PERSONAL HANDBOOK
I would like to mention one incident that happened to me in the past year. I started working for one online company selling on eBay, but this company used my ID to create a fake account on eBay and started selling a product. After some time the company took the money but didn't ship the product, and I got a criminal case letter from the police. I had suspected before this that there was something wrong with this company: the way he used to write me emails and talk on the phone was not at all professional. I started collecting information about the website: when it was created (it was only 3 months old), that it was registered from Köln, how old it was; tracing the telephone number to find which city he was calling from; tracing the email to find which IP address it was sent from (it was from Köln); and tracing the address in Google to verify whether it really existed. There was no address existing with that company name, and the address given was in Düsseldorf. As evidence, I submitted all this information to the local police in Dortmund, Germany. Then I got only a warning letter and nothing happened to me, and I saved myself. Basically, I was trying to give an overall idea of what forensics is and how it is implemented.
TABLE OF CONTENTS
Target and Aspects
Skill set required
Securing and Evaluating the Scene
Legal Aspects and Law
Forensics Tool-set Required
Case Study
Hacks Internet Artifacts
Hacks Email Forensics
Glossary
Conclusion
References
TARGET AND ASPECTS
Self-Motivation/Desire to learn - Being a forensic expert is not an easy task or a daily routine of working in an office from morning to evening. There is always scope to work in and improve knowledge in the field of investigation. It also needs extra time for analysis and research in one's own personal time.
Investigator Mindset - This is one of the difficult skills that not everyone has from birth. It needs some extra talent: someone who is not afraid of asking a new question and finding the answer. Some investigations are clueless at the start; one does not know where they will go. It also needs the talent to work in a team and to work independently.
Communication Skills - Communication skills play a key role in an investigation. One must know how to present complex evidence in a clear way that is easy for a non-technical person to understand. Good presentation skill is vital, as it involves giving evidence in court as an expert witness. As a result, the investigator must be well prepared to answer the cross-questions asked in court.
Technical Skills - Digital forensics is a technical field, so the investigator should have a solid technical background. He or she must have broad knowledge and should also have additional knowledge in a specialised area; for example, must be good with different operating systems (Apple devices, Microsoft or Linux platforms), network forensics or malware analysis.
Organisation: One can have a messy desk and be an excellent forensic expert, but he or she must be mentally organised and keep records.
Correct approach: Take cooking food as an example. One method is just to pour everything in at the same time and wait for the result. Of course, there will be an outcome, but it will not taste good enough to fulfil your desire. One needs extra care and the right approach at the right time.
The mindset of a hacker (dishonest thinking):
“A person should not be too honest. Straight trees are cut first and honest people are screwed first”
SKILL SET REQUIRED
To catch a criminal one needs to think like a criminal: how people think, and a better understanding of computer logic; both aspects are important.
In addition to curiosity, oral skills are needed, and part of the job is writing reports.
An expert must have technical skills such as:
Network skills including TCP/IP
Reading of traces
Windows, Linux, Unix and Mac operating systems
C, C++, Python, Java and other similar languages
Computer hardware systems
Operating system installation, patching and configuration
Backup and archiving technology
eDiscovery and tools
Forensic software applications
Data processing skills in electronic disclosure environments
Evidence handling procedures and ACPO guidelines
SECURING AND EVALUATING THE SCENE
The forensic expert makes sure of the safety of all people present at the crime scene. All activity should be performed in accordance with department policy as well as local laws.
While securing the crime scene, the expert should identify all evidence and ensure the integrity of both the digital and traditional evidence. Digital evidence can be easily manipulated, so the first expert at the scene should take photos and secure digital evidence as soon as possible.
The steps to be taken while securing and evaluating the scene:
Follow the given policy measures
Secure all electronic devices, including personal or portable devices
Ensure that no unofficial person is allowed at the crime scene
Never take help from an unofficial person; he or she can try to change evidence
Remove all persons except official people in order to collect the necessary evidence
The condition of electronic devices should not be changed
Leave devices off or on, as they are found
Components such as a keyboard, mouse, removable storage media and other items may carry evidence such as fingerprints, DNA or other traces, and should be taken
If the power state of a device at the crime scene cannot be determined:
Check if there is any sound (fan running, drives spinning) or whether an LED is on
Check the display screen for signs that digital evidence is being protected or destroyed; words to check for include delete, format, remove, copy, move, cut or wipe
Check if the computer is being accessed from a remote PC or device
Check if there is any active or ongoing communication with other devices, PCs or users through instant messaging applications like WhatsApp or any other messaging application or chat room
Take a note of all devices' serial numbers and web cameras, and determine whether they are in active or inactive mode
Make sure all distributed systems are carefully studied while collecting evidence
No one should be allowed access to any computer or electronic device. The expert should obtain as much information from these individuals as possible, including:
Names of all users of the computers and devices
All computer and internet user information
All login names and user account names
Purpose and use of the computers and devices, and the crime location
Any automated devices in use
Type of internet access
Any offsite storage
Internet service provider
Installed software and documentation
All email accounts
Webmail account information
Data access restrictions in place
All instant message screen names
All destructive devices or software in use
MySpace, Facebook, Pinterest, Quora, or other social networking website account information
Documenting the Scene
Documentation of the crime scene creates a record for the investigation. It is important to record the location and the crime scene itself: the state, power status and condition of computers, storage media, wireless network devices, mobile phones, smartphones, PDAs and other storage devices.
Never move the computer or any device; it may damage the digital devices.
The initial documentation of the site should include a detailed record using video, photography, notes and sketches so that the details of the scene can be recreated later. Activity and processes on the display screen should be fully documented.
Record any network and WLAN devices or access points present that are capable of linking computers and other devices to each other and to the internet.
These devices should be included in the documentation of the scene.
The digital forensic expert must have prior permission from the court or local authority to start analysis and collect evidence at an electronic crime scene.
The expert must know the authority's guidelines and consult a superior or contact the prosecutor if any question comes up.
Digital evidence must be preserved carefully to maintain the integrity of the physical devices as well as the data they hold.
Some evidence needs special collection, packaging and transportation techniques. Data can be damaged by electromagnetic fields such as those generated by electricity, magnets, radio frequency and other devices.
Communicating devices such as mobile phones, PDAs, smartphones and other devices should be properly secured and prevented from transmitting any further exchange of data.
If encrypted data storage or other electronic devices are improperly powered off, their data might not be accessible.
Steps to be taken during collection of evidence:
Proper documentation of activity on the PC, components or devices
Check the power state of the PC, laptop or device in use: look for flashing lights, a running fan, or other sounds which indicate that a computer or electronic device is powered on. If the power state cannot be determined, check whether the monitor is on, off or in sleep mode.
After identifying that the PC is on, follow these steps:
Situation 1: The monitor is on and the display shows running programs (email, Internet, etc.). Take a picture, record the information and proceed as for when the PC is on.
Situation 2: The monitor is on and a screen saver can be seen. Move the mouse slightly without pressing any buttons and check whether the display changes to a login screen, work product or other screens. Photograph the screen and record the information displayed.
Situation 3: The monitor is on but the display is blank. Move the mouse, check if there is any change, note it down and take a picture.
Situation 4: The monitor is powered off and the display is blank. Turn on the monitor, check for any changes, note the changes and take a picture.
If the Computer is OFF
For desktops, towers and microcomputers, follow these steps:
1. Document, photograph and sketch all wires, cables and other devices connected to the PC
2. Label the power supply cord, wires and USB drives attached to the computer, as well as the corresponding connection of each cord and cable
3. Take pictures of the labelled cords, cables, wires and USB flash drives
4. Remove the power supply from wall outlets or battery backup devices
5. Disconnect all devices and USB drives from the computer and document the devices or equipment connected at the opposite end
6. Place tape over the CD drive and USB slots
7. Place tape over the power switch
8. Record serial numbers
9. Record a log of the computer and all its cords, cables, wires, devices and components according to agency policy
10. Package all the necessary evidence to prevent damage or alteration during transportation or storage
If the Computer is ON
If evidence of a crime is visible on the PC display, you may need to request assistance from an expert who can capture and preserve volatile data.
In some circumstances immediate disconnection of power is required:
Information or activity on the screen indicates that data is being deleted or overwritten
A destructive process may be planned against the PC's data storage devices
Stop: in the following situations power disconnection is not recommended.
The expert must know how to capture and preserve volatile data before proceeding
Indications exist that any of the following are active or in use:
Open text documents
Remote data storage
Instant message windows
And other illegal activities
Other forms of evidence:
Look for pieces of old paper with possible passwords or other secrets, impressions of prior writing, hardware and software manuals, calendars, literature, printed material, etc. These must be documented and preserved.
Other electronic and peripheral devices of potential evidence
Cordless landline telephones
Hard drive duplicators
Multifunction machines (printer, scanner, copier and fax)
Wireless access points
Laptop power supplies and accessories
Telephone caller ID units
Packaging, transportation and storage of digital evidence
Digital evidence may also carry latent, trace or biological evidence; take the appropriate steps to preserve it. Biological evidence processing is conducted on such evidence.
Pack all evidence in antistatic packaging: cardboard boxes and antistatic containers, and only paper bags and envelopes. Plastic material should not be used when collecting digital evidence, because plastic may produce static electricity and allow humidity, which can damage the source of information.
Packaging should prevent the evidence from being bent, scratched or otherwise deformed.
Label all containers used to package and store digital evidence clearly and properly.
Leave cell phones, mobiles or smartphones in the original power state in which they are found.
Package smartphones or other communicating devices using Faraday isolation bags, radio frequency shielding material or aluminium foil to prevent data or messages from being sent or received.
Transportation procedures: keep digital evidence away from magnetic fields such as speaker magnets, batteries, etc.
Don't keep evidence in the vehicle for a prolonged period of time; extra heat or cold can destroy its original content.
Maintain chain of custody on all evidence transported.
Electronic crime and digital evidence by crime type:
For forensic examination, the following information should be documented:
A summary of the case
Passwords to the digital evidence
Investigation point of contact information
Suspected criminal activity
Information like nicknames
LEGAL ASPECTS AND LAW
Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics
The increasing popularity of cloud computing has made conventional crime detection difficult. The very strengths of cloud computing, which allow anyone anywhere in the world to use publicly accessible software to process data stored in a cloud location, also allow criminals to store incriminating data on a server located beyond the jurisdiction of the courts of their country of residence, preferably in a state with no judicial cooperation treaty with that country. So it becomes hard for the forensic expert to deal with the legal aspects.
Over many years, many approaches have been used to solve the loss of location of digital evidence in the cloud computing world.
The normal approach is that the place where the data is located determines the jurisdiction. The problem for the investigation is that even the cloud provider may not know where the data is located.
Another approach is the flag principle: given that cybercrimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state, and that digital data always moves, a cybercriminal could in this case select cloud computation under a "pirate flag".
The power of disposal approach makes it easier to recover data from the cloud: it could help obtain a username and password in order to obtain the data. Sometimes this approach is not easy because many devices are protected using DRM.
Another sensitive data issue is data retention. A data retention plan that lacks focus as to what specifically should be stored and for what period of time can and will result in retaining data that leads to unnecessary exposure, costs and harm to a number of different corporate areas. Security, IT infrastructure and legal departments can all be impacted.
Section 202 Violation of the privacy of the written word
Obtaining information without permission
Obtaining the credentials of a laptop locker or of different accounts violates the law; one can be convicted to imprisonment not exceeding one year or a fine, unless the act is punishable under section 206.
Section 202b Phishing
Distribution of legally protected data shall be punishable with imprisonment not exceeding 2 years or a fine.
Section 202c Acts preparatory to data espionage and phishing
Selling other personal data or supplying it shall be punishable with imprisonment not exceeding the term for such an offence.
Section 203 Violation of private secrets
(In short: not allowed to transfer data to a third party.) The leak of sensitive data from a doctor, attorney, notary, defence counsel, tax consultant, accountant or auditing company shall be liable to imprisonment not exceeding one year or a fine.
Section 303 Criminal damage: unlawfully damaging or destroying an object belonging to another, or manipulating it.
E.g. former Distribute.IT co-founder Carl Woerndle shares his experience of the cyber attack that destroyed the business.
DoS attacks and single targeted sites on servers are fairly common for hosting providers, but this attack was different. The hacker had managed to bypass the company's entire security protocol, get behind its firewall and gain access to its master user access information.
This event was the catalyst for a three-week nightmare ride for all involved with the business and its clients. While Distribute.IT was proactive in its response and compliance obligations, rebuilding most of its network over the next week, these measures would not be enough to save the business.
Section 303a Data tampering
Unlawfully deleting, suppressing, rendering unusable or altering data. So it is better to work on a copied image of the data.
Part II Corporate law / Right of co-determination
Section 43 GmbH director liability
A proper log book should be maintained, both manually and automatically.
The director shall conduct the company's affairs and is liable for any damage arising from an issue.
Part III Personal Rights
Not allowed to modify data
Not allowed to publish it online, for example
Protected literary, scientific and artistic works shall include in particular:
works of language, such as writings, speeches and computer programs; musical works; works of pantomime; works of fine art, architecture and applied art; photographic works; sketches.
EU General Data Protection Regulation (GDPR)
The Facebook/Cambridge Analytica revelations show the EU has made the right choice to propose and carry out an ambitious data protection reform through the General Data Protection Regulation (GDPR).
Today: Often businesses explain their privacy policies in lengthy and complicated terms.
Tomorrow: Privacy policies will have to be written in a clear, straightforward language.
Today: Businesses sometimes assume that the user's silence means consent to data processing, or they hide a request for consent in long, legalistic terms and conditions that nobody reads.
Tomorrow: The user will need to give affirmative consent before his/her data can be used by a business. Silence is no consent.
Today: The user might not be informed when his/her data is transferred outside the EU.
Tomorrow: Businesses will need to clearly inform the user about such transfers.
Today: Sometimes businesses collect and process personal data for different purposes than the reason initially announced, without informing the user about it.
Tomorrow: Businesses will be able to collect and process data only for a well-defined purpose. They will have to inform the user about new purposes for processing.
Today: Businesses use algorithms to make decisions about the user based on his/her personal data (e.g. when applying for a loan); the user is often unaware of this.
Tomorrow: Businesses will have to inform the user whether the decision is automated and give him/her a possibility
STRONGER RIGHTS (TODAY / TOMORROW)
Today: Often businesses do not inform users when there is a data breach, for instance when the data is stolen.
Tomorrow: Businesses will have to inform users without delay in case of a harmful data breach.
Today: Often the user cannot take his/her data from a business and move it to another competing service.
Tomorrow: The user will be able to move his/her data, for instance to another social media platform.
Today: It can be difficult for the user to get a copy of the data businesses keep about him/her.
Tomorrow: The user will have the right to access and get a copy of the data a business holds on him/her.
Today: It may be difficult for a user to have his/her data deleted.
Tomorrow: Users will have a clearly defined “right to be forgotten” (right to erasure), with clear safeguards.
STRONGER ENFORCEMENT (TODAY / TOMORROW)
Today: Data protection authorities have limited means and powers to cooperate.
Tomorrow: The European Data Protection Board, grouping all 28 data protection authorities, will have the powers to provide guidance and interpretation and to adopt binding decisions in case several EU countries are concerned by the same case.
Today: Authorities have no or limited fines at their disposal in case a business violates the rules.
Tomorrow: The 28 data protection authorities will have harmonised powers and will be able to impose fines on businesses of up to 20 million EUR or 4% of a company's worldwide turnover.
Part IV Standards and Best Practices:
A16.1.1 Responsibilities and procedures
Proper procedures should be in place to ensure a quick, effective and orderly response to security incidents.
How to implement:
Proper planning and preparation of incident response
Steps to monitor, detect, analyse and report IT security events and incidents
Steps for logging incident management activities
Steps to handle forensic evidence
Steps for assessment of and decision on information security events, and assessment of security weaknesses
Steps for response, including those for escalation, controlled recovery from an incident and communication to external people or organisations
A reporting form to support the reporting action
Not all information has to be provided immediately
Reference to an established formal disciplinary process for dealing with an employee who commits a security breach
A suitable feedback process to ensure that those persons reporting information security events are notified of the result after an issue has been dealt with and closed
A16.1.2 Reporting information security events
Reporting should be done through the appropriate reporting channel and as quickly as possible.
Employees and contractors should be made aware of their responsibility to report information security events as quickly as possible. Post-incident analysis should also take place as necessary to identify the source of the incident.
A16.1.6 Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.
The evaluation of information security incidents may indicate the need for enhanced or additional controls to limit the frequency, damage and cost of future occurrences, or may be taken into account in the security policy review process.
A16.1.7 Collection of evidence
An internal procedure should be developed and followed when dealing with evidence.
The procedure for evidence should provide a process for the identification, collection, acquisition and preservation of evidence in accordance with the different types of media, devices and device status, e.g. powered on or off.
The procedure should take into account:
i) Chain of custody
ii) Safety of evidence
iii) Safety of personnel
iv) Roles and responsibilities of the personnel involved
v) Competency of personnel
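The chain of custody and evidence-preservation points above (and the same requirement in the packaging and transportation section) are usually enforced in practice by hashing each acquired item and keeping a tamper-evident handling log. This added example is not from the handbook; it uses a constructed disk image in a temporary directory, and the item id, handler names and log file name are assumptions.

```python
"""Evidence integrity hashing plus a hash-linked chain-of-custody log.
Added example; the image contents, item id and handlers are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream large images instead of loading them whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file. Two algorithms are recorded,
    as most labs do, so a later mismatch in either one is detectable."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class CustodyLog:
    """Append-only JSON-lines log of who handled an item and when. Each entry
    carries the SHA-256 of the previous entry, so rewriting history breaks the chain."""

    def __init__(self, log_path):
        self.log_path = Path(log_path)
        self.entries = []
        if self.log_path.exists():
            lines = self.log_path.read_text().splitlines()
            self.entries = [json.loads(line) for line in lines if line.strip()]

    @staticmethod
    def _entry_hash(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, item_id, action, handler, hashes, note=""):
        prev = self._entry_hash(self.entries[-1]) if self.entries else "0" * 64
        entry = {
            "item": item_id, "action": action, "handler": handler,
            "time": datetime.now(timezone.utc).isoformat(),
            "hashes": hashes, "note": note, "prev": prev,
        }
        self.entries.append(entry)
        with open(self.log_path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify_chain(self):
        """True if every entry links to the hash of the one before it."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = self._entry_hash(entry)
        return True


def verify_item(log, item_id, path):
    """Re-hash the item and compare with the hashes recorded at acquisition."""
    for entry in log.entries:
        if entry["item"] == item_id and entry["action"] == "acquired":
            return hash_file(path) == entry["hashes"]
    return False  # no acquisition record: integrity cannot be vouched for


def run_demo():
    """Walk-through on a constructed image: acquire, transport, verify, then
    show that a single changed byte after seizure is detected."""
    workdir = Path(tempfile.mkdtemp(prefix="custody_"))
    image = workdir / "suspect_laptop.dd"
    image.write_bytes(b"constructed disk image, not real evidence\n" * 2048)
    log = CustodyLog(workdir / "custody.jsonl")
    acquired = hash_file(image)
    log.record("ITEM-001", "acquired", "first responder", acquired, "imaged at scene")
    log.record("ITEM-001", "transported", "courier", acquired, "sealed paper bag, to lab")
    ok_before = verify_item(log, "ITEM-001", image)
    chain_ok = CustodyLog(workdir / "custody.jsonl").verify_chain()  # re-read from disk
    with open(image, "r+b") as f:  # simulate a one-byte modification after seizure
        f.seek(10)
        f.write(b"X")
    ok_after = verify_item(log, "ITEM-001", image)
    return {"ok_before": ok_before, "chain_ok": chain_ok, "ok_after": ok_after}


if __name__ == "__main__":
    print(run_demo())
```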
Wireless Communications and Public Safety Act of 1999 - Law that required mobile phones to have GPS tracking capabilities.
Electronic Communications Privacy Act of 1986 - Law that governs the privacy and collection, access, disclosure and interception of content and traffic data related to electronic communications.
Omnibus Crime Control and Safe Streets Act of 1968 - The Wiretap Statute, a law that protected the privacy of only the content of telecommunications.
Child Protection and Sexual Predator Punishment Act of 1998 - Law that requires communications service providers that become aware of child pornography to report it.
Communications Assistance for Law Enforcement Act of 1994 - Law that requires telecommunication and electronic communications service providers to ensure that government entities, pursuant to a lawful authorization, have access to all wire and electronic communications and call-identifying information.
Cable Communications Privacy Act of 1984 - Law that restricts cable operators from using their systems to collect personally identifiable information and from disclosing such data inappropriately.
USA PATRIOT Act of 2001 - Law that sought to deter and punish terrorist acts in the US and worldwide and to enhance law enforcement surveillance powers by raising the restriction on government and law enforcement access to communications data.
Telecommunications Act of 1996 - Law that requires telecommunication companies to obtain the consent of the customer before using customer proprietary network information.
Privacy Act of 1974 - Law that protects individuals' privacy by regulating the collection, maintenance, use and dissemination of information by government agencies; it also seeks to limit the collection of personal data by the government.
E-Government Act of 2002 - Law that requires government agencies to perform privacy impact assessments on computer and information technology systems that are designed to collect, maintain and disseminate information about individuals in identifiable form.
Computer Security Act of 1987 - Law that sought to improve privacy protections and establish minimum acceptable security practices for federal computer systems that contain sensitive information.
National Bureau of Standards Act of 1901 - Law that established the National Bureau of Standards, which was responsible for maintaining and developing the national standards for measurement and providing private industry and government with the methods with which to make these measurements consistent with the existing standards of accuracy and uniformity. Today, this agency is known as the National Institute of Standards and Technology (NIST).
Federal Property and Administrative Services Act of 1949 - Law that established the General Services Administration (GSA), which is responsible for the development of policy for the management of government property and records.
First Amendment - The provision of the U.S. Constitution dealing with freedom of religion, freedom of the press, the right to assemble, and the right to petition the government for a redress of grievances.
Subpoena duces tecum - A subpoena used to command the production of evidence.
Children's Online Privacy Protection Act of 1998 - Law that applies to children younger than 13 years of age and protects them from the collection and misuse of their personal information by commercial websites.
Child Online Protection Act of 1998 - Law (declared unconstitutional in 2007) that tried to control the dissemination of information to children by prohibiting websites from knowingly making harmful material available to minors.
Sarbanes-Oxley Act of 2002 - Law that sought to improve the accuracy and reliability of corporate disclosures so as to protect investors from fraudulent business practices.
Corporate and Criminal Fraud Accountability Act of 2002 - Title VIII of the Sarbanes-Oxley Act, which identifies criminal penalties for altering documents.
Enron scandal - A 2001 scandal in which the energy trading firm's personnel showed shareholders that Enron was making a profit when the company was actually billions of dollars in debt.
WorldCom scandal - A 2002 scandal in which, by falsifying business records, WorldCom employees were able to show billions in profits, even though the company was actually in debt.
Tyco International scandal - A 2002 scandal in which Tyco executives siphoned millions of dollars from the company through fraudulent stock sales and unauthorized business loans.
Corporate Fraud Accountability Act of 2002 - Title IX of the Sarbanes-Oxley Act, which concerns the actions of “tampering with a record or otherwise impeding an official proceeding.”
FORENSICS TOOL-SET REQUIRED
Digital evidence can be collected using standard seizure tools and other materials.
First responders should use caution during the collection, packaging or storage of digital devices to avoid altering, damaging or destroying the evidence.
Avoid using any tools or materials that produce or emit static electricity or magnetic effects, as they may damage or destroy evidence.
Tools and materials for collecting digital evidence
Camera (photo and video)
Evidence inventory logs
Paper evidence bags
Evidence sticker labels or tags
Crime scene tape
The forensic expert should have radio frequency-shielding material such as Faraday isolation bags or aluminium foil to wrap cell phones, smartphones and other mobile communication devices after they have been seized. The shielding material prevents the device from receiving a call, text message or other communication signal that may alter the evidence.
Popular computer forensics tool sets:
To make research and investigation more fruitful, developers have created many forensic tools.
There are various factors to consider when selecting tools, including budget and the level of expertise in the team.
Some forensic tools are classified into the following categories:
Disk and data capture tools
The action or process of gathering data using automatic software, a device or a sensor.
The process by which hidden files can be viewed in a short interval of time and with less effort, e.g. some log files during internet artifact analysis.
File analysis tools
The process by which we determine a file's type depending on its content, not only its extension name or filename.
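Content-based file typing means comparing a file's leading bytes against known signatures and flagging files whose extension claims something else (a renamed executable, an image that is really an archive). This added example is not from the handbook or any of the tools it lists; the signature table and the sample files are constructed for the demonstration.

```python
"""Identify file types from their leading bytes and flag extension mismatches.
Added example; the signature table and sample files are constructed."""
import os

# (leading bytes, type name, extensions normally carrying that content)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"MZ", "pe-executable", {".exe", ".dll", ".sys"}),
    (b"\x7fELF", "elf-executable", {".so", ""}),  # "" = no extension, common on Linux
    (b"SQLite format 3\x00", "sqlite", {".db", ".db3", ".sqlite", ".sqlite3"}),
]
HEADER_LEN = max(len(magic) for magic, _, _ in SIGNATURES)


def identify(header):
    """Return the type name whose signature matches the leading bytes, or None."""
    for magic, name, _ in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def check_file(filename, header):
    """Compare the content-derived type with the extension the name claims.
    'mismatch' is None when the content is not a known type (nothing to compare)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(header)
    if kind is None:
        return {"file": filename, "type": "unknown", "ext": ext, "mismatch": None}
    allowed = set()
    for _, name, exts in SIGNATURES:
        if name == kind:
            allowed |= exts
    return {"file": filename, "type": kind, "ext": ext, "mismatch": ext not in allowed}


def scan_directory(path):
    """Read only the first HEADER_LEN bytes of each regular file under path."""
    results = []
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:
                results.append(check_file(name, f.read(HEADER_LEN)))
    return results


def scan_samples():
    """Constructed in-memory samples standing in for files found on a seized disk."""
    samples = {
        "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
        "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
        "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # executable renamed as text
        "photo.png": b"PK\x03\x04\x14\x00\x00\x00",       # archive renamed as image
        "messages.db": b"SQLite format 3\x00\x10\x00",
        "readme": b"Just some plain text\n",               # unknown content, no extension
    }
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        flag = "MISMATCH" if r["mismatch"] else ("unknown" if r["mismatch"] is None else "ok")
        print(f"{name:14} {r['type']:15} {flag}")
```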
Registry analysis tools
Like entering the dark and forbidden cave of the Windows, Mac or Linux OS.
The registry is a veritable gold mine of information for investigators and administrators.
Internet analysis tools
Tools that capture HTTP traffic between a PC and a server to analyse incoming and outgoing data, e.g. Wireshark.
Email analysis tools
Tools used to analyse email, such as the content of the email header and the originating IP address.
Mobile device analysis tools
Extracting information like call detail records, GPS records, app data and SMS, and checking the metadata of photos and videos as evidence.
Mac OS analysis tools
Because of its high security, analysing Mac OS is a bit challenging, but still some tools can be used to recover Mac data for analysis and to find evidence from the crime scene.
Network forensics tools
For example, if there is any unexpected happening in the network infrastructure, these tools can be used to find something meaningful, e.g. honeypots, canary tokens, etc.
Database forensics tools
The study of databases and their related metadata, applying investigative techniques to databases.
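Finding the originating IP from an email header means reading the Received lines bottom-up (each relay prepends its own line, so the oldest hop is last) and checking that the chain is consistent. This added example is not from the handbook; the message, hostnames and addresses are constructed with documentation-reserved IP ranges.

```python
"""Walk an email's Received headers to recover the delivery path and origin IP.
Added example; the message below is constructed, with reserved example addresses."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed message: three relays, the most recent Received line on top.
SAMPLE = """Received: from mx.example-inbox.test (mx.example-inbox.test [198.51.100.7])
\tby mail.victim.test with ESMTP id abc123; Tue, 5 Mar 2019 10:15:02 +0000
Received: from relay.example-sender.test ([203.0.113.9])
\tby mx.example-inbox.test with ESMTPS; Tue, 5 Mar 2019 10:14:58 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example-sender.test with ESMTPA; Tue, 5 Mar 2019 10:14:55 +0000
From: "Shop" <sales@example-sender.test>
To: buyer@victim.test
Subject: Your order
Message-ID: <1234@example-sender.test>
Date: Tue, 5 Mar 2019 10:14:50 +0000

Please pay now.
"""


def parse_received(value):
    """Split one Received header into from-host, from-IP, by-host and timestamp."""
    value = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"^from\s+(\S+)", value)
    m_by = re.search(r"\sby\s+(\S+)", value)
    from_part = value.split(" by ", 1)[0]  # only the sending side's IP counts
    ips = IPV4.findall(from_part)
    timestamp = None
    if ";" in value:  # the date follows the last semicolon
        try:
            timestamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": ips[0] if ips else None,
        "by": m_by.group(1) if m_by else None,
        "time": timestamp,
    }


def trace(raw_message):
    """Return the hops in delivery order (oldest first)."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """The IP in the earliest Received line that carries one."""
    for hop in trace(raw_message):
        if hop["ip"]:
            return hop["ip"]
    return None


def header_consistency(raw_message):
    """Checks an examiner applies before trusting the chain: each hop's 'by' host
    should be the next hop's 'from' host, and timestamps should not go backwards.
    Returns a list of issues; an empty list means the chain reads as consistent."""
    hops = trace(raw_message)
    issues = []
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] and later["from"] and earlier["by"] != later["from"]:
            issues.append(f"chain break: {earlier['by']} -> {later['from']}")
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            issues.append(f"timestamp goes backwards at {later['by']}")
    return issues


if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(hop["time"], hop["from"], hop["ip"], "->", hop["by"])
    print("origin:", originating_ip(SAMPLE), "issues:", header_consistency(SAMPLE))
```

An origin IP is only as trustworthy as the relays that recorded it; a forged bottom Received line is exactly what the consistency check is meant to surface, so examine any chain break before relying on the address.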
Oxygen Forensics Detective:- Oxygen Forensics Detective is a package of forensic extraction and analysis software for retrieving evidence from cell phones,smartphoness, and tablets. Oxygen Forensics Detective allows users to explore databases files such as .SQLite, .sqlite3, SQLite dB, .db, and .db3 using a built-in SQLite viewer. This suite of software supports extractions on mobile devices running on Android, iOS, Blackberry, Windows, and Symbian operating systems. This software also processes SQLite files to provide information about SMS, calls, app caches, and app data. Oxygen Forensics Detective also provides features like a built-in HEX viewer, a Plist Viewer, geo locational data viewer, file browsing and search functionality, Android rooting, and password extraction. Oxygen Detective also supports remote acquisitions on Windows phones, a screen lock disabler that disables the lock code for Android-based LG devices, and locked device acquisition for Android-based Samsung devices. Oxygen Forensics Detective allows for the extraction of common device information, cached browser data, call logs, contacts, photos, videos, device logs, encrypted backup files, deleted files, and account passwords from mobile devices.
Xplico is an open source, GUI-based Network Forensic Analysis Tool for Unix-based systems. It is used to extract application data contained from an internet traffic capture or packet capture.
Digital Detective Blade v1.13 Digital Detective’s Blade software is a GUI-based forensic data recovery tool for Windows systems. Blade has a few major features: data recovery profiles, Intelli-Carve®, and mobile phone data recovery.
Blade Standard supports all major forensic image format standards such as JPEG, MPEG-4, DD (raw image format), AFF, Smart/Expert Witness, Access Data FTK, and Encase E01. It also features tools such as regular expression searches, user-created recovery profiles, support for logical, virtual, and physical disc formats, carving of mobile and PC memory dumps, and validation through proprietary Intelli-Carve® software.
Kernel Data Recovery:- Kernel Data Recovery is a GUI-based data recovery tool for Windows systems. It can be used to recover deleted or corrupted data from supported databases such as MS SQL Server 2008/2012/2014, MS SharePoint Server 2007/2010/2013, MS Access, DBF, MySQL, and Paradox.
SysTools SQL Log Analyzer:- SQL Log Analyzer is a GUI-based log file parser that can analyze offline databases using MDF files on Windows systems. The software parses and filters MDF files and their .ldf activity to show SQL data such as the queries made, table names, transactions, user names, and time stamps.
WinHex:- WinHex is a hex editor used to examine file contents and their underlying hex values on Windows systems. WinHex is capable of more than just examining hex code: it can also compare files, clone disks, create drive image backups, encrypt files, create checksums for data integrity, and securely wipe hard drives.
NetCat:- NetCat is an open source back-end tool for reading and writing data across networks. NetCat uses both TCP and UDP to establish a network connection over IPv4 or IPv6. NetCat can be used to remotely send and retrieve encrypted digital files. This software allows for remote acquisitions; however, NetCat must be installed on both the machine that is sending data and the machine that is receiving data.
Windows Forensic Toolchest:- Windows Forensic Toolchest (WFT) is lightweight forensics software designed to make as little impact as possible on a suspect machine, making it a preferred tool for the live acquisition of volatile data on Windows systems. WFT is quite useful for analyzing a SQL Server database, as it is capable of extracting volatile data from the database for analysis of recent activity, error logs, and even recovery of lost data.
SQLCMD:- SQLCMD offers a variety of powerful command-line options that allow a large degree of customization. Its support for SQL scripts was designed to help with incident response: it allows quick action in response to data loss or a security breach of a database. In the hands of knowledgeable users, SQLCMD can be a powerful tool for analysis as well as process logging.
Forensic Toolkit (FTK):- Developed by AccessData, Forensic Toolkit (FTK) is considered one of the best forensics tools in the industry. From its wide variety of features and extensions to its continual growth and support, FTK has grown into a very powerful forensic tool with more benefits than just imaging and analyzing computer file systems.
The SIFT Workstation is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. It is an Ubuntu-based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation.
ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive.
Arsenal Image Mounter mounts the contents of disk images as complete disks in Windows. Arsenal Image Mounter includes a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are “real” SCSI disks.
forensics for threat detection and hunting.
Generates a physical memory dump of a Windows machine (32- and 64-bit); it can also run from a USB flash drive.
- Removes passwords from EnCase v6 and earlier files
- Finds out whether compression (and what level) was used
- Changes EWF/E01 metadata
- Requirements: Microsoft .NET Framework v4.0
It enables large-capacity disks to be formatted as FAT32.
Guymager is a free forensic imager for media acquisition. Its main features are:
- Easy user interface in different languages
- Runs under Linux
- Really fast, due to its multi-threaded, pipelined design and multi-threaded data compression
- Makes full use of multi-processor machines
- Generates flat (dd), EWF (E01) and AFF images; supports disk cloning
- Free of charge, completely open source
Live RAM Capture
It acquires volatile memory from a computer even when a debugging-protection or anti-dumping system is running.
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Magnet RAM Capture
Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independently of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF), an open and extensible format for storing disk images and associated metadata, and to the Expert Witness Compression Format (EWF).
It captures network protocol traffic and analyses it.
Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).
- View the Exchange data on stand-alone workstations.
- Open healthy as well as corrupted EDB files.
- View user mailboxes and public folders.
- Access EDB files through the network.
- Search for specific items in user mailboxes and public folders.
- Filter the mailbox data based on various criteria.
- Open any number of EDB files absolutely free of cost.
View MBOX emails and attachments
Kernel OST Viewer
This tool generates a free preview of all OST file items, including emails, calendar entries, deleted items, attachments, contacts, etc. The OST reader tool supports viewing healthy and corrupt OST files. Along with this, the software allows opening emails and attachments.
File and Data analysis
Advanced Prefetch Analyser:-
Reads Windows prefetch files.
Analyse MFT:
Parses the MFT from an NTFS file system; the result is analysed by other tools.
Crowd Response:-
CrowdStrike Antivirus Resource Monitor is a small utility written for Windows to measure the resource usage of your existing AV solution.
This utility was designed to calculate date/time values from the various timestamps that may be found inside data files, for when you need to decode a date or verify a date provided to you by forensic software.
eCryptfs Parser is a GUI tool for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you which encryption algorithm was used, the original file size, the signature used, etc.
Passware Encryption Analyzer is a free tool that scans a system to detect protected or encrypted documents, archives, and other types of files. This application provides detailed information about any protected items found, including protection methods and encryption types.
Reads, writes and edits Exif data in a large number of file types.
Can perform different operations on a file, such as encryption, repairing damage, signature checking, hash value calculation, and file identification.
SQLite Manager:
Firefox add-on enabling viewing of any SQLite database.
Networking forensic analysis tools
Phone Analyzer:
Explores the internal file structure of iPads, iPods and iPhones.
ivMeta is a tool designed to extract useful forensic metadata from iPhone video.
SAFT is a free and easy-to-use mobile forensics application developed by SignalSEC security researchers. SAFT allows you to extract valuable information from a device in just one click!
- Autopsy was designed to be an end-to-end platform
- Timeline Analysis – Advanced graphical event viewing interface (video tutorial included).
- Hash Filtering – Flag known bad files and ignore known good.
- Keyword Search – Indexed keyword search to find files that mention relevant terms.
- Web Artifacts – Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
- Data Carving – Recover deleted files from unallocated space using PhotoRec
- Multimedia – Extract EXIF from pictures and watch videos.
- Indicators of Compromise – Scan a computer using STIX.
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
DEFT Zero is a light version of DEFT specifically designed for the forensic acquisition of digital evidence.
Windows Registry Recovery :
Extracts configuration settings and other information from the Registry
- Application analysis
Extracts various data from the KaZaA application
Parliament Attack cyber case study (India)
The Bureau of Police Research and Development at Hyderabad handles some of the top cyber cases, including the analysis and retrieval of information from the laptop of a terrorist who attacked the Parliament in India.
The laptop was recovered from a terrorist attacker who was gunned down on December 13, 2001. The first attempt, in Delhi, to trace evidence on the laptop failed; the Hyderabad department then recovered it. They found that a sticker of the Home Ministry had been made on the laptop and pasted on the attackers' car for entry into the restricted area, together with a fake ID card bearing the government logo with three lions.
During careful examination, the seal was also found to have been craftily made, along with a residential address in Jammu and Kashmir. Careful detection proved that it was all forged and made on the laptop.
Case 2: Illegal money transfer
The accused in this case was working in a BPO call centre handling the business of a multinational bank. The culprit had obtained the PIN numbers and other confidential information of the bank's customers; using these details, accomplices working from different cyber cafes transferred huge sums of money from the accounts of different customers to fake accounts.
On receiving the complaint, the entire business process was scanned and a system analysis was conducted to establish how the data theft took place.
The investigators were successful in arresting two people, as they held the local bank account used for the illegal transfers.
During the investigation, the system server logs of the BPO were collected. The IP address was traced and the cyber cafe from which the illegal transfers were made was found.
The email accounts of those arrested were scanned and other vital information was found, such as the identities of the other accused. Some email accounts of the accused contained the SWIFT code required for internet money transfers. All 17 accused in the case were arrested in a short span of time. A total of 19 million was transferred. During the investigation, they found weaknesses in the present security systems of the call centre.
Case 3: Intellectual Property Theft
The complainant (a software company in Bangalore) alleged that some of the company's former employees, who had access to the company's IT system, had changed the source code of the software under development.
The investigation team scanned the email logs. They found an IP address and the ISP, for further investigation of the IP address. The address belonged to a different, Hyderabad-based company. The analysis revealed that the original source code, as well as its tampered version, had been stored on this system.
The investigating team made an arrest in India, and arrests of the other two, who are in the US, are underway.
Here is a list of some of the famous attacks of the 21st century, for further research.
1. Yahoo: victim of the biggest data breach in history
2. Adult Friend Finder, October 2016: hackers collected 20 years of data, including names, IDs, passwords, etc.
3. eBay: 145 million users compromised
4. Equifax: credit card data of 209,000 users exposed
5. Heartland Payment Systems: 134 million credit cards exposed through SQL injection
6. Target Stores: credit and debit card info of 110 million people leaked
7. TJX Companies, Inc.: 94 million credit cards exposed
8. Uber: 57 million users and 60k drivers exposed
9. JP Morgan Chase: 76 million households and 7 million small businesses impacted
10. US Office of Personnel Management: data of 22 million current and former federal employees leaked
11. Sony's PlayStation Network: 77 million PlayStation Network accounts hacked, estimated loss of $171 million
12. Anthem: theft of personal info on up to 78.8 million former customers
13. Stuxnet: attack on a nuclear power program
HACKS INTERNET ARTIFACTS
Internet artifacts are the data that the browser saves about the user's browsing activity. They are important for digital forensics because they can be used to build a timeline of the user's events in the browser and on the Internet in general. In the case of Mozilla Firefox, the history data is stored in SQLite files, which are files used to store databases. These files can be found in the Firefox profile folder. The path to the folder depends on the operating system:
Windows XP: C:\Documents and Settings\%username%\Local Settings\Application Data\Mozilla\Firefox\Profiles
OS X: /Users/$username/Library/Application Support/Firefox/Profiles/
In order to read the SQLite files the SQLiteman program can be used. It is available for Mac, Windows, and Linux at: https://sourceforge.net/projects/sqliteman/. An SQLite database is opened using Ctrl-O (or by going to File → Open).
First, the Firefox profile has the formhistory.sqlite database. This database contains all the data that the user has entered into forms. This could include usernames, emails, addresses, search queries, etc. It does not include passwords, as those are stored elsewhere. After opening a database, an SQL query is needed to get information. In this case run the command:
SELECT * FROM moz_formhistory;
The command retrieves information from the moz_formhistory table in the formhistory.sqlite database. The * means it returns all the information (every column).
In the above example, both a username and an email can be seen along with the number of times they were used.
The downloads.sqlite database has information on files downloaded using Firefox. This includes the name of the file, where it was downloaded from, where it was downloaded to, when the download started, and when it ended. This database does not contain information on files that were downloaded through an add-on or the cache, only files handled directly by the Firefox download manager. Use the following query:
SELECT * FROM moz_downloads;
The cookies.sqlite database stores all the Firefox cookies. The cookies could tell when was the last time a user visited a site, whether they were logged in or not, and whether the site set or requested the cookie. Use the following query:
SELECT * FROM moz_cookies;
The places.sqlite database has the most information related to the user's activity. It contains all the websites the user visited along with the time they visited them. The sites are stored in the moz_places table while the times are stored in the moz_historyvisits table, so the query has to match the entries in one table to those in the other. Also, the time is recorded in PRTime, which is the number of microseconds since January 1st, 1970. The following query not only lists the sites with their visit times, but also converts the time into a readable format:
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
The Firefox cache stores the images, scripts, and other parts of websites that have been visited, so that the same website loads faster when it is opened again. The cache is not stored in an SQLite file; instead, another program has to be used. In the case of Windows, download MozillaCacheView from https://www.nirsoft.net/utils/mozilla_cache_viewer.html. When this program is opened it will automatically read the current contents of the Firefox cache.
In the above example, one of the images from the cache is opened. The image's URL is in the data. The URL is then searched to get the original image.
Saved Session Data:
Whenever the Firefox browser is not closed properly, a file called sessionstore.js is created. This file stores information on all the closed tabs and windows of the browser. When the browser is reopened it reads the file in order to restore the tabs and windows, and then removes the file. Sessionstore.js is a JSON file. While it can be viewed with any text editor, it would be hard to understand that way, so a program like JsonView, which can be downloaded here: http://www.softpedia.com/get/Programming/File-Editors/JSON-Viewer-Mitec.shtmlm, is used to parse and organize the data.
Firefox stores the bookmarks data in the places.sqlite database. The name of the bookmark is in the moz_bookmarks table. The number of times it was used and the URL it links to are stored in the moz_places table. So the following query should be used:
SELECT moz_bookmarks.type, moz_bookmarks.title, moz_places.url, moz_places.title, moz_places.visit_count FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3;
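As an added example (not part of the handbook), the history query and the bookmarks query above run in Python against a constructed in-memory database that mirrors only the places.sqlite tables and columns those queries use; the PRTime conversion is also done in Python to cross-check the SQL datetime() form. Table and column names are Firefox's, the rows are made up, and an ORDER BY has been added to each query so the output order is deterministic.

```python
import sqlite3
from datetime import datetime, timezone


def to_prtime(dt):
    """Aware datetime -> PRTime (microseconds since 1970-01-01 00:00:00 UTC)."""
    return int(dt.timestamp() * 1_000_000)


def prtime_to_text(prtime):
    """PRTime -> 'YYYY-MM-DD HH:MM:SS' UTC, the same text SQLite's datetime() returns."""
    seconds = prtime // 1_000_000  # drop the microsecond part, as visit_date/1000000 does
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_places_db():
    """Constructed sample: a minimal subset of the places.sqlite schema with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        CREATE TABLE moz_bookmarks (
            id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, title TEXT);
    """)
    places = [
        (1, "https://example.org/login", "Login", 2),
        (2, "https://example.net/docs", "Docs", 1),
        (3, "https://example.com/never-visited", "Bookmark only", 0),  # bookmarked, no visits
    ]
    utc = timezone.utc
    visits = [
        (1, 1, to_prtime(datetime(2018, 3, 5, 10, 15, 30, tzinfo=utc))),
        (2, 2, to_prtime(datetime(2018, 3, 5, 10, 17, 5, tzinfo=utc))),
        (3, 1, to_prtime(datetime(2018, 3, 6, 8, 0, 0, tzinfo=utc))),
    ]
    # moz_bookmarks.type: 1 = bookmark, 2 = folder, 3 = separator (the query skips type 3)
    bookmarks = [
        (1, 2, None, "Bookmarks Toolbar"),
        (2, 1, 3, "Never visited site"),
        (3, 3, None, None),
        (4, 1, 1, "Login page"),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", visits)
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?)", bookmarks)
    conn.commit()
    return conn


# The handbook's history query, plus ORDER BY so the timeline comes out chronologically.
HISTORY_SQL = """
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch'), moz_places.url
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id
ORDER BY moz_historyvisits.visit_date;
"""

# The handbook's bookmarks query (comma before WHERE removed), plus ORDER BY.
BOOKMARKS_SQL = """
SELECT moz_bookmarks.type, moz_bookmarks.title, moz_places.url,
       moz_places.title, moz_places.visit_count
FROM moz_places, moz_bookmarks
WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3
ORDER BY moz_bookmarks.id;
"""


def history_timeline(conn):
    """Return [(visit time as text, url), ...] in visit order."""
    return conn.execute(HISTORY_SQL).fetchall()


def bookmarks(conn):
    """Return [(type, bookmark title, url, page title, visit_count), ...]."""
    return conn.execute(BOOKMARKS_SQL).fetchall()


if __name__ == "__main__":
    db = build_sample_places_db()
    for when, url in history_timeline(db):
        print(when, url)
    for row in bookmarks(db):
        print(row)
```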
Firefox stores the extensions data in a JSON file called extensions.js. It will contain data on what extensions the user has, when they were downloaded, and whether they are enabled.
In the following picture, it can be seen that the webextension uBlock is installed. It could also be found that the extension is enabled.
Many cybercrimes have involved the use of emails, either as the means or as the evidence of the crime. Emails could contain evidence of many types of crimes, such as:
- Domestic violence
- Identity theft
- Child exploitation and abuse
- Drug dealing
- Intellectual property theft
- Organized crime
Basics of Email:
There are two types of email systems:
- Client/Server Email: The client sends or receives the emails. The server stores the messages until the user retrieves them. In this system, the emails are downloaded onto the user’s computer.
- Web-based Email: The email account has to be accessed through a Web browser. The emails are stored in the email service provider’s server.
Email systems use a variety of protocols:
- SMTP (Simple Mail Transfer Protocol): It is part of the TCP/IP suite and is the primary protocol for sending messages through the Internet. SMTP is responsible for sending emails over either a network or the Internet.
- POP3 (Post Office Protocol 3): POP3 is used to read the email. It stores the emails in a single folder until the user downloads them. After an email has been downloaded, it is deleted from the server by POP3. However, a user could choose to keep the emails on the server after downloading for a period of time. This means the investigators should not ignore this server even if the user already downloaded the email.
- IMAP (Internet Message Access Protocol): IMAP is used to retrieve and read emails, like POP3. Unlike POP3, IMAP gives the user the option to store emails in various folders on the server. POP3 is still more widely used than IMAP.
An email address is made up of a username and a domain name. The domain name is everything after the @ symbol, while the username is everything before it. For example, in the email address example@yahoo.com, "example" is the username while "yahoo.com" is the domain name.
Parts of an Email:
An email contains a body and a header. The body is the actual content of the message. The header is shown either in a condensed version or in the full version. The header fields present determine the data the investigator can retrieve.
- From: This field contains the sender’s email address, which could be faked. It could also contain the sender’s name, which could also be faked. The reason they could both be faked is because SMTP does not verify email headers.
- To: This contains the receiver’s address, and possibly their name. Once again this could have been spoofed.
- Subject: This field could be blank. It could also contain misleading information.
- Date: This includes the date, day of the week, time, and time zone. This field is recorded by the sender’s computer’s clock. However, it is not accurate if the sender’s clock is not set correctly.
- X-Originating-IP: This field reveals the sender's IP address. An IP address can either be static or dynamic. A static IP address is a permanent address for a specific computer. A dynamic IP address is used by a computer for a period of time. When the time is up, the IP address is placed back into a pool of available IP addresses, where any computer could end up taking it.
- Received: This field is in the format “from [IP address] by [server name] with [Internet protocol], day of the week (first three letters), date [format: day month (first three letters) year], at [time (format is hour:minute:seconds)] time zone”. Some email systems do not include the IP address of the sender. Also, emails can contain more than one Received field if the email goes through several servers. This is because a server is responsible for creating this field. Multiple Received fields can reveal whether or not the sender’s IP address is faked. The investigator just has to check if the location next to the word “by” is the same as the location next to the word “from” in the Received field below it. If they do not match, then the sender’s IP address has been faked.
- Return-Path: This is where the email should be returned to if it could not reach its destination. If this does not match the address in the From field, then the sender faked their address.
- Message ID: This contains the name of the server and a unique string that the server assigned to the message. This string can be used to track the message.
- Received-SPF: The receiver of an email puts the email through an SPF query. This query checks if the sending server is allowed to send an email to the receiver’s domain. If the result is “fail” the message is rejected. If the result is “neutral” or “pass” then another spam filter decides if the message should be counted as spam.
- Authentication-Results: This field makes a recommendation to the user on the validity of the message’s origin and content.
- Content-Type: This indicates the type of data in the message, such as text, audio, video, or images.
- X-Mailer: This specifies the email system used to send the message. Examples include Microsoft Outlook and Verizon Webmail.
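As an added example (not from the handbook or from the Maras text it cites), the header checks described above worked in Python: the Received chain is walked hop by hop, comparing each field's "from" host with the "by" host of the field below it (the relay that handed the message on), Return-Path is compared with From, and the originating IP is taken from the oldest Received field and from X-Originating-IP. The message, host names and addresses are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (made-up hosts, RFC 5737 documentation IP ranges).
# Each relay prepends its own Received field, so the top one was added last
# and the bottom one by the first server that accepted the message.
SAMPLE_RAW = """\
Return-Path: <bounce@relay-example.net>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
    by inbound.example.com with ESMTP; Mon, 5 Mar 2018 10:17:05 +0000
Received: from smtp1.example.org (smtp1.example.org [192.0.2.10])
    by mx2.example.org with ESMTP; Mon, 5 Mar 2018 10:17:01 +0000
Received: from client-pc ([198.51.100.7])
    by smtp1.example.org with ESMTPA; Mon, 5 Mar 2018 10:16:58 +0000
X-Originating-IP: [198.51.100.7]
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Invoice
Message-ID: <20180305101658.1234@smtp1.example.org>
Date: Mon, 5 Mar 2018 10:16:55 +0000

Please see the attached invoice.
"""

# Same message with the middle hop's "from" host altered, constructed to show
# what an inconsistent chain looks like to the checker.
SAMPLE_BROKEN_CHAIN = SAMPLE_RAW.replace(
    "from smtp1.example.org (smtp1.example.org",
    "from mail.unrelated.example (smtp1.example.org")

RECEIVED_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value):
    """Split one Received field into its from-host, from-IP and by-host."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    ip = IPV4_RE.search(m.group(2) or "")  # IP sits in the comment after the from-host
    return {
        "from": m.group(1).strip("();,").lower(),
        "ip": ip.group(1) if ip else None,
        "by": m.group(3).strip("();,").lower(),
    }


def analyze_headers(raw_message):
    """Return the parsed hops, the apparent origin IP and a list of findings."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings = []

    # Adjacent pairs: the "from" host of a field should be the "by" host of
    # the field below it, otherwise the chain does not link up.
    for upper, lower in zip(hops, hops[1:]):
        if upper["from"] != lower["by"]:
            findings.append(
                f"received chain break: from={upper['from']} but previous hop by={lower['by']}")

    # Return-Path normally matches the From address.
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if return_path and from_addr and return_path != from_addr:
        findings.append(f"return-path mismatch: {return_path} != {from_addr}")

    # The oldest (bottom) Received field names the submitting client;
    # X-Originating-IP, when present, should agree with it.
    origin_ip = hops[-1]["ip"] if hops else None
    x_orig = IPV4_RE.search(msg.get("X-Originating-IP", "") or "")
    x_orig_ip = x_orig.group(1) if x_orig else None
    if origin_ip and x_orig_ip and origin_ip != x_orig_ip:
        findings.append(f"x-originating-ip {x_orig_ip} differs from first hop {origin_ip}")

    return {"hops": hops, "origin_ip": origin_ip,
            "x_originating_ip": x_orig_ip, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("clean chain", SAMPLE_RAW), ("broken chain", SAMPLE_BROKEN_CHAIN)):
        result = analyze_headers(raw)
        print(name, "->", result["origin_ip"], result["findings"])
```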
How to Conduct an Email Investigation:
The first step is obtaining the email. The computer forensics investigator should first make a copy of the digital evidence. The copy should of course include the full header and any attachments. Keep in mind that even if the receiver deletes the email, it may still be found on the sender's computer. Even if it is deleted there, it can be found on the backup tape of a network server, in a computer's temporary files, or in a computer's unallocated space.
The email's body and header should be searched for evidence. The investigator should also check attachments, people who have received copies of the email as secondary recipients, and people to whom the message was forwarded. In the header, the most important information is the IP address. The PING command can be used to check if the IP address is accessible (e.g. "ping 188.8.131.524").
A query tool known as WHOIS allows a computer forensics investigator to find out the contact and location information of the owner of an IP address. To use WHOIS, the investigator should type the IP address retrieved from the email into this query tool, and the tool then retrieves information about the ISP. A static IP address is easy to trace back to the computer. To trace a dynamic IP address, the investigator should also provide the date and time the criminal used the IP address. Domain names can also be used for a WHOIS search. However, in this case the investigator should know exactly what they are looking for, because many different results could come from this query. [Mar15]
Problems Encountered by Computer Forensics Investigators:
- Proxy Server: Criminals may use proxy servers to hide or mask their IP addresses. If someone uses a proxy server, that user’s identity is not revealed because the proxy server gives its own identity instead.
- Tor: It is a communication system that allows people to communicate without losing their privacy. Instead of the message taking a direct route, the data packets on the Tor network take a random pathway through several relays that cover your tracks, so no observer at a single point can tell where the data came from or where it is going.
- Avoidance: With this technique, a user's actions are displaced to times and places where the surveillance is assumed to be absent. For example, Al-Qaeda used this technique to distribute its propaganda videos. Websites and message boards were used to distribute these videos. Different websites uploaded the videos, then the videos would be removed after a period of time, and then they would be uploaded on different websites. This technique made it hard for authorities to track where the videos were being uploaded from.
- Piggybacking: When there is surveillance, the information that needs to pass through undetected can be attached to a legitimate object. One way this can be accomplished is with steganography where the data could be hidden inside a sound or image file. In this case, only someone with the appropriate software can see the hidden message.
- Blocking move: This is when the individual either blocks access to the communication or renders parts of it unusable. For example, encryption is considered a blocking move. This is because only the ciphertext is sent over the communication channel, and it is not usable to a third party. The intended recipient should have the decryption key.
- Pizzini: Small slips of paper, either handwritten or typewritten, that are used for communication in order to avoid the surveillance of telecommunications and electronic communications.
Bandwidth: the amount of data that can be sent over a network connection in a given period of time.
BIOS: basic input/output system; the set of routines stored in the system's read-only memory.
Blog: a series of online journal entries posted on a website.
Buffer: a block of memory that holds data temporarily.
Cables: a collection of wires or glass fibres used to communicate or transfer data.
CAT-5e: high-speed data transmission cable, commonly used for voice and data applications.
CAT6: cable standard for gigabit Ethernet and other interconnections that is backward compatible.
Chat room: an internet platform that allows multiple users to communicate with each other with audio, video, text or symbols.
Compact flash card: a small removable mass storage device that relies on flash memory technology.
Compressed file: a file that has been reduced from its original size by using a special algorithm.
Cookies: small text files in the computer's browser that store information about the user and the website.
CPU: central processing unit; a microprocessor chip that contains several thousand transistors.
Deleted file: a file no longer associated with the master file table; still on the media but not accessible by the operating system.
DHCP: dynamic host configuration protocol, responsible for dynamically allocating IP addresses.
Digital evidence: information stored or transmitted in binary form.
Documentation: written notes, audio, video, printed forms, sketches or photographs that form a detailed record of the scene and the evidence recovered.
Dongle: a copy-protection or security device supplied with software.
DSL: digital subscriber line; high-speed data communication over existing telephone lines.
Electromagnetic field: a field produced by an electric charge, e.g. from a speaker, transformer, etc.
Electronic storage device: any medium that can be used to record information electronically; examples include hard disks, videotape, CDs, DVDs, flash cards, floppy disks, zip files, etc.
Encryption: any procedure used in cryptography to convert plaintext into ciphertext to keep the text secret and safe.
EPROM: read-only memory that can be erased if the power supply is cut off.
Ethernet: standard LAN access method that connects electronic devices to a network cable.
Faraday: unit for measuring charge, approximately 6.02 × 10^23.
Firewall: allows or blocks traffic into and out of a private network or a user's computer, and is the primary method of keeping a computer safe from unauthorized access.
GPS: global positioning system, used to obtain the exact location of a device.
Host: a computer on a network that provides services to other computers in the same network, e.g. HTTP, SMTP.
IM (instant message): a type of real-time communication over the internet.
IP (internet protocol) address: a 32-bit binary number that uniquely identifies a host connected to the internet, e.g. 127.0.0.1.
ISP: internet service provider, used to access the internet.
Latent: present but not visible to the naked eye, yet capable of becoming visible.
MAC address: unique physical address given by the manufacturer to each device present in a network.
PDA: personal digital assistant.
Peripheral: any device that is not part of the core computer system, e.g. CD-ROM drive, internal modem.
Phishing: internet fraud through an email linking to a website or other source.
Port: physical interface through which a computer communicates with other devices.
RAM: random access memory that stores data and can be accessed by the processor without
Remote: files, devices and other resources that are not connected directly to the PC.
Server: a computer that provides services to other computers.
SIM card: used in a mobile phone to make phone calls; it handles user authentication with the network.
Virus: a software program capable of spreading and reproducing itself when connected.
VoIP: voice over Internet Protocol.
We can see that one needs to have a strong background to perform analysis: the target aspects with the necessary skills, knowing which steps should be taken to reach a result, and taking agency policy measures into account. Legal aspects are also very important; one must know the local law related to the crime scene. Case studies make one think and act more like a criminal. At the end are some live forensics hacks, like internet artifacts and email hacks. Now I would like to close my writing by thanking Professor Markus Schäffter,
Professor of Data Protection & IT Security,
Hochschule Ulm, Fakultät Informatik, and my other classmates.
[Mar15] Computer Forensics by Marie-Helen Maras