their original state. Outlook Express and Eudora database formats are supported by FINALeMAIL.

Network E-mail Examiner
Network E-mail Examiner can analyze a wide range of email database formats. The tool displays and processes all of the email accounts in the data store or database, as well as all of the associated metadata. The program works with both Microsoft Exchange and Lotus Notes data stores, including Microsoft Exchange Information Store versions 5.0, 5.5, 2000, and 2003, and Lotus Notes Information Store versions 4.0, 5.0, and 6.0.
The following are some of the tool's key features:
• A standalone, simple User Interface (UI)
• Bookmarking
• Support for exporting data into Paraben's E-mail Examiner
• An advanced search function

Network E-mail Examiner is designed to work in tandem with Paraben's E-mail Examiner, and its output is in the same format. Network E-mail Examiner can export an entire mail store and even convert it to another format.
Page 203
Email Track ing and Email Crime Examination
R-Mail
R-Mail is an email recovery program that can restore deleted email correspondence. This program is intended to recover Outlook Express email. The program can repair .dbx files that have been damaged by deletion. It uses a patented email restoration procedure that can rebuild broken *.dbx files to recover lost email messages. The program stores recovered email messages in .eml format, which can be imported into Outlook Express. This procedure is particularly valuable when a suspect has deleted email correspondence intentionally.

Tracing Back
Email tracing starts with checking the email header. Check the data included within the email header (containing the subject, date, Sent From, and Received To addresses). The Sent From line contains the source IP address of the host that sent the email as well as the sender's email address (which can be spoofed easily). The Received To lines show each host that the email has been processed by, ending with the date and time that the email was handled. Always remember that, except for the Received section, all lines in the email header can be faked. This is why the header data should be validated from different sources. Once the header data has been validated, the original email server should be used as the primary source to trace back to (using the procedures recorded earlier in this section). Following this, it is practical to approach the court and seek a court order to gather the log files from the source server. This data may be used as evidence to establish the sender's true identity.

Tracing Back Web-Based E-mail
Online email providers (like Hotmail or AOL) frequently make tracing the sender difficult. These services allow clients to send and receive email from anywhere in the world.
Many of these services are free, and no verification or proof of identity is required when registering for an account. Accordingly, organized criminal groups frequently set up fake email accounts with bogus information. The unique IP addresses can still be recovered to find a suspect. Most web-based email providers (including Hotmail and Yahoo) track the IP address of any host that uses their services. Moreover, most web-based email systems include this IP address in the header information.

Searching E-mail Addresses
You can use search engines to expand the amount of information you have on the suspect. Most Internet search engines will provide additional information about the suspect when you enter contact information (for example, email addresses, the suspect's name, telephone number, or locations).
Page 204
When searching for email addresses, the following search engines are commonly used:

http://www.altavista.com/ Altavista's home page has a "People Finder" option. It has two search options: telephone and email. By entering the individual's initials or the entire last name, you can discover their email address, telephone number, and even a background check.

www.infospace.com InfoSpace provides a reverse lookup option to help you in tracing an email path. You can use email directories and publicly available records to assist you with your research.

http://www.emailaddresses.com/ This site offers a free email address directory. The directory contains a wide range of information and allows searching by location as well as reverse lookups.

Google (www.google.com) Many people now use Google as their primary search engine. The use of the search engine has given rise to an entire subculture known as Google Hackers.

Email Search Site
The site www.EmailChange.com offers a free email address change register and search engine. It can be used to track down suspects who have changed email addresses. By entering the suspects' prior email addresses into the search site, their new email addresses are often identified.

9.5 HANDLING SPAM
If you receive spam from a particular address consistently, you may be able to report the incident to the FTC (the United States Federal Trade Commission) by emailing a copy of the spam message to spam@uce.gov. The FTC also has an online complaint form available at www.ftc.gov. You should include the email header when filing a complaint.
The email header provides the information that consumer protection officials need to respond to a spam complaint. A copy of the spam can be given to the ISP to make them aware of the spam problem on their network and help them reduce future incidents.

9.6 NETWORK ABUSE CLEARING HOUSE
The Network Abuse Clearing House (www.abuse.net/) was set up to help Internet users report abusive conduct. It is intended to help in the management and minimization of network abuse. The number of abuse reports has grown in step with the rapid expansion of Internet crime. The Network Abuse Clearing House has a complete database of all complaints received. This database can be accessed using the following methods:
• Using a mail forwarding service
• Using a search engine
• Through the use of a domain name lookup
• Using a WHOIS server

Abuse.net is neither a blacklist nor a blocking list, and it does not reject or block email.

9.7 PROTECTING YOUR E-MAIL ADDRESS FROM SPAM
Email spammers use a database of email addresses assembled by address harvesting on the Internet. Email addresses can be acquired from mailing lists and Internet newsgroup postings, as well as websites, Internet chat rooms, and even the membership directory of an online business. To protect email addresses from spammers, limit the occasions (if any) on which they are published in public. DomainKeys and other encoding methods can be used to restrict others' ability to abuse email accounts. These technologies apply cryptographic processing to email communications (for instance, by adding a digital signature) to help the recipient confirm the origin and authenticity of an email. They validate the domain first, then match it to the domain specified in the sender's "From" field. If an email is genuine, it is delivered to the user's mailbox. Otherwise, it is returned. The whole operation happens at the server level.

9.8 ANTI-SPAM TOOLS
In this section, we discuss several tools that have been developed to help you limit SPAM.

Enkoder Form
Enkoder Form is intended to protect against email harvesting. It allows you to encode email addresses into JavaScript code, which is visible to real browsers but invisible to many automated spam programs.
It helps protect email addresses displayed on HTML-coded web pages. Email addresses can be encoded using the basic form available at http://hivelogic.com/enkoder/form. Fill out the form with your information and then click the Enkode It button. JavaScript code is generated that can be embedded directly into the HTML code of a web page where the email address will be displayed. A web browser can then view the newly created link.

eMailTrackerPro
eMailTrackerPro examines the email header to determine the IP address of the computer that sent the email. It also provides information about the sender's geographical location. Because of this functionality, this tool is particularly valuable for guarding against spamming and spoofing. This program is available at www.emailtrackerpro.com. By sending a forged message to the recipient, an email forger (spoofer) may be aiming to cause trouble, commit a financial crime, or even defame the person being impersonated. eMailTrackerPro Advanced Edition includes an online email checker, which allows you to see all email messages on the server before they are transmitted to your PC. The product's built-in location database traces email communications to a specific country or region of the world. eMailTrackerPro also supports hyperlink integration with VisualRoute. Attackers can still evade this by using a web-based email anonymizer service; for standard email communications, open mail relay servers can be used. In that case the IP address of the anonymizer firm, not the suspect's address, will be shown.

SPAM Punisher
SPAM Punisher is an anti-spam program that helps you discover a spammer's ISP address. It recognizes fake addresses automatically and works with various email clients (including AOL, Hotmail, Microsoft Outlook, and Eudora). SPAM Punisher parses email headers for IP addresses and then attempts to determine which IP addresses are fake. It then allows you to easily email a complaint to the relevant abuse address. Spam Punisher's complaint templates are fully customizable. Spam Punisher is compatible with Windows 9x/ME/NT/2000/XP.
9.9 SUMMARY
In this chapter we learned the following:
• Phishing scams are generally messages that lead to the collection of critical and sensitive information, such as credit card numbers, social security numbers, and bank account details, which are then misused or sold illegally.
• Spam is unsolicited and unwanted email that enters our inbox. Spammers send 'Junk Mail' to millions of recipients' inboxes. Greylisting, Content Filtering, and DNS Blacklisting are some anti-spam techniques.
• Email bombing is a technique where the attacker fills the victim's mailbox with an enormous number of messages in a short period of time. The attacker's goal is to overwhelm the mailbox with traffic.
• Email forensics is the branch of digital forensics that analyzes and examines the content and components of messages using tools and techniques.
• Email headers are a significant source of information since they include the metadata that is attached to each email and help the forensic examiner analyze and examine the email artifacts.
• Email header analysis provides us with information about the attacker, such as SMTP server details, the attacker's and victim's IP addresses, the timestamp when the email was sent, and attachment file information.
• If the evidence email is proven to be spam, the experts will set a trap to capture the culprit. This is referred to as the trap technique.

9.10 REFERENCE FOR FURTHER READING
1. Practical Cyber Forensics: An Incident-based Approach to Forensic Investigation, Niranjan Reddy, Apress, 2019.
2. The Official CHFI Exam 312-49 Study Guide, Dave Kleiman, Syngress, 2007.
3. Digital Forensics and Incident Response, Gerard Johansen, Packt Publishing, 2020.
4. EC-Council CHFIv10 Study Guide, EC-Council, 2018.
5. https://emailheaders.net/forensic-email-search.html
6. https://pdfs.semanticscholar.org/8625/a3b17d199e5cabbb796bad0df56a7979c77c.pdf
7. http://jpsra.am.gdynia.pl/upload/SSARS2016PDF/Vol1/SSARS2016-Charalambous.pdf
8. https://cyberforensicator.com/wp-content/uploads/2017/01/SSARS2016-Charalambous.pdf
10 MOBILE FORENSICS, REPORTS OF INVESTIGATION, BECOME A PROFESSIONAL WITNESS
Unit structure
10.0 Objectives
10.1 Introduction Mobile Forensics
10.1.1 Acquisition Protocol
10.1.1.1 Case Study: Unlocking with Face ID or Touch ID
10.1.2 Android OS
10.1.2.1 Rooting an Android Device
10.1.2.2 Android Debug Bridge
10.1.2.3 Methods for Screen Lock Bypass
10.1.3 Manual Extraction
10.1.4 Physical Acquisition
10.1.4.1 Tools for Image Extraction
10.1.4.2 Case Study: Image Extraction of an Android Device
10.2.4.3 JTAG
10.1.5 Chip-Off
10.1.6 Micro-read
10.1.7 Challenges in Mobile Forensics
10.1.8 iOS OS
10.1.8.1 iOS Device Boot Process
10.1.8.2 Jailbreak vs. No Jailbreak
10.1.8.3 iOS file system and Architecture
10.8.3.4 iTunes iPhone Backup
10.1.9 Case Study: iPhone Backup Extractor
10.1.10 Case Study: Dr. Fone iPhone Backup Viewer
10.2 Writing Investigative Reports
10.2.1 Understanding the Importance of Reports
10.2.2 The Requirement of an Investigative Report
10.2.3 Report Classification
10.2.4 A Sample Investigative Report Format
10.2.5 Report Writing Guidelines
10.2.6 Consistency and Other Important Aspects of a Good Report
10.2.7 The Dos and Don'ts of Forensic Computer Investigations
10.2.8 Best Practice for Investigation and Reporting
10.3 Becoming a Witness
10.3.1 Introduction
10.3.2 Understanding the Witness
10.3.2.1 Qualifying As a Witness
10.3.2.2 Types of Expert Witnesses
10.3.2.3 Testimony and Evidence
10.3.3 Testifying As a Witness
10.3.3.1 Layout of a Courtroom
10.3.3.2 Order of Trial Proceedings
10.4 Summary
10.5 Reference for further reading
10.6 Frequently Asked Questions

10.0 OBJECTIVES
This chapter will help you understand the following concepts:
● Stages of Mobile Forensics
● Android Operating Systems
● Challenges
● iOS OS
● Writing Investigative Reports
● Becoming a Witness
Page 210
10.1 INTRODUCTION MOBILE FORENSICS
Mobile Forensics is a branch of Digital Forensics. It covers the acquisition and evaluation of mobile devices to obtain digital evidence for forensic investigations.

Acquisition Protocol
There are a few issues unique to mobile acquisition:
• Always handle mobile devices with gloves, as fingerprints may be collected from them.
• Make a note of all open applications running on the device and examine the files/text in the clipboard.
• Use a Faraday bag to collect the mobile device.
• All information including device name, IMEI number, serial number, etc., should be recorded in the chain of custody form.

A vital factor nowadays is device encryption; if the owner of the device is present at the time of acquisition, the device passcode/pattern lock information must be obtained. There have been some news stories about manufacturers not cooperating with law enforcement when the passcode is not available. The manufacturers refuse to unlock devices, citing confidentiality and so on. Apple has been in the news for this, and it has been observed that even Apple representatives cannot unlock an iPhone for anybody without restoring the iPhone.

Android OS
Android is an open source operating system based on the Linux kernel, developed by Google for mobile devices. The T-Mobile G1 was the first Android handset the world saw, and since then Android has come a long way. Its releases are codenamed after popular confectionery items such as Kit Kat, Lollipop, Ice Cream Sandwich, etc. The back end of Android programming is written in Java, and applications run in a Dalvik virtual machine. Further, a unique ID key is provided to enforce security measures, and applications can access device storage only if permitted by the user.
User-granted permissions are used to restrict access to device capabilities and user data. Although the protocols of Android forensics are very similar to those of computer forensics, there are numerous differences in the techniques employed, particularly as Android supports different file systems. From an Android device, we obtain data including Call Data Records (CDR), contacts, messages, app data, GPS locations, passwords, Wi-Fi networks, etc.
The Android directory structure can be explored through the 'adb shell', which we will use and demonstrate. Android's main partition is usually formatted as YAFFS2 (Yet Another Flash File System), which is designed with embedded systems, usually smartphones, in mind. Android supports the ext2, ext3, and ext4 file systems, which are the same as on Linux; it also supports vfat, which is used by Windows systems.

Rooting an Android Device
Android is a Linux-based OS that has been tweaked to optimize it for touch screen devices. Rooting Android unlocks its core module to a user, which allows access to the protected areas of the device. Earlier, rooting was a common practice among Android developers who wanted to explore all of the capabilities of the device. Over the years, rooting has become a popular practice with numerous tech-savvy Android users who want to customize their device with custom ROMs, obtain updates, and install third-party applications. Rooting allows the forensic investigator to gain root privileges on the device. But rooting an Android device requires that the examiner install third-party software on the phone that could cause changes to the device state, and there is also the risk that an improper rooting approach accidentally deletes or modifies data on the device, which may result in unreadable data formats. Although rooting an Android device to acquire evidence gives an investigator root privileges, it cannot be considered a legitimate technique for evidence acquisition, and therefore the evidence gathered by rooting the device is not admissible in a court of law.
Rootin g an Android tool to make an photograph of an Android tool is proven with inside the bodily acquisition segment afterward this bankruptcy. Advantages of Rooting: • Access to middle device documents. • Ability to require away bloatware. • Enhances battery performance. • Special apps could also be established. Disadvantages of Rooting: • If rooting isn't administered well, there could also be the threat of bricking the tool. • Security of the tool is compromised. • Warranty is void. munotes.in
If the investigator roots the device and later finds the suspect to be innocent, that individual will no longer be able to avail of any services for the device if the device is under warranty. So the investigator needs to make amends for any claims no longer covered by a valid warranty, since he has modified the device.

Android Debug Bridge
This is a command-line tool that allows us to connect an Android device to a host computer through a USB cable. It is a very flexible tool because it allows the user to carry out numerous tasks such as installing, debugging and removing apps. Also, using adb commands, we can flash a custom recovery and then, through that recovery, install root files to root an Android device. Adb is a component of the Android Software Development Kit (SDK) platform-tools package. ADB consists of three components:
• Client – which sends out commands. The client can be invoked by issuing an adb command from a command-line terminal.
• Daemon (adbd) – runs commands on the device, and it runs as a background process.
• Server – manages communication between the client and the daemon. It runs as a background process on the computer.

Adb comes with many useful commands that help the examiner communicate with the device. For example, to list the devices connected to the system, type 'adb devices'; to install an application on an Android device through the system shell, type 'adb install filename.apk'; similarly, to uninstall an application from the device, type 'adb uninstall filename.apk'.

Methods for Screen Lock Bypass
If the Android device is locked, image acquisition becomes a nightmare for forensic examiners. With security standards stronger than ever, the need for better practices to bypass the screen lock is felt. Newer Android versions are resistant to previously successful screen lock bypass techniques. However, there are a couple of techniques a forensic examiner can utilize.
• Commercial screen lock bypass tools – Offer the highest success rate along with the lowest risk of data loss. There are many tools that can be used for both Android and iOS, for example dr.fone – Unlock, iSkysoft Toolbox, Pangu FRP Unlocker Tool, etc., which provide software services that bypass the screen lock. They support many models and are simple to use.
• Flashing Custom Recovery/ROM – This method is more popular among developers for Android phones. It involves flashing the device with a custom recovery. It is very important to flash the device with the appropriate custom recovery that is specific to the device model. However, it is important to recognize the risk of this technique; flashing with a non-compliant recovery mode can destroy the data or even brick the device. Team Win Recovery Project (TWRP) and Clockwork are popular recovery tools. Also, here we are flashing ROM data, and unlike disk forensics, we never use a write-blocking device in mobile forensics.

Manual Extraction
Manual extraction can be considered the first line of techniques used in forensic examination and remains the most noninvasive one. This is also a very basic approach, which can be followed by law enforcement officers or professionals who are not tech-savvy. Experts can identify what data they need and extract it at will, since it saves time and the complexity of imaging. AFLogical OSE by NowSecure is an excellent tool for this. The general steps involved are these:
1. Push AFLogical-OSE_1.5.2.apk through an adb/USB connection or OTG drive onto the mobile device.
2. Install AFLogical OSE.
3. Open the app, select the parameters for extraction and select 'OK'.
4. Find the files in the 'forensics' folder and export them to the computer for analysis.
Call records, Contacts and Messages exports are created in .csv format, which is accessible through many applications. An info file can also be retrieved, which is in .xml format and contains information about the device and the applications stored on it. Here we are using the Santoku operating system.

Santoku is an open-source operating system for mobile forensics, analysis and security. And here we have used a Sony Xperia phone running Jelly Bean 4.2 for demonstration.
1. Use the adb devices command to list all the connected devices. ADB drivers are built into the Santoku OS.
2. Download the AFLogical OSE apk from https://github.com/nowsecure/android-forensics/downloads. Push the apk onto the device to install it. To do that, type the command: adb -d install AFLogical-OSE_1.5.2.apk
3. We can see that AFLogical is installed on the Android device.
4. Open the application and select the parameters for extraction. Click on Capture after selecting all the parameters.
5. Once data extraction is done, Call records, Contacts and Messages exports are created in .csv format, which is accessible through many applications. An info file can also be retrieved, which is in .xml format and contains information about the device and the applications stored on it. These files can be found in File Manager ➤ sdcard ➤ forensics folder. We can use those csv files for analysis.

Physical Acquisition
This is the second line of forensic approach used in mobile forensics. Forensic investigators use tools to acquire a forensic image of the mobile device.

Tools for Image Extraction
Various tools that can be used for image extraction of an Android device are as follows:
• BusyBox – often referred to as the "Swiss army knife of Embedded Linux." BusyBox is a software utility that packages many Unix tools. It is composed of over 300 commands and is a nifty little tool capable of many operations.
• Ncat – Ncat is a networking utility that allows data transfer over the network from the command line. It is part of the Nmap project and is designed to be a reliable back-end tool.
• dd – Data Definition (dd) is one of the oldest imaging tools; it is a command-line tool mostly used in Unix operating systems. It is a simple utility useful in copying data from one place to another. It comes as part of the GNU/Linux 'coreutils' package. It can acquire data in the RAW format, which can additionally be analyzed in many different forensic suites.
• Kingoroot – Kingoroot is an Android application used for rooting an Android device.

Case Study: Image Extraction of an Android Device
We have collected a mobile device from a crime scene, and as a forensic investigator we are going to root the device to get superuser access and acquire dd images of the device for further analysis. We are using an Ubuntu operating system version 16.5 for acquiring the image of the device, a Sony Xperia phone.

Before beginning, make sure you have the following tools and apks installed on your system:
• Adb drivers: you can download these from https://developer.android.com/studio/releases/platform-tools#downloads
• Kingoroot: you can download this apk from https://root-apk.kingoapp.com/
• BusyBox: you can download this apk from https://www.appsapk.com/busybox-app/
• Netcat: you can download this from https://nmap.org/ncat/
1. Here we have created the directory /Android/sdk/device and saved our KingoRoot.apk and BusyBox.apk in it.
2. After successful installation of the adb drivers, connect your Android device to your system and start a terminal. Type the following command in the terminal to list the connected Android devices: adb devices
3. To root the device, we will install KingoRoot.apk on our Android device. Type the command: adb -d install KingoRoot.apk
4. Similarly, to install the BusyBox app on your device, type the command: adb -d install BusyBox.apk
5. Once all the packages are on the device, we check whether the installation was successful by opening them.
6. Open the KingoRoot app, click on One Click Root and wait till the rooting process completes.
7. After successful rooting of the device, the SuperUser app will be installed on your device.
8. Start the BusyBox app and grant it root access, then click on the Install option.
9. Now, to start the adb shell, type the following commands to get root access: adb -d shell, then su
10. To list directories, type ls /data. We can only access these directories with root privileges.
11. To see a list of partitions, type the following command. Here we will create a dd image of the mmcblk0 partition, as it is the physical disk in the device and contains all the required data: cat /proc/partitions
12. Now we want to set up a connection between the device and the computer. We will use port 8888 here to transfer data between them. We then run the following command on the computer: adb forward tcp:8888 tcp:8888
The mobile device will read the command and send data. To listen to the communication, we use netcat on port 8888.
13. To create the dd image of the mmcblk0 partition, type the command: dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888
Here if is the input file that reads the disk, and then we pipe that data into busybox. nc is the netcat command that is used to transfer data over the network. The -p option denotes the port number used to transfer data. The -l option is used to make the Android device listen for a connection coming to the phone on port number 8888.
14. After a connection has been established, the data from the device will be piped into a file android.dd. To do this, type the command: nc 127.0.0.1 8888 > android.dd
It will take time to acquire the image; it depends on the memory of the device. Once the imaging is complete, the image file can be analyzed in different software; here we used the Autopsy tool for analysis.
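As an added example (not code from this chapter or from any of the tools it names), the following Python script works through the checks an examiner wants around steps 11 to 14 of the case study: it parses constructed `cat /proc/partitions` output to pick the whole eMMC device (mmcblk0) and compute how many bytes the dd image should contain, then checks whether the received android.dd is complete and records its SHA-256 for the acquisition notes. The partition table and the stand-in image file are constructed here and are not taken from a real device.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample of `cat /proc/partitions` output from an Android phone
# (illustrative block counts, not taken from a real device). mmcblk1 stands
# in for an external SD card, which also shows up as a whole device.
SAMPLE_PROC_PARTITIONS = """\
major minor  #blocks  name

 179        0   15388672 mmcblk0
 179        1       2048 mmcblk0p1
 179        2       1024 mmcblk0p2
 179       24   10485760 mmcblk0p24
 179       32       4096 mmcblk0boot0
 179       64   31166976 mmcblk1
 179       65   31165952 mmcblk1p1
"""


def parse_proc_partitions(text):
    """Return {device name: size in bytes}.

    /proc/partitions reports sizes in 1 KiB blocks, so a dd image of a device
    should be exactly #blocks * 1024 bytes long once the transfer completes.
    """
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip the header line and the blank line after it
        sizes[fields[3]] = int(fields[2]) * 1024
    return sizes


def whole_disk_device(sizes):
    """Pick the whole eMMC device to image (mmcblk0 in the case study).

    Only names without a partition suffix qualify (mmcblkN, not mmcblkNpM and
    not the mmcblkNboot0 boot area). Internal storage is mmcblk0 on the case
    study device; if that name is absent, fall back to the largest whole device.
    """
    whole = {n: s for n, s in sizes.items() if re.fullmatch(r"mmcblk\d+", n)}
    if not whole:
        raise ValueError("no whole eMMC device found in /proc/partitions output")
    return "mmcblk0" if "mmcblk0" in whole else max(whole, key=whole.get)


def verify_image(path, expected_bytes, chunk_size=1 << 20):
    """Compare an acquired image against the expected size and hash it.

    A short file means the netcat transfer stopped early (cable pulled, adb
    forward dropped); such an image is incomplete and must not be documented
    as a full physical acquisition. The SHA-256 goes into the acquisition
    notes so the image can be re-verified later.
    """
    actual = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return {
        "expected_bytes": expected_bytes,
        "actual_bytes": actual,
        "complete": actual == expected_bytes,
        "sha256": digest.hexdigest(),
    }


def make_sample_image(num_bytes):
    """Write a constructed stand-in for android.dd and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * num_bytes)
    return path


if __name__ == "__main__":
    sizes = parse_proc_partitions(SAMPLE_PROC_PARTITIONS)
    disk = whole_disk_device(sizes)
    print(f"imaging /dev/block/{disk}: expecting {sizes[disk]} bytes")
    # Simulate a transfer that ended early: the image is far shorter than expected.
    img = make_sample_image(4096)
    print(verify_image(img, sizes[disk]))
    os.remove(img)
```

On a real acquisition, replace SAMPLE_PROC_PARTITIONS with the output captured from the adb shell in step 11 and point verify_image at the android.dd written in step 14.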
JTAG
Joint Test Action Group or JTAG is a complex data extraction technique used in mobile forensics. JTAG was originally created by the electronics industry as a way of testing and verifying designs and printed circuit boards. JTAG is the acronym that gained popularity as an IEEE standard entitled Standard Test Access Port and Boundary-Scan Architecture. JTAG provides an interface through which a computer can communicate directly with the chipboard. It involves connecting the evidence mobile device's Test Access Port (TAP) to a JTAG emulator to gain access to raw data. The steps involved in a JTAG forensic examination are the following:
1. Identification of TAPs: you can identify TAPs by studying documented devices. If the TAPs are unknown, inspect the device PCB for potential TAPs, and then manually trace or probe to pinpoint the appropriate connector pins.
2. Solder wires to the TAPs: this leads to the appropriate connector pins, or use a solderless jig.
3. Connect the appropriate JTAG emulator with wire leads to the exhibit device.
4. Acquire the physical image dump.
5. Disconnect the wires and reassemble the device.
6. Analyze the image with forensic software.
JTAG emulators are the link between the PC's software tools and DSP boards during development. They connect to the host PC through a parallel interface or a USB port. The JTAG emulator provides a simple way to give the development system software a direct connection to one or more DSP devices on the target board. A couple of JTAG emulators are the XDS110, XDS200, XDS560, etc., for a C2000 microcontroller.
Advantages:
• JTAG is a complex, but non-invasive, technique of forensic examination.
• It can be used with many types of mobile devices, such as Windows phones.
• The method is far less complex than Chip-Off (see the next section).
Disadvantages:
• In case of device encryption, the success rate is far lower.
• JTAG resources are hard to find on the internet.

Chip-Off
Chip-Off is considered the last resort. As the name suggests, it involves removing the memory chip of the mobile device and placing it onto specific hardware for data acquisition and reading its contents. With the Chip-Off approach, examiners obtain a binary image of the memory chip, which is analyzed by
specialized software. This is an advanced forensic technique that even works for bricked and/or damaged devices. The nonvolatile memory component is removed and placed on a hardware reader through which data is obtained. Here are the steps involved in a Chip-Off forensic examination:
1. The memory chip is removed by de-soldering it.
2. The chip is cleaned and repaired (if necessary).
3. The chip is mounted on special hardware apparatus, and data is acquired.
Advantages:
• Useful for examination of devices in damaged condition.
• High chance of data acquisition if the device is locked.
• Gives forensic investigators the freedom to craft the data acquisition process.
Disadvantages:
• Heat and adhesive used to remove the memory chips can also damage the circuit board.
• Reassembly of the device after examination is very difficult and typically unsuccessful.

Micro-read
Micro-read examination involves the use of a high-powered microscope to observe output at the gate level. The device memory chip is shaved in extremely thin layers, and then the data is read bit by bit from the source using a microscope or another device. It is a highly sophisticated approach, and only a few entities offer Micro-read examination services. This technique is used for high-value devices or damaged memory chips. Being such a complex and expensive approach, it is reserved only for high-profile cases. It is very difficult to find commercial tools for Micro-read. This is likely to become a more approachable technique in the near future.

Challenges in Mobile Forensics
With smartphones evolving at a mind-blowing rate, mobile forensics is more difficult than ever. Every Android version release comes with up-to-date capabilities and security improvements, which generally interfere with the forensic process. As a new Android version is released, the forensic tools used in forensic examination often become redundant.
Apart from the software, with such a great number of players in the marketplace, a forensic examiner can also encounter different types of hardware. Device specifications have become complex and vary between companies. This adds to the preparation work of a forensic examiner, as they need the right tools to gain access to the hardware. For example, we have seen the rise of USB Type-C connectors now being used by manufacturers in many devices. Encryption in devices has gained significant momentum after the data leak scandals around the world. People have become aware of their privacy rights and feel a need to protect their data. Manufacturers have begun to bolster their security modules, which is preferred by the customer. Such a high level of security has become a major impediment for forensic examiners, because it becomes very difficult to bypass the security of the device. While mobile devices running older Android versions are still accessible through a handful of techniques, newer devices often have no support even from commercial tools. Not all of the data is on the device, as cloud storage has become a popular and preferred option for phone users. Manufacturers offer very tempting packages so that customers store their data in the cloud, and customers find it most convenient, too. All this again is a hurdle at the time of data extraction; if the account credentials are available to the forensic professionals, then the data can be obtained, otherwise there may be no access to it. Apart from logical and physical acquisition, the advanced forensic techniques such as JTAG, Chip-Off and Micro-read are highly invasive and require meticulous expertise and specialized training.

These techniques are also very expensive and are not available to all and sundry, as only a few companies offer those services. Researchers have expressed their concern about the growing complexity of breaking through the encryption of devices. Chip-off gives a 90% success rate, as many hardware manufacturers are making it difficult for examiners to carry out a thorough examination. But if history has taught us anything, it is that solutions are created as problems appear: the future is full of responsibilities and possibilities.

iOS
iOS is a mobile operating system created and developed by Apple Inc. that currently powers many of the company's mobile devices, including the iPhone, iPad and iWatch. The iPhone firmware operating system is based on Mac OS X. Every iOS device combines hardware, software and services designed to work together for maximum security. iOS protects the device and its data at rest (i.e., data that is not moving from device to device or network to network), including everything users do locally, on networks, and with key internet services.
iOS devices offer advanced security capabilities and they are easy to use. Many of these capabilities are enabled by default, and key security capabilities like device encryption aren't configurable, so that users can't disable them by mistake. Other capabilities, such as Face ID and Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device.

iOS Device Boot Process
The Bootrom allows the device to boot and initializes all the peripherals of iOS and a couple of hardware components. There are three different modes for the boot process of iOS devices:
• Normal boot process
• Recovery mode
• DFU mode

Normal Boot Process
In a normal boot process, the Bootrom runs, verifies the signature of the Low-Level Bootloader (LLB) and executes it if the signature matches. After executing LLB, it verifies the signature of iBoot (Apple's stage 2 bootloader for all iOS devices) before handing over to iBoot, which in turn checks the kernel signature and executes it. The kernel is signed, which prevents any unsigned code from being executed.

Recovery Mode
When the iOS device is in "Recovery Mode," the Bootrom is executed first; it checks the iBoot signature and, if it matches, executes it. Then iTunes sends Apple's signed "kernel" and "Ramdisk" to the device, after which the restore process is initiated. No unsigned code can be executed during any part of the "Recovery Mode."

DFU Mode
In Device Firmware Upgrade (DFU) Mode, the Bootrom is loaded and then the iBSS (a stripped-down version of iBoot) is sent to the iOS device. The iBSS signature is then checked and the iBSS is executed by the Bootrom. Next, Apple's signed kernel and restore disk are sent to the device and executed by the iBSS after a signature check. Once that is done, the restore process is initiated.

No unsigned code can be executed during any part of the "DFU Mode."

Jailbreak vs. No Jailbreak
iOS jailbreaking is used for the purpose of removing the software restrictions imposed by Apple on iOS through the use of a series of kernel patches. Jailbreaking permits root access to iOS, allowing the downloading and installation of additional applications,
extensions and themes that are unavailable through the official Apple App Store. Additionally, it is possible to use SIM cards other than the authorized provider's. A jailbreak is only possible in the DFU mode, which is a state of the iPhone operating system. The system can be overwritten in this mode with modified iPhone firmware such as the Cydia application. It is possible to download applications with Cydia (it is not an authorized AppStore) which are not authorized by Apple, for example OpenSSH, Netcat or Terminal. A jailed iPhone is a device without modified software and an altered operating system. Apple permits the installation of applications on a jailed iPhone only if they are authorized by Apple over the AppStore. A jailbroken iPhone is preferable to a jailed iPhone from the perspective of a forensic examiner, because it isn't possible to install OpenSSH and Netcat to establish a connection over Wi-Fi/WLAN on a jailed iPhone.

iOS File System and Architecture
All Apple mobile devices use the HFSX file system. HFSX is case sensitive, which means that if there are files with the same name on the system, the file system will differentiate between the two files by their case. This is the main difference between the HFSX and HFS+ file systems. Logically, the iPhone has two partitions. One is for storing the iOS-specific files responsible for loading the operating system, such as kernel images and configuration files. The other partition is used for the storage of user-specific settings and applications such as movies, music, photos, contacts and more.

The second partition is more important from a forensic point of view, because it contains all the capabilities a user can perform on an iPhone and the data for those capabilities, for example call records, contact list, short messaging service (SMS) messages, emails, audio and video, and photos. Since the iPhone's hardware and operating system are closed-source and proprietary, general-purpose forensic techniques and tools will not work on it.

iTunes iPhone Backup
iOS device backups can be managed with the Apple iTunes software. If the iOS devices are synchronized, iTunes creates a backup. All the data of the devices is stored in the backup, and it is also possible to encrypt the backup. It is straightforward for an examiner to locate and use the iPhone backup if the backup is not encrypted.

Case Study: iPhone Backup Extractor
As a forensic investigator, we are going to decrypt an iOS device backup taken through iTunes. The tool used is known as iPhone Backup Extractor. iPhone Backup Extractor is a commercial tool, but we will use its 30-day trial version for the recovery of photos, messages, videos, call records, notes, contacts, Screen Time passcode,
WhatsApp messages and other app data from iTunes and iCloud backups. We have taken an encrypted backup through iTunes for demonstration. An encrypted backup additionally backs up numerous account passwords used on the iOS device.
1. Start the iPhone Backup Extractor tool; it will show a list of the backups available on that computer. Select the backup of your iOS device. If the device's backup is encrypted, a forensic investigator can use various password-cracking tools to retrieve the password. Additionally, you can add your iCloud account to view your iCloud backup.
2. Here we can see that the iPhone Backup Extractor tool has fetched photos, contacts, messages, WhatsApp messages, call records, etc., successfully.
3. Here we can see the decrypted WhatsApp chats in the Preview section. This tool was able to fetch the images and attachments in the chats as well. Similarly, we view Photos, Messages, Contacts, etc., in the Preview section. Here we can see that the Snapchat app is also installed on the device. The paid version of this tool provides data about other apps such as Snapchat, Instagram, etc., which were installed on the iOS device at the time of the backup. Last, in the Info section, we can see information about the iOS device such as backup information, hardware details, mobile device identifiers, account details, manufacturing information and SIM provider information.

10.2 WRITING INVESTIGATION REPORTS
One of the most essential elements of any forensic engagement is the production of an investigative report. This report is written to communicate the final results of the digital forensic analysis and examination. If you cannot document your findings, nobody will know or appreciate what you have discovered or its significance.

Understanding the Importance of Reports
In forensic investigations, the investigative report is of critical importance. In most cases, report writing skills are overlooked. Producing a well-structured and logical investigative report improves the chances that a jury will be convinced that you know what you are doing and that the evidence is valid. A report must not only communicate the data, but also present expert opinion. During a criminal investigation, the reports also become the basis for the preparation and presentation of the investigation for trial. The goal of any investigative report is to document the data and evidence. If you find evidence that does not support your
Page 225
Mobile Forensics, Reports of Investigation, Become a Professional Witness 225 case you still want to document it. Related reveals inclusive of diagrams and photos need to be protected for the document to be powerful. Investigative reviews need to stipulate the fees purchased the professional’s offerings and listing all of the civil or crook instances wherein the professional has testified for the previous 4 years.The document must now not contains the instances wherein the professional acted as a witness . A witness may be a witness who isn't a ttesting withinside the potential of an professional witness. Always contains reveals inclusive of the CV of the investigator performing as a witness that lists all courses that the witness has written at some point of the previous 10 years. Ensure which y ou retain the simplest requirements for writing and attesting. Not best will reviews be saved during a deposition financial organization or library or maybe be to be had at the web , however additionally your testimony is usually administered below oath. The Requirements of an Investigative Report An investigative document is made with the motive that it are often utilized during a courtroom docket of regulation. It must be succinct and recognition at the venture or purpose of the research.The investigato r’s favorite motive is to get statistics and, as a result, proof on a selected count, to urge better widespread files, or recover sure document sorts and any date and timestamps.The purpose of the research might be described through your patron.Your patron are going to be inner to the corporation you work for or the other investigator or legal professional. Spending time documenting the goal will typically shop time and reduce the worth of the exam. Always confirm that the investigative document specifies t he venture of an research. 
Your report must flow in a uniform order, reflecting the order in which the facts were determined during the investigation. An outline, or an arrangement based on appendices, is recommended to assist in assembling material for the report. The report must be written in a logical way that states the effort, gives the results of the investigation, and sets forth the conclusions and recommendations. A coherent presentation must be used to assemble the facts and evidence.

Report Classification

Your first step in writing a report must be to become aware of the report's intended audience and purpose. The investigative report must be structured so that people who do not have a high level of technical expertise can understand it. When reading this report, a nontechnical reader must be able to understand the findings and proceedings of the case. Reports are generally classified into:
● Verbal reports
● Written reports

Reports will also be classified as being:
● Formal in nature
● Informal

When you give a formal report verbally, it must be structured for oral presentation to a board of directors, managers, or a jury. Always arrange the report to fit within the time frame given. A supplementary document that contains anticipated questions and relevant answers needs to be prepared for the people to whom you are presenting and to support your presentation. This document is known as the examination plan and is created by the attorney for the investigator's benefit. Changes to the examination plan, such as those concerning explanation or definition, may be requested by the investigator for action by the attorney if an expression or term is misused. Do not include items that are not related to the testimony.

An informal verbal report is far less structured than a formal report and is delivered in person (most often in an attorney's office). This report is meant to be a preliminary report and it needs to be strictly controlled to prevent inadvertent release. It must cover the elements of the investigation that have not been completed, such as any tests or analysis that have not been concluded, interrogatories, document production, and depositions.

An informal written report is also a preliminary report. This type of report is a high-risk document that contains sensitive information which may prove useful to the opposing party. The opposing party may also obtain the document in discovery. Discovery is the attempt made to obtain evidence prior to a trial. The information can be a written request for admissions of fact, a deposition, or questions and answers written under oath.

A formal written report is a report sworn under oath (such as an affidavit or declaration).
Always ensure that your word usage, grammar, spelling, and facts are accurate when writing formal reports. As this report is formal in nature, the preferred style uses first-person narrative in a natural language style. An affidavit can be used to support the issuing of a warrant or be presented as evidence in a formal court hearing. Always give your full attention to writing a document in the formal written style. It is prudent to include the substance of written, informal reports in an informal, verbal report. Summarize the manner and method, including the subject system, the tools used, and the findings, in the verbal, informal report. Never destroy a written, informal report without formal written guidance from an attorney, as this action can be considered the destruction or concealing of evidence.

A Sample Investigative Report Format

The following section gives a possible format for an investigative report. The presentation of correct text is essential to being able to communicate clearly. As such, always give your full attention to the format and presentation of information in a report while you are writing. It is also advisable to adhere to a single format throughout the report. This creates consistency. Two main techniques exist for developing a format structure: decimal numbering and legal-sequential numbering. Here is an example of the decimal numbering system:

1.0 Introduction
1.1 The Nature of the Incident
1.1.1 The Details of the Victim
2.0 First Incident
2.1 The First Witness
2.1.1 Witness Testimony – Witness No. 1
3.0 Location of Evidence
3.1 Seizure of Evidence
3.1.1 Transportation of Evidence
4.0 Analysis of Evidence
4.1 Chain of Evidence
4.1.1 Extraction of Data
5.0 Conclusion
5.1 Results
5.1.1 Expert Opinion

Legal-sequential numbering uses this layout:

I. Introduction
1. Nature of the Incident
2. The Victim
3. Witness to the Event
4. Location of Evidence
II. Examination
5. Chain of Evidence
6. Extraction of Evidence
7. The Analysis of Evidence

The legal-sequential numbering system is used in pleadings and is familiar to attorneys. Roman numerals are used for the major parts of the report and Arabic numbering supports the detailed information. The most important aspect of any investigative report is the use of effective language to communicate the facts clearly. To do this, signposts must be included in the report. A signpost is a guide for the readers of the document that focuses their thoughts on an element or sequence of a process. Signposts highlight the main points that you wish to convey by developing a logical progression of the information in the report. This makes it easier for the reader to understand the document. For instance, the steps in the document can be introduced using a signpost such as "The first step in this section" or "The second step in the examination". These act as the signposts for the sequence of information. Try to steer clear of redundant statements such as "This report is submitted" or "As the result of the investigation, I have to report as follows". The use of proper style and tone, and attention to the use of correct layout, punctuation, vocabulary, and grammar, is critical when you are writing a report.

Report Writing Guidelines

Whatever you write in your report, you must remember that its presentation needs to flow in a logical order if it is to convey the information you have gathered in the way that you intend. To achieve this it is important to plan the report before writing it. This allows you to build your argument piece by piece. The report must contain a proper flow of sentences that are arranged to support the development of thought in a clear and unambiguous way from the beginning to the end of the document.
Each paragraph must be correlated to mirror the aims of the entire document and give the reader an impression of precise relation. The use of headings with details beneath them is recommended. These details must be set out in paragraphs, each limited to a specific topic. Any use of jargon, slang, or technical terms must be avoided where feasible. If necessary, prepare a glossary containing the slang or technical terms. When writing, use the active voice in place of the passive. The active voice encourages conciseness and accuracy in writing and comes across as being more forceful. Always refrain from trite and superlative words. When a particular abbreviation is used for the first time in the report, it is advisable to write out its full form. Include acronyms in the Glossary provided at the end of the report. Most attorneys do not have a thorough technical background. As a result, it is possible to confuse them with the use of acronyms.

Using Supporting Material

A well-written investigative report tells a story in which one has to answer numerous questions such as who, when, where, why, and how. While answering those questions, supporting materials such as figures, tables, data, and equations are required if they help the story unfold in an effective form. The supporting material may be referred to directly in the text and integrated into the writing to enhance the effect. It is advisable to number figures and tables in the same order as they are introduced in the report. For example, tables may be numbered as Table 1, Table 2, and so on. In the same manner, figures may be labeled as Figure 1, Figure 2, and so on. Numbering the material avoids confusion and makes it easier to recognize. To reduce narration and emphasize important information, place tables and schedules in appendices. Captions are preferred over simple titles, as the complete information adds to the conciseness of the presentation. If charts are used, they must be labeled, including axes and units. If any table or figure is cited in a paragraph, that figure or table must be inserted after the paragraph. One can also collect all supporting material after the reference section.
Consistency and Other Important Aspects of a Good Report

Whenever you are writing a report, remember that consistency is significant. Create and maintain report templates to assist you. A suitable investigative report layout must include the following sections:
● Abstract or summary
● Table of contents
● Body of report
● Conclusions
● References
● Glossary
● Acknowledgments

These sections can be adjusted to fit the purpose of the report. The abstract or summary must present the essence of the report as an abbreviated or condensed form of the investigation. That is, it must present the key ideas expressed in the report. A well-designed table of contents must offer quick reference to all important features of the investigation. Any appendices included in the report must be listed and described in the table of contents. The body of the report must contain the main points that you wish to convey. It must address the purpose of the report. References and appendices list the material referred to in the report, such as output from tools and interview notes. A presentation can follow any layout that you and the other parties are comfortable with.

The Main Features and Aspects of a Good Report

A good report will generally have the following features:
● It will offer a thorough explanation of the techniques, examination strategies, materials, or systems used. It will also detail any analytical or statistical strategies, data collection, or sources within various subsections that assist the reader in developing an understanding of the investigation process.
● Any good report offers a well-prepared presentation of the facts gathered. The fact-gathering process is an essential part of an effectively conducted forensic examination. In preparing the lab report, information such as observations must be recorded in a laboratory notebook for later reference. All the tables used for presenting data must be labeled.
● Include any calculations that you make. It is good practice to summarize in the report the common name of the calculations (e.g. Secure Hashing Algorithm for SHA-1) used to verify the integrity of the evidence, and the dates on which these were completed during the investigation. Briefly describe the tools used for this calculation and their stated source.
● Include a statement detailing any provision for uncertainty and error analysis. There are always limitations of expertise and there may be no foolproof way to protect the integrity of data. For example, when retrieving a timestamp from a computer system you must state that the timestamp can easily be reset and that this information on its own must not be relied upon.
● Give detailed reasons for your results. These must be listed in a logical order using subheadings containing text which addresses the purpose of the report. Where feasible, use tables and figures within the text to enhance its presentation. Make sure that any reader without knowledge of the case can fully understand the investigation and the results from this report.
● Present a discussion of the results and conclusion. Discussing results and conclusions is critical. The significance of the findings must be established in this section of the report. Provide answers to questions such as how the case progressed, what problems occurred, and any problems that were addressed.
● List your references. Include the people and publications mentioned in the report. Plagiarism will destroy the credibility of your report. Cite all source material, Web sites, the reports of others, and any works that are not your own.
● Include any required appendices. An appendix must be used to reference any additional material that is referenced in the report. You must include charts, diagrams, graphs, transcripts, and copies of tool output. Arrange the appendices in the order in which they appear in the report.
● Provide acknowledgment where it is warranted. Thanking the people who helped during the creation of a report will make it far more likely that they will assist you in the future. List the people who have contributed to the evaluation of data, proofreading, or any other helpful activity. Acknowledgment is optional, but recommended.

The Investigative Report Format

There are as many report writing formats as there are organizations or agencies. When a previous report is available that is acceptable to the parties, follow the layout it used instead of re-developing one. Review the facts to decide their relevance and, as a result, what information to include and which to remove prior to writing the report. Carefully study any data and ensure that they are applicable. The report must contain all of the relevant evidence.
This includes evidence that does not support the report's conclusion. You must maintain your objectivity in the report and record the findings in an independent and proper manner. Try to locate flaws in reasoning or examination, as it is probable that if you don't, someone else will. Do not develop an agenda other than finding the truth during report writing. There are essentially 4 sections to an investigative report. These are:
● Section 1: This section consists of the key information such as the investigating officers, how to contact them, and the location of the working papers.
● Section 2: This section covers the background and summary of the report. It includes a summary of the complainant's allegations, discretionary information that may assist the reader in understanding the case, the final result of the case, and the list of allegations.
● Section 3: This section introduces the first allegation. It gives the facts, offers an evaluation and discussion of the facts, and, where suitable, offers a recommendation. Conclusions may be stated in this section, and this section may also include the disposition to record any remedial actions that the responsible authority took regarding any substantiated allegations. In this section, you must address each allegation in the same layout if more than one exists. Further sections may be added to the document at this point, depending on the allegations.
● Section 4: The concluding section lists and describes the interviewees, the documents reviewed, and all other evidence that has been gathered.

Before writing the report, remember that various forensic software tools, such as Forensic Toolkit (FTK), DriveSpy, ILook, and EnCase, can generate reports. These tools can create reports in text format, a word processor format, or HTML format. The final report is the combination of the report generated using forensic tools and the original investigative report.

The "Do's" and "Don'ts" of Forensic Computer Investigations

The seven most essential dos and don'ts that apply to any forensic investigation are:
1. Ask questions. Inquire about the nature of the request. The more knowledge you have concerning the investigation, the more effective you will be.
2. Document methodically. No matter how simple the request, write it down, even if you feel that you may not perform that part of the work.
3. Operate in good faith. Generally, you must follow instructions from your superior or legal counsel in the course of an investigation.
It is possible that some investigative actions will be unlawful. Bring this to the relevant parties' attention.
4. Don't get in too deep. If any of the following situations are true, you will need to make an important determination on whether or not to continue on your own or to call in other parties (such as law enforcement):
a. The investigation involves a crime.
b. The investigation is expected to lead to severe discipline or termination of an employee.
c. The investigation requires that documents be prepared and maintained for a court or a government investigative body, and follow legal discovery rules.
d. Large-scale investigations over more than one jurisdiction must be conducted by experienced investigators.
5. Plan to investigate. Involve the people who are important to the investigation and don't make all of the decisions yourself.
6. Treat everything as confidential. No matter who knows, or what rumors surface, keep all information confidential and disclose it only to the people who need to know.
7. File it. Keep your documentation and store it safely. Always file it in a controlled manner.

Best Practice for Investigation and Reporting

Any good report will answer the 5 Ws: who, what, why, when, and where. Remember to record who was involved in the case and who requested it. Document what was done and why. When and where did it occur? A suitable report must provide an explanation of the computer and network procedures and record all salient elements of the system. A well-conducted investigation must also follow the SMART method. This is:
● Specific: Detail every aspect.
● Measurable: Ensure that you log file sizes, times, and other relevant material.
● Achievable: Ensure that you have the resources to achieve your objectives.
● Realistic: Report the facts; don't speculate.
● Time-based: Work to time constraints and deadlines, and ensure that you have recorded all of the events as they happened on the system.

Reports are essential to an investigation as they provide the means to communicate the findings and other evidence to the necessary people.
A report can be formal or informal, verbal or written, but it always needs to be grammatically sound, so ensure that you use correct spelling and avoid any grammatical mistakes. When writing the report, avoid the use of jargon, slang, or colloquial phrases and ensure the readability of the writing, as that is essential to the success of a report. Writing a report is like thinking. The presentation of the report needs to flow logically to convey the information in a structured form. Discuss the results and conclusions. Remember that the final report is a combination of the reports generated using forensic tools and the original investigative report. Also, while engaged in the investigation, don't forget: Document everything!

In digital investigations, the most essential thing to remember is documentation, or maintaining the chain of custody. Documentation must be maintained from the beginning to the end of the engagement. Having a flawed chain of evidence is worse than having no evidence at all.

Document the system's hardware configuration. After you have moved the system to a secure location where the proper chain of custody can be maintained, it is essential to take photographs of the system hardware components and of the way the connections and cables are arranged as documentation.

Also, record the system date and time. This is extremely important. An incorrect date and time stamp can allow the refuting of evidence and call into question the integrity of the findings. Even if everything else goes perfectly, the mere fact that this happened will affect the entire investigation.

Document filenames, dates, and times on the system and make a timeline. The filename, creation date, and last modified date and time are of critical importance from an evidentiary point of view when admitting digital evidence. The filename, size, content, and creation and modification dates must be documented.

Finally, you must record all the findings. It is important to record the findings sequentially as the issues are identified and evidence is discovered. A proper record of all of the software used in the evaluation of the evidence must be prepared. One must be legally licensed to use the software, because pirated software is of no use in a trial of the case.
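The documentation steps above (integrity hash calculations, filenames with their dates and times, and a timeline) can be produced mechanically. The following Python script is an added example, not code from the chapter or from any of the tools it names; the evidence files, their contents and timestamps are constructed sample data, and the report table layout is an assumption.

```python
# Added example (not from the chapter): build the evidence inventory, the SHA-1/SHA-256
# integrity record and the file timeline for the report appendix, then re-verify hashes.
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class EvidenceRecord:
    name: str      # path relative to the evidence root
    size: int      # bytes
    changed: str   # st_ctime in UTC (inode change time on POSIX, creation time on Windows)
    modified: str  # st_mtime in UTC
    sha1: str
    sha256: str

def hash_stream(fobj, chunk=65536):
    # Stream the data through both digests: SHA-1 for comparison with legacy tool
    # output, SHA-256 as the value to rely on.
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h1.update(block)
        h256.update(block)
    return h1.hexdigest(), h256.hexdigest()

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def iso_utc(ts):
    # Record every timestamp in UTC so the report is unambiguous about time zones.
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")

def inventory(root):
    # Walk the evidence root and record name, size, timestamps and hashes per file.
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            sha1, sha256 = hash_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records.append(EvidenceRecord(rel, st.st_size, iso_utc(st.st_ctime),
                                          iso_utc(st.st_mtime), sha1, sha256))
    return records

def timeline(records):
    # Order by modification time so the report narrates events as they occurred.
    return sorted(records, key=lambda r: (r.modified, r.name))

def verify(root, records):
    # Re-hash every file; returns the names that are missing or whose hashes changed.
    bad = []
    for r in records:
        path = os.path.join(root, r.name)
        if not os.path.isfile(path) or hash_file(path) != (r.sha1, r.sha256):
            bad.append(r.name)
    return bad

def report_table(records):
    # Numbered, captioned table for the appendix, as the chapter recommends.
    rows = ["Table 1. Evidence inventory with SHA-1 and SHA-256 integrity hashes",
            "Name | Size | Modified (UTC) | SHA-1 | SHA-256"]
    rows += [f"{r.name} | {r.size} | {r.modified} | {r.sha1} | {r.sha256}"
             for r in timeline(records)]
    return "\n".join(rows)

def build_sample_evidence(root):
    # Constructed sample files with distinct mtimes; not real case data.
    samples = {"logs/auth.log": (b"Jan 5 10:00:01 sshd: Accepted password\n", 1704448801),
               "docs/notes.txt": (b"constructed note\n", 1704448900),
               "export/chat.db": (b"constructed database bytes", 1704448700)}
    for rel, (data, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))

def demo():
    # Inventory and verify the sample evidence, then alter one file after acquisition
    # and show that re-verification flags exactly that file.
    with tempfile.TemporaryDirectory() as root:
        build_sample_evidence(root)
        records = inventory(root)
        clean = verify(root, records)
        with open(os.path.join(root, "docs", "notes.txt"), "ab") as f:
            f.write(b"edited after acquisition\n")
        return {"timeline": [r.name for r in timeline(records)],
                "clean": clean, "tampered": verify(root, records),
                "table": report_table(records)}

if __name__ == "__main__":
    print(demo()["table"])
```

Run the script to print the appendix table; the returned "tampered" list is what a re-verification at trial would have to come back empty for the integrity record to hold.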
Documentation may also include the software license and screenshots showing how the software was used in the evidence collection process.

10.3 BECOMING AN EXPERT WITNESS

Introduction

A cybercrime investigation and the building of the case report are aimed toward one end result: obtaining a conviction of the cybercriminal in a court of law. No matter how good the evidence you obtain (log files showing unauthorized access to the network, hard disks seized from the suspect's computer containing clear indicators of the criminal activity, network records tracing the intruder back through Internet servers to his or her computer), none of this evidence can stand on its own. Under most judicial systems, physical and intangible evidence must be supported by testimony. Someone must testify about when, where, and how the evidence was obtained and confirm that it is the same when it is presented in court as it was when it was collected.
Even though you must treat each case as though you expected it to go to court, actually testifying in court can be a stressful experience. If you have never been in a courtroom before, it can feel very much like your first day at a new school. You are unfamiliar with the environment, don't know the procedures, and may even make mistakes that will cause you to wince later. Even when you know what to expect, it can still feel like you are walking into the principal's office (or at times like you are walking onto the playground to be beaten up). Testifying generally isn't a pleasant experience, although it can be made easier through knowledge and experience. With sufficient preparation, the event may even be something you will remember proudly.

Understanding the Witness

Testimony in court is provided by witnesses, who are people who have first-hand knowledge of a crime or incident, or who provide evidence during a trial, tribunal, or hearing. When evidence is technical in nature and hard for laypeople to understand, experts are often required to testify to explain the nature of the evidence and what it means to the case. In a cybercrime case, police investigators and IT staff may be required to take the witness stand. Two types of witnesses may be called to testify in criminal actions:
● Evidentiary witnesses
● Expert witnesses

An evidentiary witness is a person who has direct knowledge of the case.
For example, a network administrator might be called to testify about what he or she observed during an attack on the network, or an investigator might be called to testify about the evidence that he or she found on a computer that was seized pursuant to a search warrant. An evidentiary witness can only testify about facts (what he or she saw, heard, or did) but cannot give authoritative opinions or draw conclusions.

An expert witness is different from an evidentiary witness in that he or she can provide opinions and draw conclusions about the facts of the case. The expert witness may have no direct involvement in the case but has special technical knowledge or expertise that qualifies him or her to give professional opinions on technical matters. Expert witnesses sometimes prepare reports that outline their opinions and give reasons for each opinion. Even though an expert witness can present conclusions, he or she is limited in the opinions that can be expressed. For example, an expert in computer technology may testify that a threatening e-mail was traced to an account that was owned by the defendant, and how analysis of the defendant's computer showed that it was actually sent from that machine. The witness cannot present a conclusion that the defendant is thereby guilty as charged. After all, a person is considered innocent until proven guilty, and the neutrality of the expert witness must reflect that philosophy. The computer expert also could not speak about the state of mind of the defendant as the message was being sent, as psychology is not the witness's expertise. A witness is limited to testifying about what he or she saw, heard, or did, and expert witnesses can speak only to this and/or about facts that are within the scope of their knowledge and experience.

The prosecution and defense attorneys are permitted to have expert witnesses testify in a case, although they are not always deemed necessary by one or both sides. As such, experts are not used in most trials. In many cases, the burden of proof is evaluated and a plea bargain is reached. A plea bargain is an agreement in which the defendant pleads guilty to a lesser crime to have more serious charges dropped. Even when a case does go to trial, frequently the evidentiary testimony is all that a prosecutor or defense attorney needs to argue the guilt or innocence of a defendant. For each case going to trial, an attorney must decide whether the facts would benefit from an expert opinion, or whether the evidentiary testimony and evidence can stand on their own. The expert witness must also not be confused with experts that serve as consultants, whom each side may use to understand different types of evidence.
For example, in a trial concerning a car accident, the defense attorney may contact an expert in safety standards to understand problems related to the airbags used in a particular make and model of car. Although the expert provides clarity in understanding aspects of the case, he or she is not an expert witness because:
● The person has not been subpoenaed or sworn in as a witness.
● No testimony has been given in court.
● The court has not recognized the person as an expert.

As we will see in the next section, whether or not a person is designated as an expert witness is mostly at the discretion of the judge hearing the case. The expert witness provides information about his or her qualifications, and both the prosecution and the defense review the person's education, experience, and other credentials. Either side may challenge the person's qualifications in court, or they may both agree that the person is an expert in a particular field. Ultimately, however, it is up to the judge to recognize the person as an expert.

Qualifying As an Expert Witness

The requirements for qualifying as an expert witness vary around the world. In some countries, expert witnesses must be registered as experts in a particular field. In the USA and Canada, experts must generally demonstrate their expertise by presenting their credentials in court. Determining whether a person qualifies as an expert witness, and whether their testimony is admissible, involves a process of examination, cross-examination, and recognition by the court. The attorney calling the potential expert witness will typically read his or her qualifications into the record, and/or may ask a series of questions. These questions are designed to show the person's credentials as an expert. Such questions may include:
● What degrees, diplomas, or certificates do you have?
● What positions have you held in the field?
● What lectures or courses have you taught in this field?
● What additional training or courses related to this field have you taken?
● What memberships in organizations related to this field do you have?
● What books or papers have you written pertaining to the field?
● What is your past experience as an expert witness in this field?

The quality of your answers to these questions will help to determine whether you will be recognized as an expert in a particular area. However, in looking at these questions, don't feel that you need to have an outstanding answer to every one. For example, if you had education and experience but didn't have any teaching experience, you could still be declared an expert.
The key factor is the overall expertise, not whether you have an impressive answer to each and every one of these questions. After all, the first time anyone testifies in court, the answer to whether you've testified before will be a resounding "no." Once the witness has been called to the stand and examined, the court will be asked to accept him or her as an expert. The opposing side will then have the opportunity to accept the witness as an expert or challenge his or her admissibility. If a challenge is made, the opposing side can cross-examine the witness on his or her qualifications.
The opposing side may also challenge the expert witness's credentials in an attempt to have that individual's testimony deemed inadmissible, or to prevent him or her from stating opinions and conclusions about the evidence. The attorney making this challenge has a heavy burden in trying to exclude evidence or testimony at any stage of litigation. Not only must he or she attack the credibility of such witnesses, their testimony, and any evidence they've provided, but must also do so with limited knowledge. The attorney may be an expert in law, but have minimal or no expertise in the field of the witness. As we'll see in later sections of this appendix, an attorney may use a number of tactics and resources when cross-examining a witness and challenging him or her as an expert. Such tactics can include methods of asking questions, and tricks that are often successful in tripping up a witness's testimony. To understand technical elements of the case and ask more effective questions, the attorney may hire his or her own expert, who may be consulted before the trial and/or during the proceedings. Because the challenging side's expert is never sworn in as a witness, the identity of the expert may never be known to the opposing side, and will never be cross-examined. Although this can help an attorney's case a great deal, the costs involved in hiring an expert may be prohibitive, so they aren't used in most cases. Once the opposing side has cross-examined the witness, the court will hear arguments from both sides on the matter of whether the individual should be recognized as an expert.
In addition to arguing that the expertise of a witness hasn't been established, and that the individual is thereby unqualified to give opinions on the subject matter, arguments may be made that the individual's expertise is limited. Challenging the limited expertise of a witness may be done during cross-examination. If the individual's expertise is deemed limited, he or she may still be able to give opinions, but the individual's testimony may be given little weight. Regardless of whether the witness's qualifications are challenged, the final decision rests with the judge. If the judge is satisfied that the witness has enough training and experience to testify and form opinions on subject matter related to the case, the court will recognize that the individual is an expert. The area of expertise that's recognized may be broad (such as being an expert in computer technology) or limited to a narrow field (such as being an expert on a specific piece of software). Just because someone is an expert in a single trial doesn't necessarily mean that he or she will be recognized in any other trial. Being declared an expert applies only to that particular case, and doesn't carry forward to other cases in which you may testify in
the future. For each trial, the process of being recognized as an expert must start over again.
Experts Who Aren't Witnesses
Lawyers are taught never to ask a question that they don't know the answer to. However, despite the fact that he or she has expertise in practising law, the attorney may have limited knowledge of technology or other specialized fields. To make up for this lack of expertise, experts are often used as consultants. Regardless of whether a consultant working with the attorney testifies in court, the prosecution or defense attorneys may use him or her to provide additional insight into a case during the course of a trial. The attorney may consult experts prior to a trial and/or during proceedings. In many cases, the expert will write reports that explain technical elements of a case in layman's terms, and document any errors apparent in witness statements that contain technical information or in the processing of evidence. Because of the information provided by the expert, the attorney can better prepare for the potential testimony of witnesses, and cross-examine them on technical elements of a case.
Because the consultant is never officially used in court (i.e., sworn in to give testimony), one side may never know the name or existence of a consultant being used by the other side. In some cases, experts will also be present in court. The expert will listen to testimony, provide information on technical anomalies or other details in what a witness testifies to, and may even provide a few follow-up questions that the attorney can use. When the opposing side tries to qualify a witness as an expert, the consultant can help in clarifying areas of the witness's testimony, and suggest questions for cross-examination that may disqualify the witness as an expert. Experts in various fields are also used for the purpose of testing evidence so that it can be used in the case. For example, DNA evidence may play a key role in a murder trial, or one involving sexual assault or paternity. A DNA expert may be hired to examine blood or semen samples. Through the testing, the validity of this evidence may be determined, and it may be shown to match a defendant or to have been tainted in some manner. Through such tests, the guilt or innocence of someone may be established, which may help to decide whether the case should be dismissed. Needless to say, if any of the results were used in court the individual would then be called as a witness, and in all likelihood go through the process of being qualified as an expert witness.
Although experts may be used in a case without ever acting as a witness, expert witnesses are also commonly used in the capacity of a consultant. The attorney who called the witness may request that the individual remain in the courtroom to provide insight into technical issues, or assist in other ways. Because the court has already recognized the individual as an expert, there may be an advantage in being able to recall the witness to the stand to provide additional testimony on details as they arise during the trial.
Types of Expert Witnesses
An expert witness testifies with regard to subject matter in which he or she has expertise, so it should come as no surprise that, because there are so many different subjects, there are many different types of expert witnesses. Although experts exist in many fields, some of the more common ones used in trials include:
● Civil litigation experts
● Criminal litigation experts
● Computer forensic experts
● Medical and psychological experts
● Construction and architecture experts
Criminal Litigation Experts
Criminal litigation experts are used to assist in the prosecution and defense of individuals involved in a crime. Criminal litigation involves actions against people who have committed illegal acts, who are brought to court by the government to address charges of breaking specific laws. Expert witnesses are used to assist in understanding technical details of a case, to analyze and present evidence, and to perform other functions that would best be addressed by an expert in a related field. The specialties of criminal litigation experts used in court vary significantly.
There are experts in almost any field you can think of who may be used to explain any type of evidence or aspect of a case. In criminal cases, the majority of experts used by the prosecution will be members of the police, or others involved in the investigation. As we've mentioned, the person who performed a computer forensic examination will often be called as a witness, and may be qualified as an expert in a particular area of technology. Similarly, in a case involving an automobile accident, a police officer trained as an accident reconstructionist will gather evidence at the scene of a traffic accident, and reconstruct the cause, effects, and other events that led to the accident from those
clues. The defense may also use experts to support their position in the trial. These experts may be used to perform tests and analyze details of the case, in addition to providing alternative interpretations of the evidence. By bringing this expertise to a case, the facts of the case become clearer to the judge, jury, and other parties involved. As we mentioned previously, experts are also used to provide technical consulting to legal counsel, serving as a resource for explaining technical details. This insight will prove useful not only during the trial, but also during discovery and depositions.
Civil Litigation Experts
In addition to criminal cases, experts are used in civil litigation, in which one party sues the other to reclaim what they feel is owed to them. Civil litigation courts provide a forum for resolving these disputes. Civil litigation can include any number of lawsuits between individuals and/or organizations, including:
● Libel and slander
● Land disputes
● Probate of wills
● Wrongful dismissal
● Malpractice
● Personal injury
● Wrongful death
● Contract disputes
● Other disputes between individuals and/or organizations
In looking at the various legal actions that may arise in civil court, you'll see that not all of them involve suing for monetary settlements. In many cases, civil litigation tries to decide the rights of an individual, the scope of an agreement, or the intent of a contract.
For example, if someone died without a will, the court may be required to decide the wishes of the deceased, and how best to divide the estate among the individual's spouse, children, and other interested parties. To determine the facts of a case and come to an equitable decision, expert witnesses may be used to evaluate and assist in understanding the facts of the case. These experts are often the same types as those used in a criminal trial, including forensic accountants, medical experts, and other specialists in any field that may provide insight into elements of the case.
Even though civil court is not the same as criminal court, the two frequently overlap. In addition to the use of the same types of experts in both areas of law, a case that is heard in criminal court may also later appear in civil court. A famous example of this is the O.J. Simpson trial, in which he was acquitted of the murders but was later found liable in civil court and ordered to pay damages in a wrongful death suit. Just because an individual is tried in criminal court doesn't mean he or she can't be sued later in civil court.
Computer Forensic Experts
As you well know from reading this book, computer forensics is the collection, examination, preservation, and presentation of digital evidence. Computer forensic experts collect and examine potential evidence during an investigation, including data that's been deleted, encrypted, or damaged. Any steps taken during this process are documented, and methodologies are used to prevent the evidence from being altered, corrupted, or destroyed. As we've stressed throughout this book, any case involving computer forensics should always be treated as though it were going to court, and as though any documentation and evidence will eventually be turned over to a prosecuting attorney.
In criminal cases, the defense attorney may also hire his or her own expert to review the evidence and determine whether any mistakes were made during the examination of the computer. The expert will also document the actions he or she took, which will generally be incorporated into a final report that's submitted to the attorney. This expert may also be required to testify in court, but this time on behalf of the defense attorney. While serving as an expert for the defense, the computer forensic expert must remain impartial and perform many of the same functions as the prosecution's expert. Any examinations he or she performs may involve examining, preserving, and presenting evidence, and may also require collecting additional evidence that was overlooked during the investigation. In doing so, the expert may attempt to find alternative explanations for the presence of data, such as determining whether a Trojan horse, botnet, or other malicious software was present on the machine. Because he or she is working on behalf of the defense, it is vital that any client-attorney information that is inadvertently obtained is kept confidential and not divulged without the consent of the attorney or an order of the judge. Computer forensic experts may also be used in civil litigation. Because information relevant to a case may be stored on computers or other devices, computer forensic experts may be used to search for data such as e-mail,
text messages, chat logs, Web page history, calendar files, spreadsheets, documents, images, and other files on a machine. Examining this data may reveal information that identifies an adulterous affair, fraud, malfeasance, downloading or visiting illegal or disturbing material (such as pornography), or other activities that could determine the outcome of a lawsuit. Because the data obtained through computer forensics consists of documents, spreadsheets, and other files that contain information outside of the computer expert's scope of expertise, additional experts may be used to explain what has been found. In such situations, the investigation and the resulting criminal or civil litigation will often use other experts who are appropriate to the evidence.
Medical and Psychological Experts
Like computer forensic experts, medical and psychological expert witnesses may be used in both civil and criminal litigation. Medical and psychological experts respectively provide insight and assistance on physical and mental issues that may be involved in a court case. They may be used by either side in a court case to perform tests, review existing diagnoses, or testify about technical details related to evidence. Medical experts are doctors or health professionals who are dedicated to specialized fields of medicine. They may be used to perform DNA or toxicology tests, testify to the extent of injuries suffered by a victim or plaintiff, or provide information on diseases, disabilities, practices, and/or procedures.
Some of the other areas in which they provide specialized assistance include:
● Dentistry, which can include forensic dentistry and bite marks
● Drugs, which may involve testifying about prescription medication or illegal drugs taken by an individual. This type of expert can testify about different kinds of drugs and their effects, or perform and analyze drug tests on an accused person or people involved in a case.
● Malpractice, in which mistakes made by doctors or medical professionals are evaluated, reported, and presented in court.
Psychological experts are doctors and medical professionals who specialize in the mental health, psychological, and psychiatric fields. They may be used to evaluate and testify to the competency of an accused person or individual involved in the case, such as when it must be determined whether someone is fit to stand trial, or to establish the mental state of someone when a crime
took place. In hearings involving children, they may also be used to establish whether a parent is unfit, or should be allowed unsupervised access to children. Some of the areas in which they provide specialized assistance include:
● Diagnosis and treatment of mental illnesses
● Medications and psychotropic drugs
● Standards of care
● Emotional distress and the effects of a crime or event
Since medical and psychological professionals may be used during an investigation, they may be required to testify about information they provided earlier or evidence obtained by them. For example, if a medical or behavioral analyst was used to develop a profile of a serial killer and the victims associated with the case, the information previously provided to police may appear as evidence in a trial. The expert would then need to testify, to explain the methods that were used, and to explain data that might not be readily understood by the court.
Construction and Architecture Experts
Criminal and civil litigation can also involve issues dealing with real property and the way in which a building or structure was built or designed. To provide insight and input in these cases, construction and architecture expert witnesses may be used. Some of the areas in which they provide specialized assistance include:
● Building and fire codes
● Project management
● Defects in construction or design
● Accidents and safety
Construction and architecture experts can also provide information on how incidents involving buildings occurred. For example, if a building was bombed, experts may be used to explain how the bomb was positioned in a location that could bring down the building.
In criminal and civil cases, experts can also provide insight into how various types of damage were caused by poor construction, mistakes in how the building was designed, or other issues that led to financial loss, injury, or death.
Testimony and Evidence
Testimony and evidence go hand in hand in a court case. Evidence often needs some narrative to put it into the context of the case, and relies on witness
testimony to do that. When an individual providing technical information about a case gives testimony, it may fall into one of two categories:
● Technical testimony
● Expert testimony
Technical testimony consists of statements given under oath that present information of a technical nature. In providing the information, the witness must be accurate while translating complex and scientific issues into simple terms and ideas. In other words, in addition to testifying about the case, he or she must also educate the jury and/or judge so they understand the relevance of these technical details. Since it is essential that those in the court understand what's being said on the stand, there are a number of things you can add to your testimony to make it more comprehensible to laymen, including:
● Refrain from the use of jargon.
● Explain the meaning and importance of terms and acronyms. For example, "EnCase is forensic software that was used to collect data from the computer. It's a proven product that the FBI has used for many years."
● Provide a glossary of technical terms and ideas to legal counsel. This may also be used by the court reporter when transcribing your testimony.
● Provide charts and photographs so that the jury and/or judge can better understand what's being talked about.
It is often beneficial when relating technical information to speak in a slow, calm tone of voice. Although you should speak slowly enough that the court reporter can effectively transcribe your statement, and the judge and jury can follow the development of your testimony, you shouldn't speak so slowly that it appears you're patronizing those in the room.
Practicing the pace and tone of your voice on friends and family before testifying can help you work out the best way to speak clearly. Since many people will not understand certain technology being discussed, and may find it difficult to follow your testimony, you should attempt to use analogies when explaining difficult concepts. For example, "IP addresses are similar to street addresses. The same way your home address lets other people know where you live, IP addresses are unique addresses that identify one computer to others on a network." By using a familiar concept, people can more easily relate to what's being said.
Unless you're qualified as an expert, you should refrain from presenting any opinions about the case, as they'll be considered inadmissible. You must state the facts, and answer questions without providing any personal or professional conclusions. Expert witnesses also generally provide technical testimony, but are able to expand on their testimony by expressing opinions and conclusions. Expert testimony consists of statements given under oath by a witness recognized as an expert in a particular field. In providing information that will help a jury and/or judge better understand the case, the witness may also express a professional opinion related to their area of technical or specialized expertise. The extent of this expertise is established when qualifying the witness as an expert, and determines what the witness is and isn't allowed to express during the trial. Any opinions that are outside of the person's expertise are considered inadmissible.
Rules of Evidence
The rules that govern whether someone may be recognized as an expert witness, and the admissibility of evidence, are set by the legal rules of the jurisdiction of the court in which the evidence will be introduced. Thus, investigators must become familiar with the applicable legal rules. These rules are established by statute and are generally codified into a document called the Rules of Evidence. In the United States, Congress established the Federal Rules of Evidence (FRE) as a set of standards that determine how evidence is presented and deemed admissible in court.
Since state and federal laws differ, many states have also adopted their own sets of rules, many of which are similar to those in the Federal Rules. The FRE contains a large number of rules, but the ones dealing with opinions and expert testimony are defined under Article VII. The rules under this Article include:
● Rule 701, Opinion Testimony by Lay Witnesses
● Rule 702, Testimony by Experts
● Rule 703, Basis of Opinion Testimony by Experts
● Rule 704, Opinion on Ultimate Issue
● Rule 705, Disclosure of Facts or Data Underlying Expert Opinion
● Rule 706, Court Appointed Experts
Rule 701, Opinion Testimony by Lay Witnesses
Rule 701 addresses evidentiary witnesses who aren't in court to provide expert testimony. As such, the scope of testimony is
limited to events that occurred, and to what someone saw, heard, or did. Any opinions and inferences that the witness makes are limited by the following criteria:
● They must be rationally based on the witness's perception.
● They must be helpful to a clear understanding of the testimony or the determination of a fact in issue.
● They must not be based on scientific, technical, or other specialized knowledge.
Although this rule allows the witness to have an opinion on the events he or she witnessed, it does limit the opinion to a narrow scope. For example, if a mugger held a gun to your head and said, "Give me all of your money. You don't have to die," a rational perception of this event might be that he was going to kill you if you didn't give him your money. Such opinions are devoid of any specialized expertise and deal with explaining the event, and what you believed was happening.
Rule 702, Testimony by Experts
Rule 702 addresses testimony by expert witnesses who may hold opinions based on scientific, technical, or specialized knowledge. As we mentioned earlier, for this rule to apply, the witness must be qualified as an expert before he or she testifies in court.
Rule 702 states the following: "If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case." In looking at this rule, you can see that the purpose of providing expert testimony is to assist in understanding, determining, and relating to the evidence and facts presented in the case. The information the expert provides must be based on facts or data and must use reliable principles and methods. In other words, any methods used must be repeatable. Scientific methods that are no longer accepted also cannot be used for expert testimony. For example, suppose an expert based his conclusion that the defendant was guilty on physiognomy, a pseudoscience in which criminal behavior is supposedly determined from a defendant's facial features, head shape, and other bodily characteristics. Since this is not a reliable or accepted science, the opinions, conclusions, and possibly the entire testimony would be inadmissible.
Rule 703, Basis of Opinion Testimony by Experts
Rule 703 is another major rule for expert witnesses and the opinions they may express in testifying. This rule states: "The facts or data in the particular case upon which an expert bases an opinion or inference may be those perceived by or made known to the expert at or before the hearing. If of a type reasonably relied upon by experts in the particular field in forming opinions or inferences upon the subject, the facts or data need not be admissible in evidence in order for the opinion or inference to be admitted. Facts or data that are otherwise inadmissible shall not be disclosed to the jury by the proponent of the opinion or inference unless the Court determines that their probative value in assisting the jury to evaluate the expert's opinion substantially outweighs their prejudicial effect." The basis of this rule is that experts have access to evidence or information prior to a trial. In such cases, the expert may form an opinion on those facts, even if they are not used or are inadmissible in court. For example, a psychological expert might be aware that a defendant being tried for possession of pornography had prior convictions for child assault. Even though the jury isn't allowed to hear about those prior convictions, the psychiatrist may use this information to form an educated opinion that the defendant is a pedophile. The expert couldn't bring up the prior convictions in court, but could state an opinion that was shaped by this information.
Rule 703 is controversial to some, as evidence that can't be used in court is being used in a sideways manner. The evidence the expert used doesn't entirely provide a back door for entering evidence, although there may be some validity to this argument. If the jury has trouble evaluating the expert's opinions, the judge may decide to provide them with the information and evidence that the expert used, even if it was otherwise inadmissible. Even though the expert's opinion is considered essential to a trial, and may even outweigh the prejudicial effect of certain evidence, this isn't to say that opposing parties are powerless against an expert's conclusions. The witness can still be cross-examined to test the validity of their opinions, and the opposing side can call their own expert witnesses to offer independent conclusions and opinions on the facts of the case. However, a problem with this approach is that when experts are called to challenge or offer conflicting opinions to a previous expert, the end result is that the jury can become confused or even disengaged. Since the opinions expressed can ultimately be disregarded, this is referred to as junk testimony.
Rule 704, Opinion on Ultimate Issue

Rule 704 deals with the ability of legal counsel to object to opinions made by an expert, and what an expert can testify to in certain situations. In most cases, an attorney cannot object to an opinion made by an expert, because its validity must be determined by the facts of the case. In other words, cross-examination and evidence in the case must help form a decision as to whether the expert is correct. However, an objection can be made if the expert testifies about the mental state of a defendant in a criminal case, and whether the defendant had this mental condition when committing the crime or when using it as a defense. The expert is not permitted to make this kind of conclusion, because the facts of the case must determine this issue, not the opinions of a witness.

Rule 705, Disclosure of Facts or Data Underlying Expert Opinion

Rule 705 addresses issues raised in Rule 703 regarding facts and data that were used to form an expert opinion being disclosed to the jury. Under this rule, the expert may offer an opinion without disclosing facts or evidence that helped form that opinion. He or she may be able to disclose those facts if the judge instructs him or her to do so, or may be required to disclose certain facts during cross-examination. This rule states that "the expert may testify in terms of opinion or inference and give reasons therefor without first testifying to the underlying facts or data, unless the court requires otherwise. The expert may in any event be required to disclose the underlying facts or data on cross-examination."

Rule 706, Court Appointed Experts

Rule 706 provides guidelines on how experts are to be appointed by the court. The rule provides information dealing with:
● How they are appointed
● The financial compensation they receive
● Disclosure, which simply states that the court may inform the jury that the court appointed the witness
● That legal counsel (i.e., the prosecution and defense) may also call their own expert witnesses
Authentication of Evidence

The rules of state courts may differ from those of the federal courts, and the rules for evidence in criminal trials may differ from those for civil trials. Generally, evidence must be authenticated, which in this context usually means that some witness must testify to its authenticity. In the case of digital evidence, this could be a witness who has personal knowledge of the evidence (e.g., someone who shared the computer with the accused and saw the file or document in question on the computer). It could also be the first responder who saw the evidence on screen when responding to the incident, or an expert who examined the computer and evidence after it was seized. When a copy of the data was made using forensic software, testifying about how the software authenticates a data image is usually all that is necessary. One of the most important elements of being prepared to introduce evidence in court is deciding which witnesses will testify to its existence and validity, describe the circumstances of its discovery, and confirm that it has not been tampered with.

Certain types of evidence are sometimes held by the Rules of Evidence to be self-authenticating. This means testimony on authenticity is not required, and it usually refers to things such as public documents under seal, certified copies of public records, official publications, and the like. It is also possible for both sides at trial to agree to stipulate to the authenticity of a piece of evidence, in which case it does not have to be authenticated through testimony. When both sides agree to the stipulation of a fact (such as the fact that the evidence is authentic), the judge will instruct the jury that they are to presume that the fact is true and that it is not a matter that has to be proved or disproved at trial.

Evidence Processing

Computer forensic standards have been developed that apply to the collection and preservation of digital evidence, which differs in nature from most other types of evidence and as a result requires different methods of handling. Following procedures that are proper, accepted, and, in some cases, prescribed by law in dealing with evidence is essential to the successful prosecution of a cybercrime case. The proper handling of these procedures comes into play at different points in a trial:
■ If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented (usually based on the opposing attorney's motion to suppress) and the jury members will never get a chance to evaluate it or consider it in making their decision.
■ If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in jury members' minds
that will cause them to disregard the evidence in making their decision, and possibly even taint the credibility of the entire case.

The whole investigation may be of little value if the evidence that shows the defendant's guilt is not allowed into the trial or if the jury gives it no weight. Thus, proper handling of evidence is one of the most important issues facing all criminal investigators and, because of the intangible nature of digital evidence, cybercrime investigators in particular. Because this is such an important topic, not only for investigators but also for prosecutors, judges, and justice system professionals involved in cybercrime cases, many organizations and publications are devoted entirely to issues regarding digital evidence:
● The International Organization of Computer Evidence (IOCE) was established in 1995 to provide a forum for law enforcement agencies around the world to exchange information about computer forensic issues; its U.S. component is the Scientific Working Group on Digital Evidence (SWGDE).
● The International Association of Computer Investigative Specialists (IACIS; www.cops.org) is a nonprofit corporation that is dedicated to training law enforcement professionals in the area of computer forensics.
● The International Journal of Digital Evidence (www.ijde.org) is an online publication devoted to discussions of the theory and practice of handling digital evidence.
● Computer Forensics Magazine is published by DIBS, a maker of computer forensic equipment. Computer Forensics Online (www.shk-dplc.com/cfo) is a Webzine that is run by attorneys and technical professionals specializing in computer law.

Various similar resources that focus on computer forensics are available, and more broadly based organizations such as the American Academy of Forensic Sciences (www.aafs.org) deal with computer crimes and digital evidence alongside other forensic topics. A look at any of these resources will reveal that digital evidence handling is a major topic that could easily fill several books (and already has). It is far beyond the scope of this chapter to cover every aspect of gathering and maintaining digital evidence.

Admissibility of Evidence

There are a number of requirements for evidence to be admissible in court. The evidence must be competent (i.e., reliable and credible), it must be relevant (it tends to prove a fact of the case), and it must be material (it proves an issue that is in question in the case). Furthermore, to be admissible in U.S. courts, evidence must be obtained legally. That is, it must be obtained in accordance with the legal rules governing search and seizure, including constitutional rules expressed in the U.S. and state constitutions. In
the event that evidence is obtained through an illegal search, even if it proves the guilt of the defendant, the evidence is considered to be "tainted." This is referred to as the "fruit of the poisonous tree" doctrine, or the exclusionary rule.

Case law in some jurisdictions sets specific rules for the admissibility of scientific evidence. Under the Federal Rules of Evidence, Rule 402, all relevant evidence is admissible except as otherwise provided under the U.S. Constitution, by Act of Congress, or under the Federal Rules of Evidence themselves (e.g., evidence obtained in violation of a suspect's constitutional rights). Rule 401 defines relevant evidence as "any evidence having a tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence." This is referred to as the relevancy test. Another standard sometimes applied to scientific evidence is the general acceptance test, also referred to as the Frye standard, which holds that a scientific technique must be generally accepted in the field before the results of the technique can be admitted as evidence.

Digital Evidence

Although the rules of evidence regarding digital data are not simple, it is generally safe to exceed the minimum requirements for admissibility. When investigators take extra precautions to ensure the integrity of evidence, above and beyond what the court might find acceptable, not only is the chance of having the evidence excluded by the judge reduced, but the impact on the jury will also be more favorable. Organizations such as the IACIS provide standards governing forensic examination procedures for their members. Showing in court that you adhered to such high standards in conducting the investigation will strengthen your case.

Most computer forensic organizations and experts agree on some basic requirements regarding the handling of digital evidence, which can be summarized as follows:
● The original evidence should be preserved in a state as close as possible to the state it was in when found.
● If at all possible, an exact copy (image) of the original should be made for use in examination so as not to harm the integrity of the original.
● Copies of data made for examination should be made on media that is forensically sterile; that is, there must be no preexisting data on the disk or other media, and it should be completely "clean" and verified free of viruses and defects.
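The imaging and sterile-media requirements above can be checked mechanically, and the acquisition hash is what a witness later points to when testifying that the image is authentic. The Python script below is an added example, not code from this chapter or from any of the organizations it names. It images a constructed "device" file onto target media, refuses to write onto media that still holds data, records the SHA-256 of the source and the image for the chain-of-custody log, and shows that a single changed byte makes later verification fail. All file names and contents are constructed sample data; a real acquisition would read the block device through a write blocker rather than a file.

```python
"""Added example: image a constructed 'device' onto sterile media and verify
the copy by hash.  Not from the chapter; all file names and contents are
constructed sample data, and a real acquisition would read a block device
through a write blocker rather than a file."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB blocks so large images stay out of memory


def hash_stream(path, algorithm="sha256"):
    """Hash a file block by block and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def is_forensically_sterile(path):
    """True only when every byte of the target media is zero, i.e. it holds
    no preexisting data that could be mistaken for (or mixed with) evidence."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def acquire_image(source_path, target_path):
    """Bit-for-bit copy of the source onto pre-wiped target media.
    Returns an acquisition record suitable for the chain-of-custody log."""
    if not is_forensically_sterile(target_path):
        raise ValueError(f"{target_path}: target media is not forensically sterile")
    with open(source_path, "rb") as src, open(target_path, "r+b") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image has really reached the media
    source_hash = hash_stream(source_path)
    image_hash = hash_stream(target_path)
    return {
        "source": source_path,
        "image": target_path,
        "sha256": source_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        # the image is only usable as a working copy if both hashes agree
        "verified": source_hash == image_hash,
    }


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before examination, or for court) and compare
    it with the hash recorded at acquisition."""
    return hash_stream(image_path) == expected_sha256


def demo():
    """Run the workflow on constructed data and report each check's outcome."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_disk.bin")
        target = os.path.join(workdir, "image.dd")
        reused = os.path.join(workdir, "reused_media.dd")
        # Constructed sample "device": a fake boot-sector tag plus filler bytes.
        device = b"NTFS    " + bytes(range(256)) * 4 + b"evidence.txt\x00" * 3
        with open(source, "wb") as f:
            f.write(device)
        with open(target, "wb") as f:      # wiped media, sized to the source
            f.write(b"\x00" * len(device))
        with open(reused, "wb") as f:      # media still holding old case data
            f.write(b"\x00" * 100 + b"old case data" + b"\x00" * 100)

        record = acquire_image(source, target)
        with open(target, "r+b") as f:     # flip one byte to simulate tampering
            f.seek(10)
            f.write(b"\xff")
        still_valid = verify_image(target, record["sha256"])
        try:
            acquire_image(source, reused)
            reused_rejected = False
        except ValueError:
            reused_rejected = True
        return {
            "verified_on_acquisition": record["verified"],
            "verified_after_tamper": still_valid,
            "reused_media_rejected": reused_rejected,
            "sha256": record["sha256"],
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The target file is sized to the source on purpose: if the media were larger than the device, the image hash would cover trailing zeros and no longer match the source hash, which is why practitioners hash the device and the image over the same byte range and record both values along with the time of acquisition.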
● All evidence should be properly tagged and documented, the chain of custody preserved, and each step of the forensic examination documented in detail.

Testifying As an Expert Witness

Testifying as an expert witness can be an intimidating and stressful experience, especially if it is your first time. You may be unfamiliar with the courtroom, its layout, what is expected of you, and what will happen in court. Although you may receive some preparation from the attorney who will call you as a witness, often you get little or no practice and feel as though you have been thrown in at the deep end. Although the courtroom may appear professional and dignified, the moments between proceedings and breaks in court can be surprisingly chaotic. Paperwork needs to be processed, exhibits need to be organized, witnesses need to be prepared and kept up to date, and the people involved in a trial become caught up in a flurry of activity behind the scenes. Although this chaos can spill into the trial, what most people see when entering a courtroom is an organized and calm environment. Each person involved in a trial has their own area in the room and their own duties to perform, including the following:
● Judge This is a court official who is either appointed or elected to preside over the courtroom and make decisions on issues in trials and hearings.
● Court reporter This is a court official who transcribes the testimony and arguments made in the trial, which becomes the official record of the proceedings.
● Court clerk This is a court official who performs administrative duties, including swearing in witnesses, managing exhibits, and performing various other duties for the court.
● Bailiff This is a court official who is responsible for maintaining order and decorum in the courtroom. In some jurisdictions and countries, the bailiff may also serve as courtroom security, and be appointed as a special constable of the police. The bailiff has custody of the jury and will escort them in and out of the courtroom, and may also perform various other duties, including calling in witnesses who are waiting outside the courtroom.
● Prosecutor This is the attorney representing the state (or the Crown in Canada and the United Kingdom) in criminal court cases. In doing so, the prosecutor represents the people and is responsible for taking criminal action against the defendant and putting him, her, or them on trial.
● Defense attorney This is the attorney representing the defendant in a criminal court case.
● Plaintiff This is the person suing a defendant in civil litigation. In a civil case, both the plaintiff and the defendant may have their own legal counsel.
● Defendant This is the person accused of a crime (in criminal court) or the person being sued (in civil court).
● Jury This is a group of citizens who have been selected to hear evidence and render a verdict.
● Witnesses These are people testifying to events that occurred or to evidence presented as exhibits in the trial.
● Spectators These are members of the general public and/or media watching the trial. They may also include friends and family members of the defendant, or interested parties who have come to watch the proceedings.

Of these roles, serving as a witness can be one of the most difficult to fulfill. Without the testimony and evidence a witness provides, it would be impossible to obtain a conviction. Although testifying can be uncomfortable even when you have years of experience as an evidentiary or expert witness, knowing how the process works relieves much of the stress. In the sections that follow, we discuss the components of the courtroom, trial proceedings, the methods that prosecutors and defense attorneys may use, and what you can expect when testifying. The fewer surprises and the more organized you are, the fewer difficulties you will encounter on the stand.

Layout of a Courtroom

Courtrooms are generally designed in a particular way, with seating arrangements and fixtures organized for specific functions. Differences may be evident when comparing courtrooms that are used for special functions or legal structures, such as when comparing a family court to a military court-martial, or those of different countries. However, even when these variations are visible, similarities in function can usually be identified. As shown in Figure A.1, a courtroom layout can include several individual components, including the following:
● Judge's bench This is a table area where the judge sits to preside over the trial.
● Witness stand This is an enclosed seating area where the witness gives testimony.
● Court reporter's table This is where the sworn proceedings of the trial are transcribed.
● Court clerk's table This is where court records are maintained.
● Jury box This is seating for members of the jury.
● Prosecution's desk This is where the prosecutor sits. In a civil case, this would be the plaintiff's desk.
● Defendant's desk This is where the defendant and their legal counsel (i.e., defense attorney) sit.
● Podium This is where the prosecutor and defense attorneys stand when formally addressing the court and examining/cross-examining witnesses.
● Well of the court This is the main area of the courtroom where the proceedings of the trial take place.
● Bar This is a railing separating the gallery from the well of the court.
● Gallery This is an area where members of the general public, media, and other spectators sit.

A courtroom serves as the staging area of a trial, and has a theatrical layout. When looking at Figure A.1, you may notice that it is designed to accommodate an audience, as most trials are open to public observers. Although public trials provide accountability regarding how they are conducted, the layout of a courtroom is also influenced by the centuries-old practice of trials being a form of public entertainment. The design of a courtroom is intended to provide maximum visibility to those watching the trial (whether they be judge, jury, or spectators), and to focus their attention on the proceedings and actors involved in the court process.

To help achieve this, the components of a courtroom are tiered at different heights. The judge's bench is located higher than other seating areas in the room. It allows him or her to preside over the court from a vantage point that overlooks everything, but it also conveys that the judge is the ultimate authority and enforcing figure who has control over the room. The witness stand is also raised but is lower than the judge's bench, forcing anyone giving testimony to look up at the judge, yet remain at eye level with the attorneys who stand at a podium in the well of the court when examining and cross-examining witnesses. Less visible are the court
officials who sit at the foot of the judge's bench. Although the court reporter usually remains unnoticed during the trial while transcribing the proceedings, the court clerk is generally noticed only when swearing in witnesses or performing other court functions. To the side of the judge, a jury box provides the next best seats. In a jury trial, the jurors will be able to see and hear everything in the trial as it plays out in front of them, just like the spectators who sit in the gallery behind the attorneys and the accused.

Technology in the Courtroom

Although tradition has dictated the design, technology has also influenced the courtroom. Newer courtrooms are often built with technology in mind, while older ones may be retrofitted to accommodate computer systems and display digital evidence more easily. Since there are no requirements for the provision of technology, what you can expect to see can vary significantly between courtrooms. Even in older courthouses, a certain amount of technology will be present. Microphones are used in the witness box, at the judge's bench, and at the podium to allow voices to be heard throughout the courtroom, and attorneys will often use computer systems to keep their notes and other information brought to court. Although newer courtrooms are designed to have a sufficient number of electrical outlets, this is often not the case in older courthouses. Instead, these and other devices brought to court may require extra cords and/or power bars to be taped or strung across the floor. This can be a little surprising to see when walking to the witness stand and stepping over a mat or duct tape covering electrical cords.

In newer or retrofitted courtrooms, there may be greater integration between technology and the justice system. Some of the more advanced technology you may find in these courtrooms includes the following:
● Document camera This is a device on which documents or a small to medium-sized object may be placed so that an overhead digital camera can capture its image. The camera may then project the image onto a screen (just as an overhead projector would) or transmit it to display monitors located throughout the room.
● Display monitors These are used to display images, media presentations, or other output from a computer or a document camera. These may be flat-panel displays located at the judge's bench, at the witness box, at the court officials' desk(s) (i.e., court clerk, court reporter), on counsel tables, and between pairs of jurors in the jury box.
● Annotation monitors These are monitors located at the podium and witness box that allow on-screen drawings to be made, including diagrams or other information that enhance what is shown on other monitors in the courtroom.
● Real-time transcription This allows transcribed testimony to be routed to the judge's bench and counsel tables.
● Translation and listening devices These allow any testimony in another language to be spoken directly into a microphone, translated by another person, and then broadcast by infrared or other technology to listening devices (e.g., headsets) that may be worn by the judge, jurors, counsel, court officials, and others directly involved in the trial.
● Videoconferencing This consists of cameras mounted in the courtroom that are focused on the judge, the witness, and counsel at the podium. Other cameras may also be installed in other rooms of the courthouse, such as the judge's chambers or a room used for testimony by people who have been excused from testifying in the courtroom. Using the images captured by these cameras, videoconferencing can then be used for pretrial meetings, remote witness testimony, or other proceedings. For example, a child who was sexually abused may be excused from facing their abuser in the courtroom, and be able to testify from a remote location.
● Computer-equipped counsel tables These are tables used by the prosecution and defense attorneys. These may be discreetly equipped with electrical outlets and ports that allow connections to display monitors or other features available in the courtroom.
● Printers These allow information displayed on monitors to be printed, as well as data from any or specific computer systems in the courtroom.

Since the level of technology available in a courtroom may vary, you may need to consult with the prosecution regarding whether certain equipment will be available for your testimony. For example, if your testimony relies on showing the images or other files found on a hard disk, it would be useful to know whether they can be displayed on monitors already in the courtroom, whether a computer projector and screen are available, or whether you will need to bring your own equipment. By being organized and knowing what is available to present your testimony, you can avoid situations that make testifying chaotic and stressful.
Order of Trial Proceedings

The trial process actually begins when a suspect is arrested or a warrant is issued for a suspect's arrest. After the arrest, the defendant is taken before a Justice of the Peace (a judge or, in some cases, the mayor of a town or city) within a specified period, usually within 48 hours, and charged. This arraignment is an informal process in which the Justice of the Peace tells the defendant what charges have been filed against him or her, Mirandizes the defendant, and sets or denies bail. A preliminary hearing usually takes place within a few days. In this hearing, the prosecution must present enough evidence to convince the judge that the defendant should go to trial. In some instances, the defendant goes before a grand jury instead of a judge. This is a secret proceeding in which the grand jury decides whether to hand down an indictment. Then, a formal arraignment may be held, at which the defendant may enter a plea to the charges against him or her.

Prior to the actual trial, there is often a pretrial conference or hearing at which motions may be filed (e.g., requesting a change of venue). Finally, the case goes to trial. If the defendant pleads not guilty to the charges, a jury is selected through the voir dire process, during which each side gets to question potential jurors and strike, or exclude, a certain number. The judge instructs the jury on the relevant law, and then the attorneys each give an opening statement. Since the burden of proof is on the prosecution, the prosecuting attorney goes first with an opening statement.

After the defense attorney's opening statement, the prosecution calls witnesses. With each witness, the prosecution asks questions; this process is called direct examination. Then the defense attorney is allowed to question the witness about the subjects that were brought up during direct examination. Afterward, the prosecution may redirect, and then the defense may recross. This process occurs with each witness until both attorneys are finished questioning that witness. An investigator or IT expert testifying as to personal knowledge of the evidence in the case (an evidentiary witness) would be testifying as a prosecution witness and thus would be direct-examined by the prosecutor and cross-examined by the defense attorney. Expert witnesses may testify for either side, but must be certified as experts prior to testifying so that any opinions they hold can be included in the testimony.

When the prosecution has presented all its witnesses and evidence, the defense attorney usually makes a motion to dismiss the case because of lack of evidence. If this motion is successful, the trial is over and the defendant goes free. If not,
the defense presents its case, calling witnesses to testify. These witnesses are cross-examined by the prosecutor, and so on, in the same manner as the prosecution witnesses. After the defense has presented its case, the prosecution is allowed to call rebuttal witnesses, and the defense may counter those witnesses. Finally, when all the rebuttals are finished, the attorneys give their closing statements (which side goes first depends on the court) and the judge gives further instructions to the members of the jury, who are then sent out to reach a verdict.

Subpoenas

A subpoena is a legal document that is issued by the court to inform you that you are required to appear in court to give evidence as a witness. The court may subpoena you on behalf of the prosecution, the defense, or both. Looking at the subpoena shown in Figure A.2, which is an actual subpoena with the relevant information removed, you can see that it contains a great deal of information about a trial, including the following:
● The name and address of the person being summoned to court
● The date and time you are required to appear in court
● The name of the defendant
● What the defendant is charged with
● The address where the trial will take place
● The name and contact information of the officer in charge of the case
● The name of the attorney subpoenaing you
● Instructions to bring any books, records, writing, or other exhibits related to the case with you

The subpoena is hand-delivered to you by a process server or other court official, who will use information on the subpoena and other contact details that you may have previously given to the officer or attorney. Once you have been served with the subpoena to appear in court as a witness, you are required to appear. If you fail to appear, criminal charges may be pressed against you, and if you are convicted you may face imprisonment and/or a fine.

Depositions

A deposition is the process of questioning witnesses prior to a trial, and it is used in the pretrial phases of both civil and criminal cases. In a deposition, the witness is under oath and is
Page 260
Cyber Forensics 260 expected to illuminate the truth as aleven however inside side the preliminary. Legitimate suggest can study and cross -study the observer, and can even utilize this as a likelihood to discover measurements that can be utilized inside side the later preliminary. Since the affidavit doesn't need a public conversation board, it can now at this point don't generally be held inside side the court agenda, notwithstanding as an option in a gathering room or whatever other setting that has been settled upon. All through the affidavit, a court agenda correspondent or a transcriber documents the inquiries and articulations made, all together that they might be protected for fate reference. Albeit the statement doesn't refresh authenticating eventually of the preliminary, besides there are huge circumstances for why the observer can't pause (comprehensive of death sooner than the preliminary starts off evolved ), the insights amassed inside side the testimony can later be used in preliminary. Lawyers can likewise furthermore utilize proclamations made in an affidavit to uncover inconsistencies in later declaration, subsequently disparaging the observer through s howing mistakes among garbled explanations committed to underneath vow. Affirming in a testimony is ordinarily substantially less formal than the actual preliminary, despite the fact that the equivalent behavior of showing respect for the court agenda and individuals stressed inside side the way applies. Along these lines, demands for a harm might be made each time required. In spite of the fact that it can be considerably less formal, you should not the slightest bit expect something is off the record. An y criticism made sooner or later of the affidavit could be recorded, so you should ensemble from articulating something you don't require saved for any kind of family down the line till you're farfar from the court agenda journalist and the spot in which t he statement is held. 
Once a deposition has been transcribed, the witness is given the opportunity to check its contents for errors and to make corrections. It is vital that you review the transcript thoroughly, because after you review and sign it, it becomes a legal document. When reviewing the transcript, look for errors in dates, times, amounts, or technical details that may later appear at the trial as evidence. The more accurate it is, the less chance a mistake can be used to contradict truthful statements made later in court.

Swearing vs. Affirming

When serving as a witness, you are obviously expected to tell the truth. To ensure that you will do so, one of two short formal procedures is performed in which you promise to be truthful. They are:
● Swearing in
● Affirming

For various reasons, most witnesses in the Western world are sworn in. This involves either placing your right hand on the Bible or holding a Bible in your right hand and raising your left hand. After doing so, you are asked whether you swear to tell the truth "so help you God." In some courts the mention of God is omitted, although most continue to use it. In swearing to tell the truth, you become a witness and may proceed with the task of giving testimony. If you are an atheist or hold religious beliefs that prevent you from swearing to God, there is also the option of affirming. When you affirm, you will be asked to raise your hand while making a promise to tell the truth. In doing so, no Bible or mention of God is used. Once this is done, you are affirmed, and you have made a declaration of truthfulness that carries the same weight as being sworn in. Affirming or swearing to tell the truth occurs immediately after you have been called as a witness and have taken the stand. Once you have entered the witness box, the judge or court clerk will ask whether you would like to be sworn in or affirmed. Which you choose is entirely up to you, and has no effect or bias on the proceedings that follow while you are testifying. Whether you have been sworn in or affirmed, if you lie you may be charged with perjury.
Being affirmed or sworn in can occur in both civil and criminal trials, as well as in depositions and affidavits (which we discuss next). The reason they are used in so many areas of law is simple: it is essential for the witness to tell the truth. If the truth were not presented to the court, an accurate determination of events could not be made, and a correct verdict could not be reached.

Affidavits

An affidavit is a formal declaration of facts. When you are a witness in a criminal trial or civil dispute you may be required to provide a sworn statement that sets out the facts as you understand them. This provides a written version of your formal testimony. This written account states what you saw, heard, or otherwise know to be the truth. For an expert witness, this will be information within your area of expertise. It is signed by you to attest that everything you have written is true, and by another person who witnesses you making the affidavit. The oath is that you either swear or affirm that everything stated in the document is true. The oath is taken before a person authorized by the court, such as a notary public or a court official, which formalizes the document as true and legally binding.

Legal Etiquette and Ethics

As with any formal gathering, there are certain codes of conduct that should be followed. According to legal etiquette and ethics, you are expected to conduct yourself with a certain level of professionalism while attending court. Etiquette is the set of rules of socially acceptable conduct and courtesy, while ethics are moral principles or values. Together, they define how a person behaves in the courtroom. Courts should be solemn, reflecting the serious nature of the forum they provide. Conducting yourself in a manner that maintains this atmosphere demonstrates respect not only to the court itself, but also to those who must attend and have their fates decided at trial. Just as you would act in a restrained and courteous manner at a wedding, funeral, or other formal event, you should show the same level of respect in the courtroom. Some of the ways to show this respect include:
● Dress conservatively in business attire (such as a suit, dress, or other conservative clothing you would wear to a business meeting or solemn occasion).
● Arrive early and be prepared to testify when called.
● When speaking to the judge, address him or her as "your honor."
● Do not whisper or talk in the courtroom unless it is absolutely necessary. If information must be exchanged, it is better to pass a note to the attorney or other person you are conferring with.
● Bring only the notes you will use on the stand. Do not bring magazines or other reading material to pass the time.
The legal etiquette and ethical conduct you show in a courtroom apply not only to those attending as members of the jury and legal counsel, but also (and especially) to witnesses. The way you act in the courtroom and on the witness stand will be observed by others in the courtroom, and will affect how they perceive your credibility as a witness under direct and cross-examination.

Direct Examination

Direct examination refers to the process of a witness being questioned by the attorney who called him or her to the stand. Because the attorney who called you to the stand wants you to provide useful testimony, any questions asked are for the purpose of eliciting facts about the case. In other words, the attorney asks questions that will help you provide evidence. The primary rule for giving direct testimony (or any sworn testimony) is to always tell the truth. Witnesses should not be afraid to say "I don't know" or "I don't remember" when that is the truth. Telling the truth is fundamental to providing facts to the case, and failing to tell the truth is a serious matter. Lying under oath is a criminal offense called perjury, and it can result in imprisonment and fines. Beyond this most basic and central element of being a witness, there are a number of best practices for testifying in court. Remember that the jury will assess the credibility of each witness and decide whether to believe the testimony largely on the basis of that assessment. Here are some ways to improve your credibility as a witness:
● Be on time or slightly early for court. Although we mentioned this and the following point in the previous section, arriving at court early gives you a chance to compose yourself and review the layout of the courtroom, the route you will walk from your seat in the courtroom to the witness stand, and so on. Arriving late makes a bad impression on the jury and detracts from your credibility.
● Dress professionally. Appearance does matter, and your credibility will be enhanced by conservative business attire.
● Don't appear nervous. Juries expect people to act nervous when they are lying. You may not be able to control the way you feel, but with practice you can control any visible signs of nervousness, such as repetitive gestures.
● Keep a good posture. Juries will consider a person's body language when he or she approaches, leaves, or sits in the witness box.
Standing and sitting up straight convey confidence, whereas slouching can make it look as though you are uncomfortable and are trying to hide something. Although you should be comfortable on the stand, don't forget what your mother told you about sitting up straight.
● Remain calm and don't get angry. The opposing attorney may try to make you lose your temper; doing so will damage your credibility with the jury. Witnesses should never argue or be sarcastic in response to an attorney's questions. Likewise, you should refrain from showing hostility toward the defendant, as this may make it appear that you have a personal agenda against that person. Staying calm and professional will benefit the case.
● When appropriate, answer with "yes" or "no." Although this goes hand in hand with our next point, when answering a question in the affirmative or the negative, you should always use the word "yes" or "no." On the stand, people often make the mistake of nodding or shaking their head to answer, grunting a response, or using expressions such as uh-huh, yeah, nope, or similar phrases. Whenever this happens, the attorney questioning you must correct you and tell you to answer with yes or no, which becomes tedious and quickly annoys everyone.
● Don't volunteer more information. Answer the questions you are asked, but don't offer additional information or stray from the topic. Do not offer hearsay evidence (what other people said to you), as it is usually inadmissible.
● Avoid making absolutes in your statements. Making an absolute statement such as "I always ..." or "I never ..." can create a vulnerable situation in later cross-examination, where it can be used to prove you wrong. After all, almost nothing is absolute. Even saying "the sun always shines in the sky" is wrong when you consider eclipses and nighttime.
● Don't discuss the case with anyone but the attorney. When attending court as a witness, you may spend little time in the actual courtroom. You will usually be barred from entering the courtroom until you are called, and adjournments and recesses will allow you to leave the courtroom for a period. During these times, you will be exposed to other people who may also testify; victims and defendants in a case; and possibly even the media. Because you probably will not know who most of these people are, you should never discuss the case with anyone. Doing so could taint the testimony of others or provide sensitive information to the wrong people.
● Consider the question carefully before you answer. Be sure you understand the question, and if you don't, ask the attorney to repeat it. Do not begin answering until you are certain the attorney has finished asking the question.
● Speak clearly and confidently. A good witness doesn't shout, but speaks loudly enough to be heard by the judge, jury, and attorneys. Testimony as an evidentiary witness should be limited to "just the facts, ma'am, just the facts." Don't give opinions or speculation; in an independent, objective manner, simply state what you did or found.
● If the judge or an attorney begins to speak, stop speaking. When you are testifying, the attorneys or the judge may interject to gain a better understanding of a particular point, or to keep you from revealing information that is inadmissible. When either of them speaks, immediately stop your testimony and listen to what they are saying.
● Avoid memorizing answers. Although it is important that you review your notes and fully understand the details of your testimony beforehand, rehearsing answers to anticipated questions may make your testimony seem scripted and questionable.
● Remain independent and stick to the facts. Remember that as a witness, you are providing the facts of the case. Never exaggerate, never guess, and never tailor answers to an attorney's question to favor one side or the other. Simply tell the truth, regardless of whose side the answer may benefit.

Cross-Examination

Cross-examination is the process of giving the opposing side in a trial the opportunity to question a witness. In any trial, the prosecution has the right to question witnesses called by the defense, and the defense has the right to question witnesses called by the prosecution. It is the job of the cross-examining attorney to discredit the opposing side's witness. Attorneys may also use psychological tactics to try to unsettle witnesses. When testifying, be careful not to fall into their traps.
Be prepared for and able to handle such cross-examination tactics as:
● Rapid-fire questions without a chance to answer between questions
● Leading questions ("Isn't it true that what you saw was ...?")
● Repeating your statements with a twist that changes their meaning
● Pretending to be pleasant, then suddenly turning against you
● Feigning bewilderment, surprise, or shock at what you have said
● Prolonged silence intended to cause discomfort in the hope that you will say more

The most important thing to remember when subjected to these tactics is this: don't take the attorney's tactics personally; he or she is simply doing a job. Our advice to the witness is to just do your job; keep your cool and state the facts. You can use a number of tips to cope with an attorney's tactics during cross-examination. Attorneys will frequently try to build a rhythm to their questions, starting by asking questions with some time between them, then shortening the time between questions until they are being fired in quick succession. This limits the time you have to consider an answer, and it increases the chance of being caught in a trap. Many times, a question will be asked one way, and then asked a different way later. If you change your answer, the attorney will use this to discredit your testimony. A simple way to stop these rapid-fire questions is to force a pause before answering. By quietly tapping your foot three times before giving an answer, you give yourself a moment to think, and you also control the rhythm of the questions and answers. Because you are sitting in an enclosed witness box, no one can see you discreetly tapping your foot and stopping the attorney's attempt at rapid-fire questioning. Always listen to the questions being asked, and be ready to answer. An attorney may also ask a question, wait for an answer, and then repeat what you have said but twist the words. Doing so can change the meaning of your statement and turn what you have said to the attorney's advantage. If the attorney repeats it as a question (such as by starting with "So, you're saying that ...") and you are no longer paying attention, you may actually agree to something you never said. Never be afraid to say, "That is not what I said" in these situations, and restate your earlier statement. Another common tactic is to begin questioning you with points of agreement.
In doing so, the attorney conducting the cross-examination appears pleasant and lowers the witness's guard. The witness will generally be more relaxed, and the attorney can then either pick apart earlier statements by asking follow-up questions, or ask leading questions that may cause the witness to make statements favorable to the opposing side's position. Often, once your guard is down, the attorney will switch from being pleasant to suddenly attacking what you have said or becoming confrontational. This can confuse you and leave you feeling a little betrayed the first time it happens, and it allows the attorney to take the upper hand in questioning you. Other psychological ploys can involve saying little or nothing at all. Once you have finished answering, the attorney may delay asking the next question, choosing instead to pause for an extended period. Because the prolonged silence may be uncomfortable, the witness may feel that he or she should say more. If nothing is added, the attorney may undermine your answer by saying, "Oh, I'm sorry, are you finished?" Many of the tactics attorneys use are performed during the trial process, such as when a witness is being qualified as an expert. When challenging a witness, the attorney will ask a series of questions to test the facts of the witness's qualifications and examine his or her level of expertise. In general, the challenging party is given fairly free rein in the questions asked about a person's qualifications, and judges and the attorneys calling you may allow a line of questioning to continue until it appears that the witness is being unreasonably attacked. How counsel undermines the witness's authority will vary, as attorneys have different styles of cross-examining witnesses. One method that is used to varying degrees is to check your qualifications, and then undermine them by repeating facts in a sarcastic tone of voice. For example, if a computer expert graduated from a community college, the attorney may repeat the name of the school in a mocking tone, and then ask, "So, you never attended a university?" Similarly, if you only hold a CompTIA certification, the attorney may repeat "CompTIA?" as if you had made it up. It is a simple tactic that requires almost no expertise in the subject. They may also pretend to be an ardent advocate of justice, or a person who genuinely cares and believes in their client's innocence. Although this may be true of some court officers, the reality is that attorneys will defend clients regardless of whether they are guilty or innocent. Despite this, they may use the tactic of pretending to be morally offended, confused, or shocked by a statement. Because attorneys are also usually poor actors, this may be more annoying than intimidating when it happens. The attempt is made to play to the jury, and to appear reasonable by appearing offended.

Refusing to Answer

While serving as an expert witness, you may be asked a question that you do not want to answer. An attorney may ask a question that is embarrassing to you, or that you consider irrelevant to the case. In such situations, you may ask the judge whether you are required to answer the question.
If the judge agrees that the question is not relevant to the case or necessary to answer, he or she may allow you not to answer if you would prefer not to. If the judge instructs you to answer the question, however, you have no real choice but to comply, or you risk being cited for contempt of court. Another situation in which you may refuse to answer is when doing so could cause you to admit to a crime. Under the Fifth Amendment of the U.S. Constitution, and under the protection of the Charter of Rights and Freedoms in Canada, you do not have to testify if your testimony will incriminate you. This is because, by answering in a way that is not incriminating, you would essentially be forced to commit perjury.

Using Notes and Visual Aids

What if you are required to testify as a witness, but your memory is not that good? What if you are afraid of forgetting important facts, especially information that is hard to remember, such as numbers? Is it legal for you as a witness to take notes with you to use as a reference while testifying? Police officers and other witnesses use notes as a memory aid during court testimony all the time. There are benefits and drawbacks in doing so. Some jurors may be impressed by the fact that you are reading from notes, because they may trust the written word more than a person relying on memory alone. On the other hand, others may think you are being coached or prompted if you refer to notes; they believe that if what you are saying is the truth, you would remember it without notes. A primary consideration in deciding whether to use notes is the fact that if a witness does so, the notes may be entered into evidence and taken into the custody of the court during the trial. If you do decide to use notes, therefore, make sure that the notebook or paper on which they are written does not contain other notes that refer to matters unrelated to the case, because the opposing attorney can question you about anything in the notes. Visual aids are another common element, especially in cases that involve evidence such as digital photographs, or that require maps of an area. When referring to visual aids, such as photos or diagrams, be as descriptive as possible. Rather than raising your hand and saying, "Here we see," try to focus attention on the item you are discussing, such as by saying "In the lower right-hand corner."
Not only does this make it easier for those watching your testimony to understand what you are talking about, but it also makes the transcript of the testimony easier to understand.

Testifying As an Expert Witness

● A courtroom is where a trial takes place, and it includes a judge's bench, witness stand, court reporter's table, court clerk's table, jury box, podium, and tables for the prosecution and defense. A bar (that is, a railing) is used to separate the gallery where spectators sit from the well of the court.
● Technology in courts can vary, so you should become aware of what equipment is available and whether you may need to provide any equipment of your own to display exhibits.
● A subpoena is a legal document issued by the court to notify you that you are required to attend court on a specific date and time to give evidence as a witness.
● Being sworn in requires that you place your hand on a Bible and swear to God that you will tell the truth in your testimony, whereas affirming involves a promise that you will tell the truth.
● Depositions are a method of questioning witnesses prior to a trial, and are used in the pretrial phases of both civil and criminal cases.
● Courtroom etiquette should always be followed, including treating everyone in the courtroom with respect and addressing the judge as "your honor."
● Direct examination refers to the process of a witness being questioned by the attorney who called him or her to the stand.
● Cross-examination is the second line of questioning a witness faces, in which the opposing side in a trial or hearing has the opportunity to ask questions.
● Once a witness has been cross-examined, the attorney who called the witness has the opportunity to redirect and ask further questions. The opposing attorney can then recross, and also ask additional questions.
● Witnesses are not required to answer a question under oath if doing so will incriminate them. If this does not apply, and the witness still does not want to answer, he or she should ask the judge whether the question must be answered, and then abide by the judge's decision.
● Notes that are used as reference material while testifying under oath are entered into evidence.

10.4 SUMMARY

Mobile Forensics Summary

In this unit we learned the following:
● Mobile forensics is a branch of digital forensics. It concerns the acquisition and examination of mobile devices to recover digital evidence for forensic investigation.
● Android is an open source operating system based on the Linux kernel, developed by Google for mobile devices.
● Rooting Android opens its core module to the user, which allows access to the protected areas of the device.
● ADB is a command-line tool that allows us to connect an Android device to a PC host through a USB cable. It is a very flexible tool because it allows a user to perform various tasks such as installing, debugging, and removing applications, and so on.
● Joint Test Action Group, or JTAG, is a complex data extraction technique used in mobile forensics. JTAG provides an interface through which a computer can communicate directly with the circuit board. It involves connecting the evidence device's Test Access Port (TAP) to a JTAG emulator to access raw data.
● Chip-off involves removing the memory chip of the mobile device and mounting it on dedicated hardware for data acquisition and reading its contents.
● Micro-read involves the use of a high-powered electron microscope to analyze output at the gate level. The device's memory chip is shaved in very thin layers, and the data is then read gradually from the storage using an electron microscope or other device.
● iOS is a mobile operating system created and developed by Apple Inc. that currently powers many of the company's mobile devices, including the iPhone, iPad, and iPod Touch.
● There are three different modes for the boot process of iOS devices: Normal boot mode, Recovery mode, and DFU mode.
● iOS jailbreaking is used for the purpose of removing software restrictions imposed by Apple on iOS by means of a series of kernel patches. Jailbreaking grants root access to iOS.
● All Apple mobile devices use the HFSX file system.
● Logically, the iPhone has two partitions. One is for storing the iOS system files, responsible for loading the operating system, including kernel images and configuration files. The other partition is used for the storage of user-specific settings and applications, including movies, music, photos, contacts, and more.

Investigative Reports Summary

The section on investigative reports covers:
# Why an investigative report is required.
# Report classifications and specifications.
# What analysis is and what a forensic report is.
# How to write a forensic investigative report and what it should contain.
# The characteristics of a good report.
# The purpose of an investigative report is to communicate the results of the examination. It allows the presentation of evidence as testimony and supports the statement of expert opinion.

Understanding the Expert Witness Summary

○ Witnesses are people who have firsthand knowledge of a crime or incident, or who provide evidence during a trial, tribunal, or hearing.
○ An evidentiary witness can only testify as to facts (what he or she saw or heard) and cannot give opinions or draw conclusions.
○ An expert witness may have no direct involvement in the case, but has special technical expertise or skill that qualifies him or her to give expert opinions on technical matters.
○ To qualify as an expert witness, the witness has his or her credentials reviewed by the court and entered into the record after being sworn in. If the opposing side wishes to challenge, the witness is cross-examined. The judge evaluates the information obtained through this process, and may then accept or reject the witness as an expert in a particular area.
○ A plea bargain is an agreement in which the defendant pleads guilty to a lesser crime to have more serious charges dropped.
○ A curriculum vitae is a document that outlines a person's education, experience, and other credentials. It is an in-depth outline of the qualifications that make you an expert in a particular area.
○ Criminal case expert witnesses are used to assist in the prosecution and defense of persons involved in a crime.
○ Civil case expert witnesses are used to assist in civil court cases in which one person and/or business sues to remedy a dispute and recover what they feel is owed to them.
○ Computer forensic experts collect and examine potential evidence during an investigation, including data that has been deleted, encrypted, or damaged.
○ Medical and psychological experts respectively offer insight and assistance in physical and mental issues that may be involved in a court case. They can be used by either side in a court case to perform evaluations, analyze existing diagnoses, or testify about technical information related to the evidence.
○ Construction and architecture experts can offer insight and assistance in issues concerning real property, building and fire codes, errors in construction and design, and other issues concerning buildings.
○ Technical testimony consists of statements given under oath that present information of a technical nature.
○ Whether someone may be recognized as an expert witness, and the admissibility of evidence, are both governed by the legal rules of the court's jurisdiction (i.e., state or federal). These rules are established law and are commonly compiled into a document named the Rules of Evidence.
○ Under the Rules of Evidence, evidence presented in court must be authenticated, which means that a witness must vouch for its authenticity.
○ If evidence is not collected and handled according to the proper requirements, the judge may deem the evidence inadmissible when it is offered. This may be based on a motion to suppress from the opposing counsel, so that members of the jury never get a chance to review it or consider it in reaching their verdict.

10.5 REFERENCES FOR FURTHER READING

1. Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigation, Niranjan Reddy, Apress, 2019.
2. The Official CHFI Exam 312-49 Study Guide, Dave Kleiman, Syngress, 2007.
3. Digital Forensics and Incident Response, Gerard Johansen, Packt Publishing, 2020.
4. EC-Council CHFI v10 Study Guide, EC-Council, 2018.
5. https://www.researchgate.net/publication/258726589_iPhone_forensics_a_practical_overview_with_certain_commercial_software/
6. https://www.researchgate.net/publication/281100878_An_Open_Source_Toolkit_for_iOS_Filesystem_Forensics/
7. https://www.researchgate.net/publication/258726387_iPhone_forensics_based_on_Macintosh_open_source_and_freeware_tools/
8. https://www.researchgate.net/publication/261454188_A_Novel_Method_of_iDevice_iPhone_iPad_iPod_Forensics_without_Jailbreaking/
9. https://developer.android.com/training/articles/security-tips/
10. http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensics/
11. Boni, William, and Gerald L. Kovacich. Netspionage: The Global Threat to Information (Butterworth-Heinemann: 2000).
12. CSI, the Computer Security Institute; http://www.gocsi.com/.
13. Mokhiber, Russell, and Robert Weissman. "Corporate Spooks." March 6, 2001; www.commondreams.org/views01/0306-03.htm (accessed August 2, 2007).

10.6 FREQUENTLY ASKED QUESTIONS

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with the real-life implementation of these concepts.

Q: I'm a witness in a criminal case, and have discovered that a friend of mine has been called as a juror in the same case. What should I do?

A: Tell your friend to inform the court that he or she knows one of the witnesses. During the jury selection process, jurors are asked whether there is any reason that should prevent them from serving as a juror. This may include knowing the defendant, being involved in the investigation, knowing witnesses, or other issues that could affect the outcome of the trial. By having a relationship with one of the witnesses, a person would be dismissed from jury duty.

Q: I'm part of an incident response team, and I have become involved in an incident that will probably go to court. Who can I talk to about this?

A: Although you can talk generally about the case to anyone, you should try to avoid having any discussions about it with anyone who isn't connected to the case. In other words, even though you may talk to the attorney in charge of the case, you shouldn't talk to friends, family, or coworkers about the details of the case.
By telling someone who isn't involved, there is a risk that this information will be passed on to others, including members of the media. Moreover, you could inadvertently talk to someone who knows or is related to the defendant, or who may be a potential juror.

Q: How do I know when and where I'm supposed to testify in a case?

A: When you're called to be a witness, you'll be served with a subpoena by an officer of the court. The subpoena has information on the location of the trial and when you are to appear in court to testify. Unless the attorney who has called you indicates otherwise, you may need to appear at the courthouse each day that the trial continues, in case you are recalled to the stand.

Q: My religious beliefs prohibit me from placing my hand on the Bible and swearing to God that I'll tell the truth. When I am called to testify, how should I respond?

A: When you're called to the stand, you have the choice of swearing or affirming. When sworn in, you place your hand on a Bible and swear to God that you'll tell the truth. Affirming doesn't require this. When being affirmed, you solemnly promise that any testimony you give will be truthful.

Q: Why is it important that all the software used by law enforcement officials be licensed and registered? Law enforcement budgets are often tight; why not use freeware as much as possible?

A: Some freeware and shareware tools that are available on the Internet are good tools, and the price is certainly right. However, there are some dangers in using these programs for forensic purposes. First, you never know exactly what you're getting when you download free software (and you certainly can't ask for your money back if it doesn't work well). Downloads can be infected with viruses or Trojans that can damage the systems on which you use them. Using unlicensed software (illegal copies) is even worse. The opposing attorney(s) will have a field day if they discover that the police used pirated or "borrowed" software in the investigation. This conduct can destroy the credibility of the people who performed the forensic examination, or even result in losing the case.
Furthermore, with properly purchased and registered software, you'll be able to get technical support from the vendor if necessary. Manufacturers of computer forensic software often give discounts to law enforcement agencies, making it easier to afford the right tools for the job. After all, officers and agencies probably wouldn't suggest saving money by buying their duty weapons from a pawn shop; that is because those are essential tools of the trade and must be as reliable as possible. For the cybercrime investigator or specialist, the same is true of the forensic software that is used to acquire and preserve evidence that could make or break a criminal case.

Q: On my statement, I wrote a wrong date and didn't notice my mistake until after the statement was sent to the prosecutor. Now I've been subpoenaed to testify about the information. What should I do?
A: Notify the investigator and prosecutor immediately about the mistake, before any depositions and before the trial begins. By being honest and stating the mistake early, you may avoid any unnecessary questions during the trial about inconsistencies in the information you've provided.

Q: Why is documentation so important? Doesn't the evidence speak for itself?

A: In many computer-related criminal cases, the evidence speaks in a language that most of the members of the jury (and often the judge, prosecutor, and law enforcement officials) don't understand. At one time, juries were likely to simply accept the testimony of expert witnesses without question, but as the general public has become more technically sophisticated and expert testimony has been called into question in high-profile cases such as the O. J. Simpson case, juries have become more skeptical of experts' infallibility and are much more likely to accept the opposing attorney's challenges that raise questions about evidence-handling procedures and forensic methods. This is why the actions of law enforcement officials and investigators must be documented every step of the way. Documentation is also essential to refresh the memories of the people who must testify in the case. Often, trials are delayed for months or even years, and by the time an officer or investigator is called to the stand, he or she has handled many other cases.