
Digital Forensic

Dr. Nilakshi Jain


Associate Professor
Department of Information Technology
Shah and Anchor Kutchhi Engineering College
Mumbai, Maharashtra

Dr. Dhananjay R. Kalbande


Professor and Head of Department
Department of Computer Engineering
Sardar Patel Institute of Technology
Mumbai, Maharashtra

WILEY
Contents

Preface V

About the Authors VII

Acknowledgments IX

Chapter 1 Introduction to Computer Crimes and Ethical Hacking 1

Learning Objectives 1
1.1 Introduction to Cybercrime 1
1.2 Categories of Cybercrimes 2
1.2.1 Cybercrimes Against People 2
1.2.2 Cybercrimes Against Property 3
1.2.3 Cybercrimes Against Government 3
1.3 Types of Cybercrimes 3
1.3.1 Hacking 3
1.3.2 Denial-of-Service Attacks (DoS Attacks) 4
1.3.3 Trojan Attacks 5
1.3.4 Credit Card Frauds 5
1.3.5 Cyber Pornography 5
1.3.6 Online Betting 5
1.3.7 Software Piracy 6
1.3.8 Email Spoofing 6
1.3.9 Forgery/Falsification 6
1.3.10 Phishing 6
1.3.11 Cyber Terrorism 6
1.3.12 Salami Attacks 6
1.3.13 Defamation 7
1.3.14 Cyber Stalking 7
1.4 The Internet Spawns Crime 7
1.5 Worms Versus Viruses 7
1.5.1 Viruses 8
1.5.2 Worms 8
1.6 Computer's Role in Crimes 9
1.7 Cybercrime Statistics in India 10
1.8 Prevention of Cybercrime 11
1.9 Definition of Hacker 12
1.10 Definition of Crackers 12
1.11 Definition of Phreakers 13
1.12 Ethical Hacking 13
1.13 Difference between Hacking and Ethical Hacking 14
1.14 Steps of Ethical Hacking 14
1.14.1 Reconnaissance 14
1.14.2 Scanning 15
1.14.3 Gaining Access 16
1.14.4 Maintaining Access 16
1.14.5 Clearing Tracks 17
1.15 Exploring Some Tools for Ethical Hacking 17
1.15.1 Reconnaissance Tools 19
1.15.2 Scanning Tools 19
1.16 What to Do if Been Hacked? 20
Summary 20
Key Terms 21
Review Questions

Chapter 2 Introduction to Digital Forensics and Digital Evidences 23

Learning Objectives 23
2.1 Introduction to Digital Forensic 24
2.2 Need of Digital Forensic 25
2.3 Rules of Computer/Digital Forensic 25
2.4 Types of Digital Forensics 26
2.5 Ethical Issues 26
2.5.1 General Ethics Norms for Investigator in Digital Forensic Field 27
2.5.2 Unethical Norms for Digital Forensic Investigation 27
2.6 Digital Forensic Investigations 27
2.7 Introduction to Digital Evidences 28
2.7.1 The Best Evidence Rule 29
2.7.2 Original Evidence 29
2.8 Rules of Digital Evidence 30
2.9 Characteristics of Digital Evidence 30
2.9.1 Locard's Exchange Principle 30
2.9.2 Digital Stream of Bits 30
2.10 Types of Evidence 31
2.10.1 Illustrative Evidence 31
2.10.2 Electronic Evidence 31
2.10.3 Documented Evidence 31
2.10.4 Explainable Evidence (Exculpatory) 31
2.10.5 Substantial Evidence 31
2.10.6 Testimonial 31
2.11 Challenges in Evidence Handling 31
2.11.1 Authentication of Evidence 32
2.11.2 Chain of Custody 32
2.11.3 Evidence Validation 33
Summary 34
Key Terms 34
Review Questions 35

Chapter 3 Incidence Response Process 37


Learning Objectives 37
3.1 Introduction 37
3.1.1 An Incident 37
3.1.2 An Incident Response 38
3.1.3 An Incident Response Plan 38
3.1.4 Goals of Incident Response 38
3.2 People Involved in Incident Response Process 38
3.2.1 Role of Computer Security Incident Response Team 39
3.3 Incident Response Process 41
3.3.1 Initial Response 41
3.3.2 Investigation 42
3.3.3 Remediation 42
3.3.4 Tracking of Significant Investigative Information 43
3.3.5 Reporting 43
3.4 Incident Response Methodology 44
3.4.1 Pre-Incident Preparation 45
3.4.2 Detection of Incidents 46
3.4.3 Initial Response 47
3.4.4 Formulate Response Strategy 48
3.4.5 Investigate the Incident 51
3.4.6 Reporting 55
3.4.7 Resolution 55
3.5 Activities in Initial Response 56
3.5.1 Obtaining Preliminary Information 56
3.5.2 Documenting Steps to Take 56
3.6 Phases after Detection of an Incident 57
3.6.1 Recording the Details after Initial Detection 57
3.6.2 Incident Declaration 57
3.6.3 Assembling the Computer Security Incident Response Team 57
3.6.4 Performing Traditional Investigation Steps 58
3.6.5 Conducting Interviews 58
3.6.6 Formulating a Response Strategy 58
Summary 59
Key Terms 59
Review Questions 59

Chapter 4 Live Data Collection 61


Learning Objectives 61
4.1 Introduction 61
4.2 The Facts in a Criminal Case 62
4.2.1 Definition of Evidence 62
4.2.2 Evidence Admissibility 62
4.2.3 Collection of Digital Evidences 62
4.3 People Involved in Data Collection Techniques 63

4.3.1 Role of First Responder 63
4.3.2 Role of Investigators 63
4.3.3 Role of Crime Scene Technicians 63
4.4 Live Data Collection 64
4.4.1 Live Data Collection from Windows System 64
4.4.2 Creating a Response Toolkit 65
4.4.3 Saving Information Collected During Initial Response 67
4.4.4 Obtaining Volatile Data 69
4.4.5 Documenting and Managing the Investigation 69
4.4.6 Collecting Temporal Data 70
4.5 Live Data Collection from UNIX System 74
4.5.1 Creating a Response Toolkit 75
4.5.2 Saving Information Obtained at the Time of Initial Response 75
4.5.3 Obtaining Volatile Data before Forensic Duplication 75
Summary 80
Key Terms 80
Review Questions 80

Chapter 5 Forensic Duplication 81


Learning Objectives 81
5.1 Introduction to Forensic Duplication 81
5.2 Rules of Forensic Duplication (Thumb Rule) 81
5.3 Necessity of Forensic Duplication 82
5.4 Forensic Duplicates as Admissible Evidence 83
5.5 Important Terms in Forensic Duplicate 83
5.5.1 Forensic Duplicate 83
5.5.2 Qualified Forensic Duplicate 84
5.5.3 Restored Image 84
5.5.4 Mirror Image 84
5.6 Forensic Image Formats 84
5.6.1 Complete Disk Image 85
5.6.2 Partition Image 85
5.6.3 Logical Image 86
5.6.4 Image Integrity 86
5.7 Traditional Duplication 87
5.7.1 Hardware Write Blockers 88
5.7.2 Image Creation Tools 88
5.8 Live System Duplication 89
5.9 Forensic Duplication Tool Requirements 90
5.9.1 AccessData FTK Imager 90
5.9.2 Guidance Software EnCase 90
5.10 Creating a Forensic Duplicate of a Hard Drive 91
5.10.1 Duplicating with dd and dcfldd 91
5.10.2 Creating a Linux Boot Media 91
5.10.3 Performing a Duplication with dd 92
5.10.4 Duplicating with the Open Data Duplicator
5.11 Creating a Qualified Forensic Duplicate of a Hard Drive 95
5.11.1 Creating a Boot Disk 95
5.11.2 Creating a Qualified Forensic Duplicate with SafeBack 96
5.11.3 Creating a Qualified Forensic Duplicate with EnCase 98
Summary 101
Key Terms 101
Review Questions 102

Chapter 6 Disk and File System Analysis 103


Learning Objectives 103
6.1 Media Analysis Concepts 103
6.1.1 File System Abstraction Model 103
6.2 Partitioning and Disk Layouts 104
6.2.1 Partition Identification and Recovery 105
6.2.2 Redundant Array of Inexpensive Disks 105
6.3 Special Containers 106
6.3.1 Virtual Machine Disk Images 106
6.3.2 Forensic Containers 106
6.4 Hashing 107
6.5 Carving 108
6.5.1 Foremost 109
6.6 Forensic Imaging 110
6.6.1 Deleted Data 111
6.6.2 File Slack 111
6.6.3 dd 112
6.6.4 dcfldd 113
6.6.5 dc3dd 114
Summary 114
Key Terms 115
Review Questions 115

Chapter 7 Data Analysis 117


Learning Objectives 117
7.1 Preparation Steps for Forensic Analysis 117
7.1.1 Restoring a Forensic Duplicate 117
7.1.2 Preparing a Forensic Duplication for Analysis in Linux 118
7.1.3 Reviewing Image Files with Forensic Suites 118
7.1.4 Converting a Qualified Forensic Duplicate to a Forensic Duplicate 122
7.1.5 Recovering Deleted Files on Windows Systems 124
7.1.6 Recovering Unallocated Space, Free Space, and Slack Space 125
7.1.7 Generating File Lists 126
7.1.8 Preparing a Drive for String Searches 127
7.2 Investigating Windows Systems 128
7.2.1 Reviewing All Pertinent Logs 128
7.2.2 Performing Keyword Searches 129
7.2.3 Reviewing Relevant Files 129
7.2.4 Identifying Unauthorized User Accounts or Groups 130
7.2.5 Identifying Rogue Processes 130
7.2.6 Looking for Unusual or Hidden Files 130
7.2.7 Checking for Unauthorized Access Points 131
7.2.8 Examining Jobs Run by the Scheduler Service 131
7.2.9 Analyzing Trust Relationships 132
7.2.10 Reviewing Security Identifiers 132
7.3 Investigating UNIX Systems 132
7.3.1 Reviewing Pertinent Logs 133
7.3.2 Performing Keyword Searches 133
7.3.3 Reviewing Relevant Files 134
7.3.4 Identifying Unauthorized User Accounts or Groups 134
7.3.5 Identifying Rogue Processes 135
7.3.6 Checking for Unauthorized Access Points 135
7.3.7 Analyzing Trust Relationships 135
7.3.8 Detecting Trojan Loadable Kernel Modules 136
7.4 Investigating Applications 136
7.4.1 Web Browsers 136
7.4.2 E-mail 141
7.4.3 E-mail Forensic Tools 144
7.5 Malware Handling 146
7.5.1 Basic Static Analysis 147
7.5.2 Advanced Static Analysis 147
7.5.3 Basic Dynamic Analysis 147
7.5.4 Advanced Dynamic Analysis 147
7.5.5 Malware Analysis Report 147
Summary 147
Key Terms 147
Review Questions 148

Chapter 8 Network Forensic 149


Learning Objectives 149
8.1 Introduction to Network Forensic 149
8.2 Understanding Password Cracking 150
8.2.1 Brute Force 150
8.2.2 Exploitation of Stored Passwords 150
8.2.3 Interception of Passwords 151
8.2.4 Password Decryption Software 151
8.2.5 Social Engineering 151
8.2.6 Prevention and Response 152
8.2.7 Protecting the Network Against Social Engineers 152
8.3 Understanding Technical Exploits 152
8.3.1 Protocol Exploits 152
8.3.2 Application Exploits 153
8.3.3 Operating System Exploits 155
8.4 Introduction to Intrusion Detection System 157
8.4.1 Offerings of Intrusion Detection System 157
8.5 Types of Intrusion Detection System 157
8.5.1 Active IDS 157
8.5.2 Passive IDS 158
8.5.3 Network-Based IDS 158
8.5.4 Host-Based IDS 159
8.5.5 Knowledge-Based IDS (Signature Based) 159
8.5.6 Behavior-Based IDS (Anomaly Based) 159
8.6 Understanding Network Intrusions and Attacks 159
8.6.1 Intrusions versus Attacks 160
8.6.2 Recognizing Direct versus Distributed Attacks 161
8.6.3 Automated Attacks 161
8.6.4 Accidental Attacks 161
8.6.5 Preventing Intentional Internal Security Breaches 161
8.6.6 Preventing Unauthorized External Intrusions 162
8.6.7 Planning for Firewall Failures 162
8.6.8 External Intruders with Internal Access 162
8.6.9 Recognizing the "Fact of the Attack" 163
8.6.10 Identifying and Categorizing Attack Types 163
8.7 Analyzing Network Traffic 164
8.8 Collecting Network-Based Evidence 164
8.8.1 What is Network-Based Evidence? 164
8.8.2 What are the Goals of Network Monitoring? 164
8.8.3 Types of Network Monitoring 165
8.8.4 Setting Up a Network Monitoring System 167
8.8.5 Performing a Trap and Trace 167
8.8.6 Using TCPDUMP for Full Content Monitoring 168
8.8.7 Collecting Network-Based Log Files 169
8.9 Evidence Handling 169
8.10 Investigating Routers 169
8.10.1 Obtaining Volatile Data Prior to Powering Down 169
8.10.2 Finding the Proof 170
8.11 Handling Router Table Manipulation Incidents 170
8.11.1 Investigating Routing Table Manipulation Incidents 170
8.11.2 Recovering from Routing Table Manipulation Incidents 171
8.12 Using Routers as Response Tools 171
8.12.1 Understanding Access Control Lists 171
8.12.2 Monitoring with Routers 171
8.12.3 Responding to DDoS Attacks 171
Summary 172
Key Terms 172
Review Questions 172

Chapter 9 Report Writing 175


Learning Objectives 175
9.1 Goals of Report 175
9.2 Layout of an Investigative Report 175
9.3 Guidelines for Writing a Report 180
9.4 Sample for Writing a Report 185
Summary 186
Key Terms 187
Review Questions 187

Chapter 10 Computer Forensics Tools 189

Learning Objectives 189
10.1 Introduction to Computer Forensic Tools 189
10.2 Needs of Computer Forensics Tool 189
10.3 Types of Computer Forensics Tools 190
10.3.1 Hardware Forensics Tools 190
10.3.2 Software Forensics Tools 190
10.4 Tasks Performed by Computer Forensics Tools 191
10.5 Study of Digital Forensic Tools 194
10.5.1 Sleuth Kit Autopsy 194
10.5.2 Autopsy 195
10.5.3 SANS SIFT 199
Summary 200
Key Terms 200
Review Questions 200

Further Readings 201


Appendix A: Lab Experiments 203
Appendix B: Questions and Answers 257
Introduction to Computer Crimes and Ethical Hacking

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the concept of cybercrime and its effect on the digital world.
• Understand the concept of hacking and its effect on the digital world.
• Interpret and apply security mechanisms on various cybercrimes.
• Understand the methods of ethical hacking.
• Identify the different types of cybercrimes.
• Interpret and apply security mechanisms to secure systems.
• Explore practical knowledge about ethical hacking methodology.
• Distinguish different categories of hacking.

The first faults are theirs that commit them; the second faults are theirs that permit them.

- Thomas Fuller

1.1 Introduction to Cybercrime

Crimes in India, using computers as the tool, have been on the rise. With the increasing trend of crimes using computers, tools are being built to prevent such crimes from happening. In today's world, the internet has become an integral part of our everyday life. Every day, hackers or criminals attack our computers to sniff into our personal data or other confidential data.
The term cybercrime refers to crimes committed using computer (Figure 1.1). Traditionally, cybercrime refers to the crime involving computer and computer network.
According to the law enforcement agency, internet-related crimes can be categorized as:
1. Advanced cybercrime/high-tech crime: Attacks against computer hardware and software;
2. Cyber-enabled crime: Numerous 'traditional' crimes have taken a new turn with the arrival of internet, such as crimes against youngsters, monetary crimes, and even acts of terrorism.
Cybercrimes have an adverse effect on governments, businesses, and even ordinary people. For example, a botnet is a network of internet-connected computers that are infected by viruses and controlled as a group.

Figure 1.1 Cyhcrcrime.

If an individual wants to prevent a cybercrime, he/she should adopt digital forensic tools to reduce the vulnerability score. To protect our confidential data or any personal data, the hard drive should be cleansed using a solution. As the crimes related to computer are increasing day by day, tools required to fight against the same are being developed faster.

1.2 Categories of Cybercrimes

Cybercrimes can be broadly divided into three major categories (Figure 1.2).

Figure 1.2 Categories of cybercrime (against people: cyber-stalking, email spoofing, etc.; against property: computer vandalism, transmitting viruses, etc.; against government).

1.2.1 Cybercrimes Against People


Cybercrimes committed against people include crimes such as cyber porn, transmission of child pornography, harassment of an individual through email, false legal agreement scams, etc. The trafficking, distribution, posting, and dissemination of obscene material, together with pornography and misdemeanour, constitute important cybercrimes committed against people. The potential impact of such a criminal offense to humanity can hardly be explained. Cyber harassment could be a distinct cybercrime. Various harassments can and do occur in internet, or through the use of internet. This includes sexual, racial, religious, or other harassments. People perpetuating such harassments are guilty of cybercrimes.

1.2.2 Cybercrimes Against Property


Cybercrime against all forms of property is the second category of cybercrime. Crimes in this category include computer vandalism, meaning destruction of others' property, and transmission of harmful viruses, worms, or programs. An Indian-based start-up engineering company lost its money and repute when the rival company, a business major, stole the technical catalogue from their computers with the assistance of a company cyber spy software.

1.2.3 Cybercrimes Against Government


Cybercrimes against Government are the third type of cybercrime. Cyber terrorism is a distinct crime in this category. The spread of internet has shown that this medium is used by people and groups to threaten the international governments and also to terrorize the citizens of a country. This crime manifests itself into an act of terrorism once a private individual 'cracks' into a government or military maintained website.

1.3 Types of Cybercrimes


Cybercrimes can be broadly divided as:
1. Violent or potentially violent cybercrimes: Violent or potentially violent cybercrimes are those that pose a physical risk to some person or people. They can be further categorized as:
(a) Cyber terrorism
(b) Cyber stalking
(c) Assaults by threat
(d) Child pornography
2. Non-violent cybercrimes: Non-violent cybercrimes are those that do not directly pose a physical risk to some person or persons, but indirectly they do pose a risk. They can be categorized further as:
(a) Cyber theft
(b) Cyber trespass
(c) Cyber fraud
(d) Destructive cybercrimes
In this section, we will discuss hacking, DoS attack, Trojan attack, credit card frauds, cyber pornography, online betting, software piracy, email spoofing, forgery, phishing, cyber terrorism, Salami attacks, defamation, and cyber stalking.

1.3.1 Hacking
Do not hack, but when you do, it should be ethical!
Eric Raymond, compiler of The New Hacker's Dictionary, defines a hacker as an artless coder. A 'good hack'
may be a clever answer to a programming difficulty and 'hacking' (Figure 1.3) is the act of doing it.
According to Raymond, the following five likely characteristics qualify one as a hacker:

1. An individual who enjoys learning details of a programming language or system.


2. An individual who enjoys truly doing the programming instead of simply theorizing it.
3. An individual capable of appreciating somebody else's hacking.
4. An individual who picks up programming quickly.
5. An individual who is a professional in a specific programming language or system.
Figure 1.3 Hacking.

1.3.2 Denial-of-Service Attacks (DoS Attacks)


A Denial-of-Service (DoS) attack is a trial to make an online service unavailable by overloading the network traffic from multiple sources. DoS targets a large variety of resources (Figure 1.4).

Figure 1.4 Denial-of-service attack (the attacker sends a command for his bots to attack the bank; thousands of requests from compromised PCs are sent to the bank website simultaneously; the bank is flooded with requests and cannot operate effectively).

1.3.3 Trojan Attacks


Trojans are small particles of malware that allow the hacker to either gain or obtain remote access to any computer. Trojans can neither self-replicate nor automate as they interact with the hacker to meet and fulfil his/her purpose (Figure 1.5).
Trojans need to be installed from an executable file (.exe) or a compiler. Sometimes, Trojans exploit the bugs in the browser, media player, etc. Once the Trojan is installed, the hacker can use them to access all the sensitive or confidential and personal information or data.

Figure 1.5 Trojan (infection occurs, then a connection is established using IP address and port).

1.3.4 Credit Card Frauds


Credit card frauds usually occur when an individual discloses his/her confidential data such as credit card number, CVV number, secret code for transaction, expiry date, etc., to an unknown person, who could be a potential hacker. This is often the case when a card is stolen or lost or when mails are diverted from the actual recipient to the hacker. This kind of fraud is an identity fraud in which a hacker takes the necessary information about the credit card for his/her personal purpose.

1.3.5 Cyber Pornography


Cyber pornography refers to distributing pornography over the internet. People create and distribute porn or obscene materials over the internet. It includes children involved in sexual acts with adults. It is a criminal offense and is classified as causing harm to humans. It refers to Section 67 of IT Act, which is the most serious Indian Law. The other laws that deal with pornography are Indecent Representation of Women Act and the Indian Penal Code. It is a serious crime in India, but not considered so in many other countries such as United States of America (USA).

1.3.6 Online Betting


Online betting is also called online gambling or internet gambling and takes place over the internet. Online gambling is the basic term used for gambling over the internet. Many websites available over the internet are used for gambling.

1.3.7 Software Piracy
Software piracy refers to the act of distributing licensed or paid or copyrighted software for free or at lower cost over the internet. It is considered to be the most profitable business. According to the Business Software Alliance (BSA), approximately 39% of the total softwares that are currently being used across the globe are stolen or pirated. What it means is the unauthorized copying of software and retailing it over the internet for free or at lower cost. The percentage of software piracy grew to 39% from the recent survey carried out in May 2016.

1.3.8 Email Spoofing


Email spoofing refers to sending emails from an unknown or false source. Spoofing means that the hacker sends an email from your email address. The hacker tries to send spam emails or emails that include attractive offers, which the individual accepts and fills certain details. The hacker simultaneously receives all the necessary email ids and passwords. In recent times, even viruses are transmitted over emails. These viruses reside in our device or emails, and are constantly monitored by the hacker. This will be discussed in detail in Chapter 12.

1.3. 9 Forgery/Falsification
Forgery refers to the action of forging a copy or imitation of a document, signature, or banknote. It is done to earn a huge profit by selling the forged resource. Forgery is nothing but the creation of a wrong written document or alteration of an original document with the intention of defraud or deception. Forgery comes under criminal law, with the penal code as Forgery (Sections 463, 465, 466, 468, 469, 471, 474, 476, 477A IPC). Forgery is a serious crime that harms any human for his/her personal benefit.

1.3.10 Phishing
Phishing is a fraud type wherein the hacker tries to get personal information, including login credentials or any bank account information, by pretending to be a genuine entity in email, messages, or other communication channels. In this type of crime, the victim receives a fake email from a company or organization or a genuine source. These emails generally include an attachment or an outbound link that installs harmful malware or virus on the victim's device or may redirect the victim to a harmful or malicious website, developed to cheat the victim and get the personal and other financial details or information such as username, email-ids, passwords, credit card or debit card details, etc. Phishing is an attempt to obtain sensitive information from the user or victim.

1.3.11 Cyber Terrorism


Cyber terrorism is a planned activity in the cyber space via computer networks. It includes the use of email as a communication medium. The term 'cyber terrorism' is a controversial term that includes actions of deliberateness, disruption of networks over a large scale, especially personal desktops or devices which are attached to the internet, by using tools such as viruses or malware. Examples of cyber terrorism include hacking of medical database, which involves changing or deleting the facts, leading to a wrong treatment.

1.3.12 Salami Attacks


Salami attack is a combination of many small attacks that can go undetected due to the nature of cybercrime. It is also known as salami slicing or penny shaving, where the attacker uses an online database to seize the customer information such as bank/credit card details, and deducts minuscule amounts from every account over a period of time. These amounts, unnoticeably taken from collective accounts, add up to a large amount of money. Most people fail to report such deductions, often letting it go because of the amount involved, which could be a fraction of a cent, so as to avoid suspicion from the unsuspecting customer. A salami attack is a small attack that can be repeated many times efficiently. Thus, the overall impact of the attack is huge. For example, stealing the round-off amounts from the interest in bank accounts. Even though it is less than 1 cent per account, when multiplied by millions of accounts over many months, the adversary can retrieve quite a large amount. It is also less likely to be noticeable since your average customer would assume that the amount was rounded down to the nearest cent.
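To make the round-off example concrete, here is an added illustration in Python (not from the book): a constructed five-account ledger has its monthly interest posted once fairly and once with the shaved fractions pooled into a hypothetical insider account, and two reconciliation checks show how a bank's audit would expose the skim; a 2000-account synthetic ledger shows the bias test at the scale the text describes. All account ids, balances, rates and the SKIM_ACCOUNT name are constructed.

```python
"""Salami-attack illustration: truncating interest to the cent and pooling
the shaved fractions, beside the reconciliation checks that expose it.
Constructed example; the ledger, rates and account ids are synthetic."""
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN
import random

CENT = Decimal("0.01")

# Constructed sample ledger: (account_id, balance, annual_rate). Not real data.
LEDGER = [
    ("ACC-0001", Decimal("1000.00"), Decimal("0.06")),
    ("ACC-0002", Decimal("1234.56"), Decimal("0.06")),
    ("ACC-0003", Decimal("789.10"), Decimal("0.06")),
    ("ACC-0004", Decimal("2501.99"), Decimal("0.06")),
    ("ACC-0005", Decimal("333.33"), Decimal("0.06")),
]
SKIM_ACCOUNT = "ACC-9999"   # hypothetical account controlled by the insider


def exact_monthly_interest(balance, annual_rate):
    """Interest before rounding; Decimal keeps every sub-cent digit."""
    return balance * annual_rate / 12


def post_interest_honest(ledger):
    """Fair posting: round half-to-even per account and carry the rounding
    residue (exact minus posted) so that it can be reconciled later."""
    postings = {}
    residue = Decimal("0")
    for acct, balance, rate in ledger:
        exact = exact_monthly_interest(balance, rate)
        cents = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        postings[acct] = cents
        residue += exact - cents
    return postings, residue


def post_interest_salami(ledger, skim_account=SKIM_ACCOUNT):
    """Salami posting as described in the text: every account is truncated
    DOWN to the cent and the shaved fractions are pooled into one account."""
    postings = {}
    skim = Decimal("0")
    for acct, balance, rate in ledger:
        exact = exact_monthly_interest(balance, rate)
        cents = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = cents
        skim += exact - cents
    postings[skim_account] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return postings, skim


# --- detection side (what an audit or reconciliation job would run) -------

def rounding_bias_cents(ledger, postings):
    """Mean signed (exact - posted) per account, in cents. Fair rounding
    averages out near 0; systematic truncation sits near +0.5 cent."""
    total = Decimal("0")
    for acct, balance, rate in ledger:
        total += exact_monthly_interest(balance, rate) - postings[acct]
    return total / len(ledger) * 100


def unexplained_postings(ledger, postings):
    """Credits to accounts that earned no interest in this run: the pooled
    skim lands here because no balance/rate pair produced it."""
    earners = {acct for acct, _, _ in ledger}
    return {a: amt for a, amt in postings.items() if a not in earners}


def synthetic_ledger(n, seed=7):
    """Deterministic larger ledger (constructed) to show the bias test at scale."""
    rng = random.Random(seed)
    return [(f"SYN-{i:05d}", Decimal(rng.randint(1_000, 5_000_000)) / 100,
             Decimal("0.0375")) for i in range(n)]


if __name__ == "__main__":
    honest, residue = post_interest_honest(LEDGER)
    salami, skim = post_interest_salami(LEDGER)
    print("honest bias (cents):", rounding_bias_cents(LEDGER, honest))
    print("salami bias (cents):", rounding_bias_cents(LEDGER, salami))
    print("unexplained credits:", unexplained_postings(LEDGER, salami))
    big_salami, _ = post_interest_salami(synthetic_ledger(2000))
    print("skim from 2000 accounts in one month:", big_salami[SKIM_ACCOUNT])
```

Each customer loses at most one cent per month, exactly the amount the text says goes unreported, while the bias statistic and the orphan credit are visible on the first run.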

1.3.13 Defamation
Internet is an integral part of our life. It acts as a medium for interacting with people across the globe. Defamation implies causing harm to a reputed individual in front of others. Harm can be inflicted by oral words, visuals, or any other means. Cyber defamation is a new concept, and it involves defamation of a person or individual by a new or virtual medium. Cyber defamation is considered to be a cybercrime. Cyber defamation not only affects the welfare of the community, but also the victim.

1.3.14 Cyber Stalking


Cyber stalking refers to the use of an electronic medium to threaten someone or an individual or a group of
people or certain organization. This may include wrong allegations, threatening calls or messages or emails,
wrong accusa tions, any kind of defamation, wrong identity theft, and many more. Cyber stalking is a crim-
inal offense under various harassment laws. It is a kind of online stalking. Cyber stalkers could be strangers,
people who you may know, people who know you, ex-business partners, enemies, and many more.

1.4 The Internet Spawns Crime


The internet is a network of communication and content services that is globally accessible. As the internet provides a lot of options for buying and selling, crimes are on the rise in this environment. A computer represents a tool of crime as in murder or fraud, the object of crime as in stealing of processor chips, or the theme of crime as in hacking and spreading viruses. The involvement of computers in criminal law has been much broader than the narrow field of activities such as hacking and spreading viruses, both not easy for traditional criminal concepts, and facilitating particular types of crimes such as child pornography.
Criminal law is not just about whether a particular act should be considered criminal or not. It is law enforcement that investigates those that carry out criminal acts and prosecutes them; it is a procedure significantly more difficult in a computer environment. The implementation of internet technologies is not uniform, particularly between developed and developing nations. Wireless communication technologies have quickly eclipsed wired systems in many developing countries, where the legacy communication infrastructure was greatly underdeveloped. Differential technological use may mean dissimilar patterns of threats and vulnerabilities in terms of cybercrimes.

1.5 Worms Versus Viruses


Worms and viruses are malicious programs that can cause harm to our system. However, both these terms
are very different.
1.5.1 Viruses
A virus (vital information resource under siege) is a software that is designed to duplicate and infect programs or files that are stored in the computer. This is done by replicating itself into various programs. Computer viruses attach themselves to a program or a file so that they can spread from one workstation to another, leaving infections as they travel. A computer virus can range in harshness: some may cause slightly irritating effects while others can damage hardware, software, or files. Almost all viruses are fond of an executable file, which means a virus cannot affect our computer unless we run or release the malicious program. It is significant to make a note that a virus cannot spread without human action, such as running the infected program (Figure 1.6).

Figure 1.6 Virus.

1.5.2 Worms
A worm (write once read many) is similar to a computer virus by design. It is considered to be a secondary category of virus. A worm spreads from computer to computer, but unlike virus it has the capability to travel without any human action. The main threat with a worm is the capability to replicate itself on our system. So rather than our computer sending a single worm, it could send hundreds or thousands of copies of itself and cause a huge devastating effect. For example, a worm sending out a copy of itself to everyone listed in the address book, then the worm replicates itself to each of the receiver's address book and it manifests itself. Since the worm copies itself and also travels across networks, it consumes more system memory and network bandwidth, causing web servers and individual computers to stop responding (Figure 1.7).
Figure 1.7 Worm.

1.6 Computer's Role in Crimes


Computers can play a vital role in crimes as shown in Figure 1.8. They can extract evidences, instrumentality, illegal imports, or the fruit of a crime.
1. They can act as a communication tool.
2. They can be the target of the attacker for criminal activity.
3. They can also be tangential to crime.

Figure 1.8 Roles of computer in crimes (computers as targets: an attack on data integrity, data confidentiality and privacy; computers as storage devices: using the computer to store stolen passwords; computers as communications tools).


Given below are instances where computers are used in crime scenarios.
1. Witnesses can view the suspect's picture on the screen through the use of computers.
2. DNA testing can be performed using computers. Using DNA testing, criminals can be identified from past crimes and booked.
3. Mini computers and laptops are used in police vehicles to determine the criminal records. The police cars are installed with wireless internet connections that are linked with satellites to perform the work with greater efficiency and in an easier manner.
4. Fingerprints can be taken using a computer and it can be used to determine whether the person is linked to any case in the past.
5. A computer can also determine how a fire was caused and what accelerant was used in the fire. This can be done using the computer investigation device.
6. Computers are also used at traffic junctions to find the vehicle identification number (VIN), whether the car is stolen, etc. In case of a crime, the person can be arrested immediately.
7. The databases of criminals are maintained in computers. With just a push of button, we can obtain all the information about the criminal. Also a list can be maintained of all citizens with prior tickets, bad behaviour, and felonies.
8. Simulations can be created by the use of computers.

1.7 Cybercrime Statistics in India


Total cybercrimes, including phishing, malicious code, website intrusion, denial of service, scanning, etc., that
occurred in the last eight years are given in Table 1.1.

Table 1.1 Year-wise cybercrimes in India (Statistics presented in the Lok Sabha 2018)

Year                          Cyber security incidents   Website hacking   Spam
2011                          28,127                     21,700            2,480
2012                          36,924                     27,605            8,150
2013                          41,319                     28,481            54,677
2014                          44,679                     32,323            85,659
2015                          49,455                     27,025            61,628
2016                          52,363                     30,056            52,851
2017                          53,000                     22,230            50,665
2018 (till September 2018)    28,547                     20,589            35,687

[Figure: "What Happens in an Internet Minute, 2018" infographic; the individual per-minute counts are not legible in the scanned source.]

1.8 Prevention of Cybercrime


Prevention is always better than cure.
It is always better to take certain precautions while working on the internet.
The 5 P's mantra for online security are as follows:
1. Precaution
2. Prevention
3. Protection
4. Preservation
5. Perseverance
Given below are a few steps that can be followed to prevent cybercrime.

1. Identification of exposures through education will help companies and firms meet these challenges.
2. One should avoid disclosing any personal information to strangers, a person whom they do not know,
via email or while chatting or through any social networking site.
3. One must avoid sending any photograph to strangers online, as incidents of misuse or modification of
photographs are on the rise.
4. An updated anti-virus software to guard against virus attacks should be maintained by all netizens.
Also, a backup of data should be taken regularly to avoid data loss in case of virus contamination.
5. A person should never send his/her credit card number or debit card number to any site that is not
secured, to guard against frauds.
6. Parents should keep a watch when their children are accessing the internet to prevent any kind of harass-
ment or deprivation.
7. Website owners should keep a watch on the network traffic, and check for any irregularities. It is the
responsibility of the website owners to adopt policies for preventing cybercrimes as the number of
internet users is growing every day.
8. Web servers running on public domain must be segregated physically and protected from the internal
network.
9. It is better to use a security program by the corporate body to control information on sites.
10. Strict statutory laws need to be passed by the Legislatures, keeping in mind the interest of netizens.
11. The IT department should pass certain guidelines and notifications for the protection of computer
systems and should also come up with stringent laws to break down the criminal activities relating to
cyberspace.
12. Cybercrime is a major threat to all the countries worldwide; steps should be taken at the international
level to prevent cybercrimes from happening.
13. Complete justice must be provided to the victims of cybercrimes by way of compensatory remedy, and
offenders must be punished with the highest punishment.

1.9 Definition of Hacker
The one who is curious about the workings of any computer software is termed a hacker. Very often,
the hackers are a group of smart programmers. Hackers have advanced knowledge of operating systems and
programming languages. They know about various security holes in systems and the reasons for such
holes. Hackers constantly try to increase their knowledge and share what they have discovered. Hackers
never have malicious intentions like damaging or stealing data.

1.10 Definition of Crackers
People who break into different systems with malicious intentions are referred to as crackers. Crackers cause
issues to victims by unauthorized access, destroying necessary information, stopping services provided by
the server, and more. By their malicious actions, crackers are easily recognized.
Hackers try to do constructive work, while crackers just destroy systems. Hackers are professionals while
crackers are criminals (Figure 1.9).

Hacker                              Cracker
Lots of knowledge and experience    Lots of knowledge and experience
Good guy                            Bad guy
Strong ethics                       Poor ethics
No crime                            Commits crime
Fights criminals                    Is the criminal

Figure 1.9 Hacker versus cracker.



1.11 Definition of Phreakers
A phreaker is one who gains illegal access to the telephone system as shown in Figure 1.10. Phreakers are
considered the original computer hackers and they are those who break into the telephone network illegally,
typically to make free long distance phone calls or to tap phone lines.

Figure 1.10 Phreakers.

Phreakers are people who specialize in attacks on the telephone system. The word, which became popular
in the mid-1980s, is probably a combination of the words phone and freak (phreakers are also known as
"phreaks" or "phone phreaks"). In the early days, phreakers whistled or used an instrument to mimic the
tones of the phone system that were then used to route calls and identify payment, especially as a way to avoid
paying for an expensive call. Modern phreaking involves breaking into and manipulating the phone compa-
ny's computer system, making it a specialized kind of hacking.
Recent example of phreaker from the Web:
In fact, the friends' first business venture together was marketing blue boxes to aspiring phreakers.
- Laura Yan, Popular Mechanics, "An Early Hacker Used a Cereal
Box Whistle to Take Over Phone Lines," 20 May 2018

1.12 Ethical Hacking
Hacking has been a part of computing for nearly 5 decades and it is a very broad discipline, which covers
a large variety of topics. The first known event of hacking took place in 1960 at Massachusetts
Institute of Technology and at the same time, the term "Hacker" originated. Hacking is the act of
finding the possible entry points that exist in a system or an electronic network and finally getting
into them. Hacking is typically done to achieve unauthorized access to a system or an electronic network,
either to harm the systems or to steal sensitive data present on the computer. Hacking is legal as long as
it is being done to seek out weaknesses in a computer or network system for testing purposes. This type of hacking
is what we call ethical hacking. An expert who does the act of hacking is called a
"Hacker". Hackers are people who get information to know how systems operate, how they are designed,
and then attempt to play with these systems.


1.13 Difference between Hacking and Ethical Hacking

Hacking [the rest of this definition is illegible in the scanned source]. Ethical hacking refers to the methodology
adopted to find loopholes in information systems. Hackers [illegible] break in to cause damage to information and data.

The same tools are used by both hackers and ethical hackers. The only difference is that hackers use tools to
steal information, whereas ethical hackers use the same tools to safeguard systems from hackers
with malicious intent. Ethical hacking is legal, and it is done with permission from the client.

1.14 Steps of Ethical Hacking

Like all good projects, ethical hacking too has a set of distinct phases. It helps hackers to make a structured
ethical hacking attack; the same process is used for attacking the systems in an illegal way.
Different security training manuals explain the process of ethical hacking in different ways, but the
entire process can be categorized into the following five phases as shown in Figure 1.11:

Figure 1.11 Steps of ethical hacking. (The figure shows the five phases in sequence.)
1. Reconnaissance: gather information about the target.
2. Scanning and enumeration: take the information you gathered in reconnaissance and actively apply tools
and techniques to gather more in-depth information on the targets.
3. Gaining access: attacks are levied against the targets enumerated in the second phase.
4. Maintaining access: in the fourth phase, hackers attempt to ensure they have a way back into the machine
or system they have already compromised.
5. Covering tracks: in the final phase, attackers attempt to conceal their success and avoid detection by
security professionals.

1.14.1 Reconnaissance
Reconnaissance is the phase where the attacker gathers information about a target using active or passive
means as shown in Figure 1.12. The tools that are widely used in this process are NMAP, Hping, Maltego,
and Google Dorks (these tools are discussed in a later part of this chapter).

1.14.2 Scanning
In scanning, the attacker begins to actively probe a target machine or network for vulnerabilities that can
be exploited as shown in Figure 1.13. The tools used in this process are Nessus, Nexpose, Wireshark, and
NMAP (all tools are discussed in a later part of this chapter).

• Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a
target prior to launching an attack.
• Could be the future point of return, noted for ease of entry for an attack when more about the target is
known on a broad scale.
• Reconnaissance target range may include the target organization's clients, employees, operations,
network, and systems.

Reconnaissance types:
• Passive reconnaissance involves acquiring information without directly interacting with the target.
For example, searching public records or news releases.
• Active reconnaissance involves interacting with the target directly by any means. For example,
telephone calls to the help desk or technical department.

Figure 1.12 Reconnaissance.

• Scanning refers to the pre-attack phase when the attacker scans the network for specific information
on the basis of information gathered during reconnaissance.
• Scanning can include use of dialers, port scanners, network mappers, ping tools, vulnerability
scanners, etc.
• Attackers extract information such as live machines, port, port status, OS details, device type, system
uptime, etc. to launch an attack.

Figure 1.13 Scanning.
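The scanning phase leaves a distinctive footprint in a defender's own firewall logs: one source touching many distinct ports on one host in a short time. The following is an added example (not code from the book or from any of the tools named above) of a small detector over such log lines. The log format, the addresses and the thresholds are constructed for illustration; the assumed format is "timestamp action src dst dport", one event per line.

```python
"""Port-scan detector over firewall log lines.

Added example for the scanning phase (not code from the book): flags a
source that touches many distinct destination ports on one host inside a
short time window. Log format, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample traffic, not captured from a real network.
SAMPLE_LOG = (
    # fast scanner: 15 distinct ports on one host within 15 seconds
    [f"2024-03-01T10:00:{i:02d} DENY src=203.0.113.7 dst=192.0.2.10 dport={21 + i}"
     for i in range(15)]
    # ordinary client: repeated HTTPS plus one HTTP request
    + ["2024-03-01T10:00:05 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443"] * 3
    + ["2024-03-01T10:00:07 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80"]
    # slow scanner: one new port every minute for ten minutes
    + [f"2024-03-01T10:{i:02d}:30 DENY src=203.0.113.9 dst=192.0.2.10 dport={8000 + i}"
       for i in range(10)]
    + ["this line is malformed and must be skipped, not crash the parser"]
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Return {(src, dst): max_distinct_ports} for every source/destination
    pair where the source hit at least `threshold` distinct ports on that
    destination inside some window of `window_seconds`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for pair, evs in events.items():
        evs.sort()  # by timestamp, then port
        best, left = 0, 0
        # sliding window over time-sorted events: advance `left` until the
        # span [left, right] fits inside the window, then count distinct ports
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {port for _, port in evs[left:right + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[pair] = best
    return flagged


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

With the default threshold of 10 ports in 60 seconds only the fast scanner is reported; the slow scanner (one port per minute) stays under the threshold in every window. Calling `detect_port_scans(SAMPLE_LOG, threshold=5, window_seconds=600)` catches both, at the cost of more false positives from busy legitimate clients, which is the trade-off a detection engineer tunes for the network in question.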

1. 14.3 Gaining Access


In this process, the vulnerability is located and you attempt to exploit it in order to enter into the system as
shown in Figure 1.14. The primary tool that is used in this process is Metasploit.

• Gaining access refers to the point where the attacker obtains access to the operating system or
applications on the computer or network.
• The attacker can gain access at the operating system level, application level, or network level.
• Examples include password cracking, buffer overflows, denial of service, session hijacking, etc.
• The attacker can escalate privileges to obtain complete control of the system. In the process,
intermediate systems that are connected to it are also compromised.

Figure 1.14 Gaining access.

1.14.4 Maintaining Access

It is the process where the hacker has already gained access into a system as shown in Figure 1.15. After
gaining access, the hacker installs some backdoors in order to enter into the system when he/she needs access
in this owned system in future. Metasploit is the preferred tool in this process.

• Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the
system.
• Attackers may prevent the system from being owned by other attackers by securing their exclusive
access with backdoors, rootkits, or Trojans.
• Attackers can upload, download, or manipulate data, applications, and configurations on the owned
system.
• Attackers use the compromised system to launch further attacks.

Figure 1.15 Maintaining access.

1.14.5 Clearing Tracks

This process is actually an unethical activity. It has to do with the deletion of logs of all the activities that
take place during the hacking process as shown in Figure 1.16.

• Covering tracks refers to the activities carried out by an attacker to hide malicious acts.
• The attacker's intentions include: continuing access to the victim's system, remaining unnoticed and
uncaught, deleting evidence that might lead to his prosecution.
• The attacker overwrites the server, system, and application logs to avoid suspicion.
• Attackers always cover tracks to hide their identity.

Figure 1.16 Clearing tracks.
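The defender's answer to log deletion and overwriting is to make the log tamper-evident, so that a removed or rewritten entry is detectable even when the attacker has write access to the log file. The following added example (not code from the book) is a hash-chained audit log: each entry's digest covers the previous entry's digest, so deleting, editing or reordering an entry breaks the chain at that position. The sample records, user names and addresses are constructed placeholders.

```python
"""Hash-chained, tamper-evident audit log.

Added example for the 'covering tracks' phase (not the book's code): every
entry's digest covers the previous entry's digest, so deleting, editing or
reordering an entry breaks the chain at that position. Sample records are
constructed; users and addresses are placeholders.
"""
import hashlib
import json

GENESIS = "0" * 64  # digest assumed for the entry before the first one


def entry_digest(prev_digest, record):
    """SHA-256 over the previous digest and a canonical JSON form of record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append record to chain (a list of {'record', 'digest'} dicts)."""
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"record": record, "digest": entry_digest(prev, record)})
    return chain


def verify_chain(chain):
    """Return (True, None) if every link is intact, else (False, index) where
    index is the first entry whose digest does not match."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_digest(prev, entry["record"]) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    return True, None


def verify_against_anchor(chain, expected_head):
    """Truncating the tail leaves a valid shorter chain, so the latest digest
    must be anchored somewhere the attacker cannot reach (a remote log host,
    WORM storage, a signed statement). This checks that anchor."""
    intact, _ = verify_chain(chain)
    head = chain[-1]["digest"] if chain else GENESIS
    return intact and head == expected_head


def build_sample_chain():
    """Constructed sample of four host events (not real log data)."""
    records = [
        {"ts": "2024-03-01T10:00:00", "event": "login", "user": "alice", "src": "198.51.100.4"},
        {"ts": "2024-03-01T10:03:12", "event": "sudo", "user": "alice", "cmd": "systemctl restart nginx"},
        {"ts": "2024-03-01T10:05:40", "event": "login", "user": "root", "src": "203.0.113.7"},
        {"ts": "2024-03-01T10:06:02", "event": "logout", "user": "root"},
    ]
    chain = []
    for rec in records:
        append_entry(chain, rec)
    return chain


def tamper_delete(chain, index):
    """Simulate an attacker deleting one entry; returns a new list."""
    return chain[:index] + chain[index + 1:]


def tamper_modify(chain, index, **changes):
    """Simulate an attacker rewriting fields of one entry; returns a copy."""
    copy = [dict(e, record=dict(e["record"])) for e in chain]
    copy[index]["record"].update(changes)
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    print("original:", verify_chain(chain))
    print("entry 2 deleted:", verify_chain(tamper_delete(chain, 2)))
    print("entry 2 rewritten:", verify_chain(tamper_modify(chain, 2, src="10.0.0.1")))
    print("tail truncated, anchored:", verify_against_anchor(chain[:-1], chain[-1]["digest"]))
```

The chain alone cannot detect removal of the most recent entries, because a shorter prefix is still a valid chain; that is why `verify_against_anchor` compares the head digest with a copy stored outside the attacker's reach. Shipping logs to a separate host in near real time serves the same purpose in practice.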

1.15 Exploring Some Tools for Ethical Hacking


As with any project, it is troublesome to accomplish the task if you do not have the correct tools for
ethical hacking. Simply because the correct tools are used does not mean that you can discover all
vulnerabilities. It is necessary to understand the personal and technical limitations. Many security-assessment
tools generate false positives and negatives (incorrectly identifying vulnerabilities). Others may miss vulnera-
bilities. If you are performing tests such as social engineering or physical-security assessments, you may miss
weaknesses. No one tool will take a look at everything, as some concentrate on specific tests. Therefore, you will
want a group of specific tools that you can invoke for the task at hand. The more tools you have, the
easier your ethical hacking efforts are.

1.15.1 Reconnaissance Tools


1.15.1.1 Nmap
Nmap or "Network Mapper" is one of the most popular and widely used security auditing tools. It is a free and
open-source utility that is utilized for security auditing and network exploration across local and remote hosts.
Some of the main features include:
1. Host detection: Nmap has the ability to identify hosts inside any network that have certain ports open,
or that can send a response to ICMP and TCP packets.
2. IP and DNS information detection: It includes device type, MAC addresses, and even reverse DNS names.
3. Port detection: Nmap can detect any port open on the target network, letting you know the possible
running services on it.
4. OS detection: Provides full OS version detection and hardware specifications of any host connected.
5. Version detection: Nmap is also able to get application name and version number.

1.15.1.2 Google Dorks
While investigating people or companies, a lot of IT security newbies forget the importance of using tradi-
tional search engines for recon and intel gathering. In this case, Google Dorks can be your best friend.
They have been around for years and can help you a lot in your intel reconnaissance. Google Dorks are
simply ways to query Google against certain information that may be useful for your security investigation.
Search engines index a lot of information about almost anything on the internet, including individuals,
companies, and their data.
Some popular operators used for Google Dorking are as follows:
1. Filetype: You can use this dork to find any kind of file types.
2. Ext: It can help you to find files with specific extensions (e.g. .txt, .log, etc.).
3. Intext: It can perform queries and helps to search for specific text inside any page.
4. Intitle: It will search for any specific words inside the page title.
5. Inurl: It will look out for mentioned words inside the URL of any website.

Log files are not supposed to be indexed by search engines; however, they are indexed and you can get valu-
able information from these Google Dorks, as you see in Figure 1.17:

filetype:log

[Figure 1.17 screenshot: Google search results returned for the query filetype:log; the individual result entries are not legible in the scanned source.]

Figure 1.17 Valuable information from Google Dorks.
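The dork operators above matter to a defender because a crawler indexes whatever is reachable in a public document root. The following added example (not code from the book) turns the filetype: and ext: idea around: instead of searching Google for exposed logs, dumps and configuration files, it walks your own webroot and reports anything with those extensions or names before a crawler finds it. The sample directory tree, the file contents and the extension list are constructed for the example.

```python
"""Audit a public webroot for files that search-engine dorks would find.

Added example (not the book's code): walk the document root and report files
whose extension or name commonly surfaces via filetype:/ext: searches. The
sample tree and the sensitive-extension list are constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions that commonly surface via filetype:/ext: searches (constructed list).
SENSITIVE_EXTENSIONS = {
    ".log": "log file",
    ".sql": "database dump",
    ".bak": "backup copy",
    ".old": "stale copy",
    ".ini": "configuration file",
}
# Exact names that are sensitive regardless of extension (dotfiles have no
# suffix for os.path.splitext, so they are matched by name).
SENSITIVE_NAMES = {
    ".env": "environment/config file",
    ".htpasswd": "credential file",
    ".git": "version-control metadata directory",
    ".svn": "version-control metadata directory",
}


def audit_webroot(root):
    """Return sorted (relative_posix_path, reason) findings under root."""
    root = os.fspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name in SENSITIVE_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), SENSITIVE_NAMES[name]))
        # do not descend into flagged directories; one finding is enough
        dirnames[:] = [d for d in dirnames if d not in SENSITIVE_NAMES]
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            reason = SENSITIVE_NAMES.get(name) or SENSITIVE_EXTENSIONS.get(ext)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway directory tree (constructed content) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "index.html": "<html><body>hello</body></html>",
        "assets/app.js": "console.log('ok');",
        "logs/access.log": "203.0.113.7 - - [01/Mar/2024] GET /admin 404",
        "backup/site.sql": "INSERT INTO users VALUES (1, 'alice');",
        "config/.env": "DB_PASSWORD=placeholder",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def cleanup_webroot(root):
    """Remove the throwaway tree created by build_sample_webroot."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, reason in audit_webroot(root):
        print(f"{rel}: {reason}")
    cleanup_webroot(root)
```

The check is deliberately by extension and name rather than by content, because that is exactly what the filetype: and ext: operators key on; a robots.txt entry does not remove a file from the web, so the remedy for a finding is to move the file out of the document root or block it in the web server configuration.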

1.15.1.3 Maltego

It is a tremendous tool to trace down footprints of any target you wish to match. This piece of software
has been developed by Paterva, and it is a part of the Kali Linux distribution.
Using Maltego can enable you to launch reconnaissance tests against specific targets. One
of the best things this software includes is what they call "transforms". Transforms
are offered without charge in some cases, and in others you will find commercial versions only. They
will help you to run a different kind of tests and data integration with external applications.
In order to use Maltego, you must open a free account on their website; after that, you can launch a
new machine or run transforms on the target from an existing one. Once you have chosen your
transforms, the Maltego app will begin running all the transforms from Maltego servers. Finally,
Maltego can show you the results for the desired targets, such as IP, domains, AS numbers, and far more.

1.15.2 Scanning tools

1.15.2.1 Nexpose
The Nexpose vulnerability scanner, developed by Rapid7, is an open-source tool that is used to scan for
vulnerabilities and performs various network checks, as follows:

1. Nexpose is employed to watch the exposure of vulnerabilities in real time and acquaint itself with new
hazards using recent information.
2. Generally, most of the vulnerability scanners categorize the risks employing a high, medium or low scale.
3. Nexpose considers the age of the vulnerability, which malware kit is employed in it, what advantages
are utilized by it, etc., and fixes the problem based on its priority.
4. Nexpose automatically detects and scans new devices and assesses their vulnerabilities once they
access the network.
5. Nexpose may be integrated with the Metasploit framework.

1.15.2.2 Wireshark

Wireshark is the world's leading and extensively used network protocol analyzer.
1. Wireshark is employed across varied streams, like educational institutions, government agencies,
enterprises, etc., to look into the networks at a microscopic level.
2. Wireshark has a special feature that captures the problems online and performs the
analysis offline.
3. Wireshark runs on varied platforms like Windows, Linux, macOS, Solaris, etc.
4. Wireshark has the capability of deeply inspecting several protocols, with additional ones being added all the time.
5. Among the security practitioners' toolkit, Wireshark is the most powerful tool.

1.15.2.3 Nessus
Nessus is a patented and branded vulnerability scanner developed by Tenable Network Security.
1. This tool has been installed and employed by countless users throughout the world for vulnerability
assessment, configuration problems, etc.
2. Nessus is employed to protect networks from penetrations created by hackers by assessing the
vulnerabilities at the earliest.
3. Nessus supports a wide range of OS, applications, DBs, and lots more network devices among cloud
infrastructure, physical and virtual networks.
4. Nessus is capable of scanning the vulnerabilities which permit remote hacking of sensitive information
from a system.

1.16 What to Do if Been Hacked?

1. Cut off your internet connection: If you think that you are being hacked, the first thing
to do is to cut off the internet from your system so as to prevent any more intrusion.
2. Turn on firewall: Typically, we forget to activate the Windows firewall, so as a minimum put in a
firewall. It is another smart choice to install a hardware or software firewall that acts as a security
layer between the external network and your internal systems.
3. Contact your internet service provider: It is a decent practice to contact your ISP in the case of any
malicious intrusion, as they have their own [text illegible in the scanned source] for hacking.

Summary

Criminalization is a social phenomenon. It has witnessed an increasing trend in the last few years. Crime
investigation analysis is a field where digital forensic investigation plays a vital role in predicting and
analyzing [illegible]. Corporations from around the world determine [illegible] and make programs that
might develop knowledge from your PC so as to amass data for their databases. It should not be as
dangerous as a deadly disease; [illegible] them out with this piece of software.

Nowadays, hackers' hindrance has become a task for everyone. It is not the responsibility of the supervisor
of our company. After all, he/she will install every protection and anti-spyware program within the
company's network; however, if you let a deadly disease in due to your carelessness, he/she will not be
ready to stop it. The same goes for your PC at home. Keep in mind that there are new hacker tricks every
day. Therefore, you need to be ready.

Key Terms
• Bot: For 'robot' - a program for a specific function such as keeping a port open or launching
a flood of packets in a distributed denial-of-service attack.
• Cookie: Cookies are text files sent from your Web browser to a server, usually to customize informa-
tion from a website.
• Cracking: Malicious or criminal hacking. Unauthorized penetration of computer systems and networks,
abuse of privilege, unauthorized use of services.
• Cracking: To break into a secure computer system, frequently to do damage or gain financially,
though sometimes in political protest.
• Easter egg: Undocumented, unauthorized program functions in a production program; a kind of Trojan
horse.
• Firewall: A system using hardware, software, or both to prevent unauthorized access to a system
or machine.
• Hash: A hash is a number generated by an algorithm from a string of characters in a message or
other string.
• Identity theft: Creating a false identity using someone else's identity, identifying information (e.g.,
name, social security number, birthday) to create new credit cards or establish loans which then go into
default and affect the original victim's credit record.
• IRC: Internet relay chat is a protocol used by both groups and for one-on-one conversations. Often
utilized by hackers to communicate or share files.
• Malware: Malicious software, including Trojan horses, viruses, worms, logic bombs, exploits, and
time bombs.
• Malware: A software program designed to hijack, damage, or steal information from a device or
system.
• Packet sniffer: Sniffers are programs designed to detect and capture certain types of data. Packet
sniffers are designed to detect packets travelling online.
• Rootkit: A rootkit is a set of software programs used to gain administrator-level access to a system
and set up malware, while simultaneously camouflaging the takeover.
• Spear phishing: A more focused type of phishing, targeting a smaller group of targets, from a depart-
ment within a company or organization down to an individual.
• Zombie: A program inserted into a vulnerable system to await further instructions; usually part
of a distributed denial-of-service (DDoS) attack.

Review Questions

1. What is a computer crime? Explain.
2. List and explain the various types of cyber theft.
3. Explain the term 'cyber terrorism' with examples.
4. What are the different categories of cybercrime?
5. Differentiate between viruses and worms.
6. What is cybercrime? Explain in detail.
7. What is a virus? What are the types of viruses?
8. What is the role of computer in cybercrimes?
9. Explain how cybercrimes can be prevented.
10. Explain in detail 'internet spawn crimes'.
11. What is a worm? What are the types of worms?
12. What is the difference between hacking and cracking?
13. Why do hackers hack? What is the motive behind their hacking?
14. Who is known as an ethical hacker?
15. What is footprinting and how does one perform footprinting? What are the various techniques for footprinting?
16. Explain the various types of hackers and which type is most dangerous. Justify.
17. Explain different types of ethical hackers.
18. What are the various tools available for ethical hacking?
19. Explain steps of hacking with example.
Chapter 2 Introduction to Digital Forensics and Digital Evidences

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the concept of digital forensic and its effect on the digital world.
• Interpret and apply various digital forensic process models.
• Understand the rules and regulations in digital forensics.
• Understand the concept of digital evidences and its role.
• Apply evidence-handling procedures to obtain validated evidence.
• Identify the different challenges in evidence handling.

It requires a very unusual mind to undertake the analysis of the obvious.

- Alfred North Whitehead

2.1 Introduction to Digital Forensic

Forensic science is a well-established science that plays a critical role in the criminal justice system. The origin
of the word forensic can be traced back to the Latin word "forensis", which means open to court. Forensic
science is applied in both criminal and civil actions; the term forensic refers to methods relating to legal use in courts.

Digital forensics, also referred to as digital forensic science, is a branch of computer forensic science that
includes the recovery and investigation of material found in digital devices, often in relation to a
cybercrime. Organizations with Information and Communication Technology (ICT) working environments face
the challenge of prolonged computer use for activities that are not work-related, such as browsing data for
one's own purpose and utilising online search engines for information that is not work-related. With the
progression in ICT, there have been simultaneous enhancements in social networking, mobile technologies,
cloud computing, and so on, that have altered the information flow within organizations. [The remainder of
this paragraph is illegible in the scanned source.]

Increased computer and network misuse have led to an increase in computer-related investigations. A
typical investigation includes a certain hypothesis of observable phenomenon that is verified by some proof.
These developments in investigation have led to auditing being the key to answering questions related to
user activity and cybercrime.
The field of digital forensics has made some rapid developments over the past few years due to the
advancement in tools and systems that allow ordinary computer users to be more proficient in performing
difficult audit tasks. Much literature and many internet searches are available that guide a novice and easy tutorial
user on how to perform simple tasks aimed at gaining access to any computer. This has enabled the ordinary
computer user to access all types of information, such as copied music, pornography, confidential docu-
ments, illegal software and so on. Thus, there is an increased demand for computer security mechanisms in
an effort to control such activities and a growing need for forensic tools to gather accurate digital evidence.
According to Beebe, the lack of digital forensic standardization and process results in limited prosecution
that is not acceptable in the court of law.
Numerous forensic tools are freely available, creating a misconception among the common man that
anyone can conduct a computer forensic investigation. The forensic tools used have various features that
facilitate digital forensic investigations (DFIs). In a court of law, the process followed in gathering the digital
evidence and the digital evidence itself is important. Unfortunately, the court proceedings focus on scruti-
nizing the validity of the process followed in evidence handling before considering its value.
Numerous procedurt's have been proposed for the collenion of digir:d forensic l.'vidence. Commiuees
such as the Digital Foremic Research Workshop Group (DFRWS) .111d the i\nwriL:111 Society of Digital
foremics and e Discovery (ASDFED) have proposed procc~ses to he followed in the collection of digital
evidence. From this, it follow\ that there is no sra ndard forensi c process in place that can be followed by
digiral foren~it i11vc~1igator~. 11 would be a serious mistake !'or a loren~ic investigator tn ignore the proceduic
of evidence collection in cases where rhe evidcncr aids in proving the u se and leaws no doubt in the minds
of those having to decidr on rhe matter. Where evidence is presented wirhou1 proof of thorough prnce-
dure, the defence may question 1he foremi c procedure followrd to collw 1hc digital evidence. The famous
American rnun case of Simp,on is an C:'xamplc where tlw Forensic process w;1s scru1 ini·Led by rlw defence.

In this case, the crime scene evidence was collected. However, a robust evidence collection process was not followed; hence, the evidence was invalidated by the defence. Tools such as EnCase have been accepted as a reliable solution in computer crime investigations. Both the process followed when using EnCase and the resulting digital evidence have been accepted as reliable. Other tools have also been used successfully, such as FTK and Sleuth Kit. Some are commercially available while others are open source. Many of these tools have been validated and accepted as reliable by the American judiciary. However, the evidence collection process and the digital evidence presentation are vital in any successful prosecution.

Digital forensics can be defined as follows:

Digital Forensic is a series of steps to uncover and analyze electronic data through scientific method. The major goal of the process is to duplicate original data and preserve the original evidence, then performing the rules of the investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.

2.2 Need of Digital Forensic

Computer forensics is the process of using the latest knowledge of science and technology together with computer sciences to collect, analyze, and present proofs to the criminal or civil courts. Network administrators and security staff who administer and manage networks and information systems should have complete knowledge of computer forensics. The meaning of the word "forensics" is "to bring to the court".
Nowadays, the need for network administrators and security staff of networked organizations to practice computer forensics and to have knowledge of the laws is increasing greatly, because the rate of cybercrimes is increasing. If your network is attacked and the intruder is caught, then good knowledge about computer forensics will help you to identify and prosecute the case in the court. Organizations have developed security devices for their networks, like intrusion detection systems and firewalls, which report on the security status of the network of an organization. The main task of computer forensics is to recognize, gather, protect and examine data in such a way that protects the integrity of the collected evidence, so that it can be used efficiently and effectively in a case.

2.3 Rules of Computer/Digital Forensic

While conducting a DFI, the investigator should go by the following rules:

Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (use a write blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of whom might have accessed the evidence and at what time.
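The acquisition discipline of Rules 1 to 4, worked through as an added example (this is not code from the book or from any of the tools it names). The "media" are constructed in-memory byte buffers and the write blocker is a simulated class, so the script runs offline; a real acquisition reads a block device behind a hardware write blocker, but the checks are the same: the original is only read and hashed, the copy goes onto fresh media, and the copy's hash must equal the original's hash both before and after the read.

```python
"""Bit-stream acquisition with write-block and integrity checks.

Added example, not code from the book: the "media" are constructed
in-memory byte buffers so the script runs offline. A real acquisition
reads a block device behind a hardware write blocker, but the checks
demonstrated here (Rules 1 to 4) are the same.
"""
import hashlib
import io

CHUNK = 4096  # read size; an imager would use the device block size


def digest(stream):
    """MD5 and SHA-256 of a whole stream, read-only; rewinds when done."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
    stream.seek(0)
    return md5.hexdigest(), sha.hexdigest()


class WriteBlocked(io.BytesIO):
    """Constructed stand-in for a write-blocking device: writes fail."""

    def write(self, data):
        raise PermissionError("write blocker engaged: media is read-only")


def write_blocker_engaged(media):
    """True if an attempted write to the media is refused."""
    try:
        media.write(b"\x00")
    except PermissionError:
        return True
    return False


def acquire_bitstream(original):
    """Copy the original bit for bit onto new media and prove the result.

    Rule 1: nothing is examined on the original; it is only read and hashed.
    Rule 2: the destination is a fresh, empty buffer (sterile media).
    Rule 3: every byte is copied in order, so the copy hashes identically.
    Rule 4: the original is hashed before and after; any drift is reported.
    """
    before = digest(original)
    sterile = io.BytesIO()
    original.seek(0)
    for block in iter(lambda: original.read(CHUNK), b""):
        sterile.write(block)
    after = digest(original)
    copy = digest(sterile)
    return {
        "original_unmodified": before == after,
        "copy_exact": copy == before,
        "md5": copy[0],
        "sha256": copy[1],
        "image": sterile,
    }


if __name__ == "__main__":
    # Constructed sample media: a boot-sector-like header, a live file,
    # a deleted-file remnant and unallocated space full of 0xFF.
    media = WriteBlocked(
        b"\xeb\x3c\x90SAMPLE\x00" * 8
        + b"report.docx: quarterly figures"
        + b"\x00" * 512
        + b"invoice_old.pdf (deleted)"
        + b"\xff" * 20000
    )
    print("write blocker engaged:", write_blocker_engaged(media))
    result = acquire_bitstream(media)
    print("original unmodified:", result["original_unmodified"])
    print("copy exact:         ", result["copy_exact"])
    print("image MD5:          ", result["md5"])
    print("image SHA-256:      ", result["sha256"])
```

Two hashes are kept for the image because MD5 alone is no longer a sound proof of integrity; the MD5 is still recorded since that is what the later validation step in this chapter compares. If `original_unmodified` ever comes back false, the acquisition itself altered the evidence and must be repeated behind a working write blocker.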

2.4 Types of Digital Forensics

Digital forensics is a constantly evolving scientific field with many subdisciplines. Some of these subdisciplines are as follows:

1. Computer Forensics - the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings. The purpose of computer forensics is to obtain evidence from various computer systems, storage media, or electronic documents. Throughout the course of our investigations, we can obtain a wide range of information, including system and file transfer logs; internet browsing history; email and text communication logs; hidden, deleted, temporary, and password-protected files; sensitive documents and spreadsheets; and much more.


2. Network Forensics - the monitoring, capture, storing, and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, that is, worms, virus or malware attacks, abnormal network traffic and security breaches. The purpose of network forensics is to monitor and analyze computer network traffic, including LAN/WAN and internet traffic, with the aim of gathering information, collecting evidence, or detecting and determining the extent of intrusions and the amount of compromised data.
3. Mobile Devices Forensics - the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles. Mobile device forensics involves the recovery of digital evidence or data from mobile devices. This can include call and communications data, as well as call logs, text messages, and in-app communication via WhatsApp, WeChat, etc., as well as location information via built-in GPS or cell site logs.
4. Digital Image Forensics - the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics - the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics - the recovery of evidence from the RAM of a running computer, also called live acquisition.
In practice, there are exceptions that blur this classification, because the grouping by the provider is dictated by staff skill sets, contractual requirements, lab space, etc. For example:

1. Tablets or smart phones without SIM cards could be considered computers.
2. Memory cards (and other removable storage media) are often found in smart phones and tablets, so they could be considered under mobile forensics or computer forensics.
3. Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.

The science of digital forensics has a seemingly limitless future and, as technology advances, the field will continue to expand as new types of digital data are created by new devices logging people's activity. Although digital forensics began outside the mainstream of forensic science, it is now fully absorbed and recognized as a branch of forensic science.

2.5 Ethical Issues

"Ethics" is derived from the ancient Greek word ethikos, meaning "moral, showing moral character". Ethics in the digital forensics field can be defined as a set of moral principles that regulate the use of computers; some common drawbacks of computer forensics include intellectual property resources, privacy concerns, and the impact of computers on the society. To effectively spot ethical problems, an examiner must be familiar with the law and professional norms governing the cyber forensics discipline, and this familiarity is one of several presumptions incorporated into the code of ethics.

With this perspective in mind, ethical decision-making in digital forensics work comprises one or more of the following:

1. Honesty toward the investigation.
2. Prudence, meaning careful handling of the digital evidence.
3. Compliance with the law and professional norms.

2.5.1 General Ethics Norms for Investigator in Digital Forensic Field

Computer forensics is an integral part of the widely expanding field of digital forensics. As with any investigative field, there comes a time when ethical issues will arise. During the research in the forensic field, ethics or rights come first. Hence, before starting the investigation in the digital forensic field, the investigator should consider the following points.

1. Should contribute to the society and human beings.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should be fair and take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit to intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.

2.5.2 Unethical Norms for Digital Forensic Investigation

The investigator should not:

1. Uphold any relevant evidence.
2. Declare any confidential matters or knowledge learned in an investigation without an order from a court of competent jurisdiction or without the client's consent.
3. Express an opinion on the guilt or innocence belonging to any party.
4. Engage or involve in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed or outpace authorization in conducting examinations.

2.6 Digital Forensic Investigations

Digital investigations, DFIs, forensic examination, and forensic investigations have all been used to describe an investigation where a digital device forms part of the incident. For the purposes of this study, the term "digital forensic investigation" (DFI) is used. The terms will, however, be used interchangeably in this section to reflect the opinions of other authors. The successful outcome of a DFI is the presentation of digital evidence. A DFI is conducted by an appropriately certified investigator.

A DFI is thus a special type of investigation wherever the scientific procedures and techniques used can permit the results, that is, the digital proof, to be allowable in a court of law. The results of a DFI should have a legal basis. Proof cannot be directly read, and a few tools are employed to look at the state of the information. Observing the state of digital data by means of a tool is an indirect observation. This is similar to being told about something rather than seeing it for yourself, formally referred to as rumour within the rules of proof. The burden you attribute to the evidentiary worth relies on the extent to which the tool is trustworthy.

Digital forensic investigation or DFI is a special type of investigation where the scientific procedures and techniques used will be allowed to view the results, digital evidence, to be admissible in a court of law.

2.7 Introduction to Digital Evidences

The field of computer security includes events that provide a successful courtroom experience, which are both worthwhile and satisfactory. Investigation of a computer security incident leads to a legal proceeding, that is, a court proceeding, where the digital evidence and documents obtained are likely used as exhibits in the trial.
In this chapter, we will discuss the collection and handling of digital evidence in an appropriate manner, along with the guidelines for implementing these procedures in your organization. While investigating a computer security incident, any item (viz., a chip, floppy disk, etc.) should be treated as an item of evidence. Relevant evidence is defined as "any information which has a positive impact on the action", i.e., the information supporting an incident.

Digital evidence is any information or data of value to an investigation that is stored on, received or transmitted by an electronic device. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence.

Evidence can be stated as any information that can be confirmed and can prove a certain matter related to a case in trial, thus indicating that a certain suspicion or condition is true. We can use such information as evidence during an investigation. Many materials or objects can help investigators, such as documents, electronic media, electronic files, printouts, or other objects obtained during an investigation (Fig. 2.1). They can be treated as evidence or proof and handled according to your organization's evidence-handling process.

Figure 2.1 Examples of digital devices.


2.7.1 The Best Evidence Rule

The best evidence rule is that the original or true copy of a writing or recording must be presented in court to prove its contents, without any exceptions. One of the rules is that an original copy of the document is considered as superior evidence. It states that any evidence that is readable by sight or reflects the data stored in a computer or similar device, or any other output such as any printout, is an original. It states that multiple copies of electronic files may be a part of the original. The authentic electronic evidence is mostly transferred to different media, and many computer security professionals are dependent on this rule. Best evidence is the most complete copy, or a copy which includes all the necessary parts of the evidence, which is closely related to the original evidence. We like to have one of the best evidence, which is considered as the evidence itself. Let us say a client has a copy of the original evidence media. Then, we say we take a forensic duplication by considering it as the best evidence. Therefore, when we say "best evidence", it refers to the evidence we have in our possession.

2.7.2 Original Evidence

Sometimes the procedure adopted to deal with a situation or case takes it outside the control of the client/victim. We also assume that a case with proper diligence or a case with persistent work will end up in a judicial proceeding, and we will handle the evidences accordingly. If criminal or civil proceedings (proceedings other than criminal proceedings in a court) are a possibility, then we often persistently push the client/victim to allow us to hand over all the original evidences, since we have evidence-handling procedures in place.

For our purpose, we define original evidence as the truth or real (original) copy of the evidence media which is given by a client/victim. We define best evidence as the most complete copy, which includes all the necessary parts of the evidence that are closely related to the original evidence. It is also called duplication of evidence media. There should be an evidence protector which will store either the best evidence or original evidence for every investigation in the evidence safe.

2.8 Rules of Digital Evidence

Rule of evidence is also called law of evidence. It surrounds the rules and legal principles that govern all the proof of facts. This rule helps us to determine what evidence must or must not be considered by a trier of fact. The rule of evidence is also concerned with the amount, quality, and type of proof which helps us to prove in a litigation. The rules may vary according to the criminal court, civil court, etc. The rules must be:

1. Admissible: The evidence must be usable in the court.
2. Authentic: The evidence should act positively to an incident.
3. Complete: A proof that covers all perspectives.
4. Reliable: There ought to be no doubt about the reality of the specialist's decision.
5. Believable: The evidence should be understandable and believable to the jury.

Rule 103: Rule of evidence

1. Maintaining a claim of error.
2. No renewal of objection or proof.
3. Aim an offer of proof.
4. Plain error taken as notice.

Evidence collection should always be performed to ensure that it will withstand legal proceedings. Key criteria for handling such evidence are outlined as follows:

1. The proper protocol should be followed for acquisition of the evidence irrespective of whether it is physical or digital. Gentle handling should be exercised for those situations where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required for some situations. For example, when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations, it would not be appropriate to shut down the device, so that the digital forensic expert can examine the device's temporary memory.
3. All artifacts, physical and/or digital, should be collected, retained, and transferred using a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, suitable access controls should be implemented and tracked to certify the evidence has only been accessed by authorized individuals.

2.9 Characteristics of Digital Evidence

This section provides a few hints of the essence and characteristics of digital evidence. These characteristics can help and challenge investigators during an investigation.

2.9.1 Locard's Exchange Principle

According to Edmond Locard's principle, when two items make contact, there will be an interchange. The Locard principle is often cited in forensic sciences and is relevant in digital forensics investigations.

When an incident takes place, a criminal will leave a hint of evidence at the scene and remove a hint of evidence from the scene. This alteration is known as the Locard exchange principle. Many methods have been suggested in conventional forensic sciences to strongly prosecute criminals. Techniques used consist of blood analysis, DNA matching, and fingerprint verification. These techniques are used to certify the existence of a suspected person at a physical scene. Based on this principle, Culley suggests that where there is a communication with a computer system, clues will be left.

2.9.2 Digital Stream of Bits

Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the information. The information in continuous bits will rarely make sense, and tools are needed to show these structures logically so that it is readable.

The circumstances in which digital evidence is found also help the investigator during the inspection. Metadata is used to portray data more specifically and is helpful in determining the background of digital evidence.

2.10 Types of Evidence

There are many types of evidence, each with their own specific or unique characteristics. Some of the major types of evidence are as follows:

1. Illustrative evidence
2. Electronic evidence
3. Documented evidence
4. Explainable evidence
5. Substantial evidence
6. Testimonial

2.10.1 Illustrative Evidence

Illustrative evidence is also called demonstrative evidence. It is generally a representation of an object, which is a common form of proof. For example, photographs, videos, sound recordings, X-rays, maps, drawings, graphs, charts, simulations, sculptures, models.

2.10.2 Electronic Evidence

Electronic evidence is nothing but digital evidence. As we know, the use of digital evidence in trials has increased. In this case, the evidences or proof that can be obtained from an electronic source are called digital evidence (viz., emails, hard drives, word-processing documents, instant message logs, ATM transactions, cell phone logs, etc.).

2.10.3 Documented Evidence

Documented evidence is similar to demonstrative evidence. However, in documentary evidence, the proof is presented in writing (viz., contracts, wills, invoices, etc.). It can include any number of media. Such documentation can be recorded and stored (viz., photographs, recordings, films, printed emails, etc.).

2.10.4 Explainable Evidence (Exculpatory)

This type of evidence is typically used in criminal cases in which it supports the defendant, either partially or totally removing their guilt in the case. It is also referred to as exculpatory evidence.

2.10.5 Substantial Evidence

A proof that is introduced in the form of a physical object, whether whole or in part, is referred to as substantial evidence. It is also called physical evidence. Such evidence might consist of dried blood, fingerprints, and DNA samples, casts of footprints, or tires at the scene of crime.

2.10.6 Testimonial

It is a kind of evidence spoken by a spectator under oath, or written evidence given under oath by an official declaration, that is, affidavit. This is one of the common forms of evidence in the system.

2.11 Challenges in Evidence Handling

While responding to a computer security incident, a failure to adequately document is one of the most common mistakes made by computer security professionals. Analytical data might never be collected, critical data may be lost, or data's origin and meaning may become unknown. As there are many evidences collected, adding to the technical complexity is the fact that properly retrieved evidence requires a paper trail. Such documentation gives an impression of having a certain quality against the natural instincts of the technical practical knowledge of individuals, who often investigate computer security incidents.
The challenges faced in evidence handling should be thoroughly understood by all investigators. Investigators should also understand how to meet these challenges. Hence, it is essential for every organization to have formal evidence handling procedures that support any computer security investigation. The important tasks in evidence handling are to authenticate the collected evidence and to maintain the chain of custody, which is also necessary to validate your evidence.
2.11.1 Authentication of Evidence

The laws of many jurisdictions define data as "computer-work" and "record-keeping". Before introducing them as evidence, documents and readable material must be authenticated.

The evidences that are collected by any person/investigator should be collected using authenticated methods and techniques, because during court proceedings these will become major evidences to prove the crime. In other words, for providing a piece of evidence of the testimony, it is necessary to have an authenticated evidence by a spectator who has personal knowledge of its origin.

For an evidence to be admissible, it is necessary that it should be authenticated; otherwise the information cannot be presented to the judging body. The matter of record is that the evidence collected by any person should meet the demand of authentication. The evidences collected must have some sort of internal documentation that records the manner of collected information.

2.11.2 Chain of Custody

Maintaining the chain of custody means that the evidences collected should not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. Chain of custody is nothing but the requirement that you may be able to trace the location of evidence from the moment it was collected to the moment it was presented in a judicial proceeding (Fig. 2.2).

Figure 2.2 Digital evidence should be 100% authentic.

To meet the requirements of chain of custody (Fig. 2.3), evidences are stored in a secure place by police departments and law enforcement agencies which have a property department. As per experts and law enforcement officials, evidences are checked in whenever they are retrieved and checked out whenever they need to be reviewed, and then back to storage.
The challenge of chain of custody requirements is maintaining positive control (that is, keeping it in your sight at all times) of all the collected best evidence. All evidence which you own or have collected must be kept in your sight or in proper storage. All evidence should not be accessible to anyone other than the appointed evidence custodian. Until evidences are carried or shipped to evidence custodians, the best evidence of your organization is stored within a safe or storage room, the "evidence safe", which is not accessible to all. The evidence custodian must control all the access to the evidence safe.

Figure 2.3 Chain of custody form. Each hand-off of an item is recorded as one block of fields: Received From, Received By, Date, Time (am/pm); the form repeats these fields for every transfer.

2.11.3 Evidence Validation

The challenge is to ensure that the data that you have collected and provide or present in court is the same as the data originally collected. Several years passing between the collection of evidence and the production of evidence at a judiciary proceeding is very common. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplication by using MD5 hashes. The evidence for every file is nothing but the MD5 hash values that are generated for every file that contributes to the case. The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, you must record an MD5 hash for both the original evidence media and the binary files which compose the forensic duplication.

Note: An MD5 hash calculated 6 months after evidence collection may not be helpful. MD5 hashes should be performed when the evidence is obtained.
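The validation step described above, as an added example that is not part of the book or of any tool it names: it hashes the source media and the forensic duplicate at acquisition time, keeps the digests in a manifest entry with the examiner and a UTC timestamp, and re-verifies the image later. The file names, the examiner label and the sample bytes are constructed. It also goes beyond the MD5-only procedure in the text by recording SHA-256 alongside MD5, because MD5 collisions are practical today and a second, stronger digest costs nothing at acquisition time.

```python
"""Evidence validation by hashing (added example; file names and data are constructed)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-gigabyte image is not loaded into memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, computing all algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(source_path, image_path, examiner):
    """Hash the original media and the forensic duplicate at acquisition time.

    The digests, the examiner and the UTC timestamp form the manifest entry that
    later proves the image matched the source when it was made."""
    source_hashes = hash_file(source_path)
    image_hashes = hash_file(image_path)
    return {
        "source": source_path,
        "image": image_path,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(entry):
    """Re-hash the image (for example years later, before producing it in court) and
    compare against every digest recorded in the manifest entry.
    Returns (ok, [names of algorithms that no longer match])."""
    current = hash_file(entry["image"], tuple(entry["image_hashes"]))
    mismatches = [name for name, digest in entry["image_hashes"].items() if current[name] != digest]
    return (not mismatches, mismatches)


def demo():
    """Constructed walkthrough: a small 'disk', an exact copy, then one byte altered in the copy."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.dd")        # placeholder name for the original media
    img = os.path.join(tmp, "evidence_copy.dd")   # placeholder name for the duplicate
    data = bytes(range(256)) * 64                 # 16 KiB of constructed content
    with open(src, "wb") as f:
        f.write(data)
    with open(img, "wb") as f:
        f.write(data)
    entry = record_acquisition(src, img, "examiner-01")
    ok_before, _ = verify_image(entry)
    with open(img, "r+b") as f:  # simulate alteration of the working copy after acquisition
        f.seek(100)
        f.write(b"\x00")
    ok_after, mismatched = verify_image(entry)
    return entry["verified"], ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())  # (True, True, False, ['md5', 'sha256'])
```

The manifest entry is what goes into the case file next to the chain-of-custody record; re-running verify_image against it is the check a practitioner performs before the image leaves the lab, and a single changed byte is enough to fail it.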

Summary

In this chapter, we discussed numerous digital forensic models and highlighted the phases in each model. Each model describes a particular series of phases of the digital forensic field. Digital evidence exists in the form of information from computers, emails, instant messages, internet history and other devices, and it is very effective. There are many approaches which can be used by the investigator, and the computer is a source of evidence in almost all cases. Digital evidence helps to investigate the case and plays a vital role in digital forensic investigation.

Key Terms

• Acquisition: The process of creating a duplicate copy of digital media for the purpose of examining it.
• Verification: A term used to refer to the hashing of both source media and acquired image to verify the accuracy of the copy.
• Computational forensics: Computational forensics are digital forensics with the use of artificial intelligence.
• Hacking: Modifying a computer in a way which was not originally intended, to benefit the hacker's goals.
• Digital media: Used within the field to refer to the physical medium (viz., a hard drive) or data-storage device.
• Denial-of-service attack: An attempt to prevent legitimate users of a computer system from having access to that system's information or services.
• E-discovery or Discovery: A common acronym for electronic discovery.
• Metadata: Data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date, and so on.
• Exhibit: Digital media seized for investigation is usually referred to as an "exhibit".
• Hashing: Within the field, "hashing" refers to the use of hash functions (e.g., CRC, SHA1 or MD5) to verify that an "image" is identical to the source media.
• Write blocker: A hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
• Image: A duplicate copy of some digital media created as part of the forensic process.
• Bit copy: "Bit" is a contraction of the term "binary digit" and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium "invisible" to the user.
• Imaging: Synonym of "acquisition".
• Live analysis: Analysis of a piece of digital media from within itself; often used to acquire data from RAM where this would be lost upon shutting down the device.
• RAM: Random Access Memory. RAM is a computer's temporary work space and is volatile, which means its contents are lost when the computer is powered off.
• Slack space: The unused space at the end of a file in a file system that uses fixed-size clusters (if the file is smaller than the fixed block size, then the unused space is simply left). Often contains deleted information from previous uses of the block.
• Key-logging: The recording of keyboard input, giving the ability to read a user's typed passwords, emails, and other confidential information.
• Steganography: The word steganography comes from the Greek "steganos" (hidden or secret) and "graphy" (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden.
• Data: Information in analog or digital form that can be transmitted or processed.
• Data extraction: A process that identifies and recovers information that may not be immediately apparent.
• Encryption: A procedure that converts plain text into symbols to prevent anyone but the intended recipient from understanding the message.
• Work copy: A copy or duplicate of a recording or data that can be used for subsequent processing and/or analysis. It is also called an image.
• File format: The structure by which data is organized in a file.
• Write block/write protect: Hardware and/or software methods of preventing modification of content on a media storage unit such as a CD or thumb drive.
• Forensic wipe: A verifiable procedure for sanitizing a defined area of digital media by overwriting each byte with a known value; this process prevents cross-contamination of data.
• Acquisition of digital evidence: Acquisition of digital evidence begins when information and/or physical items are collected or stored for examination. The term "evidence" implies that the collection of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and is appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
• Hash or hash value: Numerical values that represent a string of text (search term), generated by hashing functions (algorithms). Hash values are used to query large sums of data such as databases or hard drives for specific terms. In forensics, hash values are also used to substantiate the integrity of digital evidence and/or for inclusion and exclusion comparisons against known value sets.
• Data objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
• Log file: A record of actions, events, and related data.
• Digital Evidence: Information of probative value stored or transmitted in digital form.
• Media: Objects on which data can be stored. Includes hard drives, thumb drives, CD/DVD, floppy discs, SIM cards from mobile devices, memory cards for cameras, etc.
• Physical items: Items on which data objects or information may be stored and/or through which data objects are transferred.
• Metadata: Data, frequently embedded within a file, that describes a file or directory, and can include the locations where the content is stored, dates and times, application-specific information, and permissions (e.g., email headers and website source code contain metadata).
• Original digital evidence: Physical items and data objects associated with such items at the time of acquisition or seizure.
• Partition: User-defined section of electronic media. Partitions can be used to separate and hide information on a hard drive.
• Duplicate digital evidence: An accurate digital reproduction of all data objects contained on an original physical item.
• Source code: The instructions written in a programming language used to build a computer program.
• Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

Review Questions
1. What is digital forensics?
2. Explain the process of digital forensics.
3. What ethical issues are involved in the digital forensics process?
4. Explain the history of the digital forensic field.
5. What is an evidence handling procedure?
6. What are the challenges in evidence handling?
7. What is digital evidence?
8. Explain the various types of evidence. Explain the rules of evidence.
9. Describe the term metadata.
Chapter 3 Incidence Response Process

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the concept of an incident and its incident response goal.
• Understand the process of incident response.
• Interpret and apply various phases of methodology on an incident.
• Distinguish the difference between initial response activity and activity after detection of an incident.

Being prepared for incident response is likely to be one of the more cost-effective security measures any organization can take because well-planned IR reduces the incident impact and costs and because security incidents are inevitable.

-Anton Chuvakin

3.1 Introduction
According to the incidence response (IR) investigator team, they have responded to a gamut of incidents: criminal incidents, incidents that involved civil litigation, and incidents that disrupted business but were not actionable (cases where criminal or civil action was improbable). They also have developed incident response plans for numerous organizations, ranging from financial services institutions to companies that produce mainstream products. During their various responses and program development engagements, they sought to design an incident response process that will work with each type of incident you may encounter. They believe that the incident response process they introduce in this chapter meets the needs of any organization or individual who must respond to computer security incidents. They also believe that law enforcement or hired investigators should understand all of the phases of this methodology, even if they perform actions during only a portion of the entire process.

Before we delve into the specifics of the incident response methodology, there are some basic questions that need answers about incident response. Some of them are "What are computer security incidents?", "What are the goals of incident response?", and "Who is involved in the incident response process?"

• Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident.

Figure: Incident Management and its services (Vulnerability Handling, Incident Handling, Artifact Handling, Alerts, Other Incident Management Services).

3.1.1 An Incident
In information technology, an occurrence or an incident (attack) is an event wherever a service or element fails to produce a feature or service that it had been designed to deliver.

3.1.2 An Incident Response

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident), and its goals are to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response set-up includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step method that ought to be followed once an incident happens.

3.1.3 An Incident Response Plan

An incident response plan provides a step-by-step process, which should be followed during the occurrence of an incident.

3.1.4 Goals of Incident Response

The primary goal of incident response is to effectively remove a threat from the organization's computing environment, while minimizing damages and restoring normal operations as quickly as possible. This goal is accomplished through two main activities:

Figure: the two main activities of incident response.
We emphasize the goals of corporate security professionals with legitimate business concerns in our incident response methodology. In addition, we also take into consideration the concerns of law enforcement officials. Therefore, we have developed a procedure that promotes a coordinated, cohesive response and achieves the following:
1. Prevention of a disjoint and non-cohesive response (which could be disastrous).
2. Occurrence of an incident is confirmed or dispelled.
3. Promotes collection of accurate information.
4. Proper retrieval and handling of evidence is established and controlled.
5. Protection of privacy rights established by law and policy.
6. Minimization of disruption to business and network operations.
7. Allowance for criminal or civil action against the culprit.
8. Accurate reports and useful recommendations are provided.
9. Rapid detection and containment are provided.
10. Minimization of exposure and compromise of proprietary data.
11. Tries to protect your organization's reputation and assets.
12. Educates senior administration.
13. Promotion of rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, etc.).

3.2 People Involved in Incident Response Process

The main quality of incident response is that it is a multisided discipline. Hence, the people involved in the incident response process should belong to various multidisciplinary fields. To properly prepare for and address incidents across the organization, a centralized incident response team should be formed. This team is responsible for analyzing security breaches and taking any necessary responsive measures. The incident response team should not be exclusively responsible for addressing security threats. All business representatives and employees must fully understand and advocate for the incident response plan in order to ensure that emergency procedures run smoothly. Each area of the company has unique responsibilities during an incident. At its core, an IR team should consist of:

• Incident Response Manager: The incident response manager oversees and prioritizes actions during the detection, analysis, and containment of an incident and is also responsible for conveying the special requirements of high severity incidents.
• Security Analysts: The manager is supported by a team of security analysts that work directly with the affected network to research the time, location and details of an incident. There are two types of analysts: Triage Analysts and Forensic Analysts.
• Threat Researchers: Threat researchers complement security analysts by providing threat intelligence and context for an incident. They are constantly combing the internet and identifying intelligence that may have been reported externally.
• Management: Management buy-in is necessary for provision of resources, funding and time commitment for incident response planning and execution.
• Human Resources: HR is called upon when an employee is discovered to be involved with an incident.
• Audit and Risk Management Specialists: These specialists help to develop threat metrics and vulnerability assessments while encouraging best practices across the organization.
• General Counsel: An attorney ensures that any evidence collected maintains its forensic value in the event that the company chooses to take legal action.
• Public Relations: PR will communicate with team leaders, ensuring an accurate account of any issues is communicated to stakeholders.
Computer Security Incident Response Team (CSIRT) is a team whose members work on the incident response process. In order to resolve an incident fully, the CSIRT works together as an interdisciplinary team. The CSIRT has the appropriate legal, technical and other expertise necessary. Its members decide whether to apply evidence response or not based on the seriousness of the incident. When an organization requires its capabilities, the CSIRT is normally the team formally authorized to conduct an initial response process.

3.2.1 Role of Computer Security Incident Response Team

There is always a division between human resources who investigate laptop security incidents and people who investigate normal crimes. Separate functions for company security human resources and laptop security human resources as units are characteristic of several companies. Network attacks (e.g., laptop intrusions and Denial of Service attacks) are solely responded to by the Computer Security Incident Response Team. The security officers or corporate investigators perform the investigation once an additional crime is committed. However, it is very common for the corporate security human resource to be defenseless and unready to deal with technical evidence. This technical proof is commonly insignificant and easy for the PC Security Incident Response Team to interpret. On balance, the members of your Incident Response Team have the technical skills needed to perform investigations that involve technical proof. The members could be employed to do so, regardless of the incident that created the technical evidence. In future, we can predict a partitioned field in corporate investigations. It is necessary that everyone would need to obtain and understand technical evidence.

Figure: Roles of the CSIRT.
• Managing security issues by taking a proactive approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents.
• Providing a single point of contact for reporting security incidents and issues.
• Developing or reviewing the process and procedures that must be followed in response to an incident.
• Reviewing changes in legal and regulatory requirements to ensure that all processes and procedures are valid.
• Managing the response to an incident and ensuring that all procedures are followed correctly in order to minimize and control the damage.
• Reviewing existing ...
• Identifying and analyzing what has happened during an incident, including the impact and threat.
• Establishing relationships with the local law enforcement agency, government agencies, key partners, and suppliers.

3.3 Incident Response Process

The incident response process encompasses the phases Initial Response, Investigation, Remediation, Tracking of Significant Investigative Information and Reporting. The dynamic relationship among those phases is highlighted in Fig. 3.1.

Figure 3.1 Dynamic relationship among the phases (Initial Response, Investigation, Remediation, Tracking of Significant Investigative Information, Reporting).

3.3.1 Initial Response

Initial response is the first step of the incident response process. An incident response team must have in place policies, tools, procedures and effective communication plans so that it is ready to report and continue operations when an incident is discovered. The main objectives in this step are potentially assembling the response team, collecting network-based and other readily available data, and determining the type of incident and its potential impact. The goal is to gather enough initial information to allow the team to determine the appropriate response. The team develops the formal incident response capability, defining the organizational structure and the responsibilities of the incident response team. They create procedures with detailed guidance in order to respond to an incident; they select the right people with the appropriate skill set; they define the criteria to declare an incident; they define the right tools to handle an incident; and the team defines what they are going to report and to whom the team is going to communicate. This step ensures that response actions are known and coordinated. Sound preparations will help them limit the potential damage by ensuring quick and effective response actions.

3.3.2 Investigation

Investigation is the phase where team personnel determine the priority, scope, and root cause of the incident. This step is where the team verifies whether an occasion has occurred, supported by event observation and indicators, and searches for deviations from traditional operations and for malicious acts or attempts to do damage. The tools the team has put in place can facilitate the team in doing the identification. The incident handler team will use their experience to look at the signs and indicators. The observation might occur at the network, host, or system level. It is where the team leverages the alerts and logs from routers, firewalls, IDS, SIEM, AV gateways, operating systems, network flows, and more. When distinguishing an occasion, the team is compelled to assess the impact and notify the suitable people or external parties. If there are reasons to believe that the team will engage law enforcement, it is where the team ensures chain of custody. It is at this stage that the team outlines the next steps.
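The paragraph above lists the log sources the team leverages but not how a deviation from normal operations is pulled out of them. The following is an added example, not code from the book: it parses constructed OpenSSH-style authentication lines and flags a host/IP pair where a burst of failed logins is followed by a success within a short window, which is the kind of sign an incident handler looks at during this phase. The log lines, hostnames and addresses are constructed (198.51.100.0/24 is a documentation range), and the threshold and window are assumptions to be tuned per environment.

```python
"""Added example: turning raw authentication log lines into investigation indicators."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar 10 02:14:03 web01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51124 ssh2
Mar 10 02:14:05 web01 sshd[4021]: Failed password for root from 198.51.100.23 port 51130 ssh2
Mar 10 02:14:06 web01 sshd[4021]: Failed password for root from 198.51.100.23 port 51131 ssh2
Mar 10 02:14:09 web01 sshd[4023]: Accepted password for root from 198.51.100.23 port 51140 ssh2
Mar 10 08:30:12 web01 sshd[5100]: Accepted publickey for deploy from 10.0.0.5 port 40210 ssh2
Mar 10 09:02:44 db01 sshd[7780]: Failed password for postgres from 10.0.0.9 port 33002 ssh2
Mar 10 09:03:01 db01 sshd[7781]: Accepted password for postgres from 10.0.0.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn each parseable line into an event dict; syslog lines carry no year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in a real review, count unparsed lines rather than silently dropping them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def find_indicators(events, threshold=3, window_s=300):
    """Flag each successful login preceded by at least `threshold` failures from the
    same source IP on the same host within `window_s` seconds (assumed defaults)."""
    failures = defaultdict(list)  # (host, ip) -> timestamps of failed attempts
    indicators = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["ip"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            indicators.append({"host": e["host"], "ip": e["ip"], "user": e["user"],
                               "failures_before_success": len(recent),
                               "at": e["ts"].isoformat()})
    return indicators


if __name__ == "__main__":
    for ind in find_indicators(parse(SAMPLE_LOG)):
        print(ind)
```

On the sample data the db01 entry (one failure, then success) stays below the threshold, while the web01 sequence is reported with the source address and the account that ended up logged in; those two values are exactly what goes into the network-based IOC and compromised-account lists tracked later in the chapter.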

3.3.3 Remediation

Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, and analysis that confirms the threat has been contained. The determination of whether there are regulatory requirements for reporting the incident (and to which outside parties) will be made at this stage in consultation with OGC. Apart from any formal reports, the post-mortem will be completed at this stage, as it may impact the remediation and interpretation of the incident.

3.3.4 Tracking of Significant Investigative Information

We mentioned earlier in this chapter that many of the challenges in effective incident response are nontechnical. Staying organized is one of those challenges, and is an especially big one. We hate to use the term "situational awareness," but that is what we are talking about here. Your investigations must have a mechanism to effectively track critical information and share it with the ancillary teams and the organization's leadership. You should also have a way to refer to a specific incident, other than "the thing that started last Tuesday." Establish an incident numbering or naming system and use that to refer to and document any information and evidence related to a specific incident.

What is "significant investigative information"? We have found a handful of data points that are critical to any investigation. These items must be tracked as close to real time as possible, because team members will use them as the "ground truth" when it comes to the current status of the investigation. This data will also be the first thing that team members will reference when queries come in from management.
1. List of evidence collected: This should include the date and time of the collection and the source of the data, whether it be an actual person or a server. Ensure that a chain of custody is maintained for each item. Keep the chain of custody with the item; its presence in this list is an indicator to you that an item has been handled properly.
2. List of affected systems: Track how and when the system was identified. Note that "affected" includes systems that are suspected of a security compromise as well as those simply accessed by a suspicious account.
3. List of any files of interest: This list usually contains only malicious software, but it may also contain data files or captured command output. Track the system the file was found on as well as the file system metadata.
4. List of accessed and stolen data: This includes file names, content, and the date of suspected exposure.
5. List of significant attacker activity: During examinations of live response or forensic data, you may discover significant activities, such as logins and malware execution. Include the system affected and the date and time of the event.
6. List of network-based IOCs: Track relevant IP addresses and domain names.
7. List of host-based IOCs: Track any characteristic necessary to form a well-defined indicator.
8. List of compromised accounts: Ensure you track the scope of the account's access, local or domain-wide.
9. List of ongoing and requested tasks for your teams: During our investigations, we usually have scores of tasks pending at any point. From requests for additional information from the ancillary teams to forensic examinations, it can be easy to let something fall through the cracks if you are not organized.
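The nine lists above, together with the chain-of-custody requirement from Section 2.11.2, as one added example that is not code from the book: a small tracker that numbers incidents, keeps each evidence item with its hand-off history, validates network IOCs before they enter the list, records the scope of compromised accounts, and produces the status snapshot a team member reads back when management asks. The incident-id scheme, the hostnames, account names and indicator values are constructed placeholders.

```python
"""Added example: tracking the 'significant investigative information' lists for one incident."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Syntactic check for a domain name; avoids free text landing in the IOC list.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceItem:
    item_id: str
    source: str                                   # the person or server it came from
    collected_at: str
    custody: list = field(default_factory=list)   # (holder, received_at) for every hand-off


@dataclass
class Incident:
    incident_id: str
    opened_at: str = field(default_factory=now)
    evidence: dict = field(default_factory=dict)            # item_id -> EvidenceItem
    affected_systems: dict = field(default_factory=dict)    # host -> how/when it was identified
    files_of_interest: list = field(default_factory=list)
    accessed_data: list = field(default_factory=list)
    attacker_activity: list = field(default_factory=list)
    network_iocs: set = field(default_factory=set)
    host_iocs: list = field(default_factory=list)
    compromised_accounts: dict = field(default_factory=dict)  # account -> "local" | "domain"
    tasks: dict = field(default_factory=dict)                 # task -> status


class IncidentTracker:
    """Numbers incidents as IR-<year>-<seq> (assumed scheme) so nothing is 'the thing from last Tuesday'."""

    def __init__(self):
        self._seq = 0
        self.incidents = {}

    def open_incident(self):
        self._seq += 1
        iid = f"IR-{datetime.now(timezone.utc).year}-{self._seq:04d}"
        self.incidents[iid] = Incident(iid)
        return self.incidents[iid]


def add_evidence(inc, item_id, source, collector):
    """Record collection time and source; the collector is the first link in the chain of custody."""
    item = EvidenceItem(item_id, source, now())
    item.custody.append((collector, item.collected_at))
    inc.evidence[item_id] = item
    return item


def transfer_custody(inc, item_id, new_holder):
    """Every hand-off is appended, never overwritten; the list is the item's chain of custody."""
    inc.evidence[item_id].custody.append((new_holder, now()))


def add_network_ioc(inc, value):
    """Accept only a syntactically valid IP address or domain name; return False otherwise."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
    except ValueError:
        if not DOMAIN_RE.match(v):
            return False
    inc.network_iocs.add(v)
    return True


def add_compromised_account(inc, account, scope):
    if scope not in ("local", "domain"):
        raise ValueError("scope must be 'local' or 'domain'")
    inc.compromised_accounts[account] = scope


def status_summary(inc):
    """The 'ground truth' snapshot: what is tracked, what still needs doing, and where custody is missing."""
    return {
        "incident": inc.incident_id,
        "evidence_items": len(inc.evidence),
        "evidence_without_custody": [i for i, e in inc.evidence.items() if not e.custody],
        "affected_systems": sorted(inc.affected_systems),
        "network_iocs": sorted(inc.network_iocs),
        "domain_accounts_compromised": sorted(a for a, s in inc.compromised_accounts.items() if s == "domain"),
        "open_tasks": sorted(t for t, s in inc.tasks.items() if s != "done"),
    }


def demo():
    """Constructed walkthrough with placeholder hostnames, accounts and indicators."""
    inc = IncidentTracker().open_incident()
    add_evidence(inc, "E-001", "web01 (disk image)", "analyst-a")
    transfer_custody(inc, "E-001", "evidence-custodian")
    inc.affected_systems["web01"] = "SIEM alert; suspected compromise"
    inc.affected_systems["fileshare02"] = "accessed by suspicious account"
    add_network_ioc(inc, "198.51.100.23")             # constructed documentation-range address
    add_network_ioc(inc, "malicious-host.example")    # constructed placeholder domain
    rejected = add_network_ioc(inc, "not an indicator")
    add_compromised_account(inc, "svc_backup", "domain")
    inc.tasks["forensic exam of web01"] = "in progress"
    inc.tasks["request VPN logs from network team"] = "done"
    return inc, rejected, status_summary(inc)


if __name__ == "__main__":
    print(demo()[2])
```

Keeping the custody list inside the evidence record is deliberate: the summary can point at any item whose chain is empty, which is the "indicator that an item has been handled properly" the first list item asks for, and the IOC validation keeps the network list clean enough to hand straight to the network team.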

3.3.5 Reporting

Incident response activities will be documented to include artifacts obtained using methods consistent with chain of custody and confidentiality requirements. Incidents will be prioritized and ranked according to their potential to disclose restricted data. As an investigation progresses, that ranking may change, resulting in greater or lesser prioritization of resources. Incidents will be reviewed post-mortem to assess whether the investigational process was successful and effective. Subsequent adjustments may be made to methods and procedures to improve the incident response process. Artifacts collected during the course of an investigation may be deleted after the conclusion of the investigation.

3.4 Incident Response Methodology

We are always on an exploration for the better way to perform a process. To define the phases of the process, we search for the right way and also look for the logical line of separation between phases, to avoid murky areas. To illustrate the process, we try to make the process flow so that the process can be applied to the typical case. It is quite a challenge to build a straightforward image of the process while maintaining a higher level of accuracy, because the incident response process will involve too many variables and factors that may have an effect on its flow. However, we tend not to stress; we have developed a seven-step methodology that is straightforward, correct, and actual. Computer security incidents are for the most part complicated, multifaceted problems. We use a "black box" approach to simplify complex engineering problems in order to solve them. We distribute the larger problem of incident resolution into components and survey the inputs and outputs of each component. Figure 3.2 illustrates our approach to incident response.

Figure 3.2 Incidence response methodology. Flow: Incident occurs (point-in-time or ongoing); Pre-incident preparation; Detection of incidents; Initial response; Formulate response strategy; Investigate the incident (Data collection, Data analysis); Reporting; Resolution (Recovery, Implement security measures).

In incident response methodology there are seven major components of incident response:
1. Pre-incident preparation: Before an incident occurs, take necessary actions to prepare the organization and the CSIRT.
2. Detection of incidents: Recognizing a probable computer security incident.
3. Initial response: By recording the basic particulars surrounding the incident, collecting the incident response team, and informing the individuals who need to know about the incident, the initial response team performs an initial investigation.
4. Formulate response strategy: Regulate the best response team and gain the management approval based on the outcomes of all the known facts. On the basis of conclusions, try to regulate the civil, criminal, administrative, or other actions which are appropriate to be drawn from the investigation.
5. Investigate the incident: Perform a comprehensive collection of data, to determine what happened, when it happened, who did it, and how it can be prevented in the future.
6. Reporting: Flawlessly report information about the investigation in such a manner that it becomes useful to decision makers.
7. Resolution: Various resolutions must be taken such as employing security measures and procedural changes, recording of lessons learned and development of long-term fixes for any problems identified.

3.4.1 Pre-Incident Preparation

Planning leads to successful incident response. During this phase your organization needs to prepare both the organization itself and the CSIRT members, prior to responding to a computer security incident.
We recognize that computer security incidents are outside our control. As investigators, we have no clue when the next incident will arise. Moreover, we often have no control over, or access to, the affected computers before an incident happens. Even so, having no control does not mean we should not attempt to position an organization to encourage a fast and fruitful response to any incident.
Incident response is reactive in nature. The pre-incident preparation phase includes the only preemptive measures the CSIRT can take in order to safeguard that an organization's possessions and information are safe and conserved.
Preferably, preparation involves not just obtaining the tools and developing techniques to respond to incidents; it also includes taking action on the systems and networks that will be part of any incident that you need to investigate. There are a variety of steps you can take now to save time and effort later, if you are fortunate enough to have any level of control over the hosts and networks that you will be asked to investigate.
1. Preparing the organization: Preparation requires developing all of the corporate-wide strategies you need to employ to put your organization in a better position for incident response. Preparation of an organization includes:
(a) Host-based security actions should be implemented.
(b) Network-based security procedures should be implemented.
(c) Training for end users.
(d) Intrusion detection system (IDS) should be active.
(e) Formation of strong access control.
(f) Performance of timely vulnerability assessments.
(g) Safeguarding backups which are taken on a regular basis.
2. Preparing the computer security incident response team: During the pre-incident preparation phase, the CSIRT is defined. Your organization needs to assemble a team of experts to handle any incidents that occur. Preparing the CSIRT includes:
(a) The hardware needed to investigate computer security incidents.
(b) The software needed to investigate computer security incidents.
(c) The documentation needed to investigate computer security incidents.
(d) The operating procedures needed to implement your response strategies.
(e) Training your staff or employees to perform incident response in such a manner that it promotes successful forensics, investigations, and remediation.

After an incident occurs, you do not want to be acquiring essential resources. You cannot afford unnecessary delays when attempting to resolve an incident. We will go into detail about the hardware, software, documentation, policies, and training required to prepare your organization and CSIRT before an incident occurs.

3.4.2 Detection of Incidents


An organization cannot be successful in responding to incidents if it cannot notice or sense incidents successfully. Therefore, one of the most important features of incident response is the detection of incidents phase (Fig. 3.3). It is also one of the most disjointed phases, one in which incident response proficiency has only slight control.
Suspected incidents may be detected in innumerable ways. Computer security incidents are normally identified when someone suspects that an unauthorized, unacceptable, or unlawful event has occurred involving an organization's computer networks or data-processing equipment. Initially, the incident may be reported by a user, detected by a system administrator, identified by IDS alerts, or detected by some other means.

Figure 3.3 Detection of incidents. The figure shows the flow Preparation -> Detection (if no incident is confirmed, return to preparation) -> Containment -> Eradication -> Recovery -> Follow-up.


In most organizations, end users may report an incident through one of many avenues. These avenues may be their immediate supervisor, the corporate help desk (or the local IT department, if there is no formal help desk), or an incident hotline managed by the information security entity. Typically, employee-related issues are reported to a supervisor or directly to the human resources department, while end users report technical issues to the help desk.
It is important to record all the known details when an incident is detected. We recommend using an initial response checklist so that the pertinent facts are readily recorded. Some of the details which are important:
1. Problem name and date.
2. Report of the incident, such as who/what reported it.
3. Description of the incident.
4. Incident occurrence (when it occurred).
5. Involvement of hardware/software.
6. Points of contact for involved human resources.
After an incident is detected, the CSIRT should be activated and the appropriate people contacted. The CSIRT will use the information from the initial response checklist to begin the next phase of the response process: the initial response.

3.4.3 Initial Response

One of the first steps of any investigation is to determine an appropriate response by obtaining enough information. The initial response phase involves assembling the CSIRT and collecting network-based and other data. It also involves determining the type of incident that has occurred and assessing the impact of the incident. The idea is to gather enough information to begin the next phase; this information is used in developing the strategy. The other motive of the initial response phase is to document the steps that must be undertaken. When an incident is detected, this approach prevents "knee-jerk" reactions and panic, allowing your organization to implement a methodical approach in the middle of a stressful situation.
Computer security incidents can be detected in innumerable ways. The Department of Justice conducted one of the largest economic espionage investigations that began with non-technical indicators. An employee of a large telecommunications company spotted another employee placing proprietary hardware into a gym bag. It was commonly accepted that the programs developed there could also be worked on specialized equipment by employees who worked at home. However, the witness noticed that this particular employee continued to "sneak" proprietary components out of the organization in a gym bag. Rather than approaching and alerting the employee, the witness was smart enough to report the incident to the appropriate people. The witness recognized that the stolen hardware may be a manifestation of something much more devastating: the theft of the company's prized source code. The witness fostered excellent incident response by not alerting the employee. The organization was then able to implement steps to collect additional evidence, to determine whether the employee was also pilfering the source code.
Actually, the beginning of the initial response phase is the involvement of the individuals detecting an incident. Whoever detects the incident, or is notified that the incident may have occurred (e.g., help desk or security personnel), documents the crime scene. To take advantage of the team's experience, control of the response should be forwarded to the CSIRT early in the process. The more steps in the initial response phase performed by the CSIRT, the better it is. Typically, touching the affected system(s) will not be involved in the initial response phase. The data collected during this initial response phase includes network-based and other data. The initial response phase involves:
1. Interviewing system administrators who might have insight into the technical details of an incident.
2. Interviewing business unit human resources that may provide a context for the incident, who might have an understanding of the business events.
3. Reviewing intrusion detection reports and network-based logs to identify data that would support that an incident has occurred.
4. Reviewing the network topology and access control lists to determine if any avenues of attack can be ruled out.
The team must verify that an incident has actually occurred, and which systems are directly or indirectly affected. It should also verify the users involved and the potential business impact. For the actual response to be appropriate, the team should verify enough information about the incident. In order to simply confirm that an incident has occurred, it may become necessary to initiate network monitoring at this stage. Before formulating your overall response strategy, the key here is to determine how much information is enough. The answer depends on many factors, which are discussed in later sections.
At the end of the initial response stage, you will know whether or not an incident has occurred. This phase will give you a good idea of the systems affected, the type of incident, and the potential business impact. On the basis of this information, you are now ready to make a decision on how to handle the incident.

3.4.4 Formulate Response Strategy


To determine the most appropriate response strategy, the circumstances of the incident are the main input of the response strategy formulation phase. The political, technical, legal, and business factors that surround the incident should be considered in the strategy. For selecting the strategy, the objectives of the group or individual with responsibility, on which the final solution depends, should be taken into account.
1. Considering the totality of the circumstances: Based on the circumstances of the computer security incident, the response strategies will vary. While deciding how many resources are needed to investigate an incident, whether to create a forensic duplication of relevant systems, whether to make a criminal referral, whether to pursue civil litigation, and other aspects of your response strategy, the following factors need to be considered:
(a) How critical are the affected systems?
(b) How sensitive is the compromised or stolen information?
(c) Who are the potential perpetrators?
(d) Is the incident known to the public?
(e) What is the level of unauthorized access attained by the attacker?
(f) What is the attacker's apparent skill?
(g) Involvement of system and user downtime.
(h) The overall dollar loss.
From virus outbreaks to theft of consumers' credit card information, incidents may differ extensively. A typical virus outbreak usually results in some idle time and lost productivity. The theft of customers' credit card information could put an inexperienced dot-com operation out of business. The response strategy for each event will fluctuate accordingly. A virus outbreak is usually swept under the carpet; the theft of credit card information is just like a five-alarm fire, compelling a response that includes the Public Relations department, the CEO, and all available technical resources.
During the initial response, the details obtained can be critical when choosing a response strategy. For example, a Denial of Service attack originating from a university may be handled differently from how an equivalent Denial of Service attack that originates from a competitor is handled. It may become necessary to reinvestigate details of the incident before the response strategy is chosen.

The response strategy is also important in a large organization because it provides future guidance for a new CSIRT team to determine technical resources, political considerations, legal constraints, and business objectives. The detailed discussion of these factors follows later.
2. Considering appropriate responses: Armed with the circumstances of the attack and your capacity to respond, you should be able to arrive at a viable response strategy. The response strategy determines how you proceed from an incident to an outcome. Table 3.1 gives some examples of incidents and their response strategy as well as the expected outcome.

Table 3.1 Response strategy for attacks

Incident: DoS attack
Example: TFN DDoS attack (a popular Distributed Denial of Service attack).
Response strategy: Reconfigure router to minimize effect of the flooding.
Likely outcome: Effects of attack mitigated by router countermeasures. Establishment of perpetrator's identity may require too many resources to be a worthwhile investment.

Incident: Unauthorized use
Example: Using work computers to surf pornography sites.
Response strategy: Possible forensic duplication and investigation. Interview with suspect.
Likely outcome: Perpetrator identified, and evidence collected for disciplinary action. Action taken may depend on the employee's position or past enforcement of company policy.

Incident: Vandalism
Example: Defaced web site.
Response strategy: Monitor, repair, and investigate web site while it is online. Implement web site "refresher" program.
Likely outcome: Web site restored to operational status. Decision to identify perpetrator may involve law enforcement.

Incident: Theft of information
Example: Stolen credit card and customer information from company database.
Response strategy: Make public affairs statement, forensic duplication of relevant systems, and investigation of theft.
Likely outcome: Detailed investigation initiated. Law enforcement participation possible. Civil complaint filed to recover potential damages. Systems potentially offline for some time.

Incident: Computer intrusion
Example: Remote administrative access via attacks such as the cmsd buffer overflow and Internet Information Services (IIS) attacks.
Response strategy: Monitor activities of attacker. Isolate and contain scope of unauthorized access. Secure and recover systems.
Likely outcome: Vulnerability leading to intrusion identified and remedied.
The response strategy must also be in line with the organization's business objectives. In light of the potential impact of the incident, the following should also be weighed when selecting a response strategy:
(a) Estimated dollar loss.
(b) Network downtime and its impact on operations.
(c) User downtime and its impact on operations.
(d) Whether or not your organization is legally compelled to take certain actions.
(e) Public disclosure of the incident and its impact on the organization's reputation/business.
(f) Theft of intellectual property and its potential economic impact.
3. Taking action: Whether the objective is to discipline an employee or to respond to a malicious act, the action taken will be a criminal referral, a civil complaint, or an administrative action, as the incident warrants.
4. Legal action: Two courses of legal action can follow a computer security incident: a civil complaint or a criminal referral. If your decision is to file a civil complaint or to make a criminal referral, the law enforcement investigation will reduce the autonomy that your organization has over the incident, and a careful determination should be made before you engage the appropriate authorities. If your organization is not compelled to notify law enforcement, you may want to determine the amount of effort/resources you want to invest in the investigation before bringing in law enforcement.
When deciding whether to include law enforcement in the incident response, the following should be considered:
(a) Does the damage/cost of the incident merit a criminal referral?
(b) Is it likely that the civil or criminal action will achieve the outcome desired by your organization? (Can you recover damages or obtain information from the offending party?)
(c) Has the cause of the incident been reasonably established? (Law enforcement officers are not computer security professionals.)
(d) Does your organization have proper documentation and an organized report that will be conducive to an effective investigation?
(e) Can tangible investigative leads be provided to law enforcement officials for them to act on?
(f) Does your organization know and have a working relationship (prior liaison) with the local or federal law enforcement officers?
(g) Will your organization be ready to handle public scrutiny?
(h) Does the past history/documentation of the individual merit legal action?
(i) How will law enforcement involvement affect your organization's business operations?
Table 3.2 shows some common incidents and potential actions that may lead to law enforcement involvement.
Table 3.2 Common incidents and potential actions

Incident: Denial of Service attack
Action: Identify the likely source of the attack with the help of the source ISP. Consider notifying law enforcement to identify the perpetrator.

Incident: Internal attacker
Action: Identify the perpetrator and consider disciplining and/or terminating the employee.

Incident: External attacker
Action: Identify an IP address as the likely source and consider using law enforcement to pierce the anonymity behind the IP address.

Incident: Possession of child pornography
Action: Your organization may be required to notify law enforcement. The U.S. law currently dictates that failure to notify may risk criminal liability. Contact legal counsel and human resources immediately. Control access to the material and prevent dissemination.

Incident: Possession or dissemination of pornography
Action: This activity is not investigated by law enforcement. Contact legal counsel and human resources to protect the organization from civil liability. Ensure your Acceptable Use Policy discourages such activity by employees.

Incident: Harassing email
Action: This activity is not investigated by law enforcement. Contact legal counsel and human resources to protect the organization from potential civil liability.

5. Administrative action: Currently, disciplining or terminating employees via administrative measures is more common than initiating civil or criminal actions. To discipline internal employees, some administrative actions that can be implemented include:
(a) Letter of reprimand.
(b) Immediate discharge.
(c) Mandatory leave of absence for a specific length of time (paid or unpaid).
(d) Reassignment of job duties (diminished responsibility).
(e) Temporary reduction in pay to compensate for losses/damage.
(f) Public/private apology for the actions conducted.
(g) Withdrawal of certain advantages such as network or web access.

3.4.5 Investigate the Incident


The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident. You need to conduct your investigation by reviewing host-based evidence, network-based evidence, and evidence gathered via traditional, nontechnical investigative steps.
No matter how you conduct your investigation, you need to respond to an incident caused by people. People cause the incidents by using things to destroy, steal, access, hide, attack, and hurt other things. With any type of investigation, the key is to determine which things were harmed by which people. However, a computer crime incident adds complexity to this simple equation, because establishing the identity behind the people on a network is increasingly difficult.
Users are becoming experts at using encryption, steganography, anonymous email accounts, fake mails, spoofed source IP addresses, spoofed MAC addresses, masquerading as other individuals, and other means to mask their true identity in "cyberspace". The identification of an attacker who brought down your web sites can be so time-consuming that, in fact, the victim may elect not to even try. Establishing identity can be less of a concern to the victim than what was damaged; many organizations choose to focus solely on what was damaged and how to fix it.
The two phases of a computer security investigation are:
1. Data collection
2. Forensic analysis
The investigation should resolve the incident in a manner that meets your organization's objectives. During the investigation phase, you assemble all the data collected to determine the who, what, when, where, and how of the incident in the forensic analysis process. Figure 3.4 illustrates the possible steps taken during the two phases of investigation.

Figure 3.4 Data collection and data analysis.

Data collection:
Network-based evidence: obtain IDS logs; obtain existing router logs; obtain relevant firewall logs; obtain logs from a centralized host (SYSLOG); perform network monitoring; obtain backups.
Host-based evidence: obtain the volatile data during a live response; obtain the system time; obtain time/date stamps for every file on the victim system; obtain all relevant files that confirm or dispel the allegation; obtain backups.
Other evidence: obtain oral testimony from witnesses.

Analysis:
1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date stamps: identify files uploaded to the system by the attacker; identify files downloaded or taken from the system.
3. Review the log files.
4. Identify unauthorized user accounts.
5. Look for unusual or hidden files.
6. Examine jobs run by the scheduler service.
7. Review the registry.
8. Perform keyword searches.

3.4.5.1 Data Collection

Data collection is the accumulation of all the facts and clues that should be considered during your forensic analysis. The basis of your conclusions is the data you collect. You may not be able to successfully comprehend how an incident occurred, or appropriately resolve an incident, if you do not collect all the necessary data. Before you can perform any investigation, you must collect data.
Data collection involves several different forensic challenges:
1. You must collect electronic information in a forensically sound manner.
2. You very often collect more data than you can read in your lifetime (computer storage capacity continues to grow).
3. You must handle the collected data in such a manner that it protects its integrity (evidence handling).
These requirements show that special skills are required to obtain technical evidence. During the data collection phase, the information you obtain can be divided into three fundamental areas: host-based information, network-based information, and other information.
1. Host-based information: The logs, records, documents, and any other information that is found on a system and not obtained from network-based nodes are included in host-based evidence. For example, host-based information may be a system backup which harbors evidence at a specific point in time. Gathering information in two different manners, live response and forensic duplication, should be included in host-based data collection efforts.

In most cases, when the victim or relevant system is powered down, the evidence that is required to understand an incident is ephemeral (temporary or changing) or lost. When attempting to understand the nature of an incident, this volatile data can provide critical information. Therefore, the collection of volatile information from a host, before this information is lost, is the first step of data collection.
At the time you respond, the volatile data provides a "snapshot" of a system. You need to record the following volatile information:
(a) The date and time of the system.
(b) The applications which are currently running on the system.
(c) The currently established network connections.
(d) The recently opened sockets (ports).
(e) The applications which are listening on the open sockets.
(f) The network interface state (promiscuous or not).
A live response must be performed in order to collect this information. When a computer system is still powered on and running, a live response is conducted. This actually means that the information contained in these areas must be collected without impacting the data on the compromised device. There are variations of live response:
(a) Initial live response: Initial live response involves obtaining only the volatile data from a target or victim system. When you have decided to conduct a forensic duplication of the media, an initial live response is usually performed.
(b) In-depth response: This obtains more than merely the volatile data. To determine a valid response strategy, the CSIRT obtains enough additional information from the target/victim system. Non-volatile information, such as log files, is collected to help understand the nature of the incident.
(c) Full live response: This is a full investigation on a live system. All data for the investigation is collected from the live system, usually in lieu of performing a forensic duplication, which requires the system to be powered off.
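The volatile items listed above can be collected on a Linux host with a short script that reads /proc and /sys directly, rather than trusting ps, netstat or ss on the suspect machine, and that hashes every output file so the collection can later be shown to be unaltered. The script below is an added example and not code from the book: the output file names and directory layout are this example's own choices, it resolves only IPv4 TCP sockets (/proc/net/tcp) for brevity, and it assumes a Linux system with coreutils (sha256sum or shasum) available on the responder's own media.

```shell
#!/bin/sh
# Added example: minimal live-response collector for a Linux host. It reads
# /proc and /sys directly so that binaries on the suspect system (possibly
# replaced by a rootkit) are not relied on. Run as root from read-only media
# and write the output directory to external media, never to the suspect disk.

# "0100007F" (little-endian hex, as stored in /proc/net/tcp) -> "127.0.0.1"
hex_to_ip() {
    b1=$(printf '%s' "$1" | cut -c1-2); b2=$(printf '%s' "$1" | cut -c3-4)
    b3=$(printf '%s' "$1" | cut -c5-6); b4=$(printf '%s' "$1" | cut -c7-8)
    printf '%d.%d.%d.%d' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))"
}

# One pass over /proc/*/fd: prints "inode pid:comm" for every socket descriptor.
# This answers item (e): which application holds a given socket. Root is needed
# to see other users' descriptors; otherwise only your own processes appear.
socket_map() {
    for fd in /proc/[0-9]*/fd/*; do
        l=$(readlink "$fd" 2>/dev/null || true)
        case $l in "socket:["*"]") ;; *) continue ;; esac
        ino=${l#socket:[}; ino=${ino%]}
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s:%s\n' "$ino" "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null || true)"
    done
}

# Items (c), (d), (e): IPv4 TCP connections and listening sockets with owner.
tcp_table() {
    [ -r /proc/net/tcp ] || { echo 'tcp: unavailable'; return 0; }
    map=$(socket_map)
    tail -n +2 /proc/net/tcp |
    while read -r sl laddr raddr st txrx trtm retr uid tmo inode rest; do
        case $st in 0A) state=LISTEN ;; 01) state=ESTABLISHED ;; *) state="st=$st" ;; esac
        owner=$(printf '%s\n' "$map" | awk -v i="$inode" '$1 == i { print $2; exit }')
        printf '%-12s %s:%d -> %s:%d owner=%s\n' "$state" \
            "$(hex_to_ip "${laddr%:*}")" "$((0x${laddr#*:}))" \
            "$(hex_to_ip "${raddr%:*}")" "$((0x${raddr#*:}))" "${owner:-unknown}"
    done
}

# Item (b): running processes as "pid, executable, command line". An exe link
# ending in "(deleted)" means the binary was removed after start: a backdoor sign.
proc_list() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
    done
}

# Item (f): bit 0x100 of the interface flags word is IFF_PROMISC (sniffer indicator).
iface_state() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        n=${f#/sys/class/net/}; n=${n%/flags}
        flags=$(cat "$f")
        if [ $((flags & 0x100)) -ne 0 ]; then mode=PROMISC; else mode=normal; fi
        printf '%s %s flags=%s\n' "$n" "$mode" "$flags"
    done
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Collect in order of volatility: clock first (item (a)), then sockets,
# processes and interfaces; finish with a hash manifest of everything written.
collect_volatile() {
    out=$1; mkdir -p "$out"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$out/date.txt"
    cat /proc/uptime > "$out/uptime.txt" 2>/dev/null || echo unavailable > "$out/uptime.txt"
    tcp_table > "$out/sockets.txt"
    proc_list > "$out/processes.txt"
    iface_state > "$out/interfaces.txt"
    (cd "$out" && for f in date.txt uptime.txt sockets.txt processes.txt interfaces.txt; do
        hash_file "$f"; done) > "$out/manifest.sha256"
}

if [ $# -eq 1 ]; then collect_volatile "$1"; fi
```

Run as `sh live.sh /media/responder/case-001/host-A` and store the manifest separately from the output so the hashes can be rechecked later. Note that reading /proc still executes code on the suspect system and creates a small footprint (the shell itself appears in processes.txt); record the hashes of your own toolkit before use so that footprint can be accounted for.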
You need to decide whether or not to perform a forensic duplication of the evidence media at some point (usually during your initial response). Generally, a forensic duplication is warranted if the incident is severe or deleted material may need to be recovered. While handling critical incidents, forensic duplication of the target media provides you with a "mirror image" of the target system, a copy which is the same as the original. For analysis, it provides a means to have working copies of the target media without worrying about altering or destroying potential evidence. Law enforcement generally prefers forensic "bit-for-bit, byte-for-byte" duplicates of target systems if the intent is to take judicial action. It is prudent to perform a forensic duplication if the incident could evolve into a corporate-wide issue with grave consequences.
2. Network-based evidence: Network-based evidence includes the following sources from which the information is obtained:
(a) IDS logs
(b) Consensual monitoring logs
(c) Nonconsensual wiretaps
(d) Pen-register/trap and traces
(e) Router logs
(f) Firewall logs
(g) Authentication servers
To confirm suspicions, accumulate additional evidence, and identify the perpetrators involved in an incident, an organization often performs network surveillance (network monitoring). Network surveillance is not intended to prevent attacks. Instead, it allows an organization to accomplish a number of tasks where host-based auditing may fail:
(a) Confirmation or dispelling of suspicions surrounding a supposed computer security incident.
(b) Accumulation of additional evidence and information.
(c) Verification of the scope of a compromise.
(d) Identification of additional parties involved.
(e) Determining a timeline of events that occurred on the network.
(f) Ensuring compliance with a desired activity.
3. Other evidence: The testimony and other information obtained from people are involved in other evidence. This is the process of collecting evidence by following more traditional investigative techniques. You may think of this as the collection of evidence via nontechnical means. This is the collection of personnel files, interviewing employees, interviewing witnesses, interviewing character witnesses, and documenting the information obtained.

3.4.5.2 Forensic Analysis


Forensic analysis consists of reviewing all the data collected. It also includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications, and graphic files. You can perform software analysis, review time/date stamps, perform keyword searches, and take any other necessary investigative steps. It also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space, or free space contain data fragments or entire files that may be useful to the investigation. Figure 3.5 depicts the major steps taken during forensic analysis.

[Figure 3.5: flowchart of the analysis of data, as far as legible. Preparation of data: create a forensic duplication of all evidence media; create a working copy; create file lists. Extraction: extract email and attachments; extract browser history files; recover deleted data; recover unallocated space; identify and decrypt encrypted files; perform string searches. Review: review installed applications; review statistical data; review the partition table; review the file system; review data collected during live response; perform file signature analysis; identify known system files; perform file-by-file review; perform software analysis; perform specialized analysis.]

Figure 3.5 Major steps taken during forensic analysis.

Before you begin to analyze the data, forensic analysis requires that you assemble and prepare the data collected. This procedure applies to the forensic exploration of host-based media and specifically hard drives.
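Two of the low-level tasks named above, file signature analysis and keyword searching through space that may hold logically deleted data, can be shown on a small raw image. The Python below is an added example, not the textbook's code or any product's: the image bytes are constructed inline, the signatures are well-known magic numbers, and each keyword is also searched in its UTF-16LE form because Windows stores many strings that way and an ASCII-only search would miss them.

```python
"""File signature analysis and keyword search over a raw image (added example)."""
import re

# (name, magic bytes at offset 0, extensions that legitimately carry it)
SIGNATURES = [
    ("png",  b"\x89PNG\r\n\x1a\n", {"png"}),
    ("jpeg", b"\xff\xd8\xff",      {"jpg", "jpeg"}),
    ("gif",  b"GIF8",              {"gif"}),
    ("pdf",  b"%PDF-",             {"pdf"}),
    ("zip",  b"PK\x03\x04",        {"zip", "docx", "xlsx", "pptx", "jar"}),
]


def identify(data):
    """Type implied by the leading bytes, or None if no known signature."""
    for name, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename, data):
    """True when the header says one type but the file name claims another."""
    name = identify(data)
    if name is None:
        return False            # unknown header: cannot judge the extension
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    allowed = next(exts for n, _, exts in SIGNATURES if n == name)
    return ext not in allowed


def carve_headers(image):
    """Offsets of every known signature anywhere in the image, including
    unallocated space, sorted by offset: (offset, type)."""
    hits = []
    for name, magic, _ in SIGNATURES:
        for m in re.finditer(re.escape(magic), image):
            hits.append((m.start(), name))
    return sorted(hits)


def keyword_search(image, keywords):
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE.
    Returns {keyword: [(offset, encoding), ...]}."""
    found = {}
    for kw in keywords:
        hits = []
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            hits += [(m.start(), enc) for m in pat.finditer(image)]
        found[kw] = sorted(hits)
    return found


def build_sample_image():
    """Constructed stand-in for a small raw image: file headers, a 'deleted'
    memo left in free space, and a UTF-16LE string of the kind Windows writes."""
    return b"".join([
        b"\x00" * 16,                                 # unused sectors
        b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,          # PNG header, padded
        b"%PDF-1.4\n%quarterly report\n",             # PDF header
        b"\x00" * 24,                                 # free space ...
        b"wire funds to offshore account",            # ... holding deleted text
        b"\x00" * 8,
        "Project Nightfall".encode("utf-16-le"),      # UTF-16LE string
        b"\x00" * 8,
        b"PK\x03\x04" + b"\x00" * 26,                 # ZIP local file header
    ])


if __name__ == "__main__":
    img = build_sample_image()
    print(carve_headers(img))
    print(keyword_search(img, ["offshore", "nightfall"]))
    print(extension_mismatch("holiday.jpg", img[16:64]))
```

Short signatures such as the two-byte "MZ" of executables are left out on purpose: on a full image they match by chance far too often, and a real carver validates the rest of the header before trusting them.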

3.4.6 Reporting

The most difficult phase of the incident response process is reporting. The challenge is to create reports that describe the details of an incident, that are understandable to decision makers, which can withstand the barrage of legal scrutiny, and that are produced in a timely manner.
We have come up with some tips to adhere to in order to ensure that the reporting phase does not become your CSIRT's nemesis:
1. Document immediately: It is necessary for all investigative steps and conclusions to be documented as soon as possible to ensure that the details of the investigation can be communicated more clearly to others at any moment. Writing something clearly and concisely the moment you discover evidence saves time, promotes accuracy, and helps if new personnel become involved or are assigned to lead the investigation.
2. Write concisely and clearly: Try to enforce the "write it tight" philosophy. Documenting investigative steps requires discipline and organization. You should write everything down in a fashion that is understandable to you and others. Do not use shorthand or shortcuts. Indefinite notations, incomplete scribbling, and other unclear documentation can lead to redundant efforts, forced translation of notes, confirmation of notes, and a failure to comprehend notes made by yourself or others.
3. Use a standard format: Develop a particular format for your reports and stick to it. For creating the permanent data, standard forms, outlines, and templates of incident response should be used. This helps in report writing, saves time, and promotes accuracy.
4. Use editors: To read your forensic reports, employ technical editors. This helps develop reports that are comprehensible to nontechnical people who have an impact on your incident response strategy and resolution (such as human resources personnel, legal counsel, and business leaders). Unfortunately, editors can inadvertently change the meaning of critical information, so the burden is still on you to review the final product prior to submission.

3.4.7 Resolution

To implement host-based, network-based, and procedural countermeasures to prevent an incident from causing further damage and to return your organization to a secure, healthy operational status is the goal of the resolution phase. In other words, in the resolution phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again.
If you are accumulating evidence for potential civil, criminal, or administrative action, it is always a good idea to collect all evidence before you begin to implement any security measures that would alter the evidence obtained. If you rapidly secure a system by changing your network topology, implementing packet filtering, or installing software on a host without proper review and validation, good investigative clues, such as the state of the system at the time of the incident, are often lost!
The following steps are undertaken to resolve a computer security incident:

1. Identification of your organization's top priorities, such as which of the following is the most critical to resolve: returning all systems to operational status, ensuring data integrity, containing the impact of the incident, collecting evidence, or avoiding public disclosure.
2. In order to understand and determine the nature of the incident, determine how the security breach occurred and what host-based and network-based vulnerabilities need to be addressed.
3. Determining if there are underlying or systemic causes (lack of standards, noncompliance with standards, etc.).
4. Restoring any affected or compromised systems. To ensure that the system performs as you expect it to perform, you may need to rely on a prior version of the data, server platform software, or application software as needed.
5. Applying corrections required to address any host-based vulnerability. Note that before being applied to production systems, all corrective techniques should be tested in a lab environment.
6. Applying the network-based countermeasures such as access control lists, firewalls, or IDS.
7. Assigning the responsibility for correcting any systemic issues.
8. If they take a significant amount of time to complete, track the progress on all corrections that are required.
9. Validation that all remedial steps or countermeasures are effective. This is verifying that all host-based, network-based, and systemic remedies have been applied correctly.
10. To improve your response process, update your security policy and procedures as needed.

3.5 Activities in Initial Response


Your organization will be confronted with many challenges soon after the alert that a computer security incident may have occurred. You will need a process that fosters the following:
1. There should be rapid and effective decision making.
2. In a forensically sound manner, there should be rapid accumulation of information.
3. There should be proper escalation of the incident.
4. To assemble your CSIRT, rapid notification of the participants is required.

3.5.1 Obtaining Preliminary Information


One of the primary steps of any study is to gain enough information to determine an appropriate response. This is the goal of the initial response phase. It is necessary for your organization's initial response to include the following activities:
1. Receiving the initial notification of an incident.
2. After the initial notification, record the details, including an incident declaration, if appropriate.
3. Assembling the CSIRT.
4. Perform the traditional investigative steps.
5. Interviews to be conducted.
6. Determine whether the incident is escalated or not.
Again, to develop an appropriate response strategy, the idea is to gather enough information.

3.5.2 Documenting Steps to Take


The other reason of the initial response phase is to document the steps that must be taken. When an incident is detected, organization and discipline prevent "knee-jerk" reactions and panic. A structured initial response also helps in promoting a reporting process and fosters maintaining good metrics. By recording the details of an incident in an organized fashion, your organization will have an accurate number (or as near as possible) of the types of attacks that occur, their frequency, the damage caused by these attacks, and the effect these attacks had on your organization. Such metrics, for measuring the return on investment (ROI) for having a formalized incident response program, are critical.
INCIDENT RESPONSE PROCESS • 57

3.6 Phases after Detection of an Incident

Once the incident has been identified and detected, the following phases should be followed.

3.6.1 Recording the Details after Initial Detection

A checklist is required for implementing an organized incident response program. One such checklist is the initial response checklist for recording the details after the initial notification of an incident. If it is possible that an incident occurred, you may also declare the incident as an attack.
1. Initial response checklist: To record the circumstances surrounding a reported incident, use an initial response checklist as the mechanism. We can divide our initial response checklist into two separate sections: one for general information and one for more specific details.
2. Second section of the initial response checklist: The second part of the initial response checklist could be used by the members of the CSIRT to address the technical details surrounding the incident. To obtain and record the information, a CSIRT member will need to personally respond. Specifically, the initial response checklist can be used to address the issues.

3.6.2 Incident Declaration

In most of the cases, it will be immediately obvious whether or not the activity is actually a computer security incident in which suspicious activity is reported. However, in a few cases, it may be difficult to determine whether an incident occurred based on the details recorded in the initial response checklist. If it is not clear whether the reported suspicious activity constitutes an incident, then it should most likely be considered an incident and treated as one until your investigation proves otherwise.
If you cannot immediately tell if an incident has occurred, we recommend that you assign a case or incident number, making it worth investigating. Once an incident is declared, the incident has an incident number (or case number) to be used as a specific reference to that incident. Incident numbers are often constructed in such a manner that shows chronology as well as the type of incident. You may wish to develop an incident numbering system that allows you to track the chronology of incidents you investigated and indicates the incident type.

3.6.3 Assembling the Computer Security Incident Response Team

Responding to incidents, many organizations have a CSIRT that is formed in response to a particular situation or incident rather than an established and dedicated centralized team. Therefore, the CSIRT needs to be staffed in real time after an incident is detected. Your organization must identify the types of skills and resources that are required from the rest of the organization to respond to that particular incident, to staff the team properly for a particular incident. To support the incident response effort, a variety of organizational areas contributes hardware, software, technical knowledge, and management. One of the biggest challenges to incident response is knowing who to contact and when. However, ... that an incident occurred, you do not want to go through notification pr...

3.6.5 Conducting Interviews

... sessions, when your CSIRT learns ... the facts surrounding the incident, such as ... occurred and when ... contacts, who may have ...; however, the answer ... it will be for you to ...

3.6.6 Formulating a Response Strategy

Arguably, your response strategy is the most important phase of incident response. In this phase, the response strategy is formulated to recover from the incident. Your response strategy should also include what remedial steps to initiate and the action against an internal employee or an external attacker.

[Figure 3.6: flowchart of formulating a response strategy, in which an Incident is Investigated, Classified, Resolved, and Closed, with Assess and Fulfill stages alongside.]

Figure 3.6 Formulating a response strategy.

Regardless of ... your organization ... multiple ... The ... after detection is shown in Fig. 3.6:
1. Response strategy considerations
2. Policy verification
3. ... procedure ...

Summary

This chapter highlighted the basics of the incident response process. We discussed the importance of planning with a focus on gathering information about the target of your incident response and techniques that ensure that you have the staff and equipment resources you need on site. Understanding what a computer security incident is, what incident response defines, and the steps taken during most responses puts your organization in a place to best guard its properties and its standing. We have encountered, all too often, companies that are incapable of handling even minor computer security incidents. As attacks become craftier and more focused, your CSIRT will need to be a well-oiled, capable (with the appropriate breadth of knowledge), well-mixed (including lawyers, technical staff, and perhaps law enforcement personnel), motivated team that fully understands the flow of incident response.

Key Terms

• Constituency: Implicit in the purpose of a CSIRT is the existence of a constituency. This is the group of users, sites, networks, or organizations served by the team. The team must be recognized by its constituency in order to be effective.
• Security incident: For the purpose of this document, this term is a synonym of Computer Security Incident: any adverse event which compromises some aspect of computer or network security.
• Constituency: A specific group of people and/or organizations that have access to specific services offered by a CSIRT.
• Vulnerability: This is a characteristic of a piece of technology which can be exploited to perpetrate a security incident. For example, if a program unintentionally allowed ordinary users to execute arbitrary operating system commands in privileged mode, this "feature" would be a vulnerability.
• Computer security incident: Any real or suspected adverse event in relation to the security of computer systems or computer networks. Examples of such events are intrusion of computer systems via the network (often referred to as "hacking").
• Computer security incident handling: By providing the basic set of services (triage, handling, and request), a team offers a defined constituency support for responding to computer security incidents. In addition to this basic set, an announcement service might also be offered.
• CSIRT: An acronym for "Computer Security Incident Response Team." This is a team providing services to a defined constituency. There are several acronyms used to describe teams providing similar types of services (e.g., CSIRC, CSRC, CIRC, CIRT, IHT, IRC, IRT, SERT, and SIRT). We have chosen to use the generic term "CSIRT," as it has been widely adopted in the computer security community.
• Liability: The responsibility of someone for damage or loss.
• Policy: A set of written statements directing the operation of an organization or community with regard to specific topics such as security or dealing with the media.
• Procedure: The implementation of a policy in the form of workflows, orders, or mechanisms.

Review Questions

1. What is incident and incident response?
2. What are the goals of incident response?
3. Explain the incident response methodology.

Chapter 4 Live Data Collection

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand live data collection on Microsoft Windows Systems.
• Understand live data collection on Unix-based Systems.
• Understand the importance of data collection.
• Interpret and apply various tools for data collection.
• Distinguish different methods for collection in the Windows and UNIX system.

Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene.

-David Mount

4.1 Introduction
In Chapter 2, we discussed the basic definition, types, and rules of digital evidences. Now, the first question that comes to our minds is: "How are these digital evidences collected?" Therefore, in this chapter, we discuss the facts or evidences that will be used to create the case file to take actions against an offender.
As we know, digital evidence is "Information of value to a criminal case that is stored or transmitted in digital form." The term "computer forensic" involves identification, sorting out, preparation of documents, and storing information that is kept or sent over in electronic or magnetic form, basically considered as digital evidence. For example, as with fingerprints, digital evidence is visible as the files are stored on disk that can be easily accessible by standard file management tools (like Windows Explorer), or can be hidden using a special method or software. The main purpose of computer forensic is to find these hidden evidences in order to increase its value.
Different standards have been created which are used to find out and preserve digital evidences. There are a number of the procedures accepted by law. Those are:
1. If evidence is not collected and handled according to the proper standards, ... the evidence inadmissible when it is presented and the jury members will never ... it or consider it in making their decision.
2. If the proof is admitted, the opposing lawyer can attack its q... Such an attack will produce doubt in jury members' minds ... treating their decision, and maybe even taint the quality of the ...

4.2 The Facts in a Criminal Case

The legal process of searching, examining, preserving, and exhibiting facts or evidence is generally governed by the law of authority of the court. This process will introduce an evidence. As an investigator, a person should first become familiar with the applicable laws. These rules are collected in a document called "rules of evidence". The rules of a federal court can be different from the rules of a state court. Before introducing evidence in court, it is important to find out the existence of that evidence. Although the detailed description has already been discussed in Chapter 3, we repeat the definition of evidence for the sake of convenience.

4.2.1 Definition of Evidence

Evidence can generally be defined as the means by which an alleged fact, the truth of which is subjected to scrutiny, is established or disproved. The legal significance of any given piece of evidence lies in its influence on the judge or jury at trial.

-Debra Littlejohn Shinder

4.2.2 Evidence Admissibility

There are certain requirements for evidence to be admissible or acceptable by court:
1. Evidence should be competent.
2. Evidence should be relevant.
3. Evidence should be material.
4. Evidence should be obtained legally.

Standards of Forensic Examination

Surpassing the minimum requirements of admissibility is always safest. If extra precautions are taken by investigators, it will not only decrease the possibility of evidence being rejected by a judge, but it will also help in making an impression on the jury.
Some organizations provide standard forensic governing examination methods or procedures for their members.
Standards regarding some digital evidence handling are:
1. The originality of the evidence should be preserved.
2. There should be an exact copy of the original, if possible, in order to maintain integrity of the evidence.
3. The copies should be preserved on a disk with no other documents available on the disk. That is, the disk should be cleaned before placing copies in it.

4.2.3 Collection of Digital Evidences

The first person to become aware of a cybercrime is always a network administrator. If the company has an IT incident response team, then this team will stop the crime progress immediately and freeze it before any law enforcement authorities take over.
There are several people involved in the process of collecting digital evidence: the first respondent (usually an officer or a security person, who reaches the crime scene first), the investigators, security specialists and technicians; there is also someone 'in-charge' of the crime scene who makes the decisions. This is usually the senior investigator. It is also important that the ... should cooperate in the process of investigation.
Every member of the investigators team should be aware of his/her role and should cooperate. Interaction among investigation team members is also an essential part in order to collect evidences successfully.

4.3 People Involved in Data Collection Techniques

Only a specialist in computer forensic should touch the system; care has to be taken to protect the computers from alteration and damage. The criminals who plant Trojan horses or something similar usually make their systems ready in such a way that all the evidences automatically get destroyed after rebooting or shutting down the systems by anyone except themselves.
There are several people involved in evidence collection techniques: the first respondent (usually an officer or a security person), investigators (usually a senior investigator), and the crime scene technicians (usually a person who is an expert in computer forensic). These people have been assigned with specific roles.

4.3.1 Role of First Respondent

The first respondent is the one who appears in crime locations, usually an officer or a security person. As shutting down or rebooting the system may destroy some important information or even evidence, the first respondent should not power off or restart the system, nor should he access the system to seek the evidence. He/she should follow the following process:
1. Identifying the crime location: The person (usually an officer), who arrives first at the crime scene, should be able to identify the depth of the crime and restrict access to the crime location. This location can be as wide as a room, or can consist of several rooms, or even multiple buildings. Constructing a list of computer systems that might have been involved in the crime scene is one of the tasks a first respondent should be able to do.
2. Protecting the crime scene: All the devices, including nonfunctional computers, mobile phones, notebooks, PDAs, or other portable devices, are considered a part of the crime scene. The first respondent should freeze the condition of all the devices and wait for the IT incident response team or investigator in-charge to decide if any equipment can be excluded.
3. Preserving temporary and tampered evidences: Evidence that could disappear or be destroyed before the arrival of the investigation team should be preserved and maintained by the first respondent. If there is surveillance (CCTV) available, then it is easier to have a record of the crime. But if there is no surveillance, then identifying the crime scene is a challenge for investigators.

4.3.2 Role of Investigators

The IT incident response team has the authority of collecting evidences before any law enforcement team arrives. To handle all the activities at the location of crime is generally the responsibility of an investigator. He/she will be responsible for:
1. A chain of order: An investigator should make sure that everyone at the crime scene is aware of the chain of order. Chain of order refers to the flow of the investigation process. All the systems and other equipment at the crime scene should not be touched, replaced, accessed, or ... without the permission of a senior investigator. The role of the investigator is to control and ... In case a senior investigator has to leave the location of crime, ... a person with similar designation to stay in contact with that person until all the ... been collected and shifted to a secure storage area.
2. Conducting the crime scene search: Officers should seek all the systems, hardware documents, and items like manuals and log files related to the crime. It involves mobile phones, printers, scanners, external devices such as flash drives, hard disks, CDs, DVDs, tapes, and more.
3. Preserving integrity of the facts or evidences: Criminals always remove all the evidences. This is the reason to preserve all the evidences in order to take action against the criminal. Investigators should make hard copies of all the evidences, if possible, and should be able to analyze the footprints of attackers/criminals.

4.3.3 Role of Crime Scene Technicians

They are the specialists/experts in computer forensic. They must have a background in the field of computer and its technology with all the computer-related terms like working of file systems, structure of disks, and location of files where data is stored.
Usually, crime scene experts are responsible for:
1. Preserving temporal evidences to replicating disks: Temporal data is sometimes known as volatile data located in the computer's memory, such as random-access memory. The disk containing evidences should be replicated or copied before shutting down the system, as there might be the possibility of disappearance of evidence after shutting down or rebooting the system.
2. Shutting down the computer system for transport: To preserve the integrity of original evidence, shutting down the systems properly is important. All the running programs or applications should be properly closed in order to avoid corruption of files.
One school of thought says, after making sure that no fragmentation or disk checking program is running, power off the system and also unplug the power cable to prevent running of self-destruct programs programmed to run after shut down.
But a UNIX system should not be shut down in an abrupt manner because it may damage the data files. Some experts in forensic suggest to change the account by the "su" command or use the "sync; sync; halt" command to power off the system; but this can only be done if the root password of the system is available.
3. Marking and recording the evidence: All the evidences should be noted or marked with time and date of evidence collected, initials of the investigator, case identification number, and other related information. All these tagged or noted evidences should be recorded in evidence log files.
4. Packaging of the evidence: All the digital evidences such as hand held, computer, laptops, PDAs, hard disks should be properly packed in antistatic bags for transport.
Written documents, such as notes, manuals, and books, should be placed in plastic bags in order to protect them from damage.
5. Transporting evidence: All the data should be securely transported to a secure evidence locker or room. The evidence should not come directly in contact with magnetic fields during transport nor left in direct contact with sunlight or any other place where temperature increases to 75° F.
6. Processing the evidence: The disk image can be reconstructed when the copy of the disk is brought back to the lab. Special tools are used to analyze the data.
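Items 1 and 3 above (copy before shutdown, then tag and log each item) and the standards in Section 4.2.2 (preserve the original, keep an exact copy) come together in the evidence log. The Python below is an added example, not the textbook's form or any agency's: it tags each item with the case identification number, the investigator's initials and the collection time, records a SHA-256 digest, keeps a custody trail, and later checks a working copy against the recorded digest. The tag format, case number, initials and image contents are constructed for the example.

```python
"""Evidence tagging, custody trail and copy verification (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data):
    """Digest used as the fingerprint of an item at collection time."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class EvidenceItem:
    tag: str            # constructed format: <case id>-E<sequence>
    description: str
    collected_by: str   # investigator initials
    collected_at: datetime
    sha256: str


class EvidenceLog:
    """One log per case; every action on an item is appended, never edited."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.items = {}      # tag -> EvidenceItem
        self.custody = []    # (tag, action, who, when), in order

    def record(self, description, data, initials, when):
        tag = f"{self.case_id}-E{len(self.items) + 1:02d}"
        item = EvidenceItem(tag, description, initials, when, sha256_hex(data))
        self.items[tag] = item
        self.custody.append((tag, "collected", initials, when))
        return item

    def transfer(self, tag, from_initials, to_initials, when):
        """Hand-over between people, e.g. technician to evidence locker."""
        if tag not in self.items:
            raise KeyError(tag)
        self.custody.append((tag, f"transferred {from_initials}->{to_initials}",
                             to_initials, when))

    def verify(self, tag, data):
        """True if `data` (a working copy, or the original after transport)
        still matches the digest recorded at collection."""
        return sha256_hex(data) == self.items[tag].sha256

    def custody_for(self, tag):
        return [c for c in self.custody if c[0] == tag]

    def lines(self):
        """Human-readable evidence log: one line per item, then per custody step."""
        out = []
        for item in self.items.values():
            out.append(f"{item.tag} | {item.description} | by {item.collected_by} "
                       f"| {item.collected_at.isoformat()} | sha256={item.sha256}")
        for tag, action, who, when in self.custody:
            out.append(f"{tag} | {action} | {who} | {when.isoformat()}")
        return out


def demo():
    """Constructed walk-through: collect one item, hand it over, verify copies."""
    log = EvidenceLog("CASE-0042")
    t0 = datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 4, 15, 30, tzinfo=timezone.utc)
    image = b"constructed stand-in for a disk image"
    item = log.record("Laptop HDD, forensic image", image, "NJ", t0)
    log.transfer(item.tag, "NJ", "DK", t1)
    return {
        "tag": item.tag,
        "copy_ok": log.verify(item.tag, bytes(image)),      # exact copy passes
        "altered_ok": log.verify(item.tag, image + b"\x00"),  # one extra byte fails
        "custody_steps": len(log.custody_for(item.tag)),
        "lines": log.lines(),
    }


if __name__ == "__main__":
    print("\n".join(demo()["lines"]))
```

Recording the digest at the moment of collection is what later lets a technician prove that the working copy analysed in the lab is bit-for-bit the item that was seized.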

4.4 Live Data Collection

The primary step of any digital investigation is to collect information and then decide the ... strategy. The steps vary in accordance with the type of incident. For example, there ... strategy to check whether an employee is stealing data present on a shared data server. You ... depth of circumstances prior to responding to the target system.
There are two ways of initial response: ensure there is an incident, and after that, obtain temporal data that will disappear if you power off the system. The investigator should be able to perform the initial response using very little operation and time and should be authorized to take a forensic duplication of the crime scene systems.

4.4.1 Live Data Collection from Windows System

Here, the first step is to determine whether the system was used by the victim or the attacker. We will discuss the preparations made prior to the incident and the formation of a response toolkit. After discussing toolkits, we will discuss how to collect temporal information so that it reduces the alteration of the system. Finally, we will make a decision about presenting a forensic replication of evidence.

4.4.2 Creating a Response Toolkit

We need to plan a policy to retrieve all the information without messing up with strong evidence. We have to be careful about not destroying or altering the evidence, and to do this we need to create a response toolkit.
Do not belittle the significance of creating a response toolkit. There should be an experienced and trusted person to collect files and burn them onto CDs. The toolkit should be in proper working condition. Testing the toolkit for the first time in a "live investigation" will be the biggest risk in the process of investigation.
1. Collecting the tools: It is critical to use trusted commands in all incident responses, irrespective of the type of incident. An investigator should maintain a CD or a floppy that involves a minimum of the tools described in Table 4.1.

Table 4.1 Response Toolkit tools

Tool | Description | Source
cmd.exe | The command prompt for Windows NT and Windows 2000 | Built in
PsLoggedOn | A utility that shows all users connected locally and remotely | www.foundstone.com
rasusers | A command that shows which users have remote access privileges on the target system | NT Resource Kit (NTRK)
netstat | A system tool that enumerates all listening ports and all current connections to those ports | Built in
Fport | A utility that enumerates all processes that opened any TCP/IP ports on a Windows NT/2000 system | www.foundstone.com
PsList | A utility that enumerates all running processes on the target system | www.foundstone.com
ListDLLs | A utility that lists all running processes, their command-line arguments, and the dynamically linked libraries (DLLs) on which each process depends |
nbtstat | A system tool that lists the recent NetBIOS connections for approximately the last 10 minutes | Built in
arp | A system tool that shows the MAC addresses of systems that the target has communicated with in the last minute | Built in
kill | A command that terminates a process | NTRK
md5sum | A utility that creates MD5 hashes for a given file | www.cygwin.com
rmtshare | A utility that displays the shares accessible on a remote machine | NTRK
netcat | A utility used to create a communication channel between two systems | www.atstake.com/research/tools
cryptcat | A utility used to create an encrypted channel of communication | http://sourceforge.net/projects/cryptcat
dumpel | A utility used to dump the contents of the event logs | www.foundstone.com
ipconfig | A system tool that displays interface configuration information | Built in
PsInfo | A utility that outputs information about the local system build | www.foundstone.com
PsFile | A utility that shows files that are opened remotely | www.foundstone.com
PsService | A utility that shows information about current services | www.foundstone.com
auditpol | A utility used to display the current security audit settings | NTRK
doskey | A system tool that displays command history for an open cmd.exe shell | Built in
There are two types of applications available in Windows:
1. Based on GUI (Graphical User Interface)
2. Based on CUI (Control User Interface)
GUI involves pull-down menus and usually works in the background or "behind the scene" interactions. However, experts advise to avoid GUI for investigation. Table 4.1 contains the Response Toolkit.
Figure 4.1 shows the md5sum command used to generate the text file (named commandsums.txt).

[Figure 4.1 listing: at the E:\IRResponse> prompt, md5sum is run over the response toolkit and the result is displayed with "type commandsums.txt". Each line is a 32-character MD5 hash followed by a toolkit file name; the legible names include cmd.exe, net.exe, netstat.exe, loggedon.exe, psapi.dll, pslist.exe, fport.exe, listdlls.exe, md5sum.exe, pulist.exe, cygwin1.dll and commandsums.txt itself. The hash values are not legible in the scan.]

Figure 4.1 md5sum to create a checksum for the response toolkit.

3. Preparing the response toolkit: We assure that the toolkit will work exactly as intended and it should
not alter the target system. There are several stages to prepare the toolkit for initial response:
(a) Tag a response toolkit media: Documenting the collection itself is the first step in the evidence collection process. CDs or floppies should be tagged, to identify that this is your part of the investigation. The
tag may contain information such as the case identification number, time and date of the investigation,
name of the investigator who created the response media, and name of the investigator who used that
response media.
(b) Check the dependencies: It is necessary to identify which files the response tool is to depend on.
Filemon can be used to determine all the files used and affected by each of the utilities in the toolkit.
There should not be a tool which will alter information of the target system, although knowing
which tool changes the access time on files of the target system is beneficial.
(c) Creating checksum for the response toolkit: There is always a file which contains the checksum of
all the commands. This file is usually a text file.
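The checksum file described in (c), as an added example that is not the book's code: the Python below builds an md5sum-style manifest for a toolkit (the role commandsums.txt plays in Figure 4.1) and, before the toolkit is used on a live system, verifies every file against it so that a modified, missing or extra binary is reported instead of silently trusted. The toolkit contents are constructed stand-ins; the file names come from Table 4.1 and Figure 4.1, and read_toolkit_dir is an assumed helper for reading a real response CD.

```python
"""Build and verify an md5sum-style manifest for a response toolkit.

Added example: not the book's code. The sample toolkit contents below are
constructed stand-ins, not real binaries.
"""
import hashlib
import os

MANIFEST_NAME = "commandsums.txt"   # file name used in Figure 4.1


def md5_hex(data: bytes) -> str:
    """MD5 digest as lowercase hex, the same form md5sum prints."""
    return hashlib.md5(data).hexdigest()


def build_manifest(files: dict) -> str:
    """files maps file name -> file content. Returns md5sum-compatible text:
    one '<hash>  <name>' line per file, sorted by name so the manifest is
    reproducible when it is regenerated."""
    lines = [f"{md5_hex(content)}  {name}" for name, content in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse md5sum output back into {name: hash}; blank lines are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_toolkit(files: dict, manifest_text: str) -> dict:
    """Compare the toolkit on hand against the manifest it was burned with.

    Returns the three ways it can differ; 'ok' is True only if all are empty.
    The manifest file itself is excluded: it cannot contain its own hash."""
    expected = parse_manifest(manifest_text)
    present = {n: c for n, c in files.items() if n != MANIFEST_NAME}
    modified = [n for n, h in expected.items() if n in present and md5_hex(present[n]) != h]
    missing = [n for n in expected if n not in present]
    unexpected = [n for n in present if n not in expected]
    return {
        "ok": not (modified or missing or unexpected),
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


def read_toolkit_dir(path: str) -> dict:
    """Assumed helper for a real response CD: read every file under `path`
    (relative names as keys) so it can be passed to build/verify."""
    out = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, path).replace(os.sep, "/")] = fh.read()
    return out


# Constructed sample toolkit (names from Table 4.1 / Figure 4.1, contents invented).
SAMPLE_TOOLKIT = {
    "cmd.exe": b"constructed stand-in for the trusted cmd.exe",
    "pslist.exe": b"constructed stand-in for pslist.exe",
    "fport.exe": b"constructed stand-in for fport.exe",
    "nc.exe": b"constructed stand-in for netcat",
}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_TOOLKIT)
    print(manifest, end="")
    print("verification:", verify_toolkit(SAMPLE_TOOLKIT, manifest))
    tampered = dict(SAMPLE_TOOLKIT, **{"nc.exe": b"replaced on the target"})
    print("after tampering:", verify_toolkit(tampered, manifest))
```

The manifest should be generated on the clean workstation, burned to the media together with the tools, and a copy kept off the media as well: a manifest that only lives next to the binaries it describes can be rewritten along with them.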

4.4.3 Saving Information Collected During Initial Response

We can collect a lot of information from the live system at the time of initial response. The data collected from the system under investigation is significant, since the system is powered on at this moment. There are four options available for saving the information that has been retrieved from the live system:

1. The information should be saved on the hard drive of the target system.
2. The obtained data should be noted by hand.
3. The data should be saved on a floppy disk or other external device.
4. The obtained data should be stored on a forensic system by using cryptcat or netcat.

It is not advisable to save the data to the hard drive because it alters the system. Saving the data manually by hand is not feasible as the volume of data would be larger. Use of floppy drives is not feasible because the storage capacity of the floppy is less compared to recent storage devices which are compact in size, such as removable USB drives. These are the best solution in the place of floppy drives.
The storage capabilities of these compact devices are fascinating. They are available in a range of sizes, having the capacity of storing the toolkit as well as the collected data. These devices will work with any computer having USB ports. Experts suggest that one should obtain a few of these devices for the response toolkit.
Even if these devices are good to store a large amount of information related to an investigation, there is still a need of a network to save the information. Netcat is a widely used tool to transfer the data from the target system to remote forensic workstations.

Moving of Data Using Netcat

Netcat is a freely available tool that can be used to establish a communication channel between hosts. We
can use this at the time of initial response to establish a TCP connection between the forensic workstation
and the target system. Netcat is easy to use. To use Netcat, we need the IP address of the target system and
a laptop with sufficient storage capacity to keep the information we have collected. Netcat helps to transfer all the
significant system information and data that is required to confirm whether an event has occurred or not.
There are two practices promoted by this technique:

1. It helps to quickly get on and off the target system.
2. It also provides an offline feature of reviewing the information which was previously attained.

[Figure 4.2 Use of Netcat at the time of initial response. The figure shows the NT system on the left running the trusted commands date, time, loggedon, fport, pslist and nbtstat -c, the forensics workstation on the right receiving their output, and three numbered steps: (1) run trusted commands on the NT server, (2) send the output to the forensics box, (3) perform an offline review and md5sum the output files in an organized, forensically sound fashion.]

We need to initialize a Netcat listener on the forensic workstation. We also need to redirect all the
incoming data. Figure 4.3 shows the listener for the incoming connection on port 2222; the file called pslist will contain
all the information received on port 2222. The output of the response command is provided to the
forensic workstation by using Netcat on the target system. Figure 4.3 runs the command for pslist,
sending the output to the forensic workstation with the IP address 192.168.0.20.

E:\IRResponse>nc -l -p 2222 > pslist

Figure 4.3 Setting up the netcat listener on the forensic workstation.

Netcat is unaware of the completion of the data transfer while transferring the files in this manner. We
need to disconnect the connection after the completion of the data transfer by pressing CTRL-C on the forensic
workstation. The stopping of disk activity on the target system or no growth of the file size will indicate that
the data transfer is completed.
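The listener-and-sender exchange just described, as an added example that is not the book's code: both ends are emulated in Python over the loopback interface so it runs offline. The workstation side plays `nc -l -p 2222 > pslist`, the target side plays `pslist | nc <workstation> 2222`. Where the book's listener cannot tell when the transfer is finished and has to be stopped with CTRL-C, the sender here closes its write side after streaming, so the receiver sees end-of-file, stops on its own, and returns the bytes with their MD5 for the response log. The pslist text is constructed sample output, and port 0 (let the OS choose a free port) is an assumption made so the example runs anywhere.

```python
"""Netcat-style collection over a TCP socket, emulated end to end over loopback.

Added example, not the book's code. The pslist output below is a constructed
stand-in; port 0 means "any free port" and is an assumption for portability.
"""
import hashlib
import socket
import threading

# Constructed stand-in for what `pslist` would print on the target.
SAMPLE_PSLIST_OUTPUT = (
    b"Name        Pid Pri Thd  Hnd   Priv      CPU Time    Elapsed Time\n"
    b"System        2   8  32  219      0   0:00:12.046   3:11:07.210\n"
    b"inetinfo    160   8  16  206   3412   0:00:01.031   3:10:58.140\n"
)


def _receive_until_eof(listener: socket.socket, chunks: list) -> None:
    """Workstation side: accept one connection and read until the peer closes.
    A zero-length recv() is the EOF that tells us the transfer is complete,
    the signal the text says netcat lacks (hence CTRL-C)."""
    conn, _peer = listener.accept()
    with conn:
        while True:
            block = conn.recv(4096)
            if not block:
                break
            chunks.append(block)


def collect_over_network(payload: bytes, host: str = "127.0.0.1", port: int = 0) -> dict:
    """Run listener and sender in one process and return what the workstation
    stored, with its MD5 so it can be entered in the response log."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen(1)
    bound_port = listener.getsockname()[1]

    chunks: list = []
    receiver = threading.Thread(target=_receive_until_eof, args=(listener, chunks))
    receiver.start()

    # Target side: connect, stream the command output, then close the write half
    # so the listener sees EOF instead of waiting for a CTRL-C.
    with socket.create_connection((host, bound_port)) as sender:
        sender.sendall(payload)
        sender.shutdown(socket.SHUT_WR)

    receiver.join(timeout=10)
    listener.close()

    received = b"".join(chunks)
    return {
        "port": bound_port,
        "bytes": len(received),
        "md5": hashlib.md5(received).hexdigest(),
        # exact check; watching the file size stop growing only approximates it
        "complete": received == payload,
    }


if __name__ == "__main__":
    print(collect_over_network(SAMPLE_PSLIST_OUTPUT))
```

The MD5 returned here is of the bytes as received on the workstation, which is what should go in the log: if the same command's output is hashed again on the target, the two values should agree, and a mismatch means the transfer was truncated or altered in transit.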

4.4.4 Obtaining Volatile Data

Exactly which data is to be collected is determined in this section. Here, we need to retrieve temporal data
from the Windows NT/2000 system before powering off the system. We collect the following temporal/volatile
data before forensic duplication:
1. The date and the time of the system.
2. List of users that are currently logged on.
3. Entire file system's time and date stamps.
4. List of processes that are currently running.
5. List of sockets that are open currently.
6. Applications that are listening on the open sockets.
7. List of systems that have current or had recent connections to the system.
If you are aware that the investigation is improbable to require forensic duplication, you need to
collect a lot of information. Here are some steps that are important to retrieve as soon as possible, because
the information may disappear on turning off the system and performing forensic replication.

4.4.5 Documenting and Managing the Investigation

For accurate incident response, it is necessary to have the technical skills. Practices that are documented and
organized are important. There are two main reasons for documenting the actions while responding to a
victim system:

1. To protect the organization to which you belong.
2. To collect the data that may become evidence against the offender or criminal.

What if the server, from which the information has been received, crashed? We should have MD5 checksums
of the information we took on the system. We also note the binaries, with their path, used to collect the information.
In the process of investigation, the start time, which binary we are using, whether it is trusted or untrusted, and the
command line being executed should also be recorded. Then we create the MD5 sum of the data retrieved. Any
significant comments are also added. An example of this form is illustrated in the following table:

Start Time  Command Line                        Trusted  Untrusted  MD5 Sum of Output                    Comments
12:15:22    type lmhosts | nc 192.168.0.1 2222  X                   d32e531d6553ee93c08900913857eef3     contents of lmhosts file
12:15:27    pslist | nc 192.168.0.1 2222        X                   ded672ba8b2ebf5be...ef672201003fe8   (hash partly illegible in scan)
12:15:32    netstat -an | nc 192.168.0.1 2222   X                   52285a2311332453efe202343857eec3

Using this form will help us get information for future references. This method helps in ensuring that
the investigators plan ahead.
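The form above as code, an added example that is not the book's: each step is recorded with its start time, command line, whether the binary came from the trusted toolkit, the MD5 of the output and a comment, and the log renders as the same table. The trusted/untrusted decision is made mechanically from the command line, which is the point the text makes about running binaries by their full path on the response media; the toolkit path E:\IRResponse is taken from Figure 4.1, and the command outputs are constructed.

```python
"""Response-log form from Section 4.4.5 as code.

Added example, not the book's. TRUSTED_TOOLKIT_DIR is the response media path
seen in Figure 4.1; the sample command outputs are constructed.
"""
import hashlib
from dataclasses import dataclass

TRUSTED_TOOLKIT_DIR = r"E:\IRResponse"   # response media (from Figure 4.1)


@dataclass
class ResponseEntry:
    start_time: str
    command_line: str
    trusted: bool
    md5_of_output: str
    comments: str


def is_trusted_invocation(command_line: str, toolkit_dir: str = TRUSTED_TOOLKIT_DIR) -> bool:
    """A step counts as trusted only if the first program in the pipeline is
    invoked by its full path on the response media. A bare 'pslist | nc ...'
    resolves pslist through the target's PATH, which is the trap the text
    warns about (even 'type' needs the trusted cmd.exe, being a built-in)."""
    first = command_line.split("|", 1)[0].strip()
    program = first.split()[0] if first else ""
    prefix = toolkit_dir.lower().rstrip("\\") + "\\"
    return program.lower().startswith(prefix)


def record_step(log: list, start_time: str, command_line: str,
                output: bytes, comments: str = "") -> ResponseEntry:
    """Append one row: the MD5 is taken over the output bytes as stored."""
    entry = ResponseEntry(start_time, command_line, is_trusted_invocation(command_line),
                          hashlib.md5(output).hexdigest(), comments)
    log.append(entry)
    return entry


def render_form(log: list) -> str:
    """Fixed-width text table in the column order used in the text."""
    rows = [f"{'Start Time':<10} {'Command Line':<56} {'Trusted':<8} "
            f"{'Untrusted':<10} {'MD5 Sum of Output':<32} Comments"]
    for e in log:
        trusted_mark = "X" if e.trusted else ""
        untrusted_mark = "" if e.trusted else "X"
        rows.append(f"{e.start_time:<10} {e.command_line:<56} {trusted_mark:<8} "
                    f"{untrusted_mark:<10} {e.md5_of_output:<32} {e.comments}")
    return "\n".join(rows)


def untrusted_commands(log: list) -> list:
    """Steps that ran through the target's own binaries; their output needs a caveat."""
    return [e.command_line for e in log if not e.trusted]


# Constructed steps mirroring the table in the text (outputs invented).
SAMPLE_STEPS = [
    ("12:15:22", r"E:\IRResponse\cmd.exe /c type lmhosts | nc 192.168.0.1 2222",
     b"127.0.0.1 localhost\n", "contents of lmhosts file"),
    ("12:15:27", r"E:\IRResponse\pslist.exe | nc 192.168.0.1 2222",
     b"Name Pid Pri Thd Hnd\nSystem 2 8 32 219\n", ""),
    ("12:15:32", "netstat -an | nc 192.168.0.1 2222",
     b"Active Connections\n", "built-in netstat, not from the toolkit"),
]


def build_sample_log() -> list:
    log: list = []
    for start, cmd, out, note in SAMPLE_STEPS:
        record_step(log, start, cmd, out, note)
    return log


if __name__ == "__main__":
    print(render_form(build_sample_log()))
```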

4.4.6 Collecting Temporal Data

After knowing what data should be collected and how to document the response, it is time to retrieve the
temporal data. Following are the steps used for collecting the data:
1. Run a trusted cmd.exe: As discussed earlier, investigators should be careful about the traps that have
been implemented by an attacker, which will mislead the investigator into a wrong incident response.
There might be a need to run cmd.exe on the victim system, only to find that you actually ran del *.* in the
\winnt\system32 directory, rendering the system virtually inoperable.
Running a trusted version of cmd.exe from your own toolkit will be the best solution for this problem.
Figure 4.4 shows the Run command used to open the trusted cmd.exe on the floppy drive of a Windows system.

[Figure 4.4 Running the trusted version of cmd.exe: the Windows Run dialog ("Type the name of a program, folder, or document, and Windows will open it for you") with the path of the trusted cmd.exe on the floppy drive entered in the Open box.]

2. Recording the system time and date: After executing the trusted command shell, it is a good idea to
capture the local system date and time settings. This is important to correlate the system logs as well
as the times at which you performed your response. The time and date are obtained with the date and time
commands built into the cmd.exe application. Figure 4.5 illustrates the execution of the date command,
saving the output to date.txt on the floppy drive. The second command in the figure appends the
output of the time command to the date.txt file.
A:\>type date.txt
The current date is: Fri 02/02/2001
Enter the new date: (mm-dd-yy)
The current time is: 9:[illegible]
Enter the new time:
A:\>

Figure 4.5 Obtaining the date and time of the system.

To indicate that you do not want to change the setting, press the "enter" key.
3. Identify who has logged on to the system and who are the remote access users: Identifying the
active connections of the user accounts is the next step. As shown in Figure 4.6, Russinovich created a
utility which provides the information about the local and remote users.
It is necessary to identify which user accounts have remote access rights on the target system, in
order to respond to a system that offers remote access via modem. You need to decide if you want to
pull the telephone lines from the system at the time of response, if several accounts access systems via
Remote Access Services (RAS).

A:\>loggedon
LoggedOn v1.1 - Logon Session Displayer
Copyright (C) 1999-2000 Mark Russinovich
SysInternals - www.sysinternals.com

Users logged on locally:
WEBTARGET\batman
No one logged on via resource shares.

A:\>loggedon
LoggedOn v1.1 - Logon Session Displayer
Copyright (C) 1999-2000 Mark Russinovich
SysInternals - www.sysinternals.com

Users logged on locally:
WEBTARGET\batman
Users logged on via resource shares:
(null)\doe

Figure 4.6 Use of PsLoggedOn to list the users that are currently logged on to the system.

You may not want to allow any access to the target system while you respond. The command to determine
the number of users who have remote access rights is called rasusers.
4. Record creation, access time, and all the modifications made to the files: To get the list of all the
directory files on the target machine, the "dir" command is used. It includes the access, alteration, and creation
time and date stamps. The time and date stamps become the evidence, and the significant information about
the time frame when an event occurred is identified. Windows system performs the task of collecting
time and date stamps very quickly.

An example of using the "dir" command to gain access, modification, and time of creation:

dir /t:a /a /s /o:d c:\    Provides a recursive directory listing of all the access times on the C: drive
dir /t:w /a /s /o:d d:\    Provides a recursive directory listing of all the modification times on the D: drive
dir /t:c /a /s /o:d e:\    Provides a recursive directory listing of all the creation times on the E: drive

5. Identifying open ports: There are several networking commands available, out of which Netstat can
be used to determine which ports are open. It also enlists all listening ports and current connections
to those ports. Volatile data, such as recently terminated connections and current connections, can
be recorded using Netstat. Figure 4.7 illustrates the execution of the Netstat command on an NT server
machine. There are several local host connections in the output. The applications on the local host
127.0.0.1 will always be displayed by the Netstat command.

[Figure 4.7 View of the Netstat command: output of "netstat -an" under the heading "Active Connections", with the columns Proto, Local Address, Foreign Address and State. The listing shows TCP ports bound to 0.0.0.0 in the LISTENING state (among them 25, 80, 135, 443, 1026, 1028, 1029, 1031 and 3970), loopback connections between 127.0.0.1 ports 1025-1030 in the ESTABLISHED state, the host's own 192.168.0.100 NetBIOS ports 137-139, an ESTABLISHED connection between 192.168.0.100 and 192.168.0.20, and UDP sockets on ports 135, 137 and 138. Individual lines are not fully legible in the scan.]


6. List of applications that are associated with open ports: Knowing which services listen on those
ports is the next step. The fport utility is used to list all the processes bound to listening ports. Figure 4.8 shows
the fport command and its corresponding output.

[Figure 4.8 View of the fport command: "A:\>fport" prints the banner "FPort - TCP/IP Process to Port Mapper, Copyright 2000 by Foundstone, Inc., http://www.foundstone.com" followed by the columns Pid, Process, Port, Proto and Path. The legible rows show inetinfo (PID 160, D:\WINNT\System32\inetsrv\inetinfo.exe) on ports including 25, 80, 443 and 1031, RpcSs (PID 79, D:\WINNT\System32\RpcSs.exe) on TCP and UDP 135, msdtc (PID 91, D:\WINNT\System32\msdtc.exe) on ports 1027-1029, and the System process (PID 2) on the NetBIOS ports 137-139 and others. Other lines are not legible in the scan.]

7. List of all running processes: It is necessary to record all the processes that are currently executing on
the system before turning off the target system. Unplugging the power cable will destroy this informa-
tion. The executable code that resides in address space has been created when a process is created on the
Windows system. To manage the process and maintain statistical information about the process, a
kernel object is created by the operating system.
8. List of current and recent connections: To know who is connected or who has connected recently,
the networking commands like Netstat, ARP, and Nbtstat are useful. On a Windows system,
these utilities might be the only way to determine a remote system connection. Many
experts refer to the Netstat command to enlist the ports that are opened. As discussed,
fport lists open ports and the application listening to them, Netstat lists the
IP address of the remote system and the current connections, and ARP is
used to map IP addresses to MAC addresses. The utility nbtstat lists the
NetBIOS name cache, listing the recent NetBIOS connections for approximately the last 10 minutes.
The example of Nbtstat is shown in Figure 4.9.

A:\>nbtstat -c
Node IpAddress: [192.168.0.100] Scope Id: []

    NetBIOS Remote Cache Name Table

    Name               Type       Host Address    Life [sec]
    ------------------------------------------------------------
    GENGIS     <00>    UNIQUE     192.168.0.20    600
    GENGIS     <20>    UNIQUE     192.168.0.20    600

A:\>nbtstat -c
Node IpAddress: [192.168.0.100] Scope Id: []

    NetBIOS Remote Cache Name Table

    Name               Type       Host Address    Life [sec]
    ------------------------------------------------------------
    GENGIS     <20>    UNIQUE     192.168.0.20    [illegible]

Figure 4.9 Using Nbtstat to view recent NetBIOS connections.


9. Record date and time of target system: Recording the date and time of the target system ensures that you
have a record of when you were logged on to that system. It can be used as evidence: if anything
changed on the system outside the timeframe you have recorded, you are not responsible for that alter-
ation.
10. Commands accessed at the time of initial response: We can use the doskey /history command to show
the history of the commands that were accessed on the system. Figure 4.10 shows the use of the
doskey /history command.

A:\>doskey /history
date
time
[illegible]
netstat -an
nbtstat [options illegible]
fport
cls
doskey /history

Figure 4.10 Use of doskey to record the steps taken during initial response.

4.5 Live Data Collection from UNIX System

The initial response for incidents is similar for both Windows system and UNIX. The goal of live data collection is to obtain temporal or volatile data before forensic duplication. The response can be expanded by obtaining configuration files, system files, files that are suspicious programs, and log files to confirm quickly whether the event has occurred.
Recovering deleted files in the UNIX system becomes a major difference in working with UNIX and Windows. In Windows, files that correspond to a running process cannot be deleted from the hard drive, whereas in UNIX, program files can be deleted even if the process is running. In this section, we will see live data collection from a UNIX system by creating a response toolkit, obtaining temporal data, recovering files before turning off the system, and finally conducting live data collection.

4.5.1 Creating a Response Toolkit

It is difficult to create a trusted toolkit as it takes a lot of time; the reason behind this is that every variant of
UNIX requires a toolkit of its own. In some cases, you may need to compile the source code on your own because
some recommended tools are not included with the official UNIX system.
Before going further, many versions of UNIX system are not forward or backward compatible. For example,
programs compiled on a Solaris 2.7 system may not work properly on Solaris 2.6 and vice versa. These issues
make your response toolkit time consuming. The number of resources is also increased because of this issue.

4.5.2 Saving Information Obtained at the Time of Initial Response

You must choose where to save the information retrieved at the time of initial response. The storage options are:
1. Save the data on the local hard drive.
2. Save the data on external devices such as USB or tape drives.
3. Record the information manually (i.e., by hand).
4. To transfer the retrieved data to the forensic workstations, use Netcat or cryptcat.

When possible, saving the data on local drives should be avoided. The information you save on the local
hard drive will destroy the deleted data that was in unallocated space; this may be of investigative value
when data recovery or forensic analysis is required.
Newer versions of Linux support USB drive connections, and they are also useful for information collection
by direct connection. But there is a solution for this limitation: use of Netcat to transfer the
data over a network to a forensic workstation. Use of Linux in the forensic workstation provides a faster response.
This helps to overcome the limitation of storage space. We use netcat to transfer the information across the
network, and "pipe" the netcat stream through des to encrypt the transfer. The cryptcat command offers an
encrypted TCP channel in a single step.
The best time to respond should be considered after selecting how to retrieve information from the
target system. There should be a need for determining the network connectivity of the target system. After
determining the network connectivity, you can now respond at the console of the target system.

4.5.3 Obtaining Volatile Data before Forensic Duplication

After collecting temporal data, you need to respond to the target system console rather than accessing it over
a network. This reduces the possibility of the attacker stalking the response and also ensures that you are
running a trusted command. You should focus on gathering the temporal data of the system before shutting
down the system, if you are certain that you will be creating a forensic duplicate of the target system.
Temporal data may involve running processes, the contents of system RAM, data of files that are
unlinked, and also the sockets that are currently open. Files marked for deletion, which are removed
when the processes that access them are turned off, will vanish when the system is turned off. The response
toolkit is created in such a way that it will recover each type of volatile data before deletion.

Collecting the data

The following information should be collected:
1. Date and time of the system.
2. A list of users that are currently logged on.
3. Entire file system's time and date stamps.
4. List of processes that are currently in running state.
5. List of currently open sockets.
6. List of applications that are listening to those open ports.
7. List of systems that have current or recent connections to the system.
For obtaining live data, the following steps should be followed:

1. Run a trusted shell: One of two scenarios you get when you respond to the target system running
UNIX: the machine executing in console mode and the machine executing X Windows.

X Windows should be closed before initiating a response, in order to avoid common X Windows-
based vulnerabilities that allow the attacker to log keystrokes. You should be able to switch to another
virtual console by pressing Alt+F2.
To avoid generating network jamming, log on at the victim console with root-level privileges. You
need to implement your trusted toolkit and respond with the trusted tools. This command, mount /dev/fd0 /mnt/floppy, will mount the trusted toolkit on the mount point /mnt/floppy. You will
be able to access the trusted files when you change the directory to /mnt/floppy.
To be certain about execution of a trusted command shell is the first step in all responses. Attackers
attack the UNIX shell to log all the commands executed on the system or to perform criminal activi-
ties hidden from the investigator. This is the reason to run your own trusted shell. The Bash shell can be used
for this purpose. Set the PATH environment variable equal to dot (.) after executing your trusted shell. The
possibility of executing untrusted commands that are in the target system's PATH will be reduced.
2. Record the time and date of the system: Recording local time and date is necessary for future refer-
ence. It will also display when you were on the system. The following command can be used to capture
this information:

Tue [month and day illegible] 16:12:[illegible] UTC 2003

3. Identify who is currently logged on to the system: It is easy to identify who is logged on. We just
need to execute the w command. The user IDs of logged on users, the system they logged on from, and
what they are currently executing can be displayed by using this w command.
Following shows the example of the w command:
[root@conan /root]# w
 11:39pm  up 3:11,  3 users,  load average: 1.27, 1.43, 1.34
USER     TTY      FROM               LOGIN@   IDLE   JCPU   PCPU  WHAT
nada     ttyp0    intern.rahul.net    8:30pm  3:02m  1:06   0.15s telnet bothost
bovine   ttyp1    shell1.bothost.b    8:35pm  3:02m  1:01   0.12s -bash
mandiak  ttyp2    ad31-225-75.pit    11:38pm  0.00s  0.25s  0.11s w
[root@conan /root]#

The header line in the output shows the current time of the system, how long the system has been
in the running state, the number of users that are currently logged in, and the system load average for the
past 1, 5, or 15 minutes.
4. Record creation, alteration, and access time of each file: You have to obtain all the time and date
stamps on the file system. There are three time/date stamps available for each file in Windows and
UNIX systems, i.e., atime (i.e., access time), mtime (i.e., modification time), and ctime (i.e., inode change
time). With the use of proper command line arguments to obtain these times for each file, you can
use the trusted command ls. Following shows the demonstration of obtaining time/date stamps and
saving the output on the trusted floppy disk:

ls -alRu / > /floppy/atime
ls -alRc / > /floppy/ctime
ls -alR / > /floppy/mtime

The R option in the ls command forces a recursive listing, for which it takes some time. Sometimes you
may be forced to use other media or cryptcat/Netcat because this data may not fit on a 1.44 MB floppy drive.
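The three listings above capture the same three stamps for every file; the added example below, which is not the book's code, collects them programmatically and then builds a single timeline out of them. It uses os.lstat rather than opening files, because reading a file's contents would update the very atime being recorded, while a stat call does not. The records are constructed sample values (Unix epoch seconds); the directory walked and the output medium are assumptions.

```python
"""Collect atime/mtime/ctime for a tree and build a timeline from them.

Added example, not the book's code. The records below are constructed sample
values (Unix epoch seconds), not taken from a real system.
"""
import os
import time


def collect_stamps(root: str) -> list:
    """Walk `root` without opening any file; one record per directory entry.
    os.lstat reads the inode only (no atime update) and does not follow
    symlinks, so a link planted to point elsewhere is recorded as the link."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            records.append({"path": full, "atime": st.st_atime,
                            "mtime": st.st_mtime, "ctime": st.st_ctime})
    return records


def timeline(records: list, start: float, end: float) -> list:
    """Every (timestamp, kind, path) event inside [start, end], oldest first.
    One file contributes up to three events, so a file touched during an
    incident window shows up whether it was read, written, or had its inode
    changed (permissions, ownership, link count)."""
    events = []
    for r in records:
        for kind in ("atime", "mtime", "ctime"):
            t = r[kind]
            if start <= t <= end:
                events.append((t, kind, r["path"]))
    events.sort()
    return events


def format_listing(records: list, kind: str) -> str:
    """Lines in the spirit of the three ls listings, sorted by the chosen
    stamp, newest first, with the time rendered in UTC."""
    lines = []
    for r in sorted(records, key=lambda r: r[kind], reverse=True):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r[kind]))
        lines.append(f"{stamp}  {r['path']}")
    return "\n".join(lines)


# Constructed records: an old system file, a freshly created file under a
# hidden /tmp directory, and a log written and read shortly afterwards.
SAMPLE_RECORDS = [
    {"path": "/etc/passwd", "atime": 1063728000.0, "mtime": 1060000000.0, "ctime": 1060000000.0},
    {"path": "/tmp/.x/tool", "atime": 1063728600.0, "mtime": 1063728300.0, "ctime": 1063728300.0},
    {"path": "/var/log/messages", "atime": 1063728900.0, "mtime": 1063728800.0, "ctime": 1063728800.0},
]


if __name__ == "__main__":
    for ev in timeline(SAMPLE_RECORDS, 1063728000.0, 1063728700.0):
        print(ev)
    print(format_listing(SAMPLE_RECORDS, "mtime"))
```

Note that running collect_stamps on the live system still changes the directories' own atimes, just as the recursive ls does; what it avoids is altering the atime of the files whose access history is the evidence.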
5. Identify open ports: The most widely used command for listing open ports on a UNIX system is Net-
stat. Determining which applications are responsible for the open network sockets is difficult. To view
all the open ports, use the -an options. To tell the Netstat command not to resolve the host name,
which reduces the impact on the system and speeds up the execution of the command, the -n option is used.

[root@conan /root]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    176 66.192.0.66:22          66.192.0.26:20819       ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*

6. Enlist applications associated with open ports: The -p option of the Netstat command is used to map the
name of the application and its process identification number (i.e., PID) to the open ports.
[root@conan /root]# netstat -anp
Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
 1) tcp        0      0 0.0.0.0:143       0.0.0.0:*         LISTEN   385/inetd
 2) tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   395/sshd
 3) tcp        0      0 0.0.0.0:512       0.0.0.0:*         LISTEN   385/inetd
 4) tcp        0      0 0.0.0.0:513       0.0.0.0:*         LISTEN   385/inetd
 5) tcp        0      0 0.0.0.0:514       0.0.0.0:*         LISTEN   385/inetd
 6) tcp        0      0 0.0.0.0:23        0.0.0.0:*         LISTEN   385/inetd
 7) tcp        0      0 0.0.0.0:21        0.0.0.0:*         LISTEN   385/inetd
 8) udp        0      0 0.0.0.0:69        0.0.0.0:*                  385/inetd
 9) raw        0      0 0.0.0.0:1         0.0.0.0:*
10) raw        0      0 0.0.0.0:6         0.0.0.0:*

This output displays the PID and program name for each open port. If you examine line 1, you can see that
inetd (PID 385) is listening for IMAP on TCP port 143, and line 2 indicates that sshd (PID 395) is listening
for TCP packets on port 22. Lines 6 and 7 show that inetd is also listening on TCP ports 23 and 21. Now we
can identify which processes are responsible for opening the specific Internet ports.
op cw n~ 11<..
7. Identify the running processes: Taking a snapshot of all the running processes during the initial
response is important. The ps command is used for this; its arguments and output format differ on
different UNIX flavours. The use of the ps command is illustrated as follows:

(Output of the ps command: the process listing is not legible in the source scan apart from several
/sbin/mingetty tty entries.)
The ps command gives a snapshot of all running processes, and a UNIX system typically has many of them.
When looking for rogue processes, a system administrator should take advantage of the ps command output:
it is useful for spotting processes with unusual names, processes that were started at an odd time,
processes executing from an unusual location such as /dev, and processes running with privileges they
should not have.
8. List the current and recent connections: We have already discussed the use of the Netstat command.
It provides the information about the current connections made to the system.
9. Record the time of the system: The date command is used to record the current system time. It will
help to know the exact time frame when you altered or manipulated the system. It will help to know
that any modifications made outside this time frame are not due to your investigation.
10. Record the steps taken: The commands that you have executed should be recorded. Possibilities can
be: use of script, history, or vi if live response is performed from the editor. As you have retrieved all the
commands from the trusted shell, the use of the history command will make a record of commands that
have been executed. Still, experts recommend using the script command, which records the output and the
keystrokes made by you. This command should be executed before performing live response.
11. Record cryptographic checksum: md5sum can be used against all the files in the data directory to record
the cryptographic checksum of all collected information:

[root@conan /root]# md5sum * > md5sums.txt
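Steps 3 to 11 above run as one scripted collection, as an added example; this is not the book's own script. It runs each command in the order the steps give, keeps the output of each in a collection directory, logs what was run and when (the record that step 10 asks for), and checksums the collected files (step 11). It assumes a GNU/Linux host; the recursive ls is bounded to a directory tree passed as an argument rather than / as in the text, a tool missing from the host is logged instead of aborting the collection, and the trusted binaries the text describes are assumed to be first on PATH (on a real response you would invoke them by their path on the response media).

```shell
#!/bin/sh
# Added example, not the book's own script. Runs the volatile-data steps above
# (logged-on users, file timestamps, open ports and owning processes, running
# processes, system time), logs every command run (step 10) and checksums the
# collected files (step 11). Assumes a GNU/Linux host; the response media's
# trusted binaries are assumed to be first on PATH.

timestamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_step OUTDIR NAME CMD...: run one collection command, keep its stdout in
# OUTDIR/NAME and record in the log what ran, or that the tool was missing.
run_step() {
    outdir=$1; name=$2; shift 2
    log="$outdir/collection.log"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s missing tool: %s\n' "$(timestamp)" "$1" >> "$log"
        return 0
    fi
    printf '%s run: %s\n' "$(timestamp)" "$*" >> "$log"
    # stderr goes to the log as well; a non-zero exit is recorded, not fatal,
    # because partial output (ls hitting an unreadable directory) is still evidence.
    rc=0
    "$@" > "$outdir/$name" 2>> "$log" || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf '%s exit status %s from %s\n' "$(timestamp)" "$rc" "$name" >> "$log"
    fi
}

# collect_volatile_data OUTDIR [TREE]: steps 3 to 9. TREE bounds the recursive
# listing (the book lists /, which rarely fits on removable media).
collect_volatile_data() {
    outdir=$1; tree=${2:-/etc}
    mkdir -p "$outdir"
    : > "$outdir/collection.log"
    run_step "$outdir" date_start  date                # step 9: reference clock
    run_step "$outdir" logged_on   w                   # step 3
    run_step "$outdir" atime       ls -alRu "$tree"    # step 4: access times
    run_step "$outdir" ctime       ls -alRc "$tree"    #         inode change times
    run_step "$outdir" mtime       ls -alR "$tree"     #         modification times
    run_step "$outdir" ports       netstat -an         # step 5
    run_step "$outdir" ports_pid   netstat -anp        # step 6
    run_step "$outdir" sockets_ss  ss -anp             # modern replacement for netstat
    run_step "$outdir" processes   ps aux              # step 7
    run_step "$outdir" date_end    date
}

# checksum_collected OUTDIR: step 11. sha256sum is preferred to the book's
# md5sum when present (MD5 collisions are practical); either manifest can be
# re-checked later with the same tool's -c option.
checksum_collected() {
    outdir=$1
    hasher=$(command -v sha256sum || command -v md5sum)
    ( cd "$outdir" && for f in *; do
          if [ "$f" != checksums.txt ]; then "$hasher" "$f"; fi
      done > checksums.txt )
}

# verify_collected OUTDIR: non-zero exit if any collected file no longer
# matches the manifest.
verify_collected() {
    hasher=$(command -v sha256sum || command -v md5sum)
    ( cd "$1" && "$hasher" -c checksums.txt > /dev/null )
}

# Stand-alone use: sh collect.sh OUTDIR [TREE]
if [ $# -ge 1 ]; then
    collect_volatile_data "$1" "${2:-/etc}"
    checksum_collected "$1"
    verify_collected "$1" && echo "collected to $1; manifest verified"
fi
```

Invoked with an output directory (ideally on the response media, not on the host being examined) and optionally the tree to list, it collects, writes the manifest and verifies it; the manifest can be re-checked at any later time with the hashing tool's -c option, which is what makes the collected files defensible as unchanged.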

Storing Information Obtained During Initial Response

Most of the UNIX variants place their log files in /var/adm. To know where the logs are stored, you need to
be familiar with each variant of the UNIX system. Now, we discuss how retrieval of log files is carried out.
To retrieve the log files from the system, we can use several combinations of the Netcat, cryptcat, dd, and des
commands. You should acquire at least three binary log files and the common ASCII text log files. Following
shows the binary log files of particular interest:
1. utmp file, accessed with the w command.
2. wtmp file, accessed with the last utility.
3. lastlog file, accessed with the lastlog utility.
4. Process accounting logs, accessed with the lastcomm utility.
Some ASCII text log files are as follows:
1. xferlog
2. Web access logs
3. History files

Obtaining Important Configuration Files

The configuration files commonly accessed or modified by attackers are maintained by UNIX. To locate
unauthorized user IDs and unauthorized trusted relationships, each of these configuration files is important
to be reviewed. Here is the list of which files should be obtained during initial response.
1. To look for unauthorized user accounts: /etc/passwd.
2. To ensure about password authentication of every account: /etc/shadow.
3. To look for escalation in scope of access and privileges: /etc/groups.
4. To list the DNS (Domain Name System) entries: /etc/hosts.
5. To review trusted relationships: /etc/hosts.equiv.
6. To look in the start-up files: /etc/rc.
7. To list scheduled events: crontab files.
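The checks an investigator runs over items 1, 3, and 5 of this list once the files have been copied off the host, as an added example; this is not code from the book. It assumes copies of /etc/passwd, the group file (the list writes /etc/groups; on Linux the file is /etc/group) and /etc/hosts.equiv have been collected, and the sample files are constructed inside the script so that it runs offline.

```shell
#!/bin/sh
# Added example, not the book's code: review checks over collected copies of
# /etc/passwd, /etc/group and /etc/hosts.equiv. Sample files are constructed
# below; on a real response, point the functions at the collected copies.

# audit_passwd FILE: flag accounts that are root-equivalent (UID 0) under a
# name other than root, the classic unauthorized account list item 1 looks
# for, and accounts whose password field is empty (no password needed).
audit_passwd() {
    awk -F: '
        NF < 7                  { next }                       # skip malformed lines
        $3 == 0 && $1 != "root" { printf "uid0 %s\n", $1 }
        $2 == ""                { printf "nopass %s\n", $1 }
    ' "$1"
}

# audit_group FILE: print the membership of the privileged groups, so that an
# unexpected addition (the escalation in scope of access of list item 3)
# stands out on review.
audit_group() {
    awk -F: '$1 ~ /^(wheel|sudo|root)$/ && $4 != "" { printf "%s %s\n", $1, $4 }' "$1"
}

# audit_hosts_equiv FILE: report "+" wildcard entries, which trust every host
# (first field) or every user (second field) for rlogin/rsh without a
# password; the trusted relationships of list item 5.
audit_hosts_equiv() {
    awk '!/^#/ && ($1 == "+" || $2 == "+") { printf "wildcard %s\n", $0 }' "$1"
}

# write_sample_configs DIR: constructed sample files for demonstration only.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice,toor
users:x:100:alice,guest
EOF
    cat > "$1/hosts.equiv" <<'EOF'
# hosts trusted for rlogin (constructed sample)
build01.example.internal
+ +
EOF
}

# Stand-alone use: sh audit_configs.sh DIR, where DIR holds passwd, group and
# hosts.equiv; with no argument the constructed samples are audited.
if [ $# -ge 1 ]; then dir=$1; else dir=$(mktemp -d); write_sample_configs "$dir"; fi
audit_passwd "$dir/passwd"
audit_group "$dir/group"
audit_hosts_equiv "$dir/hosts.equiv"
```

On the constructed sample the checks report the second UID 0 account "toor", the passwordless "guest", the wheel membership containing both, and the "+ +" line that trusts every user on every host; each of those is a finding to confirm against the system's documented configuration, not proof of compromise by itself.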
Dumping System RAM

There is no proper way to dump the system RAM on the UNIX system. One option is to capture the /proc/kcore
file from the target system, and some types of analysis can be done on this file.

Summary
Incident response (during early response) is a phase of initial information gathering to determine whether or
not illegal, unofficial, or intolerable activity occurred, and the information gathered during your initial
response forms the basis for your level of response. During the initial response, it may be necessary to
capture live data (volatile evidence) before it is lost through actions such as rebooting or shutting down a
system. When live data collection is necessary, it is critical to adhere to sound forensic principles and
alter the state of the system as little as possible. The information you obtain during the response may
lead to administrative or legal proceedings.

Key Terms

• Recovery certificate: A method NTFS uses, so that a network administrator can recover encrypted files
if the file's user/creator loses the private key encryption code.
• Registry: A Windows database containing information about hardware and software configurations,
network connections, user preferences, set up information, and other critical information.
• Sector: A section on a track typically made up of 512 bytes.
• Track density: The space between tracks on a disk. The smaller the space between tracks, the more tracks
on a disk. Older drives with wider track densities allowed the heads to wander.
• Tracks: Concentric circles on a disk platter where data is stored.
• Trusted Computing Group (TCG): A nonprofit organization that develops support standards for trusted
computer access across multiple platforms.
• Trusted Platform Module (TPM): A microchip that stores encryption key data used to encrypt and decrypt
drive data.
• Inodes: A key part of the Linux file system, these information nodes contain descriptive file or
directory data such as UIDs, GIDs, modification times, access times, creation times, and file locations.
• International Organization of Standardization (ISO): An organization set up by the United Nations to
ensure compatibility in a variety of fields, including engineering, electricity, and computers. The acronym
ISO is the Greek word for "equal."
• Leaf nodes: The bottom-level nodes of the B*-tree that contain actual file data in the Macintosh file
system.
• Logical blocks: In the Macintosh file system, a collection of data that cannot exceed 512 bytes. These
are assembled in allocation blocks to store files in a volume.
• Logical EOF: In the Macintosh file system, the number of bytes in a file containing data.
• Master Directory Block (MDB): On older Macintosh systems, the location where all volume information is
stored. A copy of the MDB is kept in the next-to-last block on the volume. Called the Volume Information
Block (VIB) in HFS+.

Review Questions
1. What are the different ways to organize and document an investigation?
2. How do you store information obtained during initial response in the UNIX system?
3. Explain response tool kit. How do you create a response tool kit for Windows?

Forensic Duplication

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the importance of forensic duplication.
• Distinguish different types of forensic duplication images.
• Interpret and apply various tools for forensic duplication.

The investigator gets one and only one chance to do it right because digital evidences are fragile.

-R. Rowlingson

5.1 Introduction to Forensic Duplication

A forensic duplicate contains the same digital data as the original piece of evidence. Often the forensic
duplication process starts alongside the data collection process, based on the response strategy that has
already been formulated.

5.2 Rules of Forensic Duplication (Thumb Rule)

1. Make two copies of the original media (digital evidence).
(a) One copy becomes the working copy on which investigation will be done.
(b) One copy is a library/control copy for future reference.
(c) Verify the integrity of the copies.
2. The working copy is used for the analysis.
3. The library copy is stored for disclosure purposes or in the event the working copy becomes corrupted.
4. If performing a drive to drive imaging (not an image file
5. Verify the integrity of all images using hash values.
During an incident, a significant amount of data is collected. One of the most comprehensive sources of
knowledge about what happened lies in plain sight on the hard drives of your organization's systems. In this
chapter, we discuss the processes, formats, and tools that are employed by the forensic community to create
forensic duplicates. You will realize that the law permits a lower threshold for the data that is acceptable
and admissible. By design, a tool may realize the duplication in different ways and may even come up with the
simplest duplicate possible; by all means, however, you need to endeavor for credibility that will answer to
your team and to any judge that will demand it.
With this in mind, there are two kinds of duplication: a straightforward duplication and a forensic
duplication. A straightforward duplication consists of creating a replica of specific information. The
information might be a single file, a group of files, a partition on a hard drive, a whole hard drive, or
different parts of information storage devices. A forensic duplication is an accurate copy of information
that is created with the goal of being admissible as proof in legal proceedings. Furthermore, we have a
tendency to define forensic duplication as a copy of each accessible bit from the source medium. We
encourage you to think about all information you collect as proof which will contribute to a legal process,
and so you must perform duplications with strategies that are generally accepted within the forensic
community. In this chapter, we have discussed a number of the considerations associated with making
straightforward and forensic duplicates, and we practice some of the most common strategies in use. What
tools must you select for performing a forensic duplication? Building on the legal standards in place to
control the acceptability of expert testimony, we believe that a forensic duplication tool should prove
itself within the following areas. A vital note to keep in mind throughout this chapter is that we have a
tendency to use the term "tool" to describe any imaging solution. This solution may be software or hardware.
1. The tool should have the power to image or account for each little bit of accessible data on the medium.
2. The tool should produce a forensic duplicate of the original medium.
3. The tool should handle read errors in a very robust manner. If the imaging operation fails after
repeated retries, the error is noted and the process continues. A placeholder is also placed within the
output file with an equivalent size as the portion of the input with errors. The contents of this placeholder
should be detailed within the tool's documentation.
4. The tool or the method should not make any change to the original medium.
5. The tool should generate results that are repeatable and verifiable by a third party.
6. The tool should generate logs that detail the actions requested and any errors encountered.
5.3 Necessity of Forensic Duplication

We have seen how volatile data is collected from Windows and UNIX systems. Now, the next step is to create a
forensic duplicate. In this section, we discuss how forensic duplicates are created and the need of creating a
forensic duplicate.
A forensic duplicate is a document file containing every bit of information obtained from the source in
a raw bitstream format. The data is stored as it is from the hard drive to the forensic duplicate device. For
example, a 5 GB hard drive results in a 5 GB forensic duplicate. The file does not contain any extra data
other than error compensation in the image while reading the content of the original. After the duplication
process, the forensic duplicate can be compressed.
It is important that the digital evidence is protected. In all cases the computer/media should be protected,
because once the digital evidence (devices like those shown in Figure 5.1) is contaminated, it cannot be
recovered. The investigator should take care to not change the digital evidence during any step of the
investigation. Examining a live file system changes the state of the evidence. Hence, the forensic
duplication is important; this section summarizes the importance:
1. Working from a duplicate image:
(a) Preserves the original digital evidence.
(b) Prevents inadvertent alteration of original digital evidence during examination.
(c) Allows recreation of the duplicate image if necessary.
2. Digital evidence can be duplicated with no degradation from copy to copy:
(a) This is not the case with most other forms of evidence.

Figure 5.1 Example of digital devices.

5.4 Forensic Duplicates as Admissible Evidence

Digital evidence should satisfy minimum criteria of legal standards. It should satisfy the best evidence rule.
Even the process which has been followed by the investigator to collect digital evidence also comes under
inspection. The investigation process/duplication process as well as the evidence should justify the best
evidence rule. Some standards are given by the United States, known as Federal Rules of Evidence (FRE).
1. FRE § 1002 requires an original to prove the content of a writing, record, or photograph. This means
the item or information presented in court must be original. It follows from the best evidence rule:
Copying can introduce errors.
2. FRE § 1001(3) states that if data are deposited in a computer or alike device, any printout or other
output readable by sight, shown to reflect the data precisely, is an "original."
3. FRE § 1003 states that a duplicate is admissible to the same extent as an original if:
(a) An honest question is raised as to the authenticity of the original, or
(b) In the circumstances, it would be unfair to admit the duplicate in lieu of the original.
As familiarity with digital data increases, the behavior of the judicial system will increase in rationality.

5.5 Important Terms in Forensic Duplicate

5.5.1 Forensic Duplicate

A forensic duplicate stores every bit of information from the source. For example, forensic duplication of a
5 GB hard drive results in 5 GB of forensic duplicate, except in the case where errors occurred in a read
operation. When this situation arises, a placeholder is put where the data would have been. After a duplication
process, a forensic duplicate may be compressed. Two tools can be used to create a true forensic duplicate:
the UNIX dd command and the computer forensics lab version of the dd command, that is, dcfldd. The tool
called ODD or Open Data Duplicator can also be used to create a true forensic duplicate.

5.5.2 Qualified Forensic Duplicate

The file that stores every bit of information from the source in an altered form is referred to as a qualified
forensic duplicate. In-band hashes and empty sector compression are the examples of two altered forms. Some
tools read a number of sectors from the source; after reading a number of sectors, they create a hash from
that group of sectors and write the sector group followed by the hash value to the output file. If something
goes wrong during the duplication, this method will work very well. For reducing the size of the output file,
empty sector compression can be used. SafeBack and EnCase can be used to generate a qualified forensic
duplicate. Sometimes, you may need to use proprietary software to restore qualified forensic duplicate files.

5.5.3 Restored Image

Restoration of a forensic duplicate or qualified forensic duplicate to another storage media results in a
restored image. It is a complicated process. As the forensic duplicate is restored to the destination hard
drive, the partition tables are updated with the new values. The restored image may involve some
modifications in the original image. To create a qualified forensic duplicate, tools like SafeBack, EnCase,
or dd can be used; there is no need (sometimes) to restore EnCase and dd images. The detailed working of
SafeBack, EnCase, and dd has been discussed in this chapter.

5.5.4 Mirror Image

A hardware device that does a bit-for-bit copy from one HDD to another is used to generate a mirror image.
Generating a mirror image presents an extra step in the forensic investigation process. You can easily make
working copies if your organization has the capability to keep the original drive separated from the
computer system being examined. The analyst will be obliged to generate a working copy of the mirror image
for study if the original is returned. Hardware copiers like Logicube's Forensic SF-5000 and Intelligent
Computer Solutions' Image MASSter Solo-2 Professional Plus are simple "set up and operate."

5.6 Forensic Image Formats

Most IR groups can produce and process three primary types of forensic images: (a) complete disk, (b)
partition, and (c) logical. Every image has its purpose, and your team ought to perceive when to use one
image instead of the other. Most significantly, your team has to perceive the implications of that selection.
Though the whole disk image is the most desirable format, as it is the most comprehensive and captures the
contents of the storage medium in a static state, technology, business priorities, or other constraints may
demand a special method. In this section, we will discuss the image formats available to your team. Figure
5.2 exemplifies the scope of every format.

5.6.1 Complete Disk Image

The process for creating a "complete disk image" is meant to duplicate each addressable unit on the
medium. This includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs). Though some
difficulties might exist (e.g., HPAs, DCOs, and remapped sectors), the expectation remains that the
resultant image captures each allocation unit at that moment in time. Once the method cannot complete, as
we have mentioned earlier, it must fail in a predictable manner. If we assume a perfect situation, a drive
with no unhealthy sectors, no Host Protected space, and one that properly reported its true number of
sectors, what would a complete disk image contain? Figure 5.2 depicts a standard hard drive, one that you
may expect to find in a system purchased from an aftermarket supplier, like Dell or HP. It contains a boot
sector, three partitions, and a bit of unallocated space at the end of the drive. After you get an entire
disk image, the image file contains each allocation unit, or sector, accessible to the imaging software.
Being the most thorough of the three options, the process will allow an examiner to review data contained
in drive management blocks, OEM recovery partitions, any user-generated partition, and unallocated sectors
that may have held data at one time. In addition, if you need to perform recovery of data partially
overwritten by a format operation, you stand the best chance of doing so by starting with the entire disk.

Figure 5.2 Drive layout example. (The figure shows a boot sector, an OEM partition, Partition 1, and
Partition 2, with the scope of a partition image, the scope of a logical image, and the scope of a complete
disk image marked.)

5.6.2 Partition Image

Most forensic imaging tools permit you to specify a single partition, or volume, as the source for an image.
A partition image is a subset of a whole disk image and contains all of the allocation units from a single
partition on a drive. This includes the unallocated space and file slack present within that partition. A
partition image still affords you the chance to perform low-level analysis, recover deleted files, and
examine slack area from that partition. Even if you image each partition on a drive, there are other parts
of a disk that contain data. Reserved areas at the beginning or end of the drive, the space between
partitions, and any unallocated area will not be captured. Because a partition image captures only part of
a drive, it is taken solely under special circumstances. There could be issues of authority or a disk that
is too large, which stop you from taking a complete disk image; or the imaging tool may not understand the
rest of the disk, ... so that you need only the one partition. In that case, imaging just the partition would
be the right selection.

5.6.3 Logical Image

A logical image is less of a "forensic image" and more of a simple copy. It is the type of duplication we
have earlier referred to as a "simple duplication." Although logical copies are usually the last resort,
there are good reasons why they are the duplication type most commonly encountered. Common situations we
have come across are as follows:
1. Specific files are needed to satisfy a legal request. There are situations where only specific files are
needed for a response, and taking an entire disk image may not be possible because of legal restrictions.
2. A selected user's files from a NAS or SAN device are of interest to the investigation. In some situations,
users' deleted or hidden files from NAS or SAN devices could not be recovered because of the way objects
are laid out on the back-end disk structures; therefore, an entire disk duplication is pointless.
3. A duplication of information from a business-critical NAS or SAN is needed. Your organization might
not allow the IR team to require a disk outage to perform duplication, and you will not be able to take a
full image. A logical image is usually the most acceptable alternative in these cases.
When one takes a logical image, ensure that you document the decision for later reference. What tools or
processes might be used for making logical images? As with information collected through full duplications,
ensure that you document the files' information as well as integrity hashes. FTK Imager can produce a
container for logical files; it will document and enable you to manage the integrity of the proof properly.
What happens after you are handed information that does not fit the standards that your team has set? This
is often a frequent incidence in our experience: a system administrator provides you a copy of a VM server
consisting of all of the files related to a virtual machine (e.g., VMX, VMDK, and VMSS files), or a network
administrator drops 8 GB of network captures on your table. In these situations, document as much as you
are able to and treat the information as you would a forensic image your team collected.

5.6.4 Image Integrity

When a forensic image is formed, typically hash checksums are generated for two reasons. First, once the
image is taken from a device which is static (offline) and protected from modification, the hash is employed
to verify and demonstrate that the forensic image is a true and exact duplicate of the original medium.
Second, the hash is employed to verify that the data was not changed since the point in time at which the
image was acquired. Once you are working with static images, the hashes serve each function. If, however,
the image was acquired from a live system, or in order to obtain a logical file copy, or if the original
medium was not protected by a write blocker, the hash is just used to make sure that the integrity has been
maintained throughout the process.
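The dd acquisition of a true forensic duplicate from 5.5.1, with the two hash purposes described above, as an added example; this is not code from the book. The source is hashed before and after the copy to show the image is an exact duplicate of an original that did not change during acquisition, and the image hash is recorded in a log so that any later change to the image can be detected. It assumes a constructed 1 MiB file standing in for a block device (on a real acquisition the source would be a device node such as /dev/sdb behind a write blocker, written to sterile media); the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not the book's own code: a raw (true) forensic duplicate made
# with dd, as 5.5.1 describes, with the two hash checks of 5.6.4. The source is
# hashed before and after the copy to show the image is an exact duplicate of
# an unchanged original, and the image hash is recorded so that later changes
# can be detected. The source here is a constructed 1 MiB file standing in for
# a block device.

hash_of() {
    # Hex digest of one file. SHA-256 when available, else MD5 (the book's
    # tool); MD5 collisions are practical, so prefer SHA-256 for new work.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

make_sample_source() {
    # Constructed stand-in "drive": 1 MiB of zeros with a marker at offset 512,
    # i.e. a whole number of 4096-byte blocks, like a real sector device.
    dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null
    printf 'CONSTRUCTED SAMPLE VOLUME' | dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null
}

acquire_image() {
    # acquire_image SRC IMG LOG. conv=noerror,sync makes dd continue past a
    # read error and pad the failed block with zeros, which is the
    # "placeholder where the data would have been" of 5.5.1. bs must divide
    # the device size exactly, or sync pads the tail and the image hash will
    # no longer equal the source hash.
    src=$1; img=$2; log=$3
    before=$(hash_of "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>> "$log"
    after=$(hash_of "$src")
    imghash=$(hash_of "$img")
    {
        printf 'acquired=%s\nsource=%s\nimage=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img"
        printf 'source_hash_before=%s\nsource_hash_after=%s\nimage_hash=%s\n' "$before" "$after" "$imghash"
    } >> "$log"
    # Success only if the source did not change during the copy and the image
    # matches it bit for bit.
    [ "$before" = "$after" ] && [ "$imghash" = "$before" ]
}

verify_image() {
    # verify_image IMG LOG: recompute the image hash and compare it with the
    # value recorded at acquisition; non-zero exit means the image changed.
    recorded=$(sed -n 's/^image_hash=//p' "$2" | tail -n 1)
    [ -n "$recorded" ] && [ "$(hash_of "$1")" = "$recorded" ]
}

# Stand-alone use: sh acquire_and_verify.sh SOURCE IMAGE [LOG]
if [ $# -ge 2 ]; then
    acquire_image "$1" "$2" "${3:-acquire.log}" && verify_image "$2" "${3:-acquire.log}" \
        && echo "image verified; hashes recorded in ${3:-acquire.log}"
fi
```

The log that acquire_image appends to is the record a third party needs to repeat the verification (rule 5 of the thumb rules, and requirement 6 of the tool criteria): dd's own record counts land in it through the stderr redirection, followed by the three hashes. A source hash that differs before and after the copy means the medium changed while being read, which is exactly the case 5.6.4 reserves for a live or unprotected source, where the image hash can only attest to integrity from the moment of acquisition onward.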
5.7 Traditional Duplication

As previously mentioned, the three sorts of images can be created in either a static or a live method. In
this section, we have discussed the traditional imaging technique.
Traditional imaging is performed on static drives (i.e., drives that are not a part of a live, running
system). The system has been turned off and booted to a forensic imaging environment, or the disks have
been unplugged and plugged into an imaging or examination workstation for duplication. Whether the drive
is in a powered-down RAID disk pack or is a single drive found by the side of the road, the powered-off
state is the starting line for traditional duplication.

s.7.1 Hardware Write Blockers


The best way to make sure that the source media is not changed in any manner is to use specialized hardware that prohibits write commands from reaching the drive controller. A set of these write blockers ought to be in each IR team's kit. Write blockers are generally protocol bridges that contain modified firmware or an ASIC designed to intercept a subset of the protocol's commands. In Fig. 5.3, four versions are shown. With these in your kit, you can faithfully duplicate SATA, PATA, SCSI, SAS, and USB devices. The write blocker hardware shown in the figure is from Tableau.

Figure 5.3 Write blocker hardware.

A more portable version that permits one to image SATA and PATA drives over USB, FireWire, and eSATA is made by WiebeTech. Many of our consultants carry these in the field, as they are well made, work well in tight spaces, and allow one to quickly duplicate a drive. The WiebeTech Forensic UltraDock v4 is shown connected to a subject's drive in Fig. 5.4. The two makers of hardware write blockers presented here are very active within the forensic community and take care that the write protection scheme is robust and reliable. Refer to the web site of the National Institute of Standards and Technology (NIST) for its independent test results on write blockers.
88 • DIGITAL FORENSIC

Figure 5.4 eSATA write blocker hardware.

5.7.2 Image Creation Tools


The most common technique to form a forensic duplicate is via software. The three main tools we tend to use are dc3dd, AccessData's FTK Imager, and Guidance Software's EnCase. Each has its pros and cons that make it more or less appropriate for a given scenario. You should become familiar with a variety of tools, in case one does not work in a given circumstance. In the following sections, we step through the use of each of the three tools. During any duplication method, you need to consider the following five things as you start:
1. Is my source media write protected?
2. Will my examination environment attempt to perform any action on the media automatically, if I am in a scenario where a hardware write-protection device is not feasible?
3. Do I have adequate space for the output files?
4. How do I address the source media?
5. What command-line options are needed to produce the expected output?
Each section begins from the same initial condition. You have a suspect hard drive that you need to image. It is connected to a forensic examination workstation through a write blocker, and you have a volume ready to receive the forensic image file. As previously mentioned, this is referred to as "imaging a static drive."

5.8 Live System Duplication

The creation of an image of media in a system that is actively running is an example of a live system duplication. This situation is not preferred; however, it is often the only alternative. The system may be a business-critical system that cannot be taken down except during very short maintenance windows. In other cases, you may be faced with encrypted drives that would not be accessible once the system was shut down. Taking a live image can make minor modifications to the system, but you will be able to get an image. Make sure to document precisely what you did, as well as the dates, the tools you used, the procedure you followed, and what services were running. You may need that information in case somebody challenges the fact that you changed the system. Such challenges are easily refuted if you have the proper documentation.
Another potential drawback to live imaging is that the source media is a moving target. As you are making the duplicate, changes to the contents of the media occur. Also, the operating system may have information cached in memory that has not yet been committed to the media. So, in some rare cases, the duplicate you produce may be partly or altogether unusable because of inconsistencies in the data that the duplication method read from the disk.
Special care should be taken when making a live image. Because there is no write protection in place, you could erroneously write the image back to the source drive, destroying evidence in the process. You should also watch what form of software you use and the way you employ it. You ought not copy or install anything to the source drive; use tools that can run directly from external media or network shares. Also, use software that is "lightweight" to reduce the impact on the source system. We regularly use the FTK Imager Lite version to perform live images. The process is almost the same as for a static image, with two main differences:
• Run the imaging software directly from removable media or a network share. Also, minimize modifications to the running system, such as copying or installing software.
• Choose sources that correspond to the hard drives that are part of the running system. Make sure to review the complete list of sources and image every drive that is part of the running system, as appropriate.

5.9 Forensic Duplication Tool Requirements

Forensic duplication tools must satisfy the following criteria:
1. The tool shall make a bitstream duplicate or an image of an original disk or partition.
2. The tool shall not alter the original disk.
3. The tool shall be able to verify the integrity of a disk image file.
4. The tool shall log I/O errors.
5. The tool's documentation shall be correct.
6. The tool should create a mirror image or forensic duplicate of the original storage media.
7. The tool must be able to handle read errors.
8. The tool should not make any changes to the source medium.
9. The tool must be able to stand up to scientific review. Results must be verifiable by a third party.
10. If there are no errors accessing the source, then the tool shall create a bitstream duplicate or image of the source.
11. If there are I/O errors accessing the source, then the tool shall create a qualified bitstream duplicate or image of the source (one in which the unreadable areas are identified and replaced with a documented fill value).
12. The tool shall log I/O errors in an accessible and readable form, including the type of the error.
13. The tool shall be able to access disk drives through one or more well-defined interfaces.
14. Documentation shall be correct insofar as the mandatory and optional features are concerned; that is, if a user following the tool's documented procedures produces the expected result, then the documentation is deemed correct.
15. If the tool copies a source to a destination that is larger than the source, then it shall document the contents of the areas on the destination that are not part of the copy.
16. If the tool copies a source to a destination that is smaller than the source, then the tool shall notify the user, truncate the copy, and log this action.
Some examples of forensic duplication tools are:
1. SafeBack (www.forensics-intl.com)
2. Ghost (www.symantec.com)
3. dd (standard UNIX/Linux utility)
4. EnCase (www.encase.com)
5. Mareware
6. FTK (www.accessdata.com)
7. ProDiscover Basic
5.9.1 AccessData FTK Imager

FTK Imager from AccessData is a freely available and comprehensive imaging tool. At the time of writing, there are versions available for Microsoft Windows, Linux (Debian and Fedora), and Mac OS X 10.5 through 10.8. The Windows version is mostly user interface-based and comes in two major releases, a "Lite" version and a full install. The main distinction is that the "Lite" version is portable, meaning it can run in a completely self-contained mode, directly from a portable USB drive. FTK Imager can be run from the command line on all supported operating systems. FTK Imager can produce output images in four formats: Raw (dd), EnCase (E01/EWF), SMART, and AFF. The imager also supports splitting images into chunks, which is helpful if there are classification system or backup system restrictions. There are a variety of other helpful features, such as the ability to look at images or live media, extract files, convert images, mount images as a drive letter, and many other functions that are documented in the user guide.

5.9.2 Guidance Software EnCase

Guidance Software provides three tools to make forensic images. You can produce an image directly in Microsoft Windows with the EnCase Forensic product, with the two command-line utilities winen.exe or winacq.exe, or with one of the Linux-based Guidance Software boot disks that run LinEn (a Linux-based image creation tool). You must own a copy of EnCase to gain access to these tools. The imaging tools permit you to select the desired level of compression and the output segment size.

5.10 Creating a Forensic Duplicate of a Hard Drive

To obtain a true forensic duplicate, the most common tools are built to run in a UNIX operating environment. The tool dd is a part of the GNU software suite. This dd tool was further improved and re-released as dcfldd by the DoD Computer Forensics Lab. The command-line arguments are identical for both dd and dcfldd, and the core data transfer code has not been modified, so very little work will be required to validate the new tool if your team has already validated the operation of dd. Another tool is the Open Data Duplicator (ODD), which we also discuss in this chapter. The most important feature of this tool is that it allows an investigator to perform multiple functions as the image is being created.

5.10.1 Duplicating with dd and dcfldd

The most efficient tool for performing a true forensic duplication is dd. It will image nearly any storage medium as long as the operating system recognizes it. However, dd has no built-in safety measures; the duplication process offers no protection against operator error. You should be familiar with dd before you use it, because a single wrong character in the command line (for example, swapping the if= source and of= destination arguments) will destroy the evidence. You should also be aware of how the UNIX environment addresses storage devices. dd and dcfldd are very similar tools. Satisfying the "old school" examiners' preference for block-based hashes, dcfldd adds a significant amount of functionality.

5.10.2 Creating a Linux Boot Media

Preparation for duplication using Linux is different from the other methods that we discuss in this section, but using Linux is worthwhile, as it can be the most flexible boot environment in the toolbox. To start with, a precompiled version of Linux such as Trinux or FIRE is the easy way. You can disassemble the packages and add your own binaries, such as dcfldd, once you have the basic package up and running.

5.10.3 Performing a Duplication with dd

Sometimes, to fit on a specific media type such as CD/DVD, or on file systems that cannot hold files larger than about 2.1 GB, the duplicate will be stored in a series of files. This is usually referred to as a segmented image. To create a true forensic duplicate of a hard drive and store the image on a local storage hard drive (for instance, when you need to duplicate a suspect drive on your forensic workstation), the following bash script will be useful:

#!/bin/bash
# Bash script for duplicating hard drives with dd into a segmented image
# Set source device name here
source=/dev/hdc
# Set output file name here
output_name=/mnt/RAID_1/dd_Image
# Segment size in 512-byte sectors (4096 sectors = 2 MiB). bs stays at the
# sector size so that conv=sync zero-fills only an unreadable sector, never a
# whole segment, and later data keeps its original offset.
seg_sectors=4096
count=1
# dd exits 0 at the end of the media, so also stop when a segment comes back
# empty. Read errors reported by dd are kept in a log file beside the image.
while dd if="$source" of="$output_name.$count" bs=512 count="$seg_sectors" \
         skip=$(( (count - 1) * seg_sectors )) conv=noerror,sync \
         2>>"$output_name.log" && [ -s "$output_name.$count" ]; do
    printf "#"
    count=$((count + 1))
done
[ -s "$output_name.$count" ] || rm -f "$output_name.$count"
echo "Done. Verify the image with md5sum."
This produces the image as a series of numbered segment files. If, instead of splitting the output, you want to hash the data as it is read and store the image as a single file in one pass, the following script can be used:

#!/bin/bash
# Bash script for duplicating hard drives with dd, hashing as the image is written
# Set source device name here
source=/dev/hdc
# Set output file name here
output_name=/mnt/RAID_1/dd_Image
# Read in 16 KiB blocks, keep going past read errors (noerror) and zero-fill
# the unreadable block (sync) so later data stays at its original offset; tee
# writes the image while md5sum hashes the same bytes. Because sync also pads
# a final partial block, the MD5 printed is that of the image file as written;
# re-run md5sum on the image file later to confirm it has not changed.
dd if="$source" bs=16384 conv=noerror,sync 2>>"$output_name.log" | tee "$output_name" | md5sum
echo "Done. Verify the image with md5sum."

The I/O block size for this script is set to 16,384 bytes. This yields the fastest transfer rate with the hardware.
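The two scripts above write the image but leave the verification step to the examiner. The following added example (not from the book) ties together the segmented imaging of Section 5.10.3 and the hash checks of Section 5.6.4: it images a constructed stand-in for a drive into sector-aligned segments with dd, reassembles the segments in numeric order, compares the MD5 of the reassembled image with that of the source, and then shows that altering a single byte in one segment is detected. The directory paths and the stand-in file are assumptions made for the demonstration; on a real case the source would be a write-blocked device such as /dev/hdc.

```bash
#!/bin/bash
# Added example, not from the book: image a "drive" into fixed-size segments
# with dd, then hash the reassembled segments against the source and show that
# a single changed byte in one segment is detected. The source is a constructed
# regular file standing in for a device such as /dev/hdc; $WORK paths are
# assumptions for the demo.
set -u

WORK=$(mktemp -d)
SOURCE="$WORK/evidence.raw"     # stand-in for the suspect drive
OUTPUT="$WORK/dd_Image"         # segment prefix, as in the book's script
SEG_SECTORS=8                   # 8 x 512 bytes = 4 KiB per segment (tiny for the demo)

# Constructed sample drive: 25 sectors of 512 bytes, each labelled with its
# number and space-padded, so the whole file is sector-aligned (12,800 bytes).
make_source() {
    : > "$SOURCE"
    local i
    for i in $(seq 1 25); do printf '%-512s' "sector $i" >> "$SOURCE"; done
}

# Write the source as numbered segments. bs=512 keeps conv=sync padding at
# sector granularity: noerror keeps reading past a bad block and sync zero-fills
# it, so every later byte stays at its original offset. dd exits 0 at the end
# of the media, so the loop stops on the first empty segment. Errors are logged.
image_segments() {
    local count=1
    while dd if="$SOURCE" of="$OUTPUT.$count" bs=512 count="$SEG_SECTORS" \
             skip=$(( (count - 1) * SEG_SECTORS )) conv=noerror,sync \
             2>>"$OUTPUT.log" && [ -s "$OUTPUT.$count" ]; do
        count=$((count + 1))
    done
    [ -s "$OUTPUT.$count" ] || rm -f "$OUTPUT.$count"   # drop the empty end marker
    echo $((count - 1))                                  # number of segments written
}

hash_source() { md5sum < "$SOURCE" | cut -d' ' -f1; }

# Reassemble in numeric order (1, 2, ..., N): a lexical glob would put
# dd_Image.10 before dd_Image.2 and silently corrupt the image.
hash_segments() {
    local n=$1 i
    for i in $(seq 1 "$n"); do cat "$OUTPUT.$i"; done | md5sum | cut -d' ' -f1
}

verify_image() { [ "$(hash_source)" = "$(hash_segments "$1")" ]; }

# Overwrite one byte inside segment $1 without truncating it (simulated tampering).
tamper_segment() { printf 'X' | dd of="$OUTPUT.$1" bs=1 seek=100 conv=notrunc 2>/dev/null; }

make_source
N=$(image_segments)
echo "wrote $N segments; source md5 $(hash_source)"
verify_image "$N" && echo "image verifies against source"
tamper_segment 2
verify_image "$N" || echo "tampered segment 2 detected: hashes differ"
```

Run it as a plain bash script. Two details matter in practice: the segments must be reassembled in numeric order (a shell glob sorts dd_Image.10 before dd_Image.2), and bs is kept at the 512-byte sector size so that conv=sync can only ever pad an unreadable sector, never a whole 2 MiB segment or the tail of the image.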

5.10.4 Duplicating with the Open Data Duplicator

A newer open source tool is the Open Data Duplicator (ODD). To perform forensic duplication simultaneously on a number of computers over a local LAN, this tool follows a client/server model. To use the software on a single forensic workstation, you need to run both halves on the same computer. The most significant feature of this tool is its ability to perform additional functions on the data as it is being processed: ODD includes plug-ins to calculate checksums and hashes, perform string searches, and extract files based on their file headers.
The three portions of ODD are:
1. Bootable CD-ROMs: These are similar to the Trinux Linux distribution.
2. Server-side applications: Most of the work, such as string searches, calculation of hashes, and storage of the true forensic duplicates, is done by the server.
3. Client-side applications: If you are duplicating drives on a forensic workstation, this portion may be run locally.
In Fig. 5.5, ODD has been installed on Red Hat 5.4 and the ODD application has been started. The first screen asks for the location of the ODD server. In this example, we are running everything on the same forensic workstation, so we can choose Detect Server, as shown in Fig. 5.5.
Figure 5.6 shows the devices detected by ODD. To direct ODD to duplicate only certain portions of a device, there is a text entry box to do so.
The processing options available on the server are listed on the next screen. The most important options are the image store plug-in and the compressed image store plug-in, which store the true forensic duplicate image. Experts suggest not using the compressed image store plug-in, because compression adds time during the image storing process and again during the analysis process. Figure 5.7 shows that all the plug-ins are selected except the compressed image store. String searches are performed during the image storing process, and extraction is also carried out for certain types of files based on their headers.

Figure 5.5 ODD startup screen.

Figure 5.6 ODD device detection.

Figure 5.7 Selection of plugins.

The next screen asks for case information. Here, you have to provide information such as the case ID number, the system's time and date, the actual time and date, and details about the system, as shown in Fig. 5.8.

Figure 5.8 ODD notes plugin.

Based on file headers, the carve plugin extracts a given number of bytes from the incoming data stream. Figure 5.9 shows .jpg files selected for extraction. The carved files may be found in a directory on the ODD server once the applications have completed.

Figure 5.9 ODD carv plugin.

5.11 Creating a Qualified Forensic Duplicate of a Hard Drive

"Never boot from the original drive" is one of the most important rules a beginning examiner should follow. Starting from the moment the BIOS executes the boot block on the hard drive, many items on the evidence media can be altered. In a matter of seconds, file access timestamps, partition information, the registry, and configuration files may be changed during the initial boot process.

5.11.1 Creating a Boot Disk

A clean operating environment is required for imaging a system. You must create an MS-DOS boot disk when imaging drives using DOS applications such as SafeBack or EnCase. The following command will format a floppy and copy the system files to it using MS-DOS 6.22 or Windows 95/98:

C:\> format a: /s

There should be four files in the root directory of the floppy that contain the code to get the computer running a minimal operating system.

Directory of A:\
05/11/2003 20:01 222,390 IO.SYS
05/11/2003 20:01 68,871 DRVSPACE.BIN
05/11/2003 20:01 93,880 COMMAND.COM
03/20/2003 17:49 9 MSDOS.SYS

IO.SYS is the first file processed by the computer. The code in IO.SYS loads the contents of MSDOS.SYS, starts to initialize device drivers, tests and resets the hardware, and loads the command interpreter, COMMAND.COM.
If a disk connected to the machine uses disk compression software such as DriveSpace or DoubleSpace, IO.SYS loads the DRVSPACE.BIN driver file at boot time. This should not happen while performing a forensic duplication. As it loads, the driver mounts the compressed volumes and presents the operating system with an uncompressed view of the file system. During the mounting of a compressed volume, it changes the time/date stamps on the compressed file, which is an alteration of the evidence.
You should ensure that the loading of the DRVSPACE.BIN driver file fails when you boot from your clean boot disk. Simply removing the file from the floppy is not enough, because IO.SYS also checks the root directory of all active partitions for the file. To stop the loading of DRVSPACE.BIN, load IO.SYS into a hex editor and alter the string manually. Norton's Disk Editor can also be used to do the file editing. Load the file in the hex editor and perform a string search for the keyword SPACE. Figure 5.10 shows the first string search hit, located at hex offset 7D93.

Figure 5.10 First location of string SPACE in IO.SYS.


Now, if you want DOS to fail when it tries to load this file, you need to change the name to a value that it will not find on the file system. Figure 5.11 shows the filename changed to XXNULLXX.XXX. Observe that the period in the file name is not represented in the executable file. Continue to search the file for the string SPACE. All four instances in IO.SYS will need to be changed; after the change, save the file, close the hex editor, and remove the DRVSPACE.BIN file from the floppy too. After creating the clean boot floppy, copy over any DOS-mode drivers that you may need to access the hard drives on the computer system under investigation. The web site of each hardware manufacturer, rather than the driver CD that is shipped with the product, is the first source for DOS drivers. Except for drives that are purely IEEE 1394, most hardware that provides storage will work; DOS drivers for IEEE 1394 do not exist.
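The edit described above is done by hand in a hex editor. The following added example (not from the book, and not Microsoft's code) scripts the same change and the checks that go with it: it finds the byte offsets of the string SPACE the way the hex editor search does, replaces every stored driver name with a same-length name that cannot exist on the file system, refuses a replacement of a different length, and confirms that the patched copy is exactly the same size as the original with no reference left. Because IO.SYS cannot be distributed here, the input is a constructed stand-in file that embeds the driver name four times among non-text bytes; the 8.3 name is stored without its dot, so DRVSPACEBIN becomes XXNULLXXXXX. GNU grep and sed are assumed.

```bash
#!/bin/bash
# Added example, not from the book: patch every embedded "DRVSPACEBIN" in a
# DOS system file to a same-length name that cannot exist, then verify that the
# file size is unchanged and no reference survives. Nothing here is Microsoft's
# code: the input is a constructed stand-in for IO.SYS. GNU grep/sed assumed.
set -u

OLD='DRVSPACEBIN'     # as stored in the executable: 8.3 name without the dot
NEW='XXNULLXXXXX'     # same length, so no offsets in the file move

WORK=$(mktemp -d)
FAKE_IOSYS="$WORK/IO.SYS"

# Constructed stand-in: code-like bytes (octal escapes) with the driver name
# appearing four times, matching the four hits for SPACE described in the text.
make_fake_iosys() {
    {
        printf '\220\220\351\022\064';   printf '%s' "$OLD"
        printf '\377\376\001\002';       printf '%s' "$OLD"
        printf 'MSDOS   SYS\015\012';    printf '%s' "$OLD"
        printf '\125\252';               printf '%s' "$OLD"
        printf '\315\041\303'
    } > "$FAKE_IOSYS"
}

# Byte offsets of every occurrence of a string, like the hex editor's search.
find_offsets() { LC_ALL=C grep -obaF -- "$1" "$2" | cut -d: -f1; }

count_occurrences() { LC_ALL=C grep -oaF -- "$1" "$2" | wc -l; }

# Replace every OLD with NEW, refusing if the lengths differ (a longer or
# shorter name would shift the rest of the binary), then require the patched
# copy to be byte-for-byte the same size as the original.
patch_name() {   # patch_name <in> <out> <old> <new>
    local in=$1 out=$2 old=$3 new=$4
    if [ "${#old}" -ne "${#new}" ]; then
        echo "refusing: '$new' is not the same length as '$old'" >&2
        return 1
    fi
    LC_ALL=C sed "s/$old/$new/g" "$in" > "$out" || return 1
    [ "$(wc -c < "$in")" -eq "$(wc -c < "$out")" ]
}

make_fake_iosys
printf 'SPACE found at byte offsets:'
for o in $(find_offsets SPACE "$FAKE_IOSYS"); do printf ' 0x%X' "$o"; done; echo
patch_name "$FAKE_IOSYS" "$FAKE_IOSYS.patched" "$OLD" "$NEW" && echo "patched copy written, size unchanged"
echo "$(count_occurrences "$OLD" "$FAKE_IOSYS.patched") references to $OLD remain," \
     "$(count_occurrences "$NEW" "$FAKE_IOSYS.patched") renamed to $NEW"
```

On a real boot floppy you would run patch_name against a copy of IO.SYS, check the offset list against what the hex editor shows (the text reports the first hit at 7D93), and only then replace the file on the disk; the length check is what keeps the edit from corrupting the rest of the executable.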

5.11.2 Creating a Qualified Forensic Duplicate with SafeBack

New Technologies Inc. (NTI) offers SafeBack. It is used to make a qualified forensic duplicate of any hard drive. You need to have a clean environment ready on the floppy for the SafeBack application, because it runs from a DOS boot floppy.
Figure 5.11 Changing DRVSPACE.BIN to XXNULLXX.XXX.

Using SafeBack is quite simple for creating a duplicate of the computer system. Figure 5.12 shows the start-up window for SafeBack. There are four modes or applications offered by SafeBack:
1. Backup function: generates an image file of the source media.
2. Restore function: restores a forensically sound image file.
3. Verify function: verifies the checksums within an image file.
4. Copy function: performs the backup and restore operations in one action.

Figure 5.12 SafeBack startup screen.


The next screen, Fig. 5.13, shows drive selection for SafeBack. It lists the physical as well as the logical drives detected by SafeBack. As the main goal of forensic duplication is to obtain an exact duplicate of the original media, the logical drives are ignored completely. Ensure that the drive specifications match the information that you recorded from the system's BIOS as well as the information printed on the physical drive itself. Record any discrepancies that occur. SafeBack should be able to address the complete hard drive.

Figure 5.13 SafeBack drive selection.

The verify option is used to ensure that the created evidence file is a proper representation of the contents of the media, and that the file can be restored successfully. Before leaving the site, use the verify option. The verify option of EnCase in the Windows interface will likewise verify the contents of an image file without referring to the original drive.

5.11.3 Creating a Qualified Forensic Duplicate with EnCase

The most popular commercially available forensic tool is EnCase from Guidance Software. It provides an easy-to-navigate GUI. A flexible scripting language is included, allowing the examiner to customize the types of searches performed by the tool. The preview option is the most significant feature of EnCase. You can use the preview function during the first stages of the investigation to quickly ascertain whether a computer system is material to the issue being investigated. You need to boot the suspect computer with an EnCase boot disk in order to use the preview option. Instead of acquiring an image, you connect to the suspect computer via cable or a network connection from the copy of EnCase running on the forensic workstation. After the connection is established, the analysis process is the same as working on an EnCase image file, as shown in Fig. 5.14.
EnCase creates a set of files that are a true and accurate representation of the data on the evidence media. It also provides the ability to create a boot floppy from within the software. Additional SCSI or network card drivers may need to be placed on the floppy disk. Once you have created the boot media containing the EnCase program, boot the suspect computer system with the EnCase boot floppy and start the application.
The devices recognized by EnCase are displayed on the first screen. The next screen, Fig. 5.15, shows the status of the three hard drives after unlocking the storage drive. When EnCase begins, it creates a software write protect on all the hard drives. The storage hard drive should be unlocked to accomplish anything. Information such as drive type, model, and serial number will help you differentiate between the suspect's drive and your storage drive.

Figure 5.14 Devices recognized by EnCase.

Figure 5.15 Unlocking the storage drive in EnCase.

You will be asked which drive needs to be duplicated after selecting the Acquire button, as shown in Fig. 5.16. You should duplicate the complete drive by using the drive's physical identifier (drive 0, drive 1, etc.), unless contractual or legal restrictions limit the scope of your search to discrete partitions.
Figure 5.16 Selecting the suspect drive to duplicate in EnCase.

A series of options and text entry fields will be presented by EnCase after this; the information entered is placed in the header of the qualified forensic duplicate. The following will be asked:
1. Location of the qualified duplicate.
2. Case number.
3. Examiner's name.
4. Description of the evidence being acquired.
5. Verification of the current time/date.
6. Any other comments that you want to make.
After collecting the above information, EnCase will ask whether you wish to perform hashing on the image, as shown in Fig. 5.17. A small amount of time is added to the total duplication, which is essential to ensure the integrity of the image at a later date. Experts recommend that this should be compulsory for all duplications in EnCase. The next option asks if you would like to protect the image file with a password. We never set this option. It does not truly protect the data from unauthorized access, because it is trivial to circumvent.
The total number of sectors to duplicate will be asked in the next screen. This can be verified from the BIOS or from the label on the hard drive itself. In the final option, you will be asked to specify the size of the image file segments on the storage drive. You will be able to copy the files to any file system if you keep this size under 2 GB. You can burn a copy of the evidence to a set of CD-ROMs if you drop this to approximately 640 MB.

Figure 5.17 EnCase's option to perform MD5 hashing.


Figure 5.18 shows the progress screen of a duplication in process. The selected options are displayed at the top of the screen and a progress bar at the bottom. The time remaining counter takes a few minutes to gather sufficient statistics to become accurate. After completion of the process, you may turn off the computer system and store the evidence in your storage locker.

Figure 5.18 EnCase's final screen.

Summary

In this chapter, we have defined the three types of duplications that you are likely to create or acquire. A true forensic duplicate will allow you the most flexibility during the analysis phase of your investigation. If the original drive was damaged, maliciously or not, a successful recovery from a true forensic duplicate is more likely than recovery from a qualified forensic duplicate. Regardless of the duplicate format you choose, you need to be familiar with all the imaging and duplication tools available for your investigation. It is not sufficient to simply have a working knowledge of a single forensic duplication tool. You should be able to select the duplication tool that is appropriate to the situation and preserve the evidence in a manner that ensures its validity in the event it is used in court.

Key Terms

• Bit stream copy: A bit-by-bit copy or duplicate of a piece of digital evidence from the original storage medium that permits examination of fragmentary or hidden data that cannot be reached through a computer's operating system. It is usually called "acquiring an image" or "making an image."
• Disk cache: Web pages automatically downloaded to a disk folder on a computer while surfing the internet. Because web pages are regularly cached on a local hard drive (disk) to minimize the quantity of data transmitted over the internet and to speed page display, web pages are usually recoverable through digital forensics recovery processes.
• Forensic data: Data that is contained or found in a forensic copy, similarly admissible in court.
• Image file: A file that contains graphic data, such as a GIF or PNG file. (In this chapter, however, "image" refers to a forensic image of storage media, not a picture.)
• MD5 hash: Message Digest version 5, a hashing algorithm that yields a 128-bit (16 byte) hash value, typically expressed as a 32-character hexadecimal number.
• RAID: Redundant Array of Independent Disks, a technology that provides increased storage and reliability by combining multiple disk drives into a logical unit where all the disk drives operate as a single unit.

Review Questions

1. What are the forensic duplication tool requirements?
2. What is forensic duplication? Why is it needed?
3. How do you create a forensic duplicate of a hard drive?
4. Why remove the DRVSPACE.BIN file before starting a forensic duplication?
5. How do you create a qualified forensic duplicate of a hard drive?
6. Explain restored image and mirror image.
7. Explain the various duplication tools used for analysis.
Chapter 6 Disk and File System Analysis

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand media analysis concepts.
• Understand partitioning and disk layouts.
• Interpret special containers.
• Know hashing.
• Understand carving.
• Interpret forensic imaging.

6.1 Media Analysis Concepts

At its most basic, forensic analysis deals with files on media: files in folders, deleted files, files in other files, all stored on or in some container. The goal of media analysis includes identifying, extracting, and analyzing these files and the file systems they lie upon. Identification includes finding which active and deleted files are available in a volume. Extraction is the retrieval of relevant file data and metadata. Analysis is the process in which we apply our intelligence to the dataset and ideally come up with meaningful results. These are not necessarily discrete procedural steps. In fact, some examination processes will seem to bestride two or more of these; carving, for example, can easily be described as both identification and extraction. Nevertheless, we feel that this is a suitable model for describing why we as examiners are taking a particular action. This chapter focuses primarily on the concepts behind identifying and extracting file system artifacts and information about files.

6.1.1 File System Abstraction Model

In File System Forensic Analysis, Brian Carrier presents a file system abstraction model and uses it to describe the functions of file systems and the artifacts generated by those functions. For readers with networking backgrounds, this model is not unlike the OSI model used to describe communications systems. As per Carrier, the layers of any file system, from low level to high level, are as follows:

Disk: The physical storage device. Analysis of items at this level is outside the capacities of most examiners; physical media analysis of conventional hard drives requires extensive specialized training and knowledge, access to a clean room, and expensive electron microscopy equipment. With the rise of flash media and solid state disks, analysis of media at this level may be in the realm of possibility for a larger pool of examiners.

Volume: A single disk can contain several volumes, or a volume may span several disks, depending on configuration. The term "partition" is usually used interchangeably with "volume", but Carrier makes a distinction wherein a partition is limited to a single physical disk, and a volume is a collection of one or more partitions. Put simply, a volume describes a number of sectors on a disk (or disks) in a given system. Figure 6.1 shows a simplified display of the relationship between a disk and the volumes present on the disk.

[Figure 6.1 Disk and volumes: one disk divided into Volume 1, Volume 2 and Volume 3.]

File System: Items in the file system layer include metadata specific to and solely used for the file system's operation (e.g., the ext2 superblock).

Data Unit: The smallest addressable unit of storage in a file system. On Unix-derived file systems, these data units are known as blocks. They are generally some power-of-2 multiple of the physical sector size of the disk. Historically, nearly every disk used 512-byte sectors; most modern file systems will use 4096 bytes (4K) or larger as the smallest addressable data unit. The information available at the data unit layer is simple: the content of that data unit. If that data unit is allocated to a JPEG image, the data unit will hold a portion of JPEG data. If the data unit was allocated to a text file, the data unit will contain text.

Metadata: Given that the data unit layer holds data in a file system, the metadata layer then contains data about data units. On Unix-derived file systems, these metadata units are called inodes. The content of metadata units depends on the actual file system being discussed; but, generally, this layer will at least consist of file time stamps, file ownership information, and the data units allocated to this metadata unit. The specific artifacts for each file system are discussed in the relevant sections.

File Name: The file and directory names that users see. Artifacts that are available in this layer vary depending on the file system. At the minimum, file names have a pointer to their corresponding metadata structure.

As this abstraction model is built with the design of Unix-derived file systems in mind, some of the separations do not map directly to the designs of file systems for other platforms. However, a good understanding of this model can lead to truly understanding the significance of file system artifacts on any file system.

6.2 Partitioning and Disk Layouts

The two elementary partitioning schemes in use these days are the "Master Boot Record (MBR)" and the "GUID Partition Table (GPT)". The GPT scheme was built as a replacement for the MBR scheme. The MBR partitioning method permitted only four primary partitions and, because its start and length fields are 32-bit sector counts, disks of up to 2 terabytes with 512-byte sectors. The GPT format supports disks up to 8 zettabytes and 128 primary partitions, in addition to many other improvements. The partition table itself is not likely to include any information relevant to most investigations. When the partitioning structures are missing or corrupted, forensic analysis of the partition table is usually limited to recovery of volumes.

6.2.1 Partition Identification and Recovery

Deleted or missing partitions can be identified by using the sigfind tool. The tool contains a number of predefined data structure templates that locate the tell-tale marks of a partition table or file system header. This can be examined by using the tenth test image from the Digital Forensic Tool Testing project (http://dftt.sourceforge.net/test10/index.html). The "dospart" template hunts for the hex value "55AA" in the last two bytes of each sector, a structure common to MBR partitions:

    user@ubuntu:~/10-ntfs-autodetect$ sigfind -t dospart ntfs-autodetect-disk.dd
    Block size: 512  Offset: 510  Signature: 55AA
    Block: 0 (-)
    Block: 63 (+63)
    Block: 96389 (+96326)
    Block: 96390 (+1)

This can be compared with mmls output for the same image:

    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000000   0000000062   0000000063   Unallocated
    02:  00:00   0000000063   0000096389   0000096327   NTFS (0x07)
    03:  00:01   0000096390   0000192779   0000096390   NTFS (0x07)
    04:  -----   0000192780   0000192783   0000000004   Unallocated

It can be observed that sigfind located the 0x55AA signature in the boot sector (0), the beginning and end of the first volume (63 and 96389; NTFS keeps a backup boot sector in the last sector of the volume, which is why the end shows up too), and the beginning of the next volume (96390). Also, the TestDisk tool from CGSecurity can be used to recover partitions in the case of disk corruption or intentional spoiling. TestDisk can operate both on raw and Expert Witness/E01 format files used by EnCase. An excellent tutorial is provided at the CGSecurity site on the use of TestDisk. TestDisk can be installed on Ubuntu through apt-get. The source code and precompiled binaries for DOS, Windows, OS X, and Linux are also available from the CGSecurity site (www.cgsecurity.org).
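The sigfind hits and the mmls table above both come from the same 16-byte partition entries and the 0x55AA trailer. The following Python script is an added example, not part of the original text and not code from The Sleuth Kit: it builds a small constructed disk image with two NTFS-typed partitions (the image, its geometry and the function names build_sample_image, layout and sigfind are this example's own), parses the DOS partition table the way mmls presents it, and scans every sector for the 0x55AA signature the way the dospart template does. Because the sample image also writes the trailer into the first and last sector of each volume, as an NTFS boot sector and its backup copy would, the scan reports the end of each volume as well as its start, which is the pattern seen in the sigfind output above.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of an MBR or NTFS boot sector
PARTITION_TYPES = {0x07: "NTFS (0x07)", 0x83: "Linux (0x83)", 0x0B: "Win95 FAT32 (0x0B)"}


def build_mbr(partitions):
    """Build a 512-byte MBR from (type, lba_start, sector_count) tuples.

    Boot code and the legacy CHS fields are left zeroed; the LBA fields and
    the 0x55AA trailer are what sigfind and mmls actually look at.
    """
    mbr = bytearray(SECTOR)
    for slot, (ptype, start, count) in enumerate(partitions[:4]):
        entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        mbr[446 + slot * 16:446 + (slot + 1) * 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty entries of a DOS partition table as dicts."""
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR")
    parts = []
    for slot in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + slot * 16)
        if ptype and count:
            parts.append({"slot": slot, "type": ptype, "start": start, "length": count})
    return parts


def layout(image):
    """mmls-style table: primary table, each partition, and the unallocated gaps."""
    total = len(image) // SECTOR
    rows = [("Meta", 0, 0, 1, "Primary Table (#0)")]
    cursor = 0
    for p in sorted(parse_mbr(image[:SECTOR]), key=lambda e: e["start"]):
        if p["start"] > cursor:
            rows.append(("-----", cursor, p["start"] - 1, p["start"] - cursor, "Unallocated"))
        end = p["start"] + p["length"] - 1
        desc = PARTITION_TYPES.get(p["type"], f"Unknown (0x{p['type']:02X})")
        rows.append((f"00:{p['slot']:02d}", p["start"], end, p["length"], desc))
        cursor = end + 1
    if cursor < total:
        rows.append(("-----", cursor, total - 1, total - cursor, "Unallocated"))
    return rows


def sigfind(image, signature=MBR_SIGNATURE, offset=510, bs=SECTOR):
    """Report every block whose bytes at `offset` equal `signature` (the dospart template)."""
    hits = []
    for blk in range(len(image) // bs):
        base = blk * bs + offset
        if image[base:base + len(signature)] == signature:
            hits.append(blk)
    return hits


def build_sample_image(total_sectors=256):
    """Constructed 128 KiB disk with two NTFS-typed volumes; not a real acquisition."""
    parts = [(0x07, 63, 65), (0x07, 128, 128)]
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = build_mbr(parts)
    for _ptype, start, count in parts:
        # NTFS writes a boot sector at the start of the volume and a backup copy
        # in its last sector; both end in 0x55AA, so sigfind reports both ends.
        for s in (start, start + count - 1):
            img[s * SECTOR + 510:s * SECTOR + 512] = MBR_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    for blk in sigfind(disk):
        print(f"Block: {blk}")
    for slot, start, end, length, desc in layout(disk):
        print(f"{slot:>6}  {start:010d}  {end:010d}  {length:010d}  {desc}")
```

Run against a real raw image, parse_mbr and layout only describe what the table claims; sigfind is the tool to reach for when the table is gone, and every hit it reports has to be checked against a plausible file system header before it is trusted as a volume boundary.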

6.2.2 Redundant Array of Inexpensive Disks

Redundant Array of Inexpensive Disks (RAID) is designed to take multiple physical disks and address them as a single logical unit. The most commonly used basic RAID levels are as follows:

1. RAID 0: It refers to a setup of at least two disks that are striped at block level. Given two disks, 0 and 1, block A will be written on disk 0, block B will be written on disk 1, and so on. This tends to increase read and write speeds and does not sacrifice any storage space, but it provides no redundancy at all: losing a single disk means losing half of your blocks.
2. RAID 1: It is the opposite of RAID 0; blocks are mirrored across pairs of drives. This increases read speeds and reliability, but it also reduces the amount of available storage to half of the physical disk space.
3. RAID 5: It needs at least three disks and performs striping across multiple disks in addition to creating parity blocks. These blocks are also striped across disks and are used to rebuild data in the event a drive is lost.

Also, there are "nested" or "hybrid" RAID setups that combine two of these RAID levels in sequence. For example, a RAID 50 or 5+0 set can be a pair of RAID 5 sets that are subsequently striped.
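To make the three levels concrete, here is an added Python example (not part of the original text) that stripes a constructed byte string the way RAID 0 and RAID 5 do and rebuilds a lost RAID 5 member from parity. The function names, the 64-byte chunk size and the parity rotation used here (parity moves one disk to the left on each stripe) are this example's own assumptions; real controllers differ in stripe size, rotation order and on-disk headers, which is exactly what an examiner has to establish before reassembling a set of RAID member images.

```python
def _xor(*chunks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid0_split(data, ndisks, chunk):
    """RAID 0: chunk A to disk 0, chunk B to disk 1, ... with no redundancy at all."""
    data += b"\0" * (-len(data) % (ndisks * chunk))
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(len(data) // chunk):
        disks[i % ndisks] += data[i * chunk:(i + 1) * chunk]
    return [bytes(d) for d in disks]


def raid0_join(disks, chunk, size):
    """Interleave the members back into the logical volume, truncated to `size`."""
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        for d in disks:
            out += d[s * chunk:(s + 1) * chunk]
    return bytes(out[:size])


def raid5_split(data, ndisks, chunk):
    """RAID 5: each stripe holds ndisks-1 data chunks plus one parity chunk (the XOR
    of the data chunks); the parity position rotates so it is spread over all disks."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    ndata = ndisks - 1
    stripe = ndata * chunk
    data += b"\0" * (-len(data) % stripe)
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // stripe):
        chunks = [data[s * stripe + j * chunk:s * stripe + (j + 1) * chunk] for j in range(ndata)]
        pdisk = (ndisks - 1 - s) % ndisks          # parity disk for this stripe
        it = iter(chunks)
        for d in range(ndisks):
            disks[d] += _xor(*chunks) if d == pdisk else next(it)
    return [bytes(d) for d in disks]


def raid5_rebuild(disks, missing):
    """Every stripe's chunks XOR to zero, so the missing member is the XOR of the others."""
    return _xor(*(d for i, d in enumerate(disks) if i != missing))


def raid5_join(disks, chunk, size):
    """Reassemble the logical volume, skipping the rotating parity chunk in each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        pdisk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s * chunk:(s + 1) * chunk]
    return bytes(out[:size])


def damaged_chunks(original, recovered, chunk):
    """Count chunks of `recovered` that no longer match `original`."""
    return sum(1 for i in range(0, len(original), chunk)
               if recovered[i:i + chunk] != original[i:i + chunk])


if __name__ == "__main__":
    payload = bytes(range(256)) * 3                     # constructed 768-byte volume
    members = raid5_split(payload, 3, 64)
    rebuilt = raid5_rebuild(members, 1)                 # disk 1 "failed"
    print(raid5_join([members[0], rebuilt, members[2]], 64, len(payload)) == payload)
```

The same XOR identity is what lets an examiner recover a RAID 5 set with one member missing, provided the stripe size and rotation have been identified correctly; with the wrong parameters the join still produces output, just not the original volume, so the result must always be validated by mounting or by checking file system signatures at the expected offsets.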

6.3 Special Containers

Along with file systems in volumes on physical media, you may have to deal with file systems in other containers. One such example is the Macintosh-specific DMG container which has been discussed previously. The other two major containers are virtual machine disk images and forensic containers.

6.3.1 Virtual Machine Disk Images

Virtualization applications, such as VMware, VirtualBox, Virtual PC, and QEMU, allow users to run a full "virtual machine" within the host operating system. Usually, they store the file systems used by these virtual machines as virtual disk images: container files that act as a "disk" for purposes of the virtualization software. If it acts like a disk for virtualization software, we should be able to get it to act as a disk for extracting artifacts. The most common virtual disk format today is VMDK, which is used by VMware's virtualization products.

A VMware virtual disk is defined using a descriptor file that lists the file(s) that make up that particular virtual disk, along with the specifications of the "disk" being presented to the virtual machine. A disk is formed from the base file. Files containing changes from the base image, called delta links, are created as users create snapshots of a virtual machine, and a new descriptor file containing information about the base and delta files is created. When examining a machine that has been snapshotted, keep in mind that the base file alone reflects the disk as it was when the first snapshot was taken; the current state of the disk is the base plus the chain of delta files referenced by the latest descriptor.

The full VMDK specification is available from VMware at http://www.vmware.com/app/vmdk/?src=vmdk. AFFLib supports VMDK containers natively. If built with AFF (Advanced Forensics Format) support, The Sleuth Kit inherits this functionality, and any of the Sleuth Kit tools can be used directly against a VMDK by specifying "afflib" as the image type argument (-i afflib).

6.3.2 Forensic Containers

We have already spent a little time working with forensic containers, but we have not gone into depth about what exactly they are. Container formats geared towards forensic imaging have some functionality above and beyond what we get with a raw disk image. This includes things such as internal consistency checking, case information management, compression, and encryption. We can perform any of these with a raw image as well, but for a forensic container format there is a difference: these functions are built into the format, reducing the administrative overhead involved with things such as ensuring that the hash and the case notes for a given image are kept with that image at all times.

6.3.2.1 EWF/E01

Expert Witness Format (EWF) is the most commonly used forensic container format; it is sometimes referred to as the "E01" format after its default extension. Guidance Software's EnCase forensic suite uses this format. The format has changed slightly from one release of EnCase to the next and it is not an open standard. The LibEWF library supports all modern variants of image files generated by EnCase in this format. The structure of this format has been documented by Andy Rosen of ASRData, with further documentation performed by Joachim Metz during his work on the LibEWF project. The EWF format supports compression and split files, and it also stores case metadata (including an MD5 or SHA1 hash of the acquired image) in a header data structure found in the first segment of the image file. Examiners who are interested in the inner workings of the EWF format should reference these documents.

6.3.2.2 AFF

The Advanced Forensics Format (AFF) is an open-source format used for storing disk images for forensics along with any relevant metadata. AFF is implemented in the LibAFF package that we have installed previously. AFF image files are supported by The Sleuth Kit through this library. AFF images can be compressed, encrypted, and also digitally signed. One of the interesting features of the AFF format is that the metadata stored in the image file are extensible: arbitrary information which is relevant to the case can be stored directly in the image file in question.

AFF images are stored in one of the following three methods:

1. AFF: This is the default format of an AFF container. It is a single image file containing forensic data and case metadata.
2. AFD: This format contains metadata in the image, but it splits the image file into fixed-size volumes. This can be useful when archiving images or transporting them via size-limited file systems or media.
3. AFM: This format stores the image file as a single, solid container, but it stores metadata in an external file.

6.4 Hashing

One of the key activities performed at many different points throughout an examination is hashing, or generation of a cryptographic hash. A cryptographic hash function takes an arbitrary amount of data as input and returns a fixed-size string as output; the resulting value is the hash of the data. Common hashing algorithms used during a forensic examination include SHA1 and MD5. SHA1 produces a 160-bit hash value and MD5 produces a 128-bit hash value. Longer versions of SHA can be used; these are referred to by the bit length of the hash value they produce (e.g., SHA256 and SHA512). For hash functions used in forensic work, modification of a single bit of input data will produce a radically different hash value as output. This property makes clear one of the core uses for hashing in forensic analysis: verification of the integrity of digital evidence. A hash generated from the original evidence can be compared with a hash of the bit-stream image created from that evidence; matched hashes show that these two items are the same thing. Taking an additional hash after completing examination of a forensic copy shows that the examiner did not alter the source data at any point during analysis. Bear in mind that both MD5 and SHA1 are broken with respect to collision resistance (two different inputs with the same hash can be constructed deliberately), so while they remain adequate for detecting accidental alteration, an examiner who must defend against a deliberately crafted collision should record a SHA256 hash as well.

Other characteristics of hash functions make them suitable for other forensic uses. As a hash is calculated by processing the content of a file, it can be used to find renamed files, or to remove "known good" files from a set of files to be examined. Alternately, the hashes of files of interest can be used to locate those files regardless of file name or other manipulations of metadata. Many programs that implement hashing are available for various
platforms. The simplest of these compute the hash of a single file at a time; they do not recurse through directory trees or generate hash lists for large sets of files.

To solve this problem, Jesse Kornblum has produced the md5deep and hashdeep utilities. md5deep is a suite of hashing utilities designed to recurse through a set of input files or directories and produce hash lists for all of the files found. The output can be formatted to match a number of common hash list formats, and, despite the name, the suite includes tools that implement SHA-1 and other hashing algorithms. hashdeep is a newer utility designed as a multi-hash auditing application. It can be used to generate multiple hashes (e.g., SHA1 and MD5 hashes) for files and can be used to subsequently audit the set of hashed data. After generating a base hash set, hashdeep can report new files, files matching the original set, files that have moved from one location to another, and files that do not appear in the original set.

As stated before, the fact that a change in a single input bit will change many bits in the final hash value is one of the most valuable features of hash functions for purposes of proving integrity. But what if you want to prove that two files are similar but not identical? The standard hashing approach will not help; you will only be able to tell that two files are different and not how different they are. Jesse Kornblum's ssdeep was developed to provide this capability, which Kornblum refers to as "context triggered piecewise hashing" or "fuzzy hashing." In simple terms, fuzzy hashing breaks the input file into chunks, then hashes those chunks, and then uses this to compare the similarity of two files.

For example, take two copies of a text file, lorem1.txt and lorem2.txt, that differ in a single byte. Their conventional hashes bear no resemblance to each other. We can generate fuzzy hashes for both of the files by running ssdeep with no flags:

    user@ubuntu:~/ssdeep-test$ ssdeep *
    ssdeep,1.1--blocksize:hash:hash,filename
    <blocksize>:<hash>:<hash>,"/home/user/ssdeep-test/lorem1.txt"
    <blocksize>:<hash>:<hash>,"/home/user/ssdeep-test/lorem2.txt"

We can identify that both sets of fuzzy hashes match by inspecting them visually, except for the first byte, which is where our modification occurred. Alternately, we can run ssdeep in directory mode by passing the -d flag, which will compare all files in a directory:

    user@ubuntu:~/ssdeep-test$ ssdeep -d *
    /home/user/ssdeep-test/lorem2.txt matches /home/user/ssdeep-test/lorem1.txt (<score>)
,,. •,·--·-'
6.5 Carving

A well-known forensic examiner once said, "when all else fails, we carve." Extraction of meaningful file content from raw, unstructured streams of data is a science and an art unto itself. This discipline has been the subject of multiple presentations at the Digital Forensics Research Workshop over the years, and advancements continue to be made to this day. At its most basic, the process of carving involves searching a data stream for file headers and magic values, determining (or guessing) the file end point, and saving this data into a carved file. Carving is still an open problem and is an area of ongoing active experimentation. Many experimental programs are designed to implement specific new ideas in carving, alongside more utilitarian programs geared toward operational use.

6.5.1 Foremost

Foremost is a file carving program which was originally written by Jesse Kornblum and Kris Kendall at the Air Force Office of Special Investigations and later updated by Nick Mikus of the Naval Postgraduate School. It uses defined footers, headers, and knowledge of the internal structures for supported file types to aid in carving. A complete list of the file types supported natively by Foremost can be found in the program's man page, but suffice it to say it includes the usual suspects: JPEG images, office documents, archive files, and more. Foremost can be installed easily using apt-get on Ubuntu or by retrieving and compiling the source (or supplied binaries) from the Foremost project page at SourceForge: http://foremost.sourceforge.net/. Options that may be particularly important include:
Options that may be part1cul.uly important incl ude:

    -d  turn on indirect block detection (for UNIX file-systems)
    -i  specify input file (default is stdin)
    -a  write all headers, perform no error detection (corrupted files)
    -w  only write the audit file, do not write any detected files to the disk
    -o  set output directory (defaults to output)
    -c  set configuration file to use (defaults to foremost.conf)
    -q  enables quick mode. Searches are performed on 512 byte boundaries.

A basic run of Foremost using the Digital Forensics Research Workshop 2006 carving challenge file as input is shown below. We use the -v flag to increase the verbosity of the output.

    user@ubuntu:~/dfrws$ foremost -v -i dfrws-2006-challenge.raw
    Foremost version 1.5.4 by Jesse Kornblum, Kris Kendall, and Nick Mikus
    Audit File
    Foremost started at Sat Jan  1 21:51:55 2011
    Invocation: foremost -v -i dfrws-2006-challenge.raw
    Output directory: /home/user/dfrws/output
    Configuration file: /usr/local/etc
    Processing: dfrws-2006-challenge.raw
    ------------------------------------------------------------------
    File: dfrws-2006-challenge.raw
    Start: Sat Jan  1 21:51:55 2011
    Length: Unknown

    Num  Name (bs=512)     Size     File Offset   Comment
    0:   00003868.jpg      280 KB   1980416
    1:   00008285.jpg      534 KB   4241920
    2:   00011619.jpg      199 KB   5948928
    3:   00012222.jpg      6 MB     6257664
    4:   00027607.jpg      185 KB   14134784
    5:   00031475.jpg      206 KB   16115200
    6:   00036292.jpg      174 KB   18581504
    7:   00040638.jpg      292 KB   20806656
    8:   00041611.jpg      1 MB     21304832
    9:   00045566.jpg      630 KB   23329792
    10:  00094846.jpg      391 KB   48561152
    11:  00000009.htm      17 KB    4691
    12:  00004456.htm      22 KB    2281535
    13:  00027496.htm      349 KB   14078061
    14:  00028244.htm      50 KB    14460928
    15:  00029529.htm      183 KB   15118957
    16:  00032837.doc      282 KB   16812544
    17:  00045964.doc      71 KB    23533568
    18:  00028439.zip      157 KB   14560768
    19:  00030050.zip      697 KB   15385752
    20:  00045015.zip      274 KB   23047680
    21:  00007982.png      6 KB     4086865       (1408 x 1800)
    22:  00033012.png      69 KB    16902215      (1052 x 360)
    23:  00035391.png      19 KB    18120696      (879 x 499)
    24:  00035431.png      72 KB    18140936      (1140 x 540)

    Finish: Sat Jan  1 21:51:57 2011
    25 FILES EXTRACTED

    jpg:= 11
    htm:= 5
    ole:= 2
    zip:= 3
    png:= 4

Note that the bulk of these extracted files will not be identical to the original items due to the intentional fragmentation of this test image. Simson Garfinkel presented research at the Digital Forensics Research Workshop in 2007 which indicated that the majority of files on any given volume will be contiguous and that most fragmented files are simply split into two fragments, with a single block splitting the halves. The most common scenario for carving in an actual investigation is the attempted retrieval of deleted data for which metadata are no longer present or no longer linked. In these cases, extracting the unallocated space of the volume into a contiguous block using blkls has the potential to remove fragmentation caused by currently allocated blocks.
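The following Python carver is an added example (not Foremost's code and not part of the original text) that shows the two strategies the Foremost description above refers to: a header/footer search for JPEG (FF D8 FF ... FF D9), and structure-aware carving for PNG, where the chunk chain is walked to IEND and the width and height are read from IHDR, which is how a comment such as (1408 x 1800) in the table above is obtained. The input is a constructed stream (sample_stream, assembled here from filler, a minimal JPEG, a minimal PNG and a truncated JPEG header with no footer) and all function names are this example's own.

```python
import struct
import zlib

MAX_FILE = 16 * 1024 * 1024   # give up on a candidate header that never closes


def carve_jpeg(stream, pos):
    """Header/footer carving: FF D8 FF ... FF D9. Returns (blob, comment) or None."""
    end = stream.find(b"\xff\xd9", pos + 3, pos + MAX_FILE)
    if end == -1:
        return None
    return stream[pos:end + 2], ""


def carve_png(stream, pos):
    """Structure-aware carving: walk the chunk chain (length, type, data, CRC) until
    IEND instead of trusting a footer search, and pull width/height from IHDR."""
    off, width, height = pos + 8, None, None
    while True:
        if off + 8 > len(stream) or off - pos > MAX_FILE:
            return None
        length, ctype = struct.unpack_from(">I4s", stream, off)
        data = stream[off + 8:off + 8 + length]
        if len(data) < length:
            return None                           # chunk runs past the end: truncated
        if ctype == b"IHDR":
            width, height = struct.unpack_from(">II", data, 0)
        off += 12 + length                        # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return stream[pos:off], f"({width} x {height})"


CARVERS = [(b"\xff\xd8\xff", "jpg", carve_jpeg), (b"\x89PNG\r\n\x1a\n", "png", carve_png)]


def carve(stream):
    """Scan the stream for every known header and try to carve a file at each hit."""
    found = []
    for header, ext, fn in CARVERS:
        pos = stream.find(header)
        while pos != -1:
            result = fn(stream, pos)
            if result:
                blob, comment = result
                found.append({"ext": ext, "offset": pos, "size": len(blob), "comment": comment})
                pos = stream.find(header, pos + len(blob))
            else:
                pos = stream.find(header, pos + 1)    # false or truncated hit: move on
    return sorted(found, key=lambda f: f["offset"])


def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width, height, idat=b"\0" * 32):
    """Minimal but structurally valid PNG: signature, IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_jpeg(body=b"\0" * 500):
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body + b"\xff\xd9"


def filler(n, seed=0):
    """Deterministic junk that never happens to contain one of our headers or footers."""
    return bytes((seed + i * 37) % 256 for i in range(n))


def sample_stream():
    """Constructed unallocated-space stream: junk, a JPEG, junk, a PNG, junk, and a
    JPEG header whose footer was overwritten (must not be carved)."""
    return (filler(1000) + make_jpeg() + filler(333) + make_png(16, 8) + filler(200)
            + b"\xff\xd8\xff\xe1" + b"\0" * 100)


if __name__ == "__main__":
    for f in carve(sample_stream()):
        print(f"{f['offset']:>8}  {f['size']:>6}  {f['ext']}  {f['comment']}")
```

The truncated JPEG header at the end of the sample is the case a footer-only carver gets wrong in practice: with no footer inside MAX_FILE it is skipped here, whereas a naive carver would either swallow everything to the end of the stream or, with the -a style "write all headers" behavior, emit an unbounded blob that is then mistaken for a file.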

6.6 Forensic Imaging

The goal of a forensic image is to capture as accurate a representation of the source media as possible. This is not unlike the police lines set up at a physical crime scene. These lines are put in place to minimize the amount of change that occurs in a crime scene, which gives crime scene investigators the most accurate data possible. Imagine, then, if the crime scene investigators were able to create an exact copy of the actual crime scene. In the real world, this is madness, but this is exactly what we achieve with a forensic image. A good forensic imaging process creates an exact duplicate (or a qualified exact duplicate) of the source media under investigation. An exact duplicate is a complete byte-for-byte, sector-for-sector copy of the original media. There should be no on-disk information present on the source media that does not appear in the forensic image. An ideal imaging process should not fail to acquire any portion of the original media, nor introduce into the image file any data not present on the source media.

A traditional forensic analyst examining a gun used in a homicide works on the original. Why does a computer forensic examiner not do the same? Examiners generate forensic images for several reasons. The primary reason is to provide an exact copy of the original media to test. The actual weapon is the best evidence for the traditional analyst. In the case of digital evidence, we can make a duplicate of the source media that matches the original in every way. Working with original digital evidence can be very dangerous, because it can be altered or destroyed with relative ease. We minimize our opportunities to alter the original accidentally by only accessing the original media once, to generate our forensic image (ideally through a hardware write blocker). Another benefit of working on an image is that if we make a mistake and somehow end up altering the image file in some way, we can generate a new exact duplicate from the intact original media.

6.6.1 Deleted Data

One of the reasons examiners use forensic imaging is for completeness. Simply examining an active file system as presented by the operating system is not sufficiently thorough for a forensic examination. Most volumes contain reams of potentially interesting data outside of the viewable, allocated files on a mounted file system. This includes several categories of "deleted data":

1. Deleted files are the "most recoverable." Generally, this refers to files that have been "unlinked": the file name entry is no longer presented when a user views a directory, and the file name, metadata structure, and data units are marked as "free." However, the connections between these layers are still intact when forensic techniques are applied to the file system. Recovery consists of reading the relevant file name and metadata structures and then extracting the data units.
2. Orphaned files are similar to deleted files except that the link between the file name and the metadata structure is no longer accurate. In this case, recovery of data (and the metadata structure) is still possible, but there is no direct correlation from the file name to the recovered data.
3. Unallocated files have had their once-allocated file name entry and associated metadata structure unlinked and/or reused. In this case, the only way to recover is by carving the not-yet-reused data units from the unallocated space of the volume.
4. Overwritten files have had one or more of their data units reallocated to another file. Full recovery is no longer possible, but partial recovery may be, depending on the extent of overwriting. Files with file names and/or metadata structures intact that have had some or all data units overwritten are sometimes referred to as Deleted/Overwritten or Deleted/Reallocated.

6.6.2 File Slack

As previously mentioned, the minimum space that can be allocated on a volume is a single block. Assuming a 4K block size on a standard drive with 512-byte sectors, this means that an ASCII text file containing a single byte (the letter "a") will consume eight sectors on the disk. We provided the "a"; where did the other 4095 bytes written to the disk come from? The answer is, as always, it depends. Different file systems and operating systems handle this differently, but generally the process goes:

1. The cluster to be used is marked as "allocated" and assigned to the file's metadata structure.
2. The "a" followed by 511 null bytes (hex 00) is placed in the first sector. Astute readers will note that we did not state how the next seven sectors are written to the disk. That is not an oversight: they are not written to the disk. They retain whatever data were last stored in them during their previous allocation. This is what is known as slack space or file slack. Whether those sectors really retain old content or are zero-filled by the file system driver depends on the file system and operating system, which is why an examiner tests this behavior on the system in question rather than assuming it.

Figure 6.2 demonstrates the generation of file slack using three simplified views of the same eight blocks on a disk. At first, the row consists of new, empty, unallocated blocks. Then File A is created, has eight blocks allocated to it, and those eight blocks are filled with data. File A is then deleted and some time later the first five blocks are reallocated and overwritten with the content from File B. This leaves three blocks containing data from File A unallocated but recoverable.

[Figure 6.2 File slack: three views of the same eight blocks, as described above.]
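Figure 6.2 and the single-byte file above can be replayed in code. The Python below is an added example, not part of the original text; its Volume class and 8-sector clusters are a toy model that behaves as the text describes (the last partial sector zero padded, the remaining sectors of the cluster untouched on write, metadata retained after unlink), not any real file system's implementation, and all names in it are this example's own.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER      # 4 KiB allocation unit


class Volume:
    """Toy volume: a flat array of clusters, a free set, and two tables of
    (clusters, size) metadata: live files and unlinked ("deleted") files whose
    metadata has not yet been reused."""

    def __init__(self, nclusters):
        self.disk = bytearray(nclusters * CLUSTER)   # factory fresh: all zero
        self.free = set(range(nclusters))
        self.files = {}
        self.deleted = {}

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))
        if need > len(self.free):
            raise OSError("volume full")
        clusters = sorted(self.free)[:need]
        self.free.difference_update(clusters)
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            nsect = -(-len(chunk) // SECTOR)
            # The last partial sector is padded with NULs up to the sector boundary
            # (RAM slack); sectors beyond that are not written at all (file slack),
            # so whatever they held before stays on disk.
            padded = chunk + b"\0" * (nsect * SECTOR - len(chunk))
            self.disk[c * CLUSTER:c * CLUSTER + len(padded)] = padded
        self.files[name] = (clusters, len(data))
        self.deleted.pop(name, None)

    def delete(self, name):
        """Unlink: clusters go back to the free set; data and metadata stay put."""
        self.deleted[name] = self.files.pop(name)
        self.free.update(self.deleted[name][0])

    def _clusters(self, clusters):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)

    def read(self, name):
        clusters, size = self.files[name]
        return self._clusters(clusters)[:size]

    def slack(self, name):
        """Bytes of the last cluster that lie beyond the file's logical size."""
        clusters, size = self.files[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def recover_deleted(self, name):
        """Follow the retained metadata to the data units. Returns the bytes and the
        clusters that have since been reallocated (those now hold another file)."""
        clusters, size = self.deleted[name]
        reused = [c for c in clusters if c not in self.free]
        return self._clusters(clusters)[:size], reused

    def unallocated(self):
        """Concatenated free clusters: what blkls hands to a carver."""
        return self._clusters(sorted(self.free))


def figure_6_2_scenario():
    """Replays Figure 6.2 on a 16-cluster volume and adds the single-byte file from
    the text. Returns the values an examiner would check."""
    v = Volume(16)
    v.write("A", b"A" * (8 * CLUSTER))         # File A fills eight blocks
    v.delete("A")
    v.write("B", b"B" * (5 * CLUSTER))         # five of them reallocated to File B
    recovered_a, reused = v.recover_deleted("A")
    v.write("a", b"a")                         # one byte, one cluster, seven untouched sectors
    return {"reused": reused, "recovered_a": recovered_a, "read_a": v.read("a"),
            "slack_a": v.slack("a"), "unallocated": v.unallocated()}


if __name__ == "__main__":
    r = figure_6_2_scenario()
    print("clusters of A overwritten by B:", r["reused"])
    print("slack behind 'a' starts with", r["slack_a"][:4], "then", r["slack_a"][511:515])
```

Two things are visible in the result that the text only states: recover_deleted("A") returns a Deleted/Overwritten file (five clusters of B followed by three clusters of A), and the slack behind the one-byte file is 511 bytes of padding followed by 3584 bytes of File A, content the owner of "a" never wrote and the operating system never shows.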
6.6.3 dd

The dd command is the most basic open-source tool available to create a forensic image. Because it is almost universally present on any Unix-like operating system and is the basis for several other forensic imaging utilities, learning its operation is valuable to any examiner. Put simply, dd copies data from one place to another. The user can provide various arguments and flags to modify this simple behavior, but the basic syntax of the tool is fairly clear. The excerpt from the tool's help given here lists the basic options we should understand:

    Usage: dd [OPERAND]...
      or:  dd OPTION
    Copy a file, converting and formatting according to the operands.

      bs=BYTES        force ibs=BYTES and obs=BYTES
      cbs=BYTES       convert BYTES bytes at a time
      conv=CONVS      convert the file as per the comma separated symbol list
      count=BLOCKS    copy only BLOCKS input blocks
      ibs=BYTES       read BYTES bytes at a time
      if=FILE         read from FILE instead of stdin
      iflag=FLAGS     read as per the comma separated symbol list
      obs=BYTES       write BYTES bytes at a time
      of=FILE         write to FILE instead of stdout
      oflag=FLAGS     write as per the comma separated symbol list
      seek=BLOCKS     skip BLOCKS obs-sized blocks at start of output
      skip=BLOCKS     skip BLOCKS ibs-sized blocks at start of input
~ s
For instance, to make a simple clone from one drive to another we will invoke the tool like this:

    dd if=/dev/sdd of=/dev/sde bs=4096

This reads from the first disk 4096 bytes at a time and writes the content out to the second disk. If we did not provide the block size (bs) argument, dd would default to reading and writing a single 512-byte sector at a time, which is quite slow. Cloning a disk can be interesting but is of less use to an examiner. For the most part, we are interested in creating a forensic image file, a file that contains all of the content present on the source disk. This is also simple to do using the same syntax:

    user@forensics:~$ sudo dd if=/dev/sdg of=dd.img bs=32K
    [sudo] password for user:
    60832+0 records in
    60832+0 records out
    1993342976 bytes (2.0 GB) copied, 873.939 s, 2.3 MB/s

The key items of interest in the console output for the dd command are the "records in" and "records out" lines. First, they match, which is good; this indicates that we did not lose any data due to drive failures, failure to write the output file fully, or any other reason. Second, the "60832+0" records indicate that exactly this many 32K blocks were both read and written. If we had imaged a drive that was not an exact multiple of 32K in size, the "+0" would instead show "+1," indicating that a partial record was read (and written).

Other options of forensic interest present in the base dd command include the conv (convert) option. If imaging a failing or damaged hard drive, the conv=noerror,sync option can be used to ignore read errors, writing blocks of NULL characters in the output file for every block that could not be read. Additionally, in the case of a dying drive, supplying the iflag=direct option (use direct I/O, bypassing the kernel drive cache) and reducing the block size to 512 bytes will ensure that the amount of unrecoverable data is kept to a minimum, since a read error then costs at most one sector rather than one 32K block. Note that conv=sync pads a final partial block up to the full block size, so on a device whose size is not a multiple of bs the image will be slightly larger than the source and its hash will not match the hash of the device; record the device size and the block size in the case notes so the discrepancy can be explained.

6.6.4 dcfldd
While dd can be and has been used to acquire forensically sound images, versions of dd are available that are specifically designed for forensic use. The first of these to be examined is dcfldd, created for the Defense Computer Forensics Laboratory by Nick Harbour. The dcfldd project is forked from GNU dd, so its basic operation is quite similar. Some interesting capabilities that dcfldd has are not found in vanilla dd. Most of the capabilities revolve around hash creation and validation, logging of activity, and splitting the output file into fixed-size chunks. The extended dcfldd functions, as well as the base dd functions, can be reviewed by passing the --help flag to the dcfldd command. Unsurprisingly, performing the same image acquisition that was done with dd using dcfldd is quite similar. In fact, if we did not want to take advantage of the additional features of dcfldd, we could use the exact same arguments as before and would get the same results. In the code section following, we reimage the same device as previously, but at the same time generate a log of the md5 and sha1 hashes of each 512-megabyte chunk of the disk:

    user@forensics:~$ sudo dcfldd bs=32k if=/dev/sdg of=dcfldd.img hashwindow=512M hash=md5,sha1 hashlog=dcfldd.hashlog
    60672 blocks (1896Mb) written.
    60832+0 records in
    60832+0 records out

6.6.5 dc3dd
The last dd variant we will examine is dc3dd, a forensically oriented version created by Jesse Kornblum for the Department of Defense Cyber Crime Center. dc3dd is developed as a patch applied to GNU dd rather than a fork, so dc3dd is able to incorporate changes made in the mainline dd more rapidly than dcfldd. dc3dd has all of the same extended features found in dcfldd and has core dd features currently absent in the latest dcfldd release. We can provide the same arguments to dc3dd that were used previously with dcfldd:

    user@forensics:~$ sudo dc3dd bs=32k if=/dev/sdg of=dc3dd.img hashwindow=512M hash=md5,sha1 hashlog=dc3dd.hashlog
    [sudo] password for user:
    warning: sector size not probed, assuming 512
    dc3dd 6.12.3 started at 2010-09-03 17:34:57 -0700
    command line: dc3dd bs=32k if=/dev/sdg of=dc3dd.img hashwindow=512M hash=md5,sha1 hashlog=dc3dd.hashlog
    compiled options: DEFAULT_BLOCKSIZE=32768
    sector size: 512 (assumed)
    md5 0-536870912: 07c416f8453933c80319c2d89e5533ad
    sha1 0-536870912: a222f5835ed7b7a51baaa57c5f4d4495b1ca1e79
    md5 536870912-1073741824: acac88a20c6d6b364714e6174874e4da
    sha1 536870912-1073741824: 5b69440a15795592e9e158146e4e458ec8c5b319
    md5 1073741824-1610612736: ed9b57705e7ae681181e0f86366b85e6
    sha1 1073741824-1610612736: bc5369977d9a2f788d910b5b01a9a1e97432f928
    md5 1610612736-1993342976: 812c94592ec5628f749b59a1e56cd9ab
    sha1 1610612736-1993342976: bb789315a814159cdf2d2803a73149588b5290ee
    md5 TOTAL: 58e362af9868562864461385ecf58156
    sha1 TOTAL: 8eaba11cb49435df271d8bc020eb2b46d11902fe
    3893248+0 sectors in
    3893248+0 sectors out
    1993342976 bytes (1.9 G) copied (??%), 908.424 s, 2.1 M/s
    dc3dd completed at 2010-09-03 17:50:06 -0700

Note that dc3dd writes the hash log to the console as well as to the file passed in the hashlog= argument. Also, it presents the sector count rather than the block count as a summary upon completion; 3893248 sectors × 512 bytes is the same 1993342976 bytes that dd reported as 60832 records of 32K. Because the drive is not an exact multiple of 512M, the last hash window is shorter and covers only 1610612736-1993342976. When you verify a windowed hash log later, recompute each digest over exactly the byte range the log names, and compare the TOTAL lines against a hash of the whole image file.
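The following is an added Python example, not code from the book and not the source of dd, dcfldd or dc3dd. It images a constructed in-memory "device" the way dd with bs=512 conv=noerror,sync and dcfldd/dc3dd with hashwindow=... hash=md5,sha1 would: fixed-size reads, NUL padding of the one block that fails to read, a digest per hash window plus a TOTAL digest, and dd-style "N+partial" record counts. The device contents, the unreadable block and the 2048-byte hash window are assumptions chosen to keep the run small.

```python
"""dd/dcfldd/dc3dd-style imaging over a constructed in-memory device."""
import hashlib
import io

BS = 512            # block size; bs=512 is the safe choice for a failing drive
HASHWINDOW = 2048   # digest every 2048 bytes (stands in for hashwindow=512M)
ALGOS = ("md5", "sha1")

# Constructed source: ten full 512-byte blocks plus a 100-byte tail, so the
# image ends with a partial record (the "+1" in dd's "N+1 records in").
SOURCE = bytes(range(256)) * 20 + b"TAIL" * 25
BAD_OFFSET = 3 * BS  # the fourth block is "unreadable"


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a dying drive: a read covering BAD_OFFSET
    raises OSError and leaves the file position unchanged."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        pos = self.tell()
        if n > 0 and pos <= self.bad_offset < pos + n:
            raise OSError(5, "Input/output error")
        return super().read(n)


def _new_hashes():
    return {a: hashlib.new(a) for a in ALGOS}


def digest(algo, data):
    """Plain one-shot digest, used to cross-check the windowed log."""
    return hashlib.new(algo, data).hexdigest()


def image(src, dst, bs=BS, hashwindow=HASHWINDOW, noerror_sync=True):
    """Copy src to dst bs bytes at a time (dd bs=... conv=noerror,sync) while
    keeping per-window and total digests (dcfldd/dc3dd hashwindow=...)."""
    if hashwindow % bs:
        raise ValueError("hashwindow must be a multiple of bs")
    total, window = _new_hashes(), _new_hashes()
    windows = []                    # (start, end, {algo: hexdigest})
    window_start = done = 0
    full = partial = bad = 0
    while True:
        pos = src.tell()
        try:
            chunk = src.read(bs)
        except OSError:
            if not noerror_sync:
                raise               # plain dd: abort on the first read error
            bad += 1
            src.seek(pos + bs)      # noerror: skip the bad block and carry on
            chunk = b"\x00" * bs    # sync: pad the output with NULs
        if not chunk:
            break
        if len(chunk) == bs:
            full += 1
        else:
            partial += 1            # short final read -> "+1" record
        dst.write(chunk)
        for h in total.values():
            h.update(chunk)
        for h in window.values():
            h.update(chunk)
        done += len(chunk)
        if done - window_start >= hashwindow:
            windows.append((window_start, done, {a: h.hexdigest() for a, h in window.items()}))
            window, window_start = _new_hashes(), done
    if done > window_start:         # trailing window shorter than hashwindow
        windows.append((window_start, done, {a: h.hexdigest() for a, h in window.items()}))
    return {"records_in": f"{full}+{partial}", "records_out": f"{full}+{partial}",
            "bytes": done, "bad_blocks": bad, "windows": windows,
            "total": {a: h.hexdigest() for a, h in total.items()}}


def hashlog(summary):
    """Render the digests in dc3dd's hashlog layout."""
    lines = []
    for start, end, digests in summary["windows"]:
        for algo, hexdigest in digests.items():
            lines.append(f"{algo} {start}-{end}: {hexdigest}")
    for algo, hexdigest in summary["total"].items():
        lines.append(f"{algo} TOTAL: {hexdigest}")
    return lines


def demo():
    """Image the constructed device; returns (summary, image bytes)."""
    dst = io.BytesIO()
    summary = image(FlakyDevice(SOURCE, BAD_OFFSET), dst)
    return summary, dst.getvalue()


if __name__ == "__main__":
    s, img = demo()
    print("\n".join(hashlog(s)))
    print(f"{s['records_in']} records in\n{s['records_out']} records out")
    print(f"{s['bytes']} bytes copied, {s['bad_blocks']} unreadable block(s) zero-filled")
```

The point to notice when running it is that the image is the same length as the source and every later window still hashes correctly, yet the TOTAL digest differs from a digest of the real source because of the zero-filled block; that is the trade-off conv=noerror,sync makes.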

Summary
This chapter discussed the core concepts of disk and file system analysis. In addition, it explored many of the fundamental concepts of forensic analysis, such as hashing, forensic imaging, and dealing with forensic containers. By using the Sleuth Kit, we have shown how we can exploit a file system for artifacts of forensic interest. The succeeding chapters will build upon this foundation to examine and analyze higher-level artifacts.

Key Terms
• Disk: A disk denotes a physical storage device (e.g., a SCSI or SATA hard drive, or a Secure Digital card from some digital camera).
• Volume: Volumes are created using all or part of one or more disks.
• File System: A file system is laid down on a volume and depicts the layout of files and their associated metadata.
• Data Unit: A data unit is the smallest available freestanding unit for data storage in a given file system.
• Metadata: Metadata is data about data.
• File Name: The file name layer is the one operated on by humans. This layer has file and folder/directory names.

Review Questions
1. Explain file system and types of file system.
2. Explain storage layers and various types.
3. Write short notes on FAT32 and NTFS.
4. Explain forensic analysis of file system.

Data Analysis

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the concept of data analysis.
• Understand the process of data analysis in Windows and UNIX systems.
• Interpret and apply tools for data analysis.
• Distinguish different methods for data analysis.

Digital forensic is an exact science - not the procedures, but the results.

- Edewede Oriwoh

7.1 Preparation Steps for Forensic Analysis

In the data analysis technique, we demonstrate how to find the data on all of the pieces of computer media and integrate them. After integration of all media and data, the data analysis phase takes place. In order to make the data that resides in forensic duplicates and qualified forensic duplicates of hard drives usable, additional planning may be required. The next sections explain how to restore a duplicate image and how to prepare it for the analysis phase on Linux and Windows operating systems.

7.1.1 Restoring a Forensic Duplicate

It can be tricky to restore a forensic duplicate. Hard drive duplication is an important part of the data acquisition process: extracting files directly from a potentially failing medium is dangerous, because the medium can stop working at any time, so the work is done on a restored copy. The destination hard disk must be of equal or greater capacity than the original drive, and it is preferable that it comes from the same manufacturer, so that the operator can transfer data quickly and easily from the original hard disk to the backup hard disk.
The Atola Insight Forensic is the industry's most efficient system for imaging hard disks, SSDs, and USB mass storage media quickly and safely (Fig. 7.1). The maximum imaging speed of the system is [value illegible] MB/s.
Figure 7.1 Imaging hard disk using Atola Insight Forensic.

7.1.2 Preparing a Forensic Duplication for Analysis in Linux

Linux is an ideal environment for analyzing a forensic duplication. The set of patches and tools provided by the NASA Computer Crime Division (NCCD) can also be utilized. A large number of file systems and partition types can be interpreted by Linux. The user may need to enable a number of options and recompile the kernel if he/she wants to take advantage of its capabilities.
Red Hat can be used to perform the analysis. The set of patches and tools provided by NCCD will be required in addition to a complete Red Hat version 8 or 7 installation. They modify the kernel and the loopback mounting code so that the system can recognize the multiple partitions inside a forensic duplicate image. This allows you to mount any partition of the duplicate image read-only without restoring it to another hard disk drive.
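Mounting one partition out of a whole-disk image requires the byte offset at which that partition starts, which is what the partition-aware loopback patches compute for you. As an added example (not from the book, and not the NCCD patches), the Python below reads the classic MBR partition table from the first sector of a raw image, converts each entry's LBA start into a byte offset, and prints the read-only loopback mount command that a stock Linux mount accepts. The MBR it parses is constructed in memory; the image path, mount root and partition layout are assumptions.

```python
"""Locate partitions inside a raw (dd) image from its MBR and build read-only loop mounts."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<BBBBBBBBII")
PART_TYPES = {0x07: "NTFS/exFAT", 0x0b: "FAT32 (CHS)", 0x0c: "FAT32 (LBA)",
              0x83: "Linux", 0x82: "Linux swap", 0x05: "Extended", 0x0f: "Extended (LBA)"}


def make_mbr(partitions):
    """Build a 512-byte MBR from (type, lba_start, sector_count) tuples; CHS fields left zero."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = PART_ENTRY.pack(0x80 if i == 0 else 0, 0, 0, 0,
                                               ptype, 0, 0, 0, start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return one dict per non-empty primary partition entry, with byte offsets."""
    if len(sector) < SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, _, _, ptype, _, _, _, start, count = PART_ENTRY.unpack(sector[off:off + 16])
        if ptype == 0 or count == 0:
            continue          # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "lba_start": start, "sectors": count,
                      "offset": start * SECTOR, "size": count * SECTOR})
    return parts


def mount_commands(image_path, parts, mount_root="/mnt/evidence"):
    """Read-only loopback mount per partition; extended containers hold no file system."""
    cmds = []
    for p in parts:
        if p["type"] in (0x05, 0x0f):
            continue
        cmds.append(f"mount -o ro,loop,offset={p['offset']},sizelimit={p['size']} "
                    f"{image_path} {mount_root}/p{p['index']}")
    return cmds


# Constructed layout: a 100 MiB NTFS partition at sector 2048, then a 200 MiB Linux one.
SAMPLE_MBR = make_mbr([(0x07, 2048, 204800), (0x83, 206848, 409600)])

if __name__ == "__main__":
    with open("evidence.dd", "rb") if False else None or __import__("io").BytesIO(SAMPLE_MBR) as f:
        first_sector = f.read(SECTOR)
    for p in parse_mbr(first_sector):
        print(f"p{p['index']} {p['type_name']:<14} start={p['lba_start']} offset={p['offset']} size={p['size']}")
    print("\n".join(mount_commands("evidence.dd", parse_mbr(first_sector))))
```

sizelimit= keeps the loop device from reading past the partition's end into its neighbour, and ro is what keeps the examination from altering the image; on a real image, replace the in-memory buffer with the first 512 bytes of the file, and remember that GPT disks carry a protective MBR with a single 0xEE entry that this parser will report but cannot interpret.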

7.1.3 Reviewing Image Files with Forensic Suites

It is basically a straightforward process. When a user is working with EnCase or Forensic Toolkit (FTK), there is a set process for creating a new case and populating it with evidence. When a segmented forensic duplicate image is being imported, the user might face various issues. Let us see how to initiate a case in these two environments and import the segmented replica to get ready for examination.

7.1.3.1 Reviewing Forensic Duplicates in EnCase
EnCase is an easy way to restore and analyze dd files, SafeBack files, and also EnCase evidence files, with its strong suite of tools and easy-to-use interface. A new case must be created when acquiring evidence for the first time.
Steps for creating a case in EnCase:
1. Download EnCase
2. Choose File
3. New
4. New Case
5. The "Create New" dialog box will appear
Once a new case is created, files can be added to that case by the user. Figure 7.2 shows adding a new dd image file to your case.

(File menu: New, Open, Save, Save As, Save All, Print, Printer Setup, Add Device..., Add Raw Image..., Exit)

Figure 7.2 Selecting a raw image file to import into EnCase.

As we can see in Fig. 7.3, an "Add Raw Image" dialog box is displayed by EnCase when a user chooses to add a raw image. Here, the user needs to select the dd image files that compose the raw image, in the proper order; the dialog also records the image type, bytes per sector, and the starting sector and byte offsets.
As seen in Figure 7.4, a powerful Windows Explorer-type interface presented by EnCase displays all the contents of the raw image once the dd files are added to the case. From this stage onward, the user can use the EnCase suite of tools to perform almost all the preparation required to analyze the data in an effective and efficient manner.

(Add Raw Image dialog: Name, Image Type, Bytes per Sector (512), Partition Start Byte, Start Sector, Start Byte, Component Files)

Figure 7.3 Selecting the appropriate dd image files.

Figure 7.4 EnCase analysis environment.

7.1.3.2 Reviewing Forensic Duplicates in FTK
1. Now, we look at reviewing forensic duplicates in FTK. Another powerful application in your toolkit is FTK by AccessData. As compared to EnCase, the interface and evidence import process are slightly more complicated; however, when dealing with e-mail store files and complex strings, it can outperform EnCase.
2. How to begin a session: When you start the application, a dialog box appears. Select the "New case" option from it. Figure 7.5 shows the case generation screen.
(AccessData Forensic Toolkit: Wizard for Creating a New Case)

Figure 7.5 FTK case generation menu.

Figure 7.6 FTK "Refine Case - Default" dialog, where evidence items are included or excluded before import.

Now, you need to decide how you would like to view the data from the evidence through the next several steps that appear. The best way to start is to select nearly every option and not exclude any data, in order to get an idea of what the application is capable of. Files may be inadvertently excluded from your examination if the user is not careful and attentive. Figure 7.6 shows the case refining options that are available while a forensic image is being imported.
To import a forensic duplication, FTK will require a large amount of time. FTK's ability to handle complex files (viz., OLE, Outlook, and Exchange files) is currently unparalleled. Figure 7.7 depicts the FTK interface with evidence loaded, sorted, and ready for analysis.

Figure 7.7 FTK analysis environment.

7.1.4 Converting a Qualified Forensic Duplicate to a Forensic Duplicate

What happens if something goes wrong when you have collected a qualified forensic duplicate? You are not completely out of luck. FTK will convert the qualified forensic duplicate created by EnCase or SafeBack into a true bit-for-bit duplicate of the original. The FTK software package also provides an explorer program that allows an investigator to quickly load and examine a duplicate image. This avoids creating a new case file and building string search indices, which is advantageous when the user does not have time to load the complete version of FTK.
Figure 7.8 shows AccessData FTK Explorer. Here, we have loaded an EnCase evidence file using the following steps: File, click on the Open Image command, then right-click on the EnCase evidence item that you want to export. Then, select the item "Export Disk Image".
Figure 7.8 Selecting an evidence file for export.
Enable the option that will create an MD5 of the image (Fig. 7.9). The option to split the image into chunks, that is, into the segmented files the user would get when creating a duplicate image with dd, is also available here. The image will be kept in a single contiguous file if the destination partition is large enough. This process is fast enough: it takes approximately 12 min to convert an 18 GB EnCase image to a true forensic duplicate (Fig. 7.10).

Figure 7.9 Image segment size options (single contiguous file or fixed-size segments).

Figure 7.10 Exporting an EnCase evidence file.

7.1.5 Recovering Deleted Files on Windows Systems

In order to recover as many files or file fragments as possible, there will be occasions when you want to scour through the unallocated space on a restored forensic image. Sometimes, there are cases where intruders or malicious users erased the evidence to cover up their misdeeds or identity, and you want to recover all that data. In this section, we will examine the different ways to obtain the files that, for all intents and purposes, the suspect would believe no longer exist, because the files that are being deleted are often the ones that make or break your investigation.
As we know, deleted files are actually not deleted, but merely marked for deletion. For example, on the FAT file system, when a file or directory is deleted, the first byte of its directory entry (the first letter of its file name) is set to the sigma character (σ), or in hex, 0xE5, and its clusters are released in the file allocation table. The deleted file located on the hard disk will remain intact until a new file or data overwrites it. Special tools can find these "intact" deleted files and recover them for review. Remember, the sooner you attempt to recover a file, the better your chances of success. After a file has been marked for deletion, each hard drive I/O could overwrite the data you want to recover.
1. Using Windows-based tools to recover files on FAT file systems: To recover files on FAT file systems, we recommend the tools EnCase and FTK. Both these tools have the built-in capability to automatically recover any files. We have used the old Norton utilities and MS-DOS undelete utilities; however, their use is rarely necessary since the current forensic tools are so effective. If you are interested, simply find the 0xE5 characters and use a hex editor to rebuild the cluster chain (Dir/FAT/raw clusters) by hand. This is pure joy.
2. Using Linux tools to recover files on FAT file systems: The following capabilities should be provided by an operating system to be of value to a computer forensic examiner:
(a) Supports a wide variety of file systems, including FAT12, FAT16, FAT32, NTFS, HPFS, Macintosh, OS/2, EXT2, EXT3, and UFS.
(b) Recovers file slack and unallocated space. The improved loopback kernel makes it easy to recognize slack and unallocated drive space.
(c) Provides an efficient, effective, and accurate undelete utility.
(d) Delivers keyword search capability and performs all functions in a read-only state on the file system being processed. The NASA kernel also provides the read-only option at setup.
(e) Handles compressed drives (DriveSpace, DblSpace, and DriveSpace 3).
(f) Delivers widespread checking and cataloging of all forensic activities.
(g) Delivers data authentication and reliability.
7.1.6 Recovering Unallocated Space, Free Space, and Slack Space

Once the forensic duplication of the media and the recovery of every possible file are done, there is still data left on the evidence media that you will want to review. The remaining data is stored in slack space, unallocated space, and free space. To understand these terms, we must first review what an allocation unit or cluster is.
The data stored on a hard drive are arranged by the operating system into segments called allocation units or clusters. For example, an operating system that uses 32k clusters reads and writes from the hard drive 32k at a time; it allocates space to a file in whole clusters, so no file can occupy less than 32k on the hard drive. There are very few files that have exactly the amount of data to occupy an entire cluster or set of clusters. Therefore, when an operating system that writes 32k clusters to a hard drive is asked to save a 20k Microsoft Word document, there is 12k of unused space called file slack. In our example, there may be remnants of previous files in this 12k of file slack.
7.1.6.1 Slack and Its Types

(Figure 7.11: 4,096 bytes per allocation unit, 512 bytes per sector. Writing a 5,167-byte file fills two allocation units: 5,167 bytes active file, 465 bytes RAM slack to the end of the last sector written, and 2,560 bytes file slack in the five unused sectors of the second allocation unit.)

Figure 7.11 Illustration of slack space.

Most people refer to two different types of slack space: file slack and RAM slack. Figure 7.11 helps elucidate what we mean by these terms. The figure demonstrates how an operating system using 4k clusters would store a file that is 5,167 bytes in size.
1. File slack: Everyone is aware that the file size varies, and that is fine. What many people are not aware of is that a cluster is nothing but a place to store files: the file system uses fixed-sized containers, or blocks of sectors, which the Microsoft operating system uses to assign disk storage space. The unused sectors at the end of the last cluster, after the final sector the file occupies, are the file slack.
Cluster and sector: Operating systems arrange all data stored on a hard drive into segments called allocation units or clusters.
Example: A 5,000-byte file takes up 10 sectors; however, the operating system will allocate the file 2 clusters (16 sectors, 2 × 8 sectors), as it does not fit into 1 cluster. Two clusters are 8 kB (2 × 4 kB). A 2,500-byte file will fit into 5 sectors; however, the operating system will allocate the file 1 full cluster (8 sectors), which is 4 kB. A file which is 10,000 bytes will be allocated 12 kB, that is, 3 clusters.
2. RAM slack: RAM slack is the data between the end of a logical file and the end of its last sector (NOT the cluster). A sector holds 512 bytes on a standard hard drive; if the file takes up 400 bytes in the last logical sector, the remaining 112 bytes will be RAM slack. RAM slack contains a small portion of random data whose source is whatever contents of RAM were chosen to fill the sector. Ordinarily, it is a tiny fragment of an executable file in memory. File slack, by contrast, contains data from previously deleted files or from the factory conditioning of the hard drive.
Note: RAM slack does not exist on modern versions of Microsoft Windows, which have padded the remainder of the last sector with zeros for many years.
Example: With 512-byte sectors on an NTFS drive and 8 sectors per cluster, the size of a cluster is 4,096 bytes. This means that if the file is 5,100 bytes long, there are 3,092 bytes of slack; this is broken down into 20 bytes of RAM slack and 3,072 bytes of file slack (or 6 sectors).
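The two previous sections, 7.1.5 (the 0xE5 deletion marker in FAT directory entries) and 7.1.6 (RAM slack and file slack), share one piece of arithmetic: where a file's bytes end relative to its sectors and clusters. The Python below is an added example, not the book's code and not an extract from EnCase, FTK or any undelete utility. It parses 8.3 FAT directory entries from a constructed directory region, finds the entries whose first byte is 0xE5, carves each deleted file from a constructed data area on the assumption that its clusters are still contiguous and unoverwritten (the FAT chain is gone once the file is deleted, so this is the same guess a hex-editor rebuild makes), and reproduces the slack figures quoted above for any file size. Cluster geometry, directory contents and data are all constructed.

```python
"""FAT deleted-entry recovery and slack arithmetic over constructed on-disk structures."""
import struct

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER      # 4,096 bytes, as in the NTFS example above
DELETED = 0xE5
ATTR_LFN = 0x0F
ATTR_DIRECTORY = 0x10
# 8.3 directory entry: name, ext, attr, NT reserved, create tenths, create time/date,
# last access date, first cluster (high word), write time/date, first cluster (low), size
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")


def make_entry(name, ext, first_cluster, size, deleted=False, attr=0x20):
    """Build one 32-byte entry; a deleted entry gets its first byte replaced by 0xE5."""
    raw = DIR_ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                         0, 0, 0, 0, 0, first_cluster >> 16, 0, 0,
                         first_cluster & 0xFFFF, size)
    return bytes([DELETED]) + raw[1:] if deleted else raw


def parse_directory(region):
    """Yield one dict per 8.3 entry; stops at the 0x00 end marker, skips long-name pieces."""
    for off in range(0, len(region), 32):
        raw = region[off:off + 32]
        if len(raw) < 32 or raw[0] == 0x00:
            break
        name, ext, attr, _, _, _, _, _, hi, _, _, lo, size = DIR_ENTRY.unpack(raw)
        if attr == ATTR_LFN:
            continue
        first = "?" if raw[0] == DELETED else chr(raw[0])   # first letter is lost on delete
        yield {"deleted": raw[0] == DELETED,
               "name": (first + name[1:].decode("ascii", "replace")).rstrip(),
               "ext": ext.decode("ascii", "replace").rstrip(),
               "directory": bool(attr & ATTR_DIRECTORY),
               "first_cluster": (hi << 16) | lo, "size": size}


def recover_deleted(region, data_area):
    """Carve every deleted regular file by reading `size` bytes from its first cluster.
    FAT data clusters are numbered from 2, so cluster 2 is offset 0 of the data area."""
    out = {}
    for e in parse_directory(region):
        if not e["deleted"] or e["directory"] or e["size"] == 0:
            continue
        start = (e["first_cluster"] - 2) * CLUSTER
        out[f"{e['name']}.{e['ext']}"] = data_area[start:start + e["size"]]
    return out


def slack_breakdown(size, cluster=CLUSTER, sector=SECTOR):
    """Return (ram_slack, file_slack, total_slack) in bytes for a file of `size` bytes."""
    allocated = -(-size // cluster) * cluster     # whole clusters, rounded up
    ram_slack = (-size) % sector                  # end of data to end of its sector
    total_slack = allocated - size
    return ram_slack, total_slack - ram_slack, total_slack


# Constructed sample: a live file in cluster 2 and a deleted file in clusters 3-4.
LIVE = b"still allocated\n" * 10
GONE = b"secret memo: wipe the server\n" * 200    # 5,800 bytes, spans two clusters
DATA_AREA = LIVE.ljust(CLUSTER, b"\x00") + GONE.ljust(2 * CLUSTER, b"\xA5")
DIRECTORY = (make_entry("README", "TXT", 2, len(LIVE)) +
             make_entry("MEMO", "DOC", 3, len(GONE), deleted=True) +
             bytes(32))                            # end-of-directory marker

if __name__ == "__main__":
    for e in parse_directory(DIRECTORY):
        print(e)
    for fname, data in recover_deleted(DIRECTORY, DATA_AREA).items():
        print(fname, len(data), "bytes recovered, slack:", slack_breakdown(len(data)))
    print("5,167-byte file:", slack_breakdown(5167), "5,100-byte file:", slack_breakdown(5100))
```

The contiguous-cluster assumption is the weak point: if the deleted file was fragmented, the carve returns the right length but the wrong bytes after the first cluster run, which is why the recovered content should always be sanity-checked against its expected format.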

7.1.7 Generating File Lists

One of the most critical yet overlooked steps in analyzing the contents of a hard drive is to create an informative file listing. The listing should include the following information:
1. Full path of each file found on the evidence media.
2. Last written and modified time/date stamps for each file.
3. Creation time/date stamps, if they exist (traditional UNIX file systems such as ext2/ext3 do not maintain a creation time/date stamp; ext4 and XFS record a birth time, which recent Linux kernels expose through statx()).
4. Last access time/date stamps.
5. Logical size of each file.
6. An MD5 hash of each file.
An alternative way that helps reduce the workload of the investigative step is to compare the MD5 hashes of known-good files with all the files on the evidence media. It is not uncommon to eliminate more than 50% of the files on a Windows system from your analysis, because the files have a known-good purpose. For example, there may be application files or operating system files that would probably not contribute to your case. Similarly, it is not uncommon to use the MD5 hashes of "known-bad" files in an effort to quickly locate files that are indicators of malicious intent. Note that a known-good hash set only excludes files whose content matches exactly; an operating system file that has been patched or trojaned hashes differently and stays in the review set, which is exactly what you want.

7.1.7.1 Listing File Metadata

For rapid time/date stamp correlation, we have populated a database and developed in-house scripts that take directory output (Windows) or ls -al output (UNIX). When you simply perform live response and do not take a forensic duplicate, these in-house tools are especially helpful. However, to assist you in listing the file data, we recommend you use the EnCase environment or FTK.
As per our observation, during most cases we need to order every file involved in the case by time/date stamps. Figure 7.12 illustrates how easy it is to display file data when using the EnCase interface.

Figure 7.12 Reviewing time/date stamps in EnCase.


In Figure 7.12, we order every file in the case in ascending order by file creation time. To view the three time/date stamps in adjacent columns, we have also adjusted the columns in the file table that EnCase presents.
For additional analysis and reporting, EnCase has made it very easy to export file data to delimited text files that you can import into an application such as Microsoft Excel. The fields that you can select to include in the export file are shown in Figure 7.13. You can also use Danny Mares' CATALOG to create a file list if you do not have EnCase or FTK. The following command line works on a single partition drive (-p) and recursively catalogs the files located on the mount point /mnt/harddrive, creating an output file called filelisting.txt:

    [root@localhost Mares]# ./CATALOG -p /mnt/harddrive -o filelisting.txt 2>/dev/null
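For an examiner without EnCase, FTK or CATALOG, the listing described in 7.1.7 and the time-stamp ordering of 7.1.7.1 can be produced with a short script over a read-only mount. The Python below is an added example, not the book's in-house script and not CATALOG: it walks a tree, records path, size, modified/created/accessed times and MD5 for every regular file, drops known-good hashes, flags known-bad ones, and sorts what remains by time stamp. The directory tree and both hash sets are constructed by the script itself (they are not NSRL or vendor hash sets), and the file names in it are assumptions.

```python
"""File listing with MD5, known-good/known-bad triage, and time-stamp ordering."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _iso(seconds):
    return datetime.fromtimestamp(seconds, timezone.utc).isoformat(timespec="seconds")


def list_files(root):
    """One record per regular file under root, in a stable (sorted) walk order."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # lstat: never follow symlinks on evidence
            if not stat.S_ISREG(st.st_mode):
                continue
            # Birth time is only exposed on some platforms (macOS, BSD, Windows);
            # Linux needs statx(), so here it may legitimately be absent.
            birth = getattr(st, "st_birthtime", None)
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "created": _iso(birth) if birth is not None else None,
                "accessed": _iso(st.st_atime),
                "md5": md5_file(path),
            })
    return records


def triage(records, known_good, known_bad):
    """Return (known-bad hits, files left to review); known-good files are dropped."""
    flagged = [r for r in records if r["md5"] in known_bad]
    review = [r for r in records if r["md5"] not in known_good and r["md5"] not in known_bad]
    return flagged, review


def by_time(records, key="modified"):
    """Order the listing by a time-stamp column, as the EnCase table in Fig. 7.12 does."""
    return sorted(records, key=lambda r: (r[key] or "", r["path"]))


def build_sample_tree():
    """Constructed evidence tree: two OS-like files, one user document, one attacker tool.
    Returns (root, known_good_hashes, known_bad_hashes)."""
    files = {
        "Windows/System32/kernel32.dll": b"MZ" + b"K" * 2000,
        "Windows/System32/ntdll.dll": b"MZ" + b"N" * 3000,
        "Documents/plans.doc": b"meeting notes about the merger\n",
        "Temp/nc.exe": b"MZ" + b"netcat-ish" * 50,
    }
    root = tempfile.mkdtemp(prefix="evidence_")
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    known_good = {hashlib.md5(files[p]).hexdigest()
                  for p in ("Windows/System32/kernel32.dll", "Windows/System32/ntdll.dll")}
    known_bad = {hashlib.md5(files["Temp/nc.exe"]).hexdigest()}
    return root, known_good, known_bad


if __name__ == "__main__":
    root, good, bad = build_sample_tree()
    listing = list_files(root)
    hits, todo = triage(listing, good, bad)
    for r in by_time(listing):
        print(f"{r['modified']}  {r['size']:>8}  {r['md5']}  {r['path']}")
    print("known-bad:", [r["path"] for r in hits], "to review:", [r["path"] for r in todo])
```

Run it against a mount made with the ro option: merely walking a read-write mount updates access times and destroys the very column you are trying to record.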

Figure 7.13 Selecting fields to be exported with the file lists.

7.1.8 Preparing a Drive for String Searches

When you perform computer forensics on a hard drive, there are many different challenges. Perhaps the most common challenge is that there is simply too much data to review on every hard drive, especially as the storage capacity of a drive now commonly far exceeds 100 GB. Therefore, it is critical to reduce the amount of data that needs to be reviewed during analysis. Reviewing the enormous amount of unallocated space or slack space is another challenge to be faced. We hope you will follow our guidance and perform string searches by minimizing the data you need to sift through. You have to overcome the following challenges in order to properly string search media:
1. Proprietary file formats add extra difficulty when trying to carry out string searches on the contents of a hard drive. Files such as Outlook's ".pst" and ".ost", Outlook Express's ".dbx", the Windows Registry files, the Windows event log files, the browser history files, and numerous other files all need special tools for correct forensic examination.
2. Numerous compressed file formats render traditional string searching ineffective. Compressed files (.tgz, .rar, .jar, .z, .gz, .zip, .arj, .lzh, packed files, and archives) all foil traditional string searching utilities, because the bytes on disk do not contain the plaintext being searched for.
3. Encrypted files or password-protected files cannot be searched. Therefore, before you can conduct an effective, complete string search, you need to:
(a) Identify all compressed files and decompress them.
(b) Identify all encrypted files and decrypt them, where a key or password is available.
(c) Identify all compressed files in e-mail attachments.

7.2 Investigating Windows Systems

Once you have set up your forensic workstation with proper tools and recorded the low-level partition data from the target image, you are now set to conduct your investigation. For a formal examination of a target system, the following investigative steps are required:
1. Review all pertinent logs.
2. Perform keyword searches.
3. Review relevant files.
4. Identify unauthorized user accounts or groups.
5. Identify rogue processes and services.
6. Look for unusual or hidden files/directories.
7. Check for illegal entry points.
8. Inspect jobs run by the Scheduler service.
9. Analyze trust relationships.
10. Review security identifiers.
These steps are not listed chronologically or in order of importance. You may need to perform each of these steps or just a few of them. Your approach depends on your response plan and the circumstances of the incident.

Where Does Evidence Reside on Windows Systems?

It is important to know where you plan to look for evidence before you dive into forensic analysis. The location will depend on the specific case, but in general evidence can be found in the following areas:
1. Volatile data in kernel structures
2. Slack space, where you can obtain information from previously deleted files that are otherwise unrecoverable
3. Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters
4. The logical file system
5. The event logs
6. The registry, which you should think of as an enormous log file
7. Application logs not managed by the Windows Event Log Service
8. The printer spool
9. Sent or received e-mail, such as the .pst files for Outlook mail

7.2.1 Reviewing All Pertinent Logs

The system log, application log, and security log are the three files that the Windows NT, 2000, and XP operating systems maintain. You will be able to obtain the following information by reviewing these logs:
1. Determine which users have been accessing specific files
2. Determine who has been successfully logging on to a system
3. Determine who has been trying unsuccessfully to log on to a system
4. Track usage of specific applications
5. Track alterations to the audit policy
6. Track changes to user permissions (such as increased access)
The System log records system processes and device driver activities. System events that Windows audits include device drivers that fail to start properly; hardware failures; duplicate IP addresses; and the starting, pausing, and stopping of services. The Application log is populated by activities related to user programs and commercial off-the-shelf applications. Application events that are audited by Windows include any errors or information that an application wants to report. The number of failed logons, the amount of disk usage, and other important metrics can also be included in the Application log. In the Security log, we find system auditing and the security processes used by Windows. Security events audited by Windows include changes in user privileges, changes in the audit policy, file and directory access, printer activity, and system logons and logoffs.
The Security log can be read by administrators only, but the System and Application logs can be viewed by any user. During an incident response, the Security log is usually the most useful log. Note that the Security log only contains what the audit policy told Windows to record: if logon or object-access auditing was never enabled, the evidence you are looking for was never written. An investigator must be comfortable with viewing and filtering the output of these logs to recognize the evidence that they contain.

7.2.2 Performing Keyword Searches

It is important to perform string searches of the subject's hard drive during investigations into possession of intellectual property or proprietary information, sex offenses, and practically any case involving text-based communication. Many different keywords can be critical to an investigation, including user IDs, passwords, sensitive data (code words), known filenames, and subject-specific words (e.g., marijuana, Mary Jane, bong, and dope). String searches can be conducted on the logical file structure or at the physical level; a physical-level search examines the contents of the entire drive, including slack and unallocated space. Remember that Windows stores much of its text (Registry values, NTFS file names, many documents) as UTF-16LE, so each keyword should be searched in that encoding as well as in plain ASCII.
Many keyword search utilities provide a "window" of information around the keyword or phrase. This allows the reviewer to determine its applicability to the investigation. However, on specialized cases involving privileged data, this window can present serious legal issues if the defense believes it leads to an excessive review of data. In such scenarios, plan your keyword searches carefully to minimize exposure while balancing the requirement for discovery of data relevant to your investigation.
Forensic software performs raw reads from the hard drive, conducting a physical-level string search of the drive. With most disk search tools on the market you cannot physically read a drive that is running a Windows operating system; such tools require that you boot the target system from a controlled boot floppy or other media (they cannot be run from active hard drives) and run the tool from there. A commonly used disk search utility is dtSearch, offered by dtSearch Corp., which performs the search at the physical level. EnCase has a string search capability that can be run against the evidence image file that it creates.

7.2.3 Reviewing Relevant Files

It can be a cumbersome yet exciting task to determine which files harbor evidence of an attack or misuse on Windows systems. There is usually trace evidence somewhere on the system that helps to confirm or dispel your suspicions; the hard part may be finding it. Windows contains temp files, cache files, countless other locations where runtime data is stored, a Registry that keeps track of recently used files, and a Recycle Bin that maintains deleted files.
If possible, it is important to recognize files by their true file headers as well as by their extensions. At a minimum, you need to know what .doc, .tmp, .log, .txt, .wpd, .gif, .exe, and .jpg files are. EnCase does not cover everything, although it provides viewing capability for many types of files. You may also need a separate file viewer, such as Quickview Plus (by JASC Software), for the file types that EnCase cannot display. Changing the name of a file does not "trick" these viewers, because Quickview and EnCase identify the file type from its header and ignore the extension.
Popular hardware and personal firewalls increase the monitoring and record keeping that a Windows system performs. Third-party firewall software provides fantastic audit trails for investigators to review incoming and outgoing network activity on a system, and many personal firewall applications record an audit trail entry for every known attack against the system. This certainly makes reconstructing events easier.

7.2.4 Identifying Unauthorized User Accounts or Groups

Creating rogue accounts on a system, or elevating the privileges of existing ones, is a common ploy by evildoers: it gives them an unauthorized level of access to data that they should not be able to reach.
User accounts and user groups on a live system can be audited in several ways:
1. For unauthorized user accounts, look in the User Manager (during a live system response).
2. To view all domain accounts on a domain controller and look for suspicious entries, use usrstat from the NTRK (Windows NT Resource Kit).
3. Examine the Security log using Event Viewer, filtering for event ID 624 (addition of a new account), 626 (user account enabled), 636 (change to an account's group membership), and 642 (user account changed).
4. Check the %systemroot%\Profiles directories on the system. If the user account exists, but there is no corresponding %systemroot%\Profiles\<user account> directory, the user account has not been used to log in to the system yet. If that directory does exist, but the user account is no longer listed in the User Manager or the Registry (at HKLM\SAM\Domains\Account\Users\Names), the user ID did exist at one time but no longer exists.
On Windows Vista and later the same events are recorded under IDs 4720, 4722, 4732, and 4738 (each old ID plus 4096), and user profiles live under \Users rather than %systemroot%\Profiles (Windows 2000/XP use \Documents and Settings), so adjust the filter and the path to the version of Windows in front of you.

7.2.5 Identifying Rogue Processes

When reviewing a live system, identifying rogue processes is much simpler. Most rogue processes listen for network connections or sniff the network for clear-text user IDs and passwords; these processes become easier to find when they are executing. PsList lists the name of each running process, ListDLLs provides the full command line arguments for each running process, and Fport shows which processes are listening on which ports.
But on a cold system, how can you find rogue processes? The easiest solution is to run the most up-to-date virus scanner on the whole logical volume of evidence. When you choose to run a virus-checking utility against the file system of the restored image, make sure that the volume is mounted read-only; you would not want the tool to start moving and deleting files without your knowledge. PestPatrol is an excellent tool that identifies Trojans, backdoors, keystroke loggers, and other "malware".

7.2.6 Looking for Unusual or Hidden Files

There are few differences between bad guys who want to hide something and computer criminals. Once an attacker gains unlawful access to a Windows system, he/she needs to hide files for later use. An insider may choose to make a few files "invisible" once he/she decides to perform unauthorized or unacceptable deeds on his system. To hide data behind legitimate files, both of these attackers can take advantage of NTFS file streams. Unfortunately, how to stream files is common knowledge to the computer savvy.
NTFS contains a feature originally developed for the Macintosh Hierarchical File System (HFS): the ability to store multiple instances of file data under one file entry. Because Windows Explorer does not indicate the presence of the additional streams, such multiple data streams may be used to hide data. On a live system, dir /r (Windows Vista and later), the Sysinternals streams utility, or PowerShell's Get-Item -Stream * will enumerate alternate data streams; on an image, most forensic suites list each stream as a separate entry beneath its host file, so check there rather than trusting Explorer's view.
7.2.7 Checking for Unauthorized Access Points

Windows NT does not allow remote command-line-level access across a network without the use of external utilities; this is one of the biggest differences between Windows NT and UNIX systems. This changed dramatically with Windows 2000, which comes with a Telnet Server for remote command administration.
Remote access that allows some degree of control to unwanted intruders could be provided by any network service. Such services could be provided by Trojans, in addition to built-in and third-party applications. These services include:
1. Terminal Server
2. SQL/Oracle
3. Third-party telnet daemons on Windows NT
4. Windows 2000 Telnet Server
5. Third-party FTP daemons
6. Web servers (such as Apache and IIS)
7. Virtual Network Computing (TCP port 5800) and pcAnywhere (TCP port 5631)
8. Remote access services (PPP and PPTP)
9. X servers
When responding to victim systems, you must identify the access points to the system to determine how access was obtained. For identifying the access points to a system, tools such as netstat and Fport are critical. They use API calls to read the contents of the kernel and user space TCP and UDP connection tables. If you intend to capture this information from the evidence, you need to allow the restored image to boot. If you performed this step during the live system review, before the system was shut down for imaging, compare the results of the two operations. Discrepancies may be indicative of an unauthorized daemon.

7.2.8 Examining Jobs Run by the Scheduler Service

A common trick by attackers is to have a scheduled event start backdoor programs for them and also change the audit policy, or perhaps even something more threatening, such as a scheduled wiping of files.
Consider the following batch file running the NTRK tool remote on an NT system:
remote /s "cmd.exe" batman5
If this command line were run at a specific time, someone could connect to the system using the following command line:
remote /c <hostname> batman5
The <hostname> is the NetBIOS name of the remote system and batman5 is the key phrase used to connect. That person can now execute any commands desired using the at or soon utility. Malicious scheduled jobs are typically scheduled with at. The at command, with no command line arguments, will show any jobs that have been scheduled. On Windows XP and later, jobs created through the Task Scheduler interface do not appear in the at listing, so also run schtasks /query (or inspect the %systemroot%\Tasks folder on the image).

7.2.9 Analyzing Trust Relationships

Trust relationships among domains can increase the scope of a compromise, should a valid user ID and password be stolen by an attacker. Access to one machine may mean total access to many others, so trust relationships raise the severity of a compromise. Determining trust within a UNIX environment is simple compared to determining trust within a Windows domain, which is difficult. Windows NT supports one-way, non-transitive trust. This means that access and services are provided in one direction only: if your NT PDC trusts another domain, that domain does not need to trust your PDC. Therefore, users on the trusted domain can use services on your domain, but not vice versa. Windows 2000 can provide a two-way, transitive trust relationship. To communicate properly, domains located within an Active Directory forest require two-way trusts. For example, in Windows 2000 Active Directory Services, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. This relationship is illustrated in Figure 7.14.

Figure 7.14 Windows 2000 trust relationships: Domain A has an explicit trust with Domain B, Domain B has an explicit trust with Domain C, and Domain A therefore has an implicit (transitive) trust with Domain C.

7.2.10 Reviewing Security Identifiers

You may need to compare security identifiers (SIDs) found on the victim machine with those at the central authentication authority to establish the actions of a specific user ID. Here, we see how SIDs can contribute to incident response.
A SID is used to identify a user or a group uniquely. Each system has its own identifier, and each user has its own identifier on that system. To make the SID, the computer identifier and the user identifier are combined. Thus, SIDs can uniquely identify user accounts. SIDs do not apply to share security.
For example, the following is a SID that belongs to the Administrator account:
S-1-5-21-917267712-1342860078-1792151419-500
The S denotes the series of digits as a SID. The 1 is the revision level, the 5 is the identifier authority value, and 21-917267712-1342860078-1792151419 comprises the subauthority values. The 500 is the relative identifier (RID). Because the RID 500 is assigned to the built-in Administrator account when the system is installed, it identifies that account even after it has been renamed; likewise, 501 is always the built-in Guest account.
Access to shares is accomplished with usernames and passwords. However, SIDs do apply when remote access to a domain is provided. After the first successful logon to a server, a SID with the server's unique sequence of numbers is placed in the Registry of the workstation. Therefore, SIDs can be the digital fingerprints that prove that a remote system was used to log on to a machine and access a domain.
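The SID arithmetic described above, as an added example that is not part of the book: parse_sid() splits a SID string into its revision, identifier authority, subauthorities, and RID, describe() classifies it, and same_issuer()/group_by_issuer() tell whether SIDs found on a workstation were issued by the same machine or domain (identical authority and subauthorities, only the RID differing), which is how a cached SID is tied back to the server or domain it came from. The Administrator SID is the one quoted above; the other SIDs and the "found in Registry" list are constructed, and the well-known RID table uses Microsoft's documented values.

```python
"""Decompose and compare Windows security identifiers (SIDs)."""
import re
from typing import NamedTuple, Tuple


class SID(NamedTuple):
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]
    rid: int

    @property
    def issuer(self):
        """Everything except the RID: identifies the issuing machine or domain."""
        return (self.authority,) + self.subauthorities


# RIDs fixed at installation; they identify the account even after a rename.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(text: str) -> SID:
    """'S-1-5-21-a-b-c-500' -> SID(1, 5, (21, a, b, c), 500)."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    *subs, rid = (int(x) for x in m.group(3).split("-")[1:])
    return SID(revision, authority, tuple(subs), rid)


def describe(sid: SID):
    """(kind, well-known account name or '') for a report line."""
    if sid.authority == 5 and sid.subauthorities[:1] == (21,):
        return "domain/machine account", WELL_KNOWN_RIDS.get(sid.rid, "")
    if sid.authority == 5:
        return "NT AUTHORITY well-known", ""
    return f"authority {sid.authority}", ""


def same_issuer(a: SID, b: SID) -> bool:
    return a.issuer == b.issuer


def group_by_issuer(sid_strings):
    """issuer tuple -> sorted RIDs. Separates the workstation's own SIDs from
    those cached after logging on to other servers or domains."""
    groups = {}
    for s in sid_strings:
        sid = parse_sid(s)
        groups.setdefault(sid.issuer, []).append(sid.rid)
    return {k: sorted(v) for k, v in groups.items()}


ADMIN_SID = "S-1-5-21-917267712-1342860078-1792151419-500"  # from the text
FOUND_IN_REGISTRY = [                                         # constructed sample
    ADMIN_SID,
    "S-1-5-21-917267712-1342860078-1792151419-1104",          # same domain, ordinary user
    "S-1-5-21-111111111-222222222-333333333-500",             # a different domain's Administrator
    "S-1-5-18",                                               # LocalSystem, not a domain SID
]

if __name__ == "__main__":
    for s in FOUND_IN_REGISTRY:
        sid = parse_sid(s)
        print(s, describe(sid), "same issuer as Administrator:", same_issuer(sid, parse_sid(ADMIN_SID)))
    for issuer, rids in group_by_issuer(FOUND_IN_REGISTRY).items():
        print("issuer", issuer, "-> RIDs", rids)
```

Two SIDs with the same issuer but different RIDs come from one domain or machine; a SID whose issuer matches no local account is the fingerprint of a logon to another system.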

7.3 Investigating UNIX Systems

UNIX is powerful, flexible, and extremely functional. It has become common for users and forensic investigators alike to have to investigate a compromised UNIX system and respond to a computer security incident on it, although UNIX does not have a strong reputation for dependable security. UNIX does offer some effective safety features, such as logins and user accounts, access control with a granularity of owner, group, and world, and accounting files such as /etc/passwd, /usr/adm/lastlog, /var/adm/utmp, /var/adm/wtmp, and /var/adm/acct. Nevertheless, UNIX systems directly connected to the Internet are often subject to hacking attempts.

Some of the methods for UNIX investigation are:
1. Studying relevant logs
2. Carrying out keyword searches
3. Going through relevant files
4. Recognizing illegal user accounts or groups
5. Classifying rogue processes
6. Checking for illegal access points
7. Examining trust relationships
8. Noticing Trojan loadable kernel modules
These steps are not listed in order of importance or chronologically. There is no need to take all of the steps for every incident; your approach depends on the specific incident and the goals of your response. As you conduct your investigation, be aware that in the event of root compromise, anything can happen. An attacker with root access to a system can modify just about anything on the operating system, including the evidence that you are reviewing.

7.3.1 Reviewing Pertinent Logs

During incident response, UNIX operating systems offer a variety of log files that can yield important clues. Not only are system activities, such as logons, startups, and shutdowns, logged, but also events associated with UNIX network services. Most log files are located in a common directory, usually /var/log. However, some flavors of UNIX use an alternate directory, such as /usr/adm or /var/adm. Some logs are placed in non-intuitive locations, such as /etc. When in doubt, consult the operating system-specific documentation. Not all log files are necessarily on the system in question: you may find pertinent logs on a network server or on a security device such as a firewall or IDS.

7.3.2 Performing Keyword Searches

Ranging from e-mail harassment to remote network compromise cases, keyword searches are a critical part of almost every incident response investigation. The keywords can be a wide range of ASCII strings, including an attacker's backdoor password, a username, a MAC address, or an IP address. Keyword searches can be performed on the logical file structure or at the physical level, examining the contents of an entire drive. Here, we focus on how to perform string searches using UNIX utilities.

7.3.2.1 String Searches with Grep

The grep command is a powerful and flexible tool, used primarily for string searches. To perform a string search within a file, use the grep command as follows:
[root@lucky]# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
Notice that the line in the passwd file containing the string root appears as output. The passwd file is a text file.
Now, let us try grep on a binary file:
[root@lucky]# grep PROMISC /sbin/ifconfig
Binary file /sbin/ifconfig matches
This time, the string does not appear. Instead, you see a notification that a binary file has a matching entry. If you want to see the match, use the -a option, which makes grep treat binary files as text:
[root@lucky]# grep -a PROMISC /sbin/ifconfig
[NO FLAGS] UP BROADCAST DEBUG LOOPBACK POINTOPOINT NOTRAILERS RUNNING NOARP PROMISC ALLMULTI SLAVE MASTER MULTICAST DYNAMIC
To search a whole device or image rather than a file, run the same command against the raw block device or image file (for example, grep -a -i keyword /dev/sdb1), or use strings -a -t x image | grep -i keyword, which also reports the byte offset of each hit; both examine slack and unallocated space as well as live files.
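A physical-level keyword search of the kind described in 7.2.2 and 7.3.2, as an added example (not code from the book): search_image() scans the raw bytes of an image for each keyword in both ASCII and UTF-16LE form, case-insensitively, and returns the byte offset plus a printable context "window" around every hit, the way the disk search utilities above do. It goes slightly beyond the text by handling the UTF-16LE encoding that Windows uses for Registry values and NTFS names. The image is constructed: a passwd fragment, slack from a deleted file, and a Windows-style UTF-16LE string.

```python
"""Physical-level keyword search with a context window, over raw image bytes."""
import re
from dataclasses import dataclass
from typing import Iterable, List

ENCODINGS = ("ascii", "utf-16le")


@dataclass(frozen=True)
class Hit:
    keyword: str
    encoding: str   # which encoding of the keyword matched
    offset: int     # byte offset into the image
    context: str    # printable rendering of the bytes around the hit


def _printable(chunk: bytes) -> str:
    """Render bytes for a reviewer; non-printable bytes become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def search_image(image: bytes, keywords: Iterable[str], window: int = 16) -> List[Hit]:
    """Every occurrence of every keyword in any encoding, ordered by offset.
    Matching is byte-level, so hits inside slack space and deleted data are
    found as well as those in live files; `window` is the number of bytes of
    context kept on each side of the hit."""
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            # re.IGNORECASE on a bytes pattern is ASCII case-insensitive, which
            # is exactly what we want for both encodings (UTF-16LE interleaves NULs).
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                lo = max(0, m.start() - window)
                hi = min(len(image), m.end() + window)
                hits.append(Hit(kw, enc, m.start(), _printable(image[lo:hi])))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def report(hits: List[Hit]) -> List[str]:
    """One line per hit: hex offset, encoding, keyword, context."""
    return [f"{h.offset:08x} {h.encoding:<8} {h.keyword:<10} |{h.context}|" for h in hits]


# Constructed 'image' (not real evidence): 32 zero bytes, a live passwd line,
# 8 zero bytes, slack from a deleted file, a UTF-16LE Windows-style string, padding.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"root:x:0:0:root:/root:/bin/bash\n"
    + b"\x00" * 8
    + b"...deleted: password=Tr0ub4dor\x00\x00"
    + "Software\\MalwareDropper".encode("utf-16le")
    + b"\x00" * 32
)

if __name__ == "__main__":
    for line in report(search_image(SAMPLE_IMAGE, ["root", "password", "dropper"])):
        print(line)
```

On a real case, read the image in large overlapping chunks rather than loading it whole, and keep the window small when privileged material may be present, for the legal reason given in 7.2.2.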

7.3.3 Reviewing Relevant Files

It is a safe bet that numerous files will harbor evidence connected to any given incident. However, your success in recognizing all the applicable files is much less certain. To help in identifying which files are likely to be relevant to any given incident, we use various techniques. These include identifying relevant files by their time/date stamps and by the information gained during the initial response to the UNIX system. We also search configuration and system files commonly abused by attackers.

7.3.3.1 Incident Time and Time/Date Stamps

In order to search for files and directories that were accessed, modified, or created around the time of a suspected incident, you must first know the time of the incident. The time frame may be very specific, such as when a network IDS discovered and logged the attack as it happened. If you have a good record from an outside source (such as a network IDS) of when the attack occurred, the first step is to make sure that the system time on the IDS matches that of the victim system; any offset between the two clocks must be applied to your search window.
The goal in reviewing time/date stamps is to follow up on the relevant time windows that you have already determined. All the files or directories accessed, modified, or created during this time are likely candidates as relevant items. Remember that on UNIX the "created" time is really the inode change time (ctime), which is updated whenever the permissions, ownership, or link count change, and that access times may be unreliable on file systems mounted with noatime.
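The time-window sweep described above, as an added example rather than code from the book: files_in_window() walks a tree and reports every file whose atime, mtime, or ctime falls inside the incident window, widened by a skew you pass in to absorb a measured clock offset between the IDS and the victim. Times are compared in UTC. The tree, paths, and timestamps are constructed for the demonstration; user code cannot set ctime, so only atime and mtime are exercised here, but st_ctime is checked the same way on a mounted image.

```python
"""Find files whose timestamps fall inside an incident window."""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed IDS alert time (UTC) for the demonstration.
INCIDENT_START = datetime(2010, 3, 14, 2, 0, tzinfo=timezone.utc)


def files_in_window(root, start, end, skew=timedelta(0)):
    """Sorted (relative path, [which timestamps matched]) for every file under
    `root` with atime, mtime or ctime in [start - skew, end + skew]."""
    lo = (start - skew).timestamp()
    hi = (end + skew).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)   # lstat: never follow symlinks on evidence
            stamps = {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}
            kinds = sorted(k for k, t in stamps.items() if lo <= t <= hi)
            if kinds:
                hits.append((os.path.relpath(path, root), kinds))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed evidence tree; every path and time here is invented."""
    layout = {
        "etc/passwd":                INCIDENT_START - timedelta(days=30),    # untouched
        "tmp/.x/sniff.log":          INCIDENT_START + timedelta(minutes=7),  # dropped during the attack
        "bin/ls":                    INCIDENT_START + timedelta(minutes=12), # replaced during the attack
        "home/lester/.bash_history": INCIDENT_START + timedelta(hours=5),    # later, ordinary use
    }
    for rel, when in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        os.utime(p, (when.timestamp(), when.timestamp()))   # sets atime and mtime


def demo(skew=timedelta(0)):
    """Search the constructed tree for the hour following the alert."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return files_in_window(base, INCIDENT_START, INCIDENT_START + timedelta(hours=1), skew)


if __name__ == "__main__":
    for rel, kinds in demo():
        print(f"{rel:<28} {','.join(kinds)}")
```

Widening the window with skew trades precision for recall: with a five-hour skew the later shell history also appears, which is why the clock comparison in the text should be done before the sweep, not guessed afterwards.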

7.3.4 Identifying Unauthorized User Accounts or Groups

On victim systems, attackers will often modify account and group information. This modification can come in the form of additional accounts or escalations in privilege of current accounts. The goal is usually to create a backdoor for future access. To validate that an attacker did not manipulate this information, you should audit user and group accounts on suspected victim systems. Auditing UNIX system account information is a straightforward process.

7.3.4.1 User Account Investigation

User information is stored in the /etc/passwd file. This is a text file that you can easily review using a variety of mechanisms. Every user on a UNIX system has an entry in the /etc/passwd file. A typical entry looks like this:
lester:x:512:516:Lester Pace:/home/lester:/bin/bash
The entry consists of seven colon-delimited fields: the username (lester), the password (shadowed in this case, so only an x appears here and the hash lives in /etc/shadow), the user ID (512), the group ID (516), the GECOS field (for comments; Lester Pace in this case), the home directory, and the default login shell.

7.3.4.2 Group Account Investigation

Group accounts show up as the group ID in the /etc/passwd file as well as in the /etc/group file. A typical /etc/group file looks like this:
$ cat /etc/group
root::0:root,ashunn
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
Along with the groups, the file lists the users that are associated with each group. It is important to note that an entry in the group file does not need to exist for a group to exist. Group membership is based on the group ID in the password file as well as on the member lists here, so a user's effective membership is the union of the two.
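An audit of the two files along the lines of 7.3.4.1 and 7.3.4.2, as an added example (not code from the book): it parses constructed /etc/passwd and /etc/group contents, flags the classic backdoor patterns (a second UID-0 account, a shared UID, an empty password field, an interactive shell on a system account), and computes effective group membership the way the kernel does, so that a primary GID from passwd counts even when the group file never lists the user or never defines the group. The SYSTEM_UID_MAX threshold of 499 is an assumption matching the 512 used for lester above; adjust it to the distribution's convention.

```python
"""Audit /etc/passwd and /etc/group for backdoor accounts and effective groups."""
from collections import defaultdict

# Constructed files (not from a real system); lester's entry is the one from the text.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lester:x:512:516:Lester Pace:/home/lester:/bin/bash
toor::0:0:backup operator:/tmp/.x:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
"""

GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
wheel:x:10:root,lester
users:x:100:lester
ftp:x:50:
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 499   # assumption: UIDs 1..499 are system accounts on this build


def parse_passwd(text):
    """username -> fields; the seven colon-delimited fields described in 7.3.4.1."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = dict(pw=pw, uid=int(uid), gid=int(gid), gecos=gecos, home=home, shell=shell)
    return users


def parse_group(text):
    """gid -> (group name, set of listed members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[int(gid)] = (name, set(filter(None, members.split(","))))
    return groups


def effective_groups(users, groups):
    """username -> set of group names: listed memberships plus the primary GID
    from passwd, even if the group file does not list the user or the GID."""
    membership = defaultdict(set)
    for _gid, (gname, members) in groups.items():
        for m in members:
            membership[m].add(gname)
    for uname, u in users.items():
        gname = groups.get(u["gid"], (f"gid={u['gid']}", set()))[0]
        membership[uname].add(gname)
    return dict(membership)


def audit(users, groups):
    """Sorted list of findings describing suspicious account entries."""
    findings = []
    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
        if u["uid"] == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if u["pw"] == "":
            findings.append(f"{name}: empty password field (no password required)")
        if 0 < u["uid"] <= SYSTEM_UID_MAX and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"{name}: system account with interactive shell {u['shell']}")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(sorted(names))}")
    return sorted(findings)


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for f in audit(users, groups):
        print(f)
    for user, gs in sorted(effective_groups(users, groups).items()):
        print(f"{user:<8} {', '.join(sorted(gs))}")
```

Note that the toor entry would be missed by a check that only looks for "root" by name, and that lester's primary group 516 has no line in /etc/group at all, exactly the situation the text warns about.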

7.3.5 Identifying Rogue Processes

When examining a live system, identifying rogue processes is much easier. You should record all listening ports and running processes. To verify their validity, you should carefully examine the running processes. Also, review all binaries associated with listening services and running processes to ensure that they have not been modified.

7.3.5.1 What Can Happen?

You dutifully record listening ports and running processes. During your initial investigation, you notice an anomaly with FTP. During further examination:
[root@victim]# netstat -anp
tcp        0      0 0.0.0.0:23     0.0.0.0:*     LISTEN     519/inetd
tcp        0      0 0.0.0.0:21     0.0.0.0:*     LISTEN     519/ftpd
Port 21 is reported under the name ftpd but with the same process ID as inetd, which on a normally configured system would itself hold the FTP listening socket and spawn ftpd only on connection. That mismatch is the anomaly to run down, for example by comparing the binary behind PID 519 against a known-good copy and checking the inetd configuration on the image.

7.3.6 Checking for Unauthorized Access Points

UNIX is a fully functional, robust operating system. It has continually added functionality (network services are no exception) over the course of its long history. Along with the Network File System (NFS), telnet, finger, rlogin, and many others, a default installation of UNIX offers a dazzling array of network services. Any one of the networked services on a UNIX system can potentially allow some degree of remote access to unwanted intruders, as can a phone line connected to a modem.
X servers, FTP, telnet, TFTP, DNS, sendmail, finger, SNMP, IMAP, POP, HTTP, and HTTPS are some of the most common access points that we have seen intruders take advantage of. Unfortunately, this is just a partial list. As you conduct your investigation of the UNIX system, you will need to examine all network services as potential access points. Did you find anything suspicious from your investigation of configuration files, startup files, and listening sockets? What "normal" services were running on the system at the time of the suspected incident? How could an intruder access your system? Examining every potential access point will help in answering all these questions; ensure that each one is configured securely and has the latest patches or software version.

7.3.7 Analyzing Trust Relationships

Trust can be established between UNIX systems with a variety of services. These include the most popular services like login, rsh, the Network Information Service (NIS and NIS+), NFS, and ssh. Trust relationships within UNIX systems were once a primary mechanism of attack. For system administrators and users, trust relationships can be convenient timesavers. If machine A trusts machine B, then a user on machine B can access machine A with no additional credentials. If you are a system administrator with dozens of systems to maintain, using this feature can be very enticing.
Investigate all possible trust relationships to determine if they played a part in the incident. Trust relationships are usually configured in files such as /etc/hosts.equiv or any .rhosts file in a user's home directory, through shared keys (such as ssh authorized_keys files), and through NFS shares. A hosts.equiv or .rhosts line consisting of "+" (or "+ +") trusts every host, and is a classic backdoor left behind by intruders. Trust relationships can also be established with ssh. Nowadays, trust relationships of the rsh kind seem to be less common. However, another type of trust is created through network topology: components on common network segments must trust their peers that share the networked computers.
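Scoping a compromise through trust, for both the Windows domain trusts of 7.2.9 and the UNIX .rhosts/hosts.equiv trusts of this section, as an added example that is not code from the book. Trust is modelled as a directed edge "A trusts B": a principal on B can reach A. reachable() returns everything an attacker on a compromised system can now log in to, either directly (non-transitive, as with Windows NT one-way trusts or rsh) or through chained trusts (transitive, as in a Windows 2000 forest, and also the right model for an attacker who hops interactively from host to host). parse_rhosts() turns hosts.equiv/.rhosts lines into edges and flags the "+" wildcard. The domain names follow Figure 7.14; the UNIX hosts and files are constructed.

```python
"""Trust-relationship reachability for Windows domains and UNIX rhosts."""
from collections import defaultdict


def reachable(trusts, compromised, transitive):
    """trusts: {trusting: {trusted, ...}} ('trusting' accepts logins from 'trusted').
    Returns the set of systems an attacker on `compromised` can reach."""
    inbound = defaultdict(set)            # trusted -> {systems that trust it}
    for trusting, trusted_set in trusts.items():
        for trusted in trusted_set:
            inbound[trusted].add(trusting)
    seen, frontier = set(), [compromised]
    while frontier:
        node = frontier.pop()
        for trusting in inbound.get(node, ()):
            if trusting != compromised and trusting not in seen:
                seen.add(trusting)
                if transitive:            # keep walking only if trust chains
                    frontier.append(trusting)
    return seen


# Figure 7.14: Domain A trusts B, B trusts C (explicit); A trusts C transitively.
WIN2K_TRUSTS = {"DomainA": {"DomainB"}, "DomainB": {"DomainC"}}


def parse_rhosts(host, text):
    """hosts.equiv/.rhosts lines on `host` -> ({host: trusted hosts}, wildcard).
    Line format is 'hostname [username]'; '+' trusts every host, '-host' denies."""
    trusted, wildcard = set(), False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        h = line.split()[0]
        if h.startswith("-"):
            continue
        if h == "+":
            wildcard = True
        else:
            trusted.add(h)
    return {host: trusted}, wildcard


# Constructed /root/.rhosts contents collected from three hosts.
RHOSTS = {
    "fileserver": "webhost\nbuild   lester\n",
    "build":      "devbox\n",
    "devbox":     "+ +\n",          # trusts everyone: the classic misconfiguration
}


def unix_trust_graph(files):
    """Combine per-host rhosts files into one trust graph plus the wildcard hosts."""
    trusts, wild = {}, set()
    for host, text in files.items():
        edges, wc = parse_rhosts(host, text)
        trusts.update(edges)
        if wc:
            wild.add(host)
    return trusts, wild


if __name__ == "__main__":
    print("NT-style (non-transitive) reach from DomainC:", reachable(WIN2K_TRUSTS, "DomainC", False))
    print("2000-style (transitive) reach from DomainC:", reachable(WIN2K_TRUSTS, "DomainC", True))
    trusts, wild = unix_trust_graph(RHOSTS)
    print("hosts trusting everyone:", wild)
    print("attacker on devbox can hop to:", reachable(trusts, "devbox", True))
```

Read the non-transitive result as "who is directly exposed" and the transitive one as "how far the intruder can get"; the wildcard set is where to look first for the original foothold.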

7.3.8 Detecting Trojan Loadable Kernel Modules

Loadable kernel modules (LKMs), or kernel extensions, are found on the various flavors of Linux, BSD, and Solaris. They extend the capabilities of the base operating system kernel, typically to provide additional support within the operating system for device and file system drivers. When they are dynamically loaded by a user with root-level access, LKMs run at the kernel level instead of at the normal user process level.
Several intrusion-based LKMs have been developed, and once a malicious user obtains privileged access to your system, she/he can install one. Some common malicious LKMs include Adore, Knark, and itf.

7.3.8.1 LKMs on Live Systems

It can be complicated to detect Trojan LKMs on a live system, because these tools intercept system calls (for example, those behind ps or a directory listing) to provide false information. They are specifically designed to defeat traditional response methods. In many cases you can still find anomalies or discrepancies by combining externally executed commands with local commands: for example, comparing the process list from ps with the numeric entries in /proc, or comparing the listening sockets the host reports with what a port scan from another machine shows.
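The cross-view comparisons called for in 7.2.7 (live listener list versus the list captured after the restored image boots), 7.3.5.1 (what netstat -anp reports), and 7.3.8.1 (local ps versus /proc), as one added example that is not code from the book. listeners() parses netstat -anp lines into (protocol, port, program) records, dropping PIDs because they change across a reboot; cross_view() reports what one view shows and the other does not. The same function takes the PID sets from a ps listing and a /proc directory listing, where a process hidden by a Trojan LKM still has a numeric /proc entry. All listings below are constructed; the port-21 entry mirrors the anomaly in 7.3.5.1.

```python
"""Cross-view checks: netstat live vs offline, and ps vs /proc."""
import re

# netstat -anp (Linux format): proto, queues, local addr:port, foreign, [state], pid/program.
# Lines whose PID netstat could not resolve ('-') are skipped; run netstat as root.
_NETSTAT = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)$"
)


def listeners(text):
    """Set of (proto, port, program) for listening TCP sockets and all UDP sockets.
    Established/TIME_WAIT TCP lines do not match the pattern and are ignored."""
    found = set()
    for line in text.splitlines():
        m = _NETSTAT.match(line.strip())
        if m:
            proto, _addr, port, _pid, program = m.groups()
            found.add((proto, int(port), program))
    return found


def ps_pids(text):
    """PIDs from `ps -e` style output (first column; header line skipped)."""
    return {int(line.split()[0]) for line in text.splitlines()[1:] if line.strip()}


def proc_pids(entries):
    """PIDs from a directory listing of /proc: the purely numeric entries."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view(view_a, view_b, name_a="live", name_b="offline"):
    """What each view shows that the other does not, as sorted lists."""
    return {f"only_in_{name_a}": sorted(view_a - view_b),
            f"only_in_{name_b}": sorted(view_b - view_a)}


# Constructed live-response capture (port 21 claims to be ftpd under inetd's PID).
LIVE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      610/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      519/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      519/ftpd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 702/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           430/syslogd
"""

# Constructed capture after booting the restored image: inetd owns port 21 as
# configured, and a backdoor shell started from an rc script appears on 1524.
OFFLINE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      605/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      511/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      511/inetd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      640/sh
udp        0      0 0.0.0.0:514             0.0.0.0:*                           421/syslogd
"""

# Constructed `ps -e` output and /proc listing from the same live system.
PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
  430 ?        00:00:00 syslogd
  519 ?        00:00:00 inetd
  610 ?        00:00:00 sshd
"""
PROC = ["1", "430", "519", "610", "1337", "cpuinfo", "meminfo", "self", "sys"]

if __name__ == "__main__":
    print(cross_view(listeners(LIVE), listeners(OFFLINE)))
    print(cross_view(ps_pids(PS), proc_pids(PROC), "ps", "proc"))
```

Each discrepancy is a lead, not a verdict: a listener present only offline may be a service the rootkit hid on the live system, and a PID present only in /proc is the signature of a process-hiding LKM.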

7.4 Investigating Applications

7.4.1 Web Browsers

Web browsers are used by users to carry out different activities on the Internet (Figure 7.15). Browsers are used for many functions, such as information search, access to e-mail accounts, e-commerce, online banking, instant messaging, online blogs, and access to social networks. A web browser records many data associated with user activity. Information such as URLs visited by users, search terms, cookies, cache files, access time, and usage time is kept on the system. If a different user gets access to the same computer, reaching this data is very easy. Web browsers are significant tools in many of the crimes committed on digital resources, so examining the evidence that is the subject of criminal records is an important step in the examination of a browser. Revealing an offender's profile and connections depends on the web records. Suspects can use web browsers for actions such as collecting information, hiding the crime, and getting in touch with crime partners. The evidence found by way of the web browser is therefore a key factor for the forensic expert. A suspect leaves a mark on his/her computer about every movement made with the web browser. It is possible to examine evidence such as history, cache, cookies, the downloads list, typed URL addresses, times of visits, and frequency of visits from the suspect's computer. For conducting the analysis in a complete way, it is necessary to probe the records of every web browser present on the image. The analysis of only one web browser is not sufficient to get the evidence.

Figure 7.15 Utilization ratio of web browsers (pie chart). Shares shown: Microsoft Internet Explorer 50.03%, Chrome 31.41%, Firefox 12.24%, Safari 4.33%, Opera 1.52%, Proprietary or undetectable 0.23%, Other 0.23%, Android browser 0.01%.

7.4.1.1 Utilization Ratio of Web Browsers

It is crucial to be able to examine evidence from different versions of browsers, such as Internet Explorer, Google Chrome, Firefox, Safari, and Opera, to ensure the genuineness of the evidence. This section discusses how to get user web browser activities from an image of the evidence. The usage of applications employed in this field is described and compared. Moreover, the processes for acquiring information such as URL, visit date, visit count, web browser type, system user name, browser profile, and URL size from web browser files are also discussed.

7.4.1.2 Analyses of Web Browser Records

Web browsers are the most commonly used applications on digital devices. Users perform their Internet activities with web browsers on various operating systems. Web browsers are used for several purposes, such as searching for information, e-mail, e-commerce, news, e-banking, social media, and blog writing. For this reason, browser data is one of the most significant parts of evidence analysis. Information like which URLs were visited by the user, which words were searched, and when these actions were made is used by digital forensics experts to analyze the crime. Also, usage of different web browsers in the same period must be examined. A lot of open-source and licensed tools exist to perform the analysis. Users often perform the activities listed in Table 7.1 in web browsers.

Table 7.1 User activity on web browsers

User Activity            Words in URL
Search                   Search, word about search
E-mail                   Mail, e-mail
Blog                     Blog
Social Media             Facebook, Twitter, Instagram, etc.
News                     News
Shopping                 Shopping, shop, etc.
Weather Condition        Weather
Game                     Game
Video, Visual Content    Video
Music                    Music, mp3
Banking                  Bank, Credit
7.4.1.3 Keeping Records on Computers

Web browsers store user activity in different parts of the operating system. To access the user information, investigation is needed in several areas. Furthermore, the data varies with the type of web browser. Web browsers retain four kinds of user records in different sections: cache records, history records, cookies, and downloaded files. The locations in which web browsers store data on the operating systems are demonstrated in Table 7.2.
Table 7.2 File locations of web browser data, by operating system

Web Browser         Operating System             File Path
Internet Explorer   Windows 95/98                C:\Temporary Internet Files\Content.ie5
                                                 C:\Cookies
                                                 C:\History\History.ie5
                    Windows 2000/XP              C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
                                                 C:\Documents and Settings\%username%\Cookies
                                                 C:\Documents and Settings\%username%\Local Settings\History\history.ie5
                    Windows Vista, 7 and later   C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
                                                 C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\
Firefox             Linux                        /home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
                    Mac OS X                     /Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
                    Windows XP                   C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
                    Windows Vista, 7 and later   C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
Safari              Mac OS X                     /Users/$USER/Library/Safari/
                                                 /Users/$USER/Library/Caches/com.apple.Safari/
                    Windows XP                   C:\Documents and Settings\%username%\Application Data\Apple Computer\Safari\
                                                 C:\Documents and Settings\%username%\Local Settings\Application Data\Apple Computer\Safari\
                    Windows 7                    C:\Users\%username%\AppData\Roaming\Apple Computer\Safari\
                                                 C:\Users\%username%\AppData\Local\Apple Computer\Safari\
Opera               Linux                        /home/$USER/.opera/
                    Mac OS X                     /Users/$USER/Library/Opera/
                    Windows XP                   C:\Documents and Settings\%username%\Application Data\Opera\Opera\
                    Windows Vista, 7 and later   C:\Users\%username%\AppData\Roaming\Opera\Opera\
Google Chrome       Linux                        /home/$USER/.config/google-chrome/Default/Preferences
                    Mac OS X                     /Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
                    Windows XP                   C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
                    Windows Vista, 7 and later   C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Preferences

Web browsers store data in various folders and locations on the system. In the analysis process, it is essential to examine the data in these folders. Folders should be searched for the four different record types mentioned in the previous section. The storage types of the web browsers are listed below. Internet Explorer is a web browser which computer users generally use. Internet activity records are stored for each user individually under the user profile folder. Data is stored in the Cookies, Cache, Download History, and History folders separately under the locations shown in Table 7.2. Under these folders, data is stored in index.dat or container.dat database files, in binary format. Safari stores web browser data in a file named History.plist in binary format under the web browser data locations. It stores the information of URL addresses, date of visit, time, and the number of visits for each website. Firefox stores web browser data in a file called places.sqlite. This file uses the SQLite database format. Opera keeps data in different files with the extension .dat. These files are cookies4.dat, download.dat, global_history.dat, and search_field_history.dat. Google Chrome stores data in the Preferences file. There is a separate file for each user. It contains information about user policies, master preferences, and local locations data.

7.4.1.4 Time Formats Used by the Web Browser

It is essential to analyze the user behavior in a given time period for demonstrating a crime in forensic examination. In order to find out the offender's activities, a time schedule should be made and followed. Thereby, it can reveal information about relationships with other related websites which are visited by the suspects in the same period. The time format which is used by each web browser is given in Table 7.3. The expert who examines must consider the time format that has been used by the web browser; otherwise, the time of the suspect's use cannot be determined. Therefore, the expert who examines must do time correction. The time format of the data obtained from the evidence must be consistent with the examiner's own time format.

Table 7.3 Time format used by web browser

Web Browser | Time Format
Internet Explorer | FILETIME: 100 ns (10^-9); since January 1, 1601 00:00:00 (UTC)
Firefox | PRTime: microsecond (10^-6); since January 1, 1970 00:00:00 (UTC)
Google Chrome | WEBKIT Time: microsecond (10^-6); since January 1, 1601 00:00:00 (UTC)
Safari | CG Absolute Time: second; since January 1, 2001 00:00:00 (UTC)
Opera | UNIX Time: second; since January 1, 1970 00:00:00 (UTC)
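As an added example (not code from the book), the following Python decodes raw timestamps in each of the five formats of Table 7.3 into UTC, and applies the Firefox (PRTime) decoder to a constructed, minimal stand-in for places.sqlite; the sample timestamps, URLs and the two-table schema are assumptions for the demonstration, not data from the book.

```python
"""Decode the browser timestamp formats of Table 7.3 into UTC datetimes.

Added example, not from the book. Epochs and units follow Table 7.3; the
sample timestamps and the tiny places.sqlite schema below are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME, WebKit
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # PRTime, UNIX
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CG Absolute Time


def filetime_to_utc(value: int) -> datetime:
    """Internet Explorer FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def webkit_to_utc(value: int) -> datetime:
    """Google Chrome WebKit time: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=value)


def prtime_to_utc(value: int) -> datetime:
    """Firefox PRTime: microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=value)


def unix_to_utc(value: float) -> datetime:
    """Opera UNIX time: seconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(seconds=value)


def cg_absolute_to_utc(value: float) -> datetime:
    """Safari CG Absolute Time: seconds since 2001-01-01 UTC (may be negative)."""
    return EPOCH_2001 + timedelta(seconds=value)


# Browser name as in Table 7.3 -> decoder for its raw timestamp
CONVERTERS = {
    "Internet Explorer": filetime_to_utc,
    "Firefox": prtime_to_utc,
    "Google Chrome": webkit_to_utc,
    "Safari": cg_absolute_to_utc,
    "Opera": unix_to_utc,
}


def to_utc_iso(browser: str, raw) -> str:
    """Decode a raw timestamp for the named browser into an ISO 8601 UTC string."""
    return CONVERTERS[browser](raw).isoformat()


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (subset of the schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,"
        "  place_id INTEGER, visit_date INTEGER);"
        "INSERT INTO moz_places VALUES (1, 'http://www.example.com/');"
        "INSERT INTO moz_places VALUES (2, 'http://www.example.org/login');"
        # visit_date is PRTime: 2000-01-01 00:00:00 UTC and ten minutes later
        "INSERT INTO moz_historyvisits VALUES (1, 2, 946685400000000);"
        "INSERT INTO moz_historyvisits VALUES (2, 1, 946684800000000);"
    )
    return con


def firefox_history(con: sqlite3.Connection) -> list:
    """Visited URLs with visit_date decoded from PRTime, oldest visit first."""
    rows = con.execute(
        "SELECT p.url, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
    ).fetchall()
    return [(url, prtime_to_utc(ts).isoformat()) for url, ts in rows]


if __name__ == "__main__":
    for row in firefox_history(build_sample_places()):
        print(*row)
```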

7.4.1.5 Clearing the Web Browser History

In the analysis process of web browser records, suspects could have deleted browser data. Many web browsers offer users options to delete cache, cookies, history, and downloaded files. When this information is deleted, users destroy what could be obtained in the examination by using a function of the browser. There are two ways of deleting records: (i) by overwriting the existing data with the launch of applications, so that the old data is lost, and (ii) by users voluntarily deleting data from the browser menu or the index. After the first method, accessing the old data is very hard. But, after the second method, accessing the data is possible by recovery and disk carving actions. The options and access paths allowing the deletion of records by users of the browser are given in Table 7.4.

Table 7.4 Locations of deleting data according to the type of browser

Web Browser | Delete Options Path
Internet Explorer | Settings/Internet Options/Delete
Firefox | Settings/Privacy/History; about:preferences#privacy
Google Chrome | Settings/History/Search Data; chrome://settings/clearBrowserData
Safari | Settings/Privacy/Delete All Web Site Data; Settings/History
Opera | Settings/History/Privacy and Security/Delete All Search Data; opera://settings/clearBrowserData

7.4.1.6 Tools for Analysis

WEFA, NetAnalysis, Browser History Examiner, FTK, and EnCase are the software that are commonly used for analyzing web browsers in digital forensics examinations. In this section, the features of specific web browser analysis tools are also presented.
IEF (Internet Evidence Finder): IEF is licensed software produced by Magnet Forensics. It is used by experts in the process of examinations of smart phones, tablets and personal computers. It presents characteristics such as examining internet TV series, analysis of many different models, and data from mobile applications. It is used on Windows and MacOS operating systems.
WEFA: WEFA is a free web browser analyzer tool. It runs on Windows NT and later versions. It supports Internet Explorer (up to version 11), Mozilla Firefox, Apple Safari, Opera, Chromium, Google Chrome, Google Chrome Canary, Comodo Dragon, CoolNovo (ChromePlus), and Swing browsers. For these browsers, WEFA offers analysis methods to perform analysis from an active system or a disk image. These methods include gathering the web browser's cache, cookies, internet history, download history, session data, temporary internet files, and the timesheet data information. The obtained data can be displayed in timeline view, HTML view, URL parameters view, and search view.
NetAnalysis: NetAnalysis is a licensed tool developed by the Digital Detective company for digital examination of web browsers. It supports Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari and Opera browsers. It allows the examination of internet history, cache, cookies and other components. It also has an effective reporting feature that allows quickly gathering evidence according to user behavior. Moreover, this software has effective analytical tools for decoding and understanding data. At the same time, it has the ability to use SQL queries to identify related evidence. This software can also be used to recover deleted web browser components.
Browser History Examiner: Browser History Examiner is a licensed tool developed by the Foxton Forensics company, and it extracts and analyzes web history. It supports Chrome, Firefox, Internet Explorer, and Edge web browsers. It can analyze many data types such as downloads, cache data, and visited URL entries. Internet activities in a specific timeline can be traced with the web site timeline feature. Data can be analyzed by using various filters like keyword list and time-date range with the advanced filtering feature. Image files saved in the browser cache can be easily shown in thumbnail galleries with the cache image viewer feature. Web sites stored in the browser cache can be reconstructed and analyzed with the cache web page viewer feature. Different time zone conversions can be performed with the Time Zone and DST Configuration feature, and all data obtained from these features are reported.
FTK: FTK is one of the tools developed to analyze systems entirely. It enables analysis of web browser data with its features. Web browser history is visualized in detail. Internet Explorer, Firefox, Chrome, Safari, and Opera browsers are supported. Also, deleted web browser data can be recovered by FTK. This software also has a feature to report analysis results.
EnCase: EnCase is an analysis tool developed to examine systems entirely. It enables examination of web browser data with its features. With the help of a simple script, all browser history, cookies, and cache files are copied into a file by using third-party software. Internet Explorer, Firefox, Chrome/Chromium, Opera and Safari are supported in Windows, UNIX and Mac operating systems. Also, it enables recovery of deleted internet components. Obtained data can be analyzed by filtering according to keyword and time parameters. WEFA, NetAnalysis, and Browser History Examiner are developed especially for performing digital analysis of web browsers. But FTK and EnCase applications are developed to examine files and systems. This software also has features such as analyzing web history.

7.4.2 E-mail

E-mail has emerged as one of the most widely used communication applications, used for exchange of data and also to carry out data transactions. Due to the increased use of e-mails in the present scenario, its security has become a major issue. Nowadays, e-mails are being used as the prime weapon to conduct a crime. E-mail phishing, frauds, sexual predation, sending spam e-mails, and injection of viruses through e-mails are among the major crimes that the culprits carry out with the help of e-mails. Also, different types of data theft through e-mails may adversely affect an organization's operation or the workaround of an individual itself.
When a cybercrime comes into existence, the first step taken is consulting data investigators. Digital investigators collect, preserve, and analyze e-mails to investigate a crime. For an efficient investigation of e-mails, a wide variety of tools and particular procedures are used. In the next session, we will shed some light on the procedures and various techniques that are employed for the efficient investigation of e-mails in a particular crime.

7.4.2.1 Procedure to Investigate an E-mail

In e-mail forensics, the source and content of e-mails is considered as evidence. The process includes identifying the actual sender, recipient, date, time and location of the mail transaction, intention of the sender, etc. It also involves investigation of metadata, keyword searching, port scanning, etc. Various techniques that are used for e-mail investigation are as follows:
1. Header Analysis of e-mails: While investigating e-mails, we usually start from scratch and analyze the headers of the mails. Headers contain information about the senders of the e-mails and also information about the path through which the e-mails have travelled. During the time of a crime, the e-mail headers are spoofed in order to hide the identity of the sender. If the messages passing through the SMTP server do not possess SMTP idiosyncrasies, then they are faked.
2. Link Analysis: Link analysis is a graphical data analysis method to evaluate e-mails exchanged between users. Since a crime can involve multiple suspects, link analysis is used in order to examine the links between the suspects. Since there can be thousands of mails that are linked between suspects, it becomes a time-consuming task that defeats the purpose of e-mail investigation.
3. Bait Tactics: The basic aim of the bait tactics is to extract the IP address of the culprit. In this technique, an e-mail with an http <img src> tag which has some image source at a computer that is monitored by investigators is sent to the e-mail address that is under investigation. Now the recipient is the one who originally was the sender during the crime. When the e-mail is opened, a log entry which contains the IP address of the recipient is recorded on the server which is hosting the image, and the recipient is tracked. In a case when the recipient is using a proxy server, the IP address of the proxy server is recorded by the investigators. The log of the proxy server is used to track the culprit. In case the logs of the proxy server are not available, a tactic e-mail is sent to the culprit. The tactic e-mail can either be an HTML page or an embedded Java Applet.
4. Investigation of Server: In the server investigation, server logs and copies of delivered messages between sender and receiver are investigated. The e-mails from the sender and receiver, which are not recoverable, are received or extracted from proxy or ISP servers, as the servers store a copy of all the e-mails after their respective delivery. In addition, SMTP servers, which store details like credit card number and other data associated with a particular user, may be used to identify the owner of the particular e-mail address.
5. Investigating Network Device: The source of an e-mail message can also be investigated with the help of logs maintained by network devices, such as routers, firewalls, and switches. Owing to its complexity, this technique is only deployed in the absence of logs of ISP or proxy servers. Unavailability of server logs may occur due to various reasons, such as absence of chain of evidence.
6. Fingerprints of Sender Mailers: The Received header field proves to be helpful in the identification of the software which handles e-mail at the server. Also, a different set of headers such as "X-Mailer" can be used for the identification of the software which handles e-mail at the client. These headers describe information about the applications and their versions used by the client to send e-mails.
7. Software-embedded identifiers: The information about the creator of e-mails may be included in custom headers or in the form of MIME contents as a TNEF. The investigation may reveal names of PST files, MAC address, etc. of the computer which was used to send e-mails.
E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the actual sender and recipient of a message, date/time of transmission, detailed record of the e-mail transaction, intent of the sender, etc. This study involves examination of metadata, keyword searching, port scanning, etc. for authorship attribution and identification of e-mail scams. Various methods that are used for e-mail forensics are briefly described in the following sections.
7.4.2.2 Header Analysis

Metadata in the e-mail message in the form of control information, that is, the envelope and headers, including headers in the message body, comprise information about the sender and/or the track along which the message has traversed. Some of these may be tweaked to cover the identity of the source. A thorough analysis of these headers and their association is done in header analysis.

7.4.2.3 Bait Tactics

In bait tactic exploration, an e-mail with an http <img src> tag devising an image source at a computer observed and supervised by the detectives is sent to the source of the e-mail under examination. When the e-mail is read or opened, a log entry comprising the IP address of the recipient (source of the e-mail under examination) is recorded on the http server holding the image, and thus the sender is tracked. However, if the recipient (source of the e-mail under examination) is using a proxy server, then the IP address of the proxy server is logged. The log on the proxy server can be used to track the source of the e-mail under examination. If the proxy server's log is inaccessible due to some reason, then detectives may send the tactic e-mail containing:
1. an embedded Java Applet that runs on the receiver's computer, or
2. an HTML page with an ActiveX Object,
both targeting to extract the IP address of the receiver's computer and e-mail it to the investigators.

7.4.2.4 Server Investigation

In this research, duplicates of distributed e-mails and server logs are examined to classify the source of an e-mail message. E-mails purged from the clients (senders or receivers) whose recovery is impossible may be requested from servers (proxy or ISP), as most of them store a copy of all e-mails after their deliveries. Further, logs preserved by servers can be studied to track the address of the computer accountable for making the e-mail transaction. However, servers store the copies of e-mail and server logs only for a restricted amount of time, and some may not cooperate with the investigators. Further, SMTP servers, which store data like credit card numbers and other data relating to the owner of a mailbox, can be used to identify the person behind an e-mail address.

7.4.2.5 Network Device Investigation

In this form of e-mail investigation, logs preserved by the network devices such as routers, firewalls, and switches are used to examine the source of an e-mail message. This form of examination is difficult and is used only when the logs of servers (proxy or ISP) are inaccessible due to some cause (e.g., when the ISP or proxy does not preserve a log, absence of collaboration by ISPs, or failure to preserve the chain of evidence).
7.4.2.6 Software Embedded Identifiers

Some information about the owner of the e-mail, attached files, or documents may be included with the message by the e-mail software used by the sender for composing e-mail. This information may be included in the form of custom headers or in the form of MIME content as a Transport Neutral Encapsulation Format (TNEF). Examining the e-mail for these particulars may reveal some important information about the source e-mail preferences and choices that could assist client-side proof collecting. The examination can disclose PST file names, Windows logon username, MAC address, and more of the client computer used to send the e-mail message.

7.4.2.7 Sender Mailer Fingerprints

Credentials of the software handling e-mail at the server can be revealed from the Received header field, and credentials of the software handling e-mail at the client can be determined by means of a diverse set of headers like "X-Mailer" or equivalent. These headers describe the applications and their versions used at the clients to send e-mail. This information regarding the client computer of the sender can be used to help investigators formulate an operative plan, and thus proves to be very useful.

7.4.3 Mail Forensic Tools

There are numerous tools which may contribute to the study of the sender and text of an e-mail message, so that an attack or the mischievous motive of the invasions may be examined. These tools, while giving an easy-to-use browser setup, computer-generated reports, and other features, help to recognize the origin and destination of the message, track the route passed through by the message, recognize spam and phishing networks, and so on. This section presents some of these tools.

7.4.3.1 eMailTrackerPro
eMailTrackerPro examines the headers of an e-mail to sense the IP address of the computer that directed the message, so that the source can be chased down. It can track numerous e-mails at the same time. The geographical position of an IP address is important and crucial evidence for defining the risk level or legitimacy of an e-mail message. This tool can locate the city that the e-mail most probably came from. It recognizes the network provider (or ISP) of the source and offers contact information for further examination. The real path to the source's IP address is stated in a routing table, offering additional position information to help find out the source's correct and accurate position. The misuse reporting feature in it can be used to make additional examination stress free. It checks the mail against DNS blacklists, like Spamcop, to additionally defend against junk and mischievous e-mails. It supports Japanese, Russian, and Chinese language junk filters in addition to the English language. A main feature of this tool is misuse reporting that can generate a report that can be sent to the ISP of the source. The ISP can then take steps to take legal action against the account holder and help put a stop to junk.

7.4.3.2 EmailTracer
EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics (RCCF), a leading center for cyber forensics in India. It develops cyber forensic tools grounded on the necessities of law enforcement agencies. Among numerous other digital forensic tools, it has established an e-mail tracer tool named EmailTracer. This tool tracks the initiating IP address and other particulars from the e-mail header, produces a thorough HTML report of the e-mail header analysis, discovers the city-level particulars of the source, plots the path traced by the mail, and shows the initiating geographic position of the e-mail. In addition to these, it has keyword searching ability on e-mail content together with attachments for its classification.

7.4.3.3 Adcomplain
Adcomplain is a tool for reporting unsuitable marketable e-mails and usenet postings, along with chain letters and "make money fast" postings. It robotically examines the message, composes a misuse report, and mails the report to the offender's internet service provider by carrying out an effective header examination. The report shows the support preceding the U.S. Federal Trade Commission. Adcomplain can be invoked from the command line or robotically from numerous news and mail readers.
7.4.3.4 Aid4Mail Forensic
Aid4Mail Forensic is an e-mail investigation software for forensic analysis, e-discovery, and court case proceedings support. It is an e-mail relocation and translation tool, which supports various mail formats together with Outlook (PST, MSG files), Windows Live Mail, Eudora, Thunderbird, and MBOX. It can explore through mail by date, header content, and message body content. Mail folders and files can be managed even when disconnected from their e-mail client, together with those stored on CD, DVD, USB drives, flash drives, floppies, portable HDDs, and so on. Aid4Mail Forensic can hunt PST files and all maintained mail formats by date range and by keywords in the message body or in the headers. Extraordinary Boolean operations are maintained. It is capable of recovering deleted e-mail from MBOX files and can bring back deleted e-mail during exportation.

7.4.3.5 AbusePipe
AbusePipe examines abuse objection e-mails and regulates which of the ESP's clients are distributing spam, grounded on the material in the e-mailed objections. It robotically creates reports recording clients disrespecting the ESP's suitable user policy, so that action to close them down can be taken instantaneously. AbusePipe can be configured to robotically answer to individuals reporting abuse. It can support in meeting authorized responsibilities like reporting on the clients linked to a given IP address at a specified date and time.

7.4.3.6 AccessData's FTK

AccessData's FTK is a typically court-validated digital investigations platform computer forensics software, passing on computer forensic analysis, decryption, and password cracking within a spontaneous and personable interface. It has rapidity, analytics, and enterprise class scalability. It is recognized for its instinctive interface, e-mail study, customizable data views, and solidity. It maintains popular encryption technologies, like Credant, SafeBoot, Utimaco, EFS, PGP, Guardian Edge, Sophos Enterprise, and S/MIME. Its presently maintained e-mail types are Lotus Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, Netscape, AOL, and RFC 833.

7.4.3.7 EnCase Forensic

EnCase Forensic is a computer forensic application that offers detectives the capability to copy a drive and preserve it in a forensic way by means of the EnCase evidence file format, a digital evidence container examined by courts universally. It comprises a full set of enquiries, bookmarking, and reporting features. Guidance Software and third-party vendors offer support for extended abilities to make sure that forensic inspectors have the most complete set of services. Together with many other network forensics researches, it also supports Internet and e-mail examination. It comprises an Instant Messenger toolkit for Microsoft Internet Explorer, Mozilla Firefox, Opera, and Apple Safari. The e-mail support contains Outlook PSTs/OSTs, Microsoft Exchange EDB Parser, Outlook Express DBXs, Lotus Notes, Hotmail, AOL, Netscape Mail, Yahoo, and MBOX records.

7.4.3.8 FINALeMAIL
FINALeMAIL can bring back the e-mail database file and finds lost e-mails that do not have data position information related with them. FINALeMAIL has the ability of reestablishing lost e-mails to their source state, reobtaining full e-mail database files even when such files are criticized by viruses or spoiled by unintentional layout. It can recover e-mail messages and attachments emptied from the "Deleted Items Folder" in Netscape Mail, Microsoft Outlook Express, and Eudora.

7.4.3.9 Forensics Investigation Toolkit

Forensics Investigation Toolkit (FIT) is a content forensics toolkit to read and examine the content of Internet raw data in Packet CAPture (PCAP) format. FIT offers auditors, security administrative officers, and detectives, along with legal prosecution officers, the power to carry out content analysis and verification of the captured Internet raw data in wired or wireless networks. All protocols and services rebuilt are shown in readable presentation to the users. The other individuality of FIT is that the imported raw data file can be directly decoded and rebuilt. It supports case management functions through information together with Date-time, Destination IP, Source IP, Source MAC, WhoIS, and Google Map integration purposes. Examining and rebuilding of various Internet traffic types which comprise e-mail (POP3, SMTP, IMAP), IM or Chat (MSN, ICQ, Yahoo, QQ, Skype Voice Call Log, UT Chat Room, IRC Chat Room), Webmail (read and sent), file transfer (FTP, P2P), Telnet, HTTP (Content, Upload/Download, Video Streaming, Request), and Others (SSL) can be achieved using this toolkit.

7.5 Malware Hunting

Malware analysis is a process to perform analysis of malware and to study the components of malware. In this section, two methods of malware analysis are used: (i) static analysis and (ii) dynamic analysis. Static analysis is a method of malware analysis which is done without running the malware, while dynamic analysis is a method of malware analysis in which the malware runs in a secure system. Malware analysis is important, since many malwares at this day are not detectable by antivirus. Now viruses are made with a special ability to avoid detection by antivirus. In this research, we will focus on the implementation of malware analysis using the static analysis and dynamic analysis methods.
Static analysis is a method of analysis of malware that is done without running the malware, and analysis using this method is much more secure than using the method of dynamic analysis. Malware analysis using the method of static analysis can be further divided into two stages: (i) basic static analysis and (ii) advanced static analysis. Dynamic malware analysis is a method of analysis of malware by running the malware. To make it more secure, the malware will run inside a virtual machine, so the malware will not damage your computer system. Malware analysis using the method of dynamic analysis can be divided into two stages: (i) basic dynamic analysis and (ii) advanced dynamic analysis. The malware analysis method can be seen in Fig. 7.16.

Figure 7.16 Malware analysis method. (Flowchart: Malware analysis branches into Static analysis, with Basic static analysis and Advanced static analysis, and Dynamic analysis, with Basic dynamic analysis and Advanced dynamic analysis; both branches feed the Malware analysis report.)
7.5.1 Basic Static Analysis

In basic static analysis, testing is carried out against a program which is called malware with basic methods, that is, scanning using antivirus, moreover also doing a detection of packed or obfuscated programs, as well as conducting an analysis of the structure of the portable executable which is owned by the program.

7.5.2 Advanced Static Analysis

In the advanced method of static analysis, further analysis will be undertaken of the method of static analysis, with analysis against strings, linked libraries and functions, as well as using the IDA disassembler.

7.5.3 Basic Dynamic Analysis

The basic method in dynamic analysis will be building a virtual machine that will be used as a place to do the process of malware analysis, and analysis in a sandbox. In addition, malware will be analyzed using malware monitoring and the packers data made by the mal.ware.
7.5.4 Advanced Dynamic Analysis

In the advanced method of dynamic analysis, further analysis will be undertaken of the dynamic analysis methods with debugging of the malware and the registry, and doing an analysis on a Windows system.

7.5.5 Malware Analysis Report

From the results of malware analysis using the static analysis and dynamic analysis methods, we will obtain a report of information on the characteristics of the malware.

Examining and analyzing digital evidence depend on the nature of the investigation and the amount of data to process. You begin a computer forensics case by creating an investigation plan that defines the investigation's goal and scope, the materials needed, and the tasks to perform. Depending on the nature of the investigation and the evidence you find, you might have to modify your investigation plan at some point.

Key Terms

• Bit-shifting: The process of shifting one or more bits in a binary number to the left or right to produce a different value.
• Key escrow: A technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
• Known File Filter (KFF): A database containing the hash values of known legitimate and suspicious files. It is used to identify files for evidence or eliminate them from the investigation if they are legitimate files.
• Scope creep: The result of an investigation expanding beyond its original description, because the discovery of unexpected evidence increases the amount of work required.
148 •

• Steganography: A cryptographic technique for embedding information in another file for the purpose of hiding that information from casual observers.
• Client/server architecture: A network architecture in which each computer or process on the network is a client or server. Clients request services from a server, and a server processes requests from clients.
• Enhanced Simple Mail Transfer Protocol (ESMTP): An enhancement of SMTP for sending and receiving e-mail messages. ESMTP generates a unique, non-repeatable number that is added to a transmitted e-mail. No two messages transmitted from an e-mail server have the same ESMTP value.
• Mbox: A method of storing e-mail messages in a flat plaintext file.
• Messaging Application Programming Interface (MAPI): The Microsoft system that enables other e-mail applications to work with each other.
• Multipurpose Internet Mail Extensions (MIME): A specification for formatting non-ASCII messages, such as graphics, audio, and video, for transmission over the Internet.
• Phishing: A type of e-mail scam that is typically sent as spam soliciting personal identity information that fraudsters can use for identity theft.
• Post Office Protocol Version 3 (POP3): A protocol for retrieving e-mail messages from an e-mail server.
• Simple Mail Transfer Protocol (SMTP): A protocol for sending e-mail messages between servers.
• Spoofing: Transmitting an e-mail message with its header information altered so that its point of origin appears to be from a different sender. Spoofed e-mails are also referred to as forged e-mail. Spoofing is typically used in phishing and spamming to hide the sender's identity.

Review Questions

1. What is a hacker? Explain the hacker tools concept.
2. Write a short note on the steps of UNIX system investigation.
3. Name different log files used during Windows investigation.
4. Describe the basic investigative steps for formal examination of a Windows system.
5. Explain the process of restoring the forensic duplication.
6. Describe the basic investigative steps for formal examination of a Unix system.
7. What do you mean by data analysis?
Chapter 8 Network Forensic

LEARNING OBJECTIVES

After reading this chapter, you will be able to:
• Understand the concept of network forensic.
• Understand the various attacks in computer network.
• Interpret and apply tools for network forensic.

Network monitoring software or abnormal user behavior are two ways to detect an attacker within your network, but new malware dubbed "skeleton key" can evade both.

--Sara Peters

8.1 Introduction to Network Forensic

Network forensics is the capture, recording, and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It tries to analyze network traffic data, which is collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and analyze the nature of attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.
A generic network forensic examination includes the following steps:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Incident response
The following is a brief overview of each step:
1. Identification: Recognizing and determining an incident based on network indicators. This step is significant since it has an impact on the following steps.

2. Preservation: Securing and isolating the state of physical and logical evidence from being altered, such as, for example, protection from electromagnetic damage or interference.
3. Collection: Recording the physical scene and duplicating digital evidence using standardized methods and procedures.
4. Examination: In-depth systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
5. Analysis: Determine significance, reconstruct packets of network traffic data and draw conclusions based on evidence found.
6. Presentation: Summarize and provide explanation of drawn conclusions.
7. Incident response: The response to the attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.

8.2 Understanding Password Cracking


Most of the time, individuals use a name and password to gain access to any system. Passwords are very easy to be cracked by the hacker, and then the hacker can use that password to imitate the genuine user. Passwords can be cracked in the following ways:
1. Use of brute force.
2. Recover and exploit the password stored on the system.
3. Make use of password decryption software.
4. Social engineering.

8.2.1 Brute Force


Brute force might not be the smartest solution for a hacker in search of a password, but it can be very effective, particularly if strong password policies are not applied. A brute force attacker attempts one possible password after another until he/she hits on the right one. Although this process can be done physically by somebody with a lot of time and tolerance, it is generally done using a program that scans all the words in a dictionary file, which is merely a large list of words and other possible character arrangements.
Some of these cracking programs are refined and permit the cracker to implement rules or criteria. For example, if the cracker is able to attain some information about the password and comes to know that the password consists of five alpha characters and three numeric characters, then he/she can create guidelines which will, in turn, restrict the attempts conducted by the program to those which follow the specified criteria (e.g., apple123, six789, etc.). This strategy constricts the number of possible passwords and speeds the cracking process.
Also, password-cracking programs have a genuine use. An employee might leave a company or die unexpectedly without revealing passwords that were used to safeguard important files, which other employees now need to access. Even if they are still around, sometimes employees forget their passwords. Programs marketed for genuine purposes are typically called "password recovery programs."

8.2.2 Exploitation of Stored Passwords


Attempting to forecast passwords even with software to quicken the process is an annoying business. It would be faster if a hacker could just find a list of passwords saved somewhere. In a number of cases, the list is right at hand for the taking on the computer's hard disk. Passwords have to be stored at some place, else the system will not be able to know whether a user has entered the precise and accurate password or not. Likewise, most people have numerous different passwords in addition to their logon passwords, used for e-mail access, entry to restricted websites, and so on. Rather than remembering all these secondary passwords, users opt to have the system "remember the password" option. Since computers have short memories, many of these "remembered" passwords must be warehoused in a file somewhere. All a cracker has to do is acquire his/her impatient little hands on that file. In a lot of cases, passwords are not warehoused in a plain text file that the hacker can open and read, except in cases in which a careless user creates such a file, persistently recording passwords for various services and applications. Typically, stored passwords are encoded or hashed.

8.2.3 Interception of Passwords

Crackers do not always need an entrance to password files or a route to guessing (e.g., brute force) to learn functioning passwords. When passwords are sent through the network via local or remote access connections in plain text form, they can be seized and diverted using sniffer software. Telnet sessions to UNIX computers can be captured and the plain text password can be inferred if security measures have not been taken. Use of non-secure authentication protocols, like Password Authentication Protocol (PAP), for remote access results in sending plain text passwords across the link and should be evaded when possible. Another way of stopping passwords is to use a keystroke logger. This is a hardware device or software program that captures and archives every character that is entered, including passwords.
It is often possible to detect an illegal packet sniffer on the wire using a device called a time domain reflectometer (TDR), which sends a pulse down the cable and creates a graph of the reflections that are returned. Users who are knowledgeable about how to read the graph can tell whether and where illegal devices are attached to the cable.

8.2.4 Password Decryption Software

Most password cracking programs do not actually decrypt anything. Nevertheless, if the encryption algorithm is feeble or implemented inaccurately, it is occasionally likely to use a method named one-byte patching, which is skilled at decrypting the password by altering one byte in the package or database.
An additional technique used with weak algorithms requires that the hacker has found one or more files in decrypted form earlier; then they can be used to decrypt others using an identical procedure. This is termed the known plain text method. This practice is famous as an attack against password protected .zip, .rar and .arj files. All these are extensions used for compacted archive files. When robust cryptography is used and compound code words are chosen, it is much more difficult to use basic and direct decryption. In these cases, a dictionary or brute force attack is often successful.

8.2.5 Social Engineering

Contrary to the other attack types, social engineering does not refer to a technological manipulation of computer hardware or software weaknesses, and it does not need much technical skill. As an alternative, this type of attack abuses human weaknesses like carelessness or the desire to be supportive to obtain access to genuine network qualifications. The talent that is most beneficial to the stalker, who depends on social engineering techniques, is the so-called people skills (an attractive or influential personality or a commanding, authoritative presence). Social engineering is an attack carried out through human communication rather than technology, and those who practise it are, in effect, con performers. They gain users' or administrators' trust, and then use this trust to find out user account names and passwords or have the innocent users log them onto the system. As it is based on convincing a legal network user to open the door, social engineering can positively get an invader into a network that is protected by high-security measures.

8.2.6 Prevention and Response


Because passwords are the first, and in some networks, the only line of shield in safeguarding a network from invaders, it is important that steps are taken to guarantee the integrity of all users' passwords.

8.2.6.1 General Password Protection Measures


Administrators and users can take a number of actions to protect passwords, including the following:

1. Follow guidelines for generating strong passwords.
2. Configure settings so that user accounts are deactivated or locked out after a sensible number of incorrect password attempts.
3. Use EFS on Windows 2000/XP/.NET computers to encode files.
4. Store critical data on network servers instead of storing it on local machines.
5. Do not rely on the password protection built into most applications.
6. Permit password shadowing on UNIX/Linux systems.
7. Deactivate LAN Manager Authentication on Windows networks.
8. Confirm that passwords are never sent across the network in plain text format.
9. Use antisniffer software and sniffer detection techniques to protect against hackers who try to capture passwords traveling across the network.
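As an added example (not code from the textbook), the following Python brings together the point of Section 8.2.2, that stored passwords should be hashed rather than kept in plain text, with measure 2 above, locking an account after a sensible number of wrong attempts: credentials are held only as salted PBKDF2 hashes, and verification tracks consecutive failures. The function names, work factor, threshold and lockout period are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed policy constants (not from the textbook).
ITERATIONS = 100_000        # PBKDF2 work factor
LOCKOUT_THRESHOLD = 5       # wrong attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class PasswordStore:
    """Credential store that never retains a plaintext or reversibly encoded password."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the lockout window can be tested
        self._records = {}       # username -> record dict

    def add_user(self, username, password):
        salt, digest = hash_password(password)
        self._records[username] = {
            "salt": salt, "digest": digest, "iterations": ITERATIONS,
            "failures": 0, "locked_until": 0.0,
        }

    def is_locked(self, username):
        rec = self._records.get(username)
        return rec is not None and self._clock() < rec["locked_until"]

    def verify(self, username, password):
        """Return one of 'ok', 'bad_password', 'locked', 'no_such_user'."""
        rec = self._records.get(username)
        if rec is None:
            # Burn a hash anyway so an unknown username is not revealed by response time.
            hash_password(password, salt=b"\x00" * 16)
            return "no_such_user"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"], rec["iterations"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "bad_password"


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse battery")
    print(store.verify("alice", "correct horse battery"))   # ok
    for _ in range(LOCKOUT_THRESHOLD):
        print(store.verify("alice", "guess"))               # bad_password
    print(store.verify("alice", "correct horse battery"))   # locked
```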

8.2.7 Protecting the Network Against Social Engineers


Administrators find it particularly exciting to safeguard against social engineering attacks. Accepting strongly expressed policies that forbid exposing passwords and other network information to anyone over the telephone and educating users about the occurrence are understandable steps that administrators can take to reduce the probability of this type of security break. Human nature being what it is, however, some users on every network will always be susceptible to the social engineer's con game. A clever social engineer is a master in making users distrust their own doubts about his legitimacy.
The invaders might entertain the users with miserable stories of the extra cost the company will incur if they spend extra time confirming their identities. The invader could pass himself off as a member of the company's top management and intimidate the users, threatening the employee with penalizing action or even loss of job if he/she does not get their help. Or the social engineer could try to make the employee feel embarrassed by pretending to be a low-level employee who is just trying to do his/her job and who will be dismissed if he/she does not get access to the network and take care of the problem right away.

8.3 Understanding Technical Exploits

8.3.1 Protocol Exploits


Protocol exploits use the features of a protocol, like the handshake method TCP uses to initiate a communication session, to attain a result that was never planned, for example, overpowering the targeted system to where it is incapable of communicating with genuine users. There are many ways that the normal behavior of network protocols can be influenced to clog the network or server to the point where no genuine communication can get through.
8.3.1.1 DoS Attacks That Exploit TCP/IP

DoS attacks are one of the most widespread collections of Internet attacks by attackers who want to jumble up a network's actions. In February 2000, DoS attacks brought down several of the world's biggest websites, among them Yahoo.com and Buy.com. Many such attacks abuse various features of the TCP/IP protocol suite. DoS attack types include:
1. DNS DoS attacks: It abuses the Domain Name System protocols.
2. SYN/LAND attacks: It abuses the way the TCP handshake process works.
3. The Ping of Death: It makes use of a "killer packet" to overpower a system.
4. Ping flood, fraggle, and smurf attacks: It uses numerous approaches to overflow the network or server.
5. UDP bomb and UDP snork: It abuses the User Datagram Protocol (UDP).
6. Teardrop attacks: It abuses the IP packet header fields.
7. Exploitations of SNMP: It is combined with maximum TCP/IP activities.
8.3.1.2 Source Routing Attacks

TCP/IP supports source routing, which refers to licensing the sender of network data to route the packets through a detailed point on the network. There are two types of source routing:
1. Strict source routing: The dispatcher of the data can lay down the exact route. This is rarely used.
2. Loose source record route (LSRR): The dispatcher can lay down certain routers, called hops, by which the packet must pass.
The source route is an option in the IP header that permits the sender to overrule routing decisions that are generally made by the routers in the middle of the source and destination equipment. Network administrators use source routing to map the network or for troubleshooting routing and communications problems. It can also be used to force traffic through a route that will provide the best performance. Unfortunately, source routing can be exploited by hackers.
If the system allows source routing, an invader can use it to reach private internal addresses on the LAN that normally would not be reachable from the Internet, by routing the traffic through another machine that is reachable from both the Internet and the internal machine. Source routing can be deactivated on most routers to prevent this type of attack.
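Added example, not code from the textbook: a small IPv4 header parser that flags packets carrying the LSRR or SSRR option, which is how a sensor or packet filter would spot source-routed traffic heading for an internal address. The sample packet bytes are constructed here from RFC 5737 documentation addresses; the function names are assumptions.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791.
IPOPT_EOL = 0       # end of option list
IPOPT_NOP = 1       # no operation (padding)
IPOPT_LSRR = 131    # loose source and record route
IPOPT_SSRR = 137    # strict source and record route
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet):
    """Yield (option_type, option_data) for each option in the IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options, i = packet[20:ihl], 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option length byte missing")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        yield kind, options[i + 2:i + length]
        i += length


def detect_source_routing(packet):
    """Describe any LSRR/SSRR option in the packet (what a sensor or filter would flag)."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    result = {"src": src, "dst": dst, "source_routed": False, "kind": None, "hops": []}
    for kind, data in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_NAMES:
            route = data[1:]                       # data[0] is the pointer to the next hop
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) // 4 * 4, 4)]
            result.update(source_routed=True, kind=SOURCE_ROUTE_NAMES[kind],
                          hops=hops, pointer=data[0])
            break
    return result


def build_ipv4_packet(src, dst, options=b"", payload=b""):
    """Build a minimal IPv4 header (checksum left zero) carrying the given options."""
    options += bytes([IPOPT_EOL]) * (-len(options) % 4)     # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def lsrr_option(hops):
    """Encode an LSRR option listing the given hop addresses (pointer starts at 4)."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


# Constructed samples: an outside host addressing a relay reachable from both sides, with an
# LSRR option naming the internal machine as the next hop, beside an ordinary packet.
SAMPLE_SOURCE_ROUTED = build_ipv4_packet(
    "203.0.113.9", "198.51.100.7", lsrr_option(["10.0.0.25"]), b"\x00" * 20)
SAMPLE_PLAIN = build_ipv4_packet("203.0.113.9", "198.51.100.7", payload=b"\x00" * 20)
```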
8.3.1.3 Other Protocol Exploits

The attacks we have discussed so far include misusing some feature or weakness of the TCP/IP protocols. Hackers can also abuse weaknesses of other common protocols, such as HTTP, DNS, Common Gateway Interface (CGI), and other commonly used protocols.

8.3.2 Application Exploits

Application software exploits are those that take benefit of the flaws of specific application programs. These faults are called bugs. Similar to protocol exploits, invaders use application abuses to obtain illegal access to computers or networks or to crash or block up the systems to reject service to others.

8.3.2.1 Bug Exploits

Common bugs can be characterized as:

1. Buffer overflows: Numerous normal safety holes are identified as buffer overflow glitches. Overflows occur when the number of bytes or characters input goes beyond the maximum number acceptable by the program.
2. Unexpected input: The computer programmer might not take steps to describe what happens if invalid input is passed. This might cause the program to crash or open a way into the system.
3. Configuration bugs: These are not truly bugs. As an alternative, they are configurations of software that leave it vulnerable to intrusion.

8.3.2.2 Mail Bombs

A mail bomb is a means of overpowering a mail server, causing it to stop working and thus rejecting service to users. A mail bomb is a comparatively simple form of attack, accomplished by sending a huge quantity of e-mails to a specific user or system. Programs available on hacking sites on the Internet allow a user to easily launch a mail bomb attack, automatically sending floods of e-mails to a specified address while protecting the attacker's identity. A number of types of mail-bombing techniques can be used against the popular Sendmail program, comprising chain bombs, error message bombs, covert distribution channels, and abuse-of-mail exploders.
One variation on the mail bomb automatically subscribes a targeted user to hundreds or thousands of high-volume Internet mailing lists, which fill the user's mailbox and/or mail server. Bombers call this attack list linking. Examples of these mail bomb programs comprise Unabomber, Extreme Mail, Avalanche, Voodoo, and Kaboom.
The solution to repeated mail bomb attacks is to block traffic from the originating network using packet filters. Regrettably, this solution does not work with list linking, because the originator's address is hidden. The overflow of traffic comes from the mailing lists to which the victim has accidentally been subscribed.
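Added example (not the textbook's code) of the detection side of this section: it scans constructed mail-server log lines, flags a recipient who receives more than a threshold of messages within a time window, and reports whether the flood comes from one origin network (where the packet filter the text recommends would work) or from many distinct origins, as in list linking. The log format, names and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a real MTA's format):
#   <ISO timestamp> client=<sending IP> from=<envelope sender> to=<recipient>
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, sender, recipient) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], m["sender"], m["rcpt"]


def detect_mail_floods(lines, window=timedelta(minutes=5), threshold=20):
    """Flag recipients receiving more than `threshold` messages inside any `window`.

    The report says whether the flood has a single origin network (a classic mail bomb,
    stoppable with a packet filter on that network) or many origins (list linking).
    """
    recent = defaultdict(deque)     # recipient -> deque of (timestamp, origin /24)
    hits = {}
    for ts, client, sender, rcpt in sorted(filter(None, map(parse_line, lines))):
        q = recent[rcpt]
        q.append((ts, ipaddress.ip_network(f"{client}/24", strict=False)))
        while q and ts - q[0][0] > window:
            q.popleft()                             # slide the window forward
        if len(q) > threshold and rcpt not in hits:
            nets = sorted({str(net) for _, net in q})
            hits[rcpt] = {
                "count": len(q),
                "first_seen": q[0][0],
                "origin_networks": nets,
                "kind": "mail bomb" if len(nets) == 1 else "list linking",
                "origin_filter_effective": len(nets) == 1,
            }
    return hits


def constructed_log():
    """Build sample log lines: one mail bomb, one list-linking flood, some normal mail."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(25):   # 25 messages in 4 minutes from one /24: a mail bomb
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} client=203.0.113.{5 + i % 3} from=bomb{i}@mailer.test to=victim@example.com")
    for i in range(25):   # 25 list confirmations from 25 different networks: list linking
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts} client=198.51.{i}.20 from=list-{i}@lists.test to=target@example.com")
    lines.append(f"{base.isoformat()} client=192.0.2.8 from=alice@example.net to=bob@example.com")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for rcpt, info in detect_mail_floods(SAMPLE_LOG).items():
        print(rcpt, info["kind"], info["count"], info["origin_networks"][:3])
```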

8.3.2.3 Browser Exploits

Web browsers are customer software programs like Chrome, Netscape, and Opera that attach to servers running Web server software like IIS or Apache and request Web pages via URL, which is a responsive address that indicates an IP address and specific files on the server at that address. The browser receives files that are encoded and must understand the code that governs how the page will be displayed on the user's display screen. Browsers are open to a number of types of attack.

8.3.2.3.1 Exploitable Browser Characteristics

Initially, browser programs were simple, but today's browsers are complex. They are capable of not only displaying text and graphics, but also playing sound files and movies and running executable code. The browser software also typically stores information about the computer on which it is installed and even about the user, which can be uploaded to Web servers either purposely by the user or in reply to the program on a Website.

8.3.2.3.2 Web Spoofing

Web spoofing is a medium by which a hacker is able to see and even make changes to Web pages that are conveyed to or from another computer. These pages comprise confidential information like credit card numbers entered into online commerce forms and passwords that are used to access restricted Websites. JavaScript can be used to route Web pages and information through the attacker's computer, which imitates the destination Web server. The hacker can send e-mail to the victim that comprises a link to the spoofed page, or plant the link into a popular search engine. Secure Sockets Layer (SSL) does not essentially protect against this man-in-the-middle attack. The connection appears to the victim user to be secure because it is secure. The problem is that the secure connection is to a different site than the one the victim thinks he or she is connecting to.

8.3.2.4 Web Server Exploits

Web servers have Web pages that are made readable and manageable to others on the Internet or an intranet. Public Web servers are those which are reachable from the Internet, which always pose a characteristic safety risk as they must be available to the Internet in order to do what they are supposed to do. Clients, like Web browser software, must be capable of sending broadcasts into the network to the Web server for the purpose of fetching Web pages. Nevertheless, authorizing transmissions to come into the network makes the system and the entire network susceptible to invaders, unless measures are implemented to separate the Web server from the rest of the internal network. Security patches are available to address this issue.

8.3.2.5 Buffer Overflows

A buffer is a type of temporary area to hold the data. To accelerate the processing, many software programs use a memory buffer to store alterations to data, and then the information in the buffer is copied to the hard disk. When more data is put into the buffer than it is able to handle, a buffer overflow happens. Overflows can be produced deliberately by hackers, and then broken to run malicious code. There are two types of overflows:

1. Stack overflows
2. Heap overflows

The stack and the heap are two parts of the memory organization that are owed when a program is run. Function calls are stored in the stack and dynamically assigned variables are stored in the heap. A particular amount of memory is allocated to the buffer. Hackers can use buffer overflows in the heap to overwrite a password, a filename, or other data. If the filename is overwritten, a different file will be opened. If this is an executable file, code will be run that was not planned to run.

8.3.3 Operating System Exploits

Some exploits are only on a particular operating system or family of operating systems. These hacks abuse specific features of the operating system code to carry out the attack. All operating systems have their own weaknesses.

8.3.3.1 The WinNuke Out-of-Band Attack

The out-of-band (OOB) attack is one that abuses a flaw in some Microsoft networks, so it is occasionally called the Windows OOB bug. The WinNuke program creates an OOB data broadcast that crashes the machine to which it is directed. It works as follows:

1. A TCP/IP connection is recognized with the target IP address using port 139.
2. Then, the program sends data using a flag called MSG_OOB in the packet header.
3. This flag instructs the computer's Winsock to send data called OOB data.
4. Upon receipt of this flag, the targeted Windows server expects a pointer to the position in the packet where the urgent data ends, with normal data following, but the OOB pointer in the packet created by WinNuke points to the end of the frame, with no data following.
8.3.3.2 Router Exploits

Many of the new cheap routers intended for broadband connections come with default administrator passwords that can be used on any of the vendor's devices, if the administrator does not change the password. This means a hacker with knowledge of the default password could log on and make changes to the routing table or router configuration. This differs from most operating systems that do not come with a default password but require the user to create one during installation. In addition to the administrator password, some router vendors have created special so-called back-door passwords for their systems, proposed to be used by the vendor's tech support personnel, so that if an administrator forgot the admin password, the vendor could help the administrator get back in. Of course, this system could also be misused by hackers with knowledge of the secret master password.

8.4 Introduction to Intrusion Detection System

The network intruder or attacker has traditionally been able to boast of a certain amount of skill, unlike the cyber scam artist who needs to know only enough about computers to send mass e-mail or the child pornographer whose technical knowhow is limited to uploading and downloading files.

Figure 8.1 Intrusion detection system. IDS devices notify the monitor servers of any change in the network; the figure shows an internal IDS, a firewall, monitor servers and workstations.

As discussed in earlier chapters, all kinds of cybercriminals committed many different types of cybercrime, some of whom have very little technical knowledge or skill. Included in this narrow definition are malicious attacks designed to crash computers and congest networks, even when no actual "illegal entry" takes place.
Even though intruders and attackers need not necessarily understand the technicalities of what they are doing, it is important for cybercrime investigators, who build cases charging unauthorized access or breach of network security, to understand the basics of how intrusion techniques and system attacks work. The IDS is shown in Figure 8.1.
Intrusion detection systems (IDSs) help information systems prepare for and deal with attacks. They accomplish this by collecting information from a variety of systems and network sources, and then analyzing the information for possible security problems.

8.4.1 Offerings of Intrusion Detection System

The IDS can offer the following:
1. Add a superior degree of integrity to the remainder of your infrastructure
2. Recognize and report modifications to knowledge
3. Trace user action from purpose of entry to purpose of impact
4. Automate a task of observation of the net, finding out the most recent machine attacks
5. Notice mistakes in your system configuration
6. Sense once your system is under fire
7. Make the protection management of your system possible by non-expert employees
8. Guide the system supervisor within the important step of building a policy for your computing assets
The IDS cannot offer the following:
1. Conduct investigations of attacks without human intervention
2. Compensate for weak identification and authentication mechanisms
3. Deal with a number of the trendy network hardware and options
4. Compensate for flaws in network protocols
5. Always alter complications involving packet-level attacks
6. Compensate for issues within the excellence or integrity of knowledge the system offers
7. Analyze all the traffic on a busy network

8.5 Types of Intrusion Detection System

IDSs are classified in many different ways, including active and passive, network based, host based, knowledge based, and behavior based:

8.5.1 Active IDS

It is also called Intrusion Detection and Prevention System (IDPS). Systems that are configured to automatically block mistrusted attacks in progress without any interference required by an operator are called active IDS. IDPS has the advantage of providing real-time corrective action in reaction to an attack, but has many disadvantages also. To enable IDPS, itself susceptible to attack, it must be placed in-line along a network boundary. Authorized users and some applications may be inappropriately denied access, if false alarms and genuine traffic have not been properly recognized and clarified.

8.5.2 Passive IDS

The system that is configured only to observe and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks is called passive IDS. It cannot perform any protective or corrective functions on its own. It only detects and alerts the user about it. When suspicious or malicious traffic is detected, it notifies the user or administrator. Now, it depends on the user or administrator to block the activity. This notification can either be sent by e-mail, pager, telephone, or message/web. It is necessary to send the notification in a secure way so that the attacker/hacker does not intercept, read or alter them.

8.5.3 Network-Based IDS

A network-based IDS can be a devoted hardware appliance, or an application running on a computer which is attached to the network (Figure 8.2). It observes all the traffic in a network or coming through an access point (e.g., an Internet connection).
The network interface card (NIC) of the network-based IDS operates only in unrestrained (promiscuous) mode, which means that it will pick up all the traffic coming from the media even when the destination or final address is not present in the IDS. It basically acts or works like a sniffer. Other hosts are generally not conscious of the IDS and no extra burden is placed on the network. A network-based IDS can observe traffic only in its native network segment, unless it employs sensors. In switched and routed networks, a sensor is mandatory in each segment in which network traffic is to be observed. When a sensor senses a probable intrusion, it will report it to a central management console which will take care of the suitable passive or active response. Communication between the remote sensor and the management console should be protected to avoid interference or modification by the intruder.

Figure 8.2 Working of network-based IDS (sensors attached to a protected switch).

8.5.4 Host-Based IDS

A host-based IDS (Figure 8.3) is generally a software application fixed on a system and observes activity only on the local system, which has the software application installed on it. It communicates directly with the operating system and has no information of low-level network traffic. Most host-based IDSs depend on information from audit and system log files to sense intrusions. They can also observe system resources and arriving application data. An extra administrative load is placed only on central servers, because a host-based IDS can yield a lot of data. To reduce the load, the IDS can report to a central console.
8.5.6 Behavior-Based IDS (Anomaly Based)

A behavior-based IDS references a baseline or learned pattern of normal system activity to identify deviations from it. Behavior-based intrusion detection is also known as anomaly detection. As the name denotes, a behavior-based IDS learns what normal behavior looks like based on observed patterns. To distinguish normal from abnormal activity, it first has to study what behavior is normal. When you activate a behavior-based IDS for the first time, it will record network bandwidth usage, processor and memory activity, disk usage and other system performance indicators over a defined period to produce a baseline. After the learning period, activity that deviates from the baseline is flagged as a possible intrusion.
The benefit of this approach is that it dynamically adjusts to new exploits. Because normal system behavior can vary, however, it frequently produces a high number of false alarms; higher false alarm rates are frequently found with behavior-based IDSs.
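As an added illustration (not from the book), here is a small Python model of the learning period and baseline comparison just described: it summarizes constructed per-minute bandwidth figures from a training period, then flags later samples that deviate from the baseline by more than a chosen threshold. The threshold values are an assumption made to show the false-alarm trade-off.

```python
"""Toy behavior-based (anomaly) IDS: learn a baseline, then flag deviations.

Added example, not from the book. All traffic figures below are constructed.
"""
from statistics import mean, pstdev


def learn_baseline(training_samples):
    """Learning period: summarize normal activity as mean and standard deviation.

    training_samples: per-interval byte counts observed while the system is
    assumed to be behaving normally.
    """
    if len(training_samples) < 2:
        raise ValueError("need at least two training samples")
    return {"mean": mean(training_samples), "stdev": pstdev(training_samples)}


def deviation(baseline, sample):
    """How many standard deviations a sample lies from the learned mean."""
    if baseline["stdev"] == 0:
        return 0.0 if sample == baseline["mean"] else float("inf")
    return abs(sample - baseline["mean"]) / baseline["stdev"]


def detect(baseline, samples, threshold):
    """Return indices of samples whose deviation exceeds the threshold.

    A low threshold catches more attacks but raises more false alarms, which is
    the trade-off the text describes for behavior-based IDSs.
    """
    return [i for i, s in enumerate(samples) if deviation(baseline, s) > threshold]


# Constructed per-minute bandwidth figures (bytes) for the learning period.
TRAINING = [1000, 1100, 950, 1050, 1000, 1200, 900, 1000, 1100, 1050]

# Constructed live samples: index 2 is a burst far above normal; index 5 is a
# busier-than-usual but legitimate minute (a false alarm at a low threshold).
LIVE = [1000, 1050, 9000, 1100, 950, 1250, 1000]


def run(threshold):
    """Learn from TRAINING, then report which LIVE samples would be flagged."""
    baseline = learn_baseline(TRAINING)
    return detect(baseline, LIVE, threshold)


if __name__ == "__main__":
    for t in (2.0, 3.0):
        print(f"threshold={t}: flagged sample indices {run(t)}")
```

At a threshold of 2.0 both the burst and the busy minute are flagged; raising it to 3.0 drops the false alarm while keeping the burst.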

8.6 Understanding Network Intrusions and Attacks

8.6.1 Intrusions versus Attacks

It is important for investigators to realize the difference between an intrusion and an attack. An intrusion is a real, unauthorized entry to the network or system; it can be a significant aspect in establishing the elements of a criminal offense. As in the case of DoS attacks, various other attacks can be committed without gaining entry to the network or system. The attacker never gets access to any computer on the network, as these attacks overload network resources to make the network inaccessible to genuine users. It is more important to be exact while referring to precise computer crimes. When no intrusion occurs, DoS attackers should not be referred to as intruders. Similarly, not all intruders can precisely be categorized as attackers, while those who gain access and then abolish information or plant viruses are correctly named by both names.

8.6.2 Recognizing Direct versus Distributed Attacks

There are two different ways that attackers can launch their attacks against a system or network. A direct attack is launched from a computer used by the attacker (often after pre-intrusion/attack tools, such as port scanners, are used to find potential victims). As compared to a direct attack, the distributed attack is more complex. Instead of the attacker performing all the necessary tasks to launch an attack directly, distributed attacks use some other individual's system for the same. This type of attack includes multiple victims, which include not only the target of the attack, but also the intermediary remote systems from which the attack is launched and which are controlled by the attacker. The agents or intermediaries are referred to as zombies.
Because the attack packets that reach the victim have multiple source addresses, and none of these is the address of the attack's originator, this type of attack, of course, makes it more difficult to track down the perpetrator. Attackers can launch their attacks simultaneously from dozens, hundreds, or even thousands of Internet hosts all over the world using the distributed method. This means that far more traffic can be generated than is possible with standard one-source attacks. Table 8.1 shows the distributed attack process with different components and their respective actions.

Table 8.1 Distributed attack process

Step  Component          Action
1     Daemon (or agent)  Announces itself to the "masters" that have been predefined
2     Master             Lists daemon as "ready and willing" to be used for attack
3     Attacker           Issues command to masters to launch attack
4     Master             Issues command to daemons on agents to launch attack (with specific parameters such as identity of target and duration of attack)
5     Daemon             Launches attack on specified victim

The reason for arranging the components of this model in pyramid form is that one attacker controls many masters which, in turn, control various other daemons or agents. This makes it easier to disable or deactivate the part of the attack system which is nearer to the top of the pyramid: the topmost level of the pyramid has the least systems to be dealt with. Because this model's components are systematized in a pyramid form, with one attacker administering numerous masters, which in turn control many agents/daemons, the agents and their guiding force software will not be able to function if the masters are deactivated. The most efficient disabling technique is to find the attacker, thus disabling the entire strand of attack.
8.6.4 Accidental Attacks

Some intrusions and attacks may really be unintentional. We do know that many Trojan horses and worms are written to spread themselves by getting into the victim's address book and sending infected e-mail to all the addresses found there. The user who appears to have sent the virus-infected e-mail is frequently a victim of the attack himself/herself. In numerous cases, huge quantities of virus attacks are introduced accidentally or unknowingly. When a lower state of obligation is present, some acts are still considered criminal. It is very important for investigators to be aware of the culpable mental state that is specified as an element of each offense to be charged; the criminal code commonly refers to a default level of responsibility that applies if no level of responsibility is specified. Unintentional attacks can be just as critical as intentional ones, and network security personnel must be just as alert in taking action against them.

8.6.5 Preventing Intentional Internal Security Breaches

A security breach is an event that affects unauthorized access of data, applications, services, networks and/or devices by avoiding their core security mechanisms. It happens when an individual or an application illegally moves into a private, confidential, or unauthorized logical IT perimeter.
Best positioned to gain access to information or to block the network's integrity are users inside the network. Internal attackers are more hazardous for several reasons:
1. People inside the network generally know more about the company, the network, the layout of the buildings, normal working processes, and other information that makes it easier for them to gain access without recognition.
2. Internal attackers generally have at least some degree of legal access and could find it easy to determine passwords and gaps in the current security system.
3. Internal hackers know what activities will incur the most damage, and what information is on the network.
In a high security environment, actions should be taken to avert this kind of theft. For example:
1. Install computers lacking floppy drives or even totally diskless workstations.
2. Apply system or group strategy that prevents users from installing software.
3. Lock PC cases and cover physical access to serial ports, USB ports, and other connection points, so that removable media devices cannot be connected.

8.6.6 Preventing Unauthorized External Intrusions

When it comes to network security and attack issues, external intrusions are the major concern of many companies. The Web servers of prominent organizations, such as Yahoo! and Microsoft, have been hacked. Attempts to penetrate sensitive government networks, such as the Pentagon's systems, occur on a regular basis. Front page news is made by DDoS attacks when they crash servers and prevent Internet users from accessing popular sites. The good news about external intrusions is that the areas that must be controlled are much more focused than for internal attacks: these are the points of entry to the network from the outside.
Unauthorized intrusion can also be defined as attacks in which the attacker gets access into the system by means of different hacking or cracking techniques. This type of activity will be performed by some outsider who wants to have access to the system in order to use it for some negative purpose.

8.6.7 Planning for Firewall Failures

Even against outside intruders, organizations should never depend on the firewall to provide 100 percent protection. A security plan must be both multifaceted and multilayered to be secure and effective. The following questions must be taken into consideration, even though administrators can hope that a firewall will keep intruders out of the network completely. The planning must take into consideration the possibility that the firewall will fail:
1. If intruders do get in, what is the contingency plan?
2. How can they reduce the amount of damage attackers can do?
3. How can the most sensitive or valuable data be protected?
For most organizations it is highly likely the firewall was deployed several years ago, with minimal enhancements made to it over the years. It is also necessary that proper maintenance and testing of the firewall be carried out on a regular basis. Therefore, when considering maintenance and testing and examining firewall failure, organizations should ask the following questions:
1. When was the last time the firewall rule set was fully verified?
2. When was the firewall rule set updated?
3. When was the last time the firewall was fully tested?
4. When was the last time the firewall rule set was optimized?

8.6.8 External Intruders with Internal Access

External intruders with internal access are basically outsiders who physically break into your facility to gain access to your network. Such a person is not actually a true insider, because he or she is not authorized to be there and does not have a valid account on the network.
Tactical planning requires administrators to plan responses in detail, which means thinking in specific ways rather than generalities. The security threat assessment must be based in part on the technical aspects of the type of attack that is initiated and in part on understanding the motivations of the people initiating the attack. In a high-security environment, these tasks should be the responsibility of an incident response team.

8.6.9 Recognizing the "Fact of the Attack"

If preventative actions do not work, the next step for network administrators is to move into reactive mode and try to minimize the damage. Before the network administrators can do that, they must have a mechanism to recognize that an attack is taking place. To recognize that an attack is happening, IDSs use two methods:
1. Pattern recognition: Investigating files, network traffic, series in ... other data for recurrent or identifiable marks of attack, like mysterious increases in file sizes or character strings.
h,'" ,I II I\ I II I h l.-1 ' 1h1.111\\ ,h 1 , · , \ I I I \ IIll I 1 1 Ill IIHI 11· I "I I h ' I\\ 1 ,d, ,I Ill I \\ Ii .11 dll' .II I.II l,1 'I
'" · ! .. ~- \ \ , ·" I\ , , I ' I •'

, , ..... ~-. ,\,. 1• :, !' n.",1, ", " d,, 1'\ ,~ .111.1. k,. ~, .11, "1111 1.11111 ~,,, ,, 1,; "r. "" 1,,· .11 "" 1,,, .,"" ,1,,,, i11" a""
:: ... ',',',,,:, . ,,,:\I,' ,,t 1h, \\\,'I,' ',,q,, 11,11, I\ I'•' ,,t' h,h k',111,11 k,, ii1111,:1,11g \II\ 1.11 l'IIJ',i11,·1·1i1q•, .111.11 I,,.
'.·. ,, : !, ,,, .: \\;, .. ,,,,,\ 111 \,lkfll.ll,l .11:,1111\1 1h,• ,111,h k \\l11·11 ''"' h .111• ,I"'"""' 11111l,·1, 1.111,l111r. of hmv
' ' I •,• ,,! ,:,,.t. \,. \\," \\
\ ... . t
:, ,, \ ,, ..1••, ,,,,, 1h, ,, ,l. tkl\'1\1 1111111,11111, ·""' ,111.h k, 1111,, 1l.1\\ili, .,ti,111,:
l. :',• ', , ',,., .Ill h l,_ ,I, II\ 1\1, ,

.,, r~''"''.J , ...,


'
,l : ,, ,, ' , ..' , ' t'\' \'
~ •,.. .... h lh,,l,

'1 \ I, 1, 1,'u' ,,,\, .ll\ h " '

Network forensics, like any other forensic investigation, presents many challenges. The first challenge is with data storing, including all of the network configuration and security measures, and the need to capture all desired traffic data. To solve this issue, the network investigator should place network devices in multiple places of the network.
Another lack in network forensics is data correlation. Data correlation can be either manual or automatic; for the latter, a timestamp should be logged as well.
Attackers may encrypt the traffic, usually using an SSL VPN connection. For a network investigator this is a problem when the data stream is not available. More logging and additional analysis should be performed in order to determine the infiltrated data.
Another common challenge is determining the source of an attack, since an attacker may use a combination of intermediate hosts to perform an attack, or simply uses a remote proxy server. This makes it difficult for a network investigator to follow the attacker's original address.
Apart from the challenges stated previously, the main task of a network forensics investigator is to analyze captured evidence such as PCAP files, as the hints present in network traffic should be examined, including but not limited to: protocols used, IP addresses, port numbers, timestamps, malicious packets, user authentication, software versions and operating system versions. This information
8.8 Collecting Network-Based Evidence

The solitary, most cooperative network-based incident response activity is to set up computer systems that do nothing but capture or gather network communications. Capturing network communications is a serious and essential step when examining suspected crimes or exploitations.
In this chapter, we demonstrate how to capture network traffic the disagreeable and bare metal way, with software like tcpdump and WinDump. We also discuss how to assemble a healthy, safe, protected network-monitoring system, and conduct full content monitoring of network traffic.

8.8.1 What is Network-Based Evidence?

We talk about the result of full content network monitoring or the interception of electronic communications as network-based evidence. Collecting network-based evidence involves setting up a computer system to carry out network monitoring, setting up the network monitor, and assessing the efficiency of the network monitor.
Catching the traffic is only a portion of the work; extracting meaningful results is the other challenge. After you have collected the raw data that constitutes your network-based evidence, you must examine that data. The analysis of network-based evidence involves reforming the network activity, executing low-level protocol analysis, and understanding the network activity.

8.8.2 What are the Goals of Network Monitoring?

Network monitoring is not planned to prevent attacks. Instead, it permits investigators to complete a number of tasks:
1. Confirm or dismiss suspicions surrounding an alleged computer security incident.
2. Collect additional evidence and information.
3. Verify the scope of a settlement.
4. Identify additional parties involved.
5. Determine a timeline of events occurring on the network.
6. Make sure of the compliance with a desired activity.

8.8.3 Types of Network Monitoring

Network monitoring consists of several different types of data collection:
1. Event monitoring: Event monitoring is based on rules or thresholds working on the network monitoring platform. Events are simply warnings that something occurred on your network. Traditional events are generated by a network IDS, but events can also be created by network health monitoring software such as MRTG (Multi Router Traffic Grapher) or NTOP. The Snort tool is used to capture the events.
2. Trap and trace monitoring: Noncontent observing records the session or transaction data briefing the network activity. Law enforcement refers to such noncontent observing as a pen register or a trap and trace. It usually comprises the protocol, IP addresses, and ports used by a network communication. Additional data may consist of flags seen during the conversation, counts of bytes of information sent by each side, and counts of packets sent by each side. Session data does not care about the content of the conversation. To summarize the session, the tcptrace tool is used.
3. Full content monitoring: Full content observing produces data that contains the raw packets collected from the wire. It offers the highest fidelity, because it represents the actual communication passed between computers on a network. Full content data contains packet headers and payloads. The tool used to capture the packets is tcpdump.

8.8.4 Setting Up a Network Monitoring System

Hardware- and software-based network diagnostic tools, IDS sensors, and packet capture utilities all have their dedicated purposes. Network diagnostic and troubleshooting hardware can capture data consistently, and it is the most efficient at capturing data at the full rate of the monitored network segment. However, network diagnostic and troubleshooting tools have several drawbacks that make them inappropriate for performing network investigation.
Intrusion detection solutions have addressed the difficulties of remote management and storage, and they are easily scaled. However, these platforms cannot consistently perform both intrusion detection and network surveillance responsibilities concurrently. Still, it is very common for an organization to use its IDS sensors as network monitoring devices.
Creating a successful network observation system includes the following steps:
1. Define your goals for performing the network surveillance.
2. Make sure that you have the proper legal standing to perform the monitoring activity.
3. Obtain and implement proper hardware and software.
4. Make sure of the security of the platform, both by electronic means and by physical means.
5. Confirm the appropriate placement of the monitor on the network.
6. Assess your network monitor.
A fault in any one of these steps could yield untrustworthy and unsuccessful surveillance capabilities within your organization.

8.8.4.1 Deciding Your Goals

The first step for carrying out network investigation is to know why you are doing it in the first place. Determine the goals of your network monitoring, because they will impact the hardware, software, and filters you use to collect evidence. Decide what you intend to achieve, like:
1. Watch traffic to and from a specific host.
2. Observe traffic to and from a specific network.
3. Observe a specific individual's actions.
4. Confirm intrusion attempts.
5. Look for specific attack signatures.
6. Focus on the use of a specific protocol.
Once you have established your goals for network surveillance, make sure that the policies you have in place support these goals. Make sure these policies are openly defined before the investigation begins.

8.8.4.2 Choosing Appropriate Hardware

Organizations can purchase a commercial system or they might develop their own network monitor. Important to note is that the system must have the horsepower to perform the monitoring functions. Small organizations will depend on home-grown solutions. How much data your system can collect depends on the following three parameters:
1. Processor and RAM: The system running the monitor should be at least a Pentium-class machine. Make sure that the system has at least 256MB of RAM; if possible, provide a RAM amount of 512MB. In short, the more RAM it has, the better the network monitor will perform. Table 8.2 shows the recommended hardware configurations that you can use as guidelines for your monitor.

Table 8.2 Network monitor system hardware recommendations

                Well used T-1 to sporadically used T-3    Well used T-3 and higher
Processor       Pentium II 300MHz                         Pentium III 50MHz or higher
RAM                                                       1GB or more
Hard drive      20GB IDE                                  72GB or more SCSI

2. Hard drive: The amount of hard drive space your system requires depends on the specificity of your filters and the amount of network traffic crossing the observed segment. Hard drive space is getting cheaper; use at least a 40GB drive on a laptop and an 80GB drive on a tower. The bottom line is to get a large hard drive. You can overcome storage insufficiencies by repeatedly transferring the collected data to external media. It is good practice to transfer the binary files to an external hard drive periodically for duplication, in case of any emergency.
8.8.4.3 Choosing Appropriate Software

The next difficulty in accumulating a network monitor is choosing its software. Monitoring offers a lot of choices, and you might need different tools to meet different needs. You will discover that free network monitoring tools work as well as, or better than, their commercial corresponding items. Commercial tools generally leave behind free utilities when it comes to examining and understanding the data collected. Each tool seems to offer something the others do not, so you should know what you need before you obtain network investigation software.
The following factors will affect the software you choose:
1. Which operating system will you use?
2. Do you want to permit remote access to your monitor, or access your monitor only at the console?
3. Do you want to implement a silent network sniffer?
4. How will you store and protect the capture files?
5. What are the technical skills of those responsible for the monitor?
6. Who manages the network?
8.8.4.4 Deploying the Network Monitor

The placement of the network monitor is maybe the most important issue in setting up an investigation system. Newer devices and network technology, i.e., network switches, VLANs, and multiple high-rate networks, have created some new challenges for investigators. The typical goal of network investigation is to capture all activity relating to a specific target system. Switches will segment a network by noticing and sensing the presence of workstations based on their MAC addresses. Once the switch builds a port-to-MAC-address relationship table, it will release packets from a port only if the receiving system is present on it.
It is also important to place the investigation system in a physically safe location. In general, physical access means logical access. In other words, anyone who can physically access your investigation machine can evade any software controls you have on it. When you are deploying a system to perform network investigation, you need to protect the system in a locked room where only a select number of trusted employees can obtain access.

8.8.4.5 Evaluating Your Network Monitor

When carrying out network monitoring, you cannot just start tcpdump and walk away from the console. You will want to check to make sure the disk is not filling rapidly, verify that the packet capture program is executing suitably, and see what kind of load the network monitoring is carrying.

8.8.5 Performing a Trap and Trace

To capture noncontent information from a network, you can use a pen register or trap and trace. On Internet-based networks, applying a trap and trace on your network refers to observing the IP and the TCP headers without observing any content within the packets themselves. This is a nonintrusive way of defining the source of a network-based attack. It also can be used to sense network traffic irregularities, like backdoor programs that permit secret file transfers that challenge detection by a normal IDS.
Trap and trace monitors are helpful in DoS cases, where they may provide the only evidence other than verbal testimony. If your network has an IDS, router, or web server that strangely crashes on a regular basis, a trap and trace of all network traffic to and from the victim system not only helps to locate the source of the problem, but will also, perhaps, offer good hints about the appropriate technical solution. It may also be used as evidence that the attack occurred.
You can accomplish a trap and trace by using free, standard tools like tcpdump. Tcpdump and WinDump capture files have the same binary format, so you can capture traffic using tcpdump and view it using WinDump.
1. Initiate a trap and trace with tcpdump at the command line, or perform a trap and trace with WinDump for the Windows operating system.
2. Create a trap and trace output file. It is easier to create a permanent output file than to view the data live on the console. If we do not have the output file, then the information is lost the minute you terminate your tcpdump or WinDump process. The UNIX "cat" command is used to view the capture file.
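As an added example that is not part of the book (and not tcpdump's or WinDump's own code), the following Python builds a tiny libpcap-format capture from constructed Ethernet/IPv4/TCP frames, reads it back, and produces the noncontent view described in Sections 8.8.3 and 8.8.5: protocol, IP addresses, ports, TCP flags and per-side byte and packet counts, with payload bytes measured but never stored. The addresses, ports and packet contents are constructed, and the parser assumes Ethernet/IPv4/TCP frames only.

```python
"""Trap-and-trace (noncontent) summary of a pcap capture, as an added example.

Not code from the book or from tcpdump/WinDump. Builds a small libpcap file in
memory from constructed Ethernet/IPv4/TCP frames, then reads it back and keeps
only header information: addresses, ports, flags and counts. Payload bytes are
never stored, which is what separates trap-and-trace from full content
monitoring. Only Ethernet/IPv4/TCP is decoded; other frames are skipped.
"""
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic; little-endian file layout here
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bits 0..5


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame. Checksums stay zero because the
    frame is never handed to a real network stack."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp


def write_pcap(frames):
    """Serialize (timestamp, frame) pairs into libpcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) records from libpcap bytes."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def flag_names(flag_bits):
    """Human-readable TCP flag combination, e.g. 0x12 -> 'SYN/ACK'."""
    return "/".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)) or "none"


def trap_and_trace(data):
    """Aggregate per-session header data. Returns {((ip, port), (ip, port)): summary}
    with the first-seen sender listed first in the key."""
    sessions = {}
    for ts, frame in read_pcap(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                                   # not IPv4: skipped here
        ihl = (frame[14] & 0x0F) * 4
        total_len, proto = struct.unpack("!H", frame[16:18])[0], frame[23]
        if proto != 6:
            continue                                   # not TCP: skipped here
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        off_flags = struct.unpack("!H", tcp[12:14])[0]
        data_off = (off_flags >> 12) * 4
        payload_len = total_len - ihl - data_off       # counted, never stored
        a, b = (src, sport), (dst, dport)
        key = (a, b) if (a, b) in sessions or (b, a) not in sessions else (b, a)
        s = sessions.setdefault(key, {"protocol": "TCP", "first_seen": ts, "last_seen": ts,
                                      "flags_seen": set(), "packets": {a: 0, b: 0},
                                      "bytes": {a: 0, b: 0}})
        s["last_seen"] = ts
        s["flags_seen"].add(flag_names(off_flags & 0x3F))
        s["packets"][a] += 1
        s["bytes"][a] += payload_len
    return sessions


# Constructed three-way handshake plus one data segment, 10.0.0.5 -> 192.0.2.10:80.
SAMPLE_CAPTURE = write_pcap([
    (1_700_000_000, build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x02)),   # SYN
    (1_700_000_000, build_tcp_frame("192.0.2.10", "10.0.0.5", 80, 40000, 0x12)),   # SYN/ACK
    (1_700_000_001, build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x10)),   # ACK
    (1_700_000_001, build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x18,
                                    b"GET / HTTP/1.0\r\n\r\n")),                   # PSH/ACK + data
])

if __name__ == "__main__":
    for (client, server), s in trap_and_trace(SAMPLE_CAPTURE).items():
        print(client, "->", server, sorted(s["flags_seen"]), s["packets"], s["bytes"])
```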

8.8.6 Using TCPDUMP for Full Content Monitoring

We conduct full content monitoring for computer security incident response. For instance, if an employee of an organization is alleged to be transferring business secrets to a conspiring party, do you just want the transaction information, or would you also prefer to intercept the content of the data transmitted? When an intruder attacks the integrity of one of your servers, do you also want to intercept the full amount of data sent to and received from the victim system? When you are done setting up your monitoring system, you are ready to begin full content monitoring. The tcpdump tool is used for full content monitoring.
8.8.6.1 Finding Full Content Data

While monitoring the system, we will not always want the maximum traffic; this means we need to be able to find the full data content we are interested in from the whole traffic. As we know, tcpdump returns all the IP packets. So, the tcpdump tool offers various options to draw attention toward specific packets using Berkeley Packet Filters.
8.8.6.2 Maintaining Your Full Content Data Files

The important aspect of collecting full content data is naming the files and ensuring their integrity. It is important to give a capture file a filename with some unique element to identify its origin and purpose. So, we include the timestamp, hostname, and interface in the capture filename, where the timestamp is written in date and time format. After giving the unique naming convention, perform MD5 or SHA hashing of the full content data files for ensuring the integrity of the evidence.

8.8 .7 Co llec ting Ne two rk-B ase d Log


Files
When you collect the evidence, make sure that you are looking over the potential sources of evidence when you respond to an incident. It happens that most network traffic leaves an audit trail somewhere along the path it travelled. Some examples are:
1. Routers, firewalls, servers, IDS sensors, and other network devices may preserve logs that record network-based events.
2. DHCP servers record network access, when a PC requests an IP lease.
3. Modern firewalls permit the administrators an extensive amount of granularity when creating inspection logs.
4. IDS sensors may catch a portion of an attack due to a signature recognition or irregularity uncovering filter.
5. Host-based sensors may sense the modification of a system library or the addition of a file in a subtle location.
6. System log files three time zones away on the primary domain controller may display an unsuccessful authentication during a logon attempt.
When all the existing segments of the network-based evidence are combined, then they reconstruct a particular network event like a file transfer, a buffer overflow attack, and a stolen user account and password being used on your network.
All investigative clues have some unique challenges for the investigator. Those challenges are:
1. The network-based logs are stored in many formats.
2. These logs may originate from several different operating systems.
3. These logs may require special software to access and read.
4. These logs are geographically dispersed and sometimes use an inaccurate current time.
The main challenge for investigators is in tracing all these logs and associating them. This is very time consuming and also resource demanding: to obtain geographically discrete logs from many different systems, preserve a chain of custody for each of them, and reconstruct a network-based event. Many times, the proper grouping of all these logs still paints a horrible, imperfect picture.
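The four challenges above (many formats, several operating systems, special software, dispersed sources with inaccurate clocks) are what a log-correlation script has to absorb before a single network event can be reconstructed. The following is an added example, not code from the book: it normalizes three constructed log excerpts (a Cisco-style syslog line with no year, a DHCP server line, and a Windows domain controller line) written in different local time zones with different measured clock errors into one UTC timeline. The host names, log lines, and the per-source time zone and skew values in SOURCES are all constructed assumptions.

```python
"""Correlating network-based logs from different devices, formats and time
zones into one UTC timeline. Added example, not code from the book; the log
lines, host names and per-source clock corrections are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpts, each in its source's native format and local time.
FIREWALL_LOG = """\
Mar 14 22:33:11 fw-edge01 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 10.0.0.5(1337), 1 packet
Mar 14 22:33:40 fw-edge01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4444) -> 10.0.0.5(22), 1 packet
"""
DHCP_LOG = """\
2024-03-14 17:02:50 DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0
"""
DC_LOG = """\
14/03/2024 16:05:40,WIN-DC01,4625,An account failed to log on,Account Name: jdoe
"""

# Facts the collector must record for each source: the time zone it logs in
# and its clock error (device clock minus a trusted reference clock).
SOURCES = {
    "fw-edge01": {"tz": timezone(timedelta(hours=5, minutes=30)),
                  "skew": timedelta(seconds=-95), "year": 2024},  # syslog carries no year
    "dhcp01": {"tz": timezone.utc, "skew": timedelta(0)},
    "WIN-DC01": {"tz": timezone(timedelta(hours=-1)), "skew": timedelta(seconds=30)},
}


def parse_firewall(line, year):
    """BSD syslog format: 'Mon DD HH:MM:SS host message' (no year, no zone)."""
    m = re.match(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$", line)
    if not m:
        return None
    mon, day, clock, host, msg = m.groups()
    local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return host, local, msg


def parse_dhcp(line, host="dhcp01"):
    """ISC-style 'YYYY-MM-DD HH:MM:SS message'; the host is implied by the file."""
    m = re.match(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$", line)
    if not m:
        return None
    return host, datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def parse_dc(line):
    """CSV export: 'DD/MM/YYYY HH:MM:SS,host,EventID,message,...'."""
    parts = line.split(",")
    if len(parts) < 4:
        return None
    local = datetime.strptime(parts[0], "%d/%m/%Y %H:%M:%S")
    return parts[1], local, f"EventID {parts[2]}: " + ",".join(parts[3:])


def to_utc(host, local):
    """Attach the source's zone, convert to UTC, then undo its clock error."""
    src = SOURCES[host]
    return local.replace(tzinfo=src["tz"]).astimezone(timezone.utc) - src["skew"]


def build_timeline():
    """Parse every excerpt, normalize to corrected UTC and sort."""
    events = []
    for line in FIREWALL_LOG.splitlines():
        events.append(parse_firewall(line, SOURCES["fw-edge01"]["year"]))
    events += [parse_dhcp(l) for l in DHCP_LOG.splitlines()]
    events += [parse_dc(l) for l in DC_LOG.splitlines()]
    timeline = [{"utc": to_utc(h, t), "host": h, "message": m}
                for h, t, m in events if h is not None]
    timeline.sort(key=lambda e: e["utc"])
    return timeline


if __name__ == "__main__":
    for e in build_timeline():
        print(e["utc"].isoformat(), e["host"], e["message"])
```

Skew is applied after the zone conversion because the measured error is a property of the device clock, not of the zone; record both values at collection time, since the order of events changes once the DHCP lease, the firewall denials and the failed logon are placed on one corrected clock.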
8.9 Evidence Handling
There should be some rules and regulations for performing a forensic investigation.
Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (use a write blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of whom might have accessed the evidence and at what time.
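The naming-and-hashing advice for capture files at the start of this section and Rules 2, 3, 4 and 6 above describe one acquisition workflow. The script below is an added example, not code from the book: it builds a unique capture name from timestamp, hostname and interface, copies a source bit-for-bit onto a freshly created file (refusing to overwrite anything that exists), hashes source and image with MD5 and SHA-256, and appends a chain-of-custody record. The naming pattern, the JSON-lines custody log layout, the host and interface names, and the constructed "device" contents are assumptions.

```python
"""Evidence acquisition helper: unique capture naming, bit-for-bit copy,
MD5/SHA-256 integrity hashes and a chain-of-custody log.
Added example, not code from the book; the naming pattern, the custody
record layout and the sample 'device' data are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def capture_filename(hostname, interface, when, suffix=".pcap"):
    """Self-describing name: <UTC date-time>_<host>_<interface><suffix>."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d-%H%M%S")
    return f"{stamp}_{hostname}_{interface}{suffix}"


def hash_file(path):
    """MD5 and SHA-256 over the full file content, read in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire_image(source, image):
    """Rules 2-4: read the source read-only, write it bit-for-bit to a NEW
    file (O_EXCL, so sterile media are never silently reused), then hash
    both sides and refuse to continue on any mismatch."""
    fd = os.open(image, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    with open(source, "rb") as src, os.fdopen(fd, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    before, after = hash_file(source), hash_file(image)
    if before != after:
        raise RuntimeError("image hashes differ from source; acquisition failed")
    return after


def custody_entry(log_path, evidence, action, examiner, hashes):
    """Rule 6: append one custody record (who did what to which item, when,
    and the hashes that identify the item at that moment)."""
    record = {"time": datetime.now(timezone.utc).isoformat(), "evidence": evidence,
              "action": action, "examiner": examiner, **hashes}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed run: a fake 'device' file is acquired into a temp directory."""
    work = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(work, "device.bin")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * 64)  # constructed sample content
    name = capture_filename("fw-edge01", "eth1",
                            datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc), ".img")
    image = os.path.join(work, name)
    hashes = acquire_image(device, image)
    entry = custody_entry(os.path.join(work, "custody.jsonl"), name,
                          "acquired", "examiner-1", hashes)
    return {"name": name, "hashes": hashes,
            "verified": hash_file(image) == hashes, "log": entry}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-hashing the image on every later access (and logging that access) is what turns the hashes into a usable integrity check rather than a one-time number in the report.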

8.10 Investigating Routers
During various incidents, routers play many different roles. Routers can be targets of attack, stepping stones for attackers, and tools used by investigators. To allow investigators to resolve complex network incidents, routers can provide valuable information and evidence.
Routers lack the data storage and functionality of many of the other technologies we have examined in previous chapters, and thus they are less likely to be the ultimate target of attacks. During network penetrations, routers are more likely to be springboards for attackers. The information stored on routers, such as passwords, routing tables, and network block information, makes routers a valuable first step for attackers bent on penetrating internal networks.

8.10.1 Obtaining Volatile Data Prior to Powering Down
We always begin the response process by obtaining the most volatile data first. The information in memory is volatile, while information stored on the hard drive or in nonvolatile RAM (NVRAM) is relatively stable; this is the order of volatility. Accordingly, if any of the information in memory may be important to the investigation, it must be saved before powering down or altering the state of the operational router. The information in memory is almost always important with routers. The system state information in memory, such as current routing tables, listening services, and current passwords, will be lost if the router is powered down or rebooted.

8.10.1.1 Establishing a Router Connection
You will have to establish a connection to the router before you do anything. The console port is the best way to access the router. You are less likely to tip off any attacker who still has access to the network by connecting directly to the router. An attacker with a network sniffer can potentially see your traffic and learn that an investigation is being conducted if you telnet to the router. A dial-up connection or an encrypted protocol, such as Secure Shell (SSH), is a better choice than telnet if console access is unavailable.
Make sure to log the entire session when you are establishing a connection to the router. With HyperTerminal, simply select the transfer/capture text option to log the session. The multiple modes of which the Internetwork Operating System (IOS) command language consists are initial setup, login prompt, basic command, enable, configuration, and interface configuration. The mode which allows you to display configuration settings is basic mode. You must enter enable mode to be able to modify configuration settings and save them to NVRAM. There is an enable password associated with privileged level access.

8.10.1.2 Saving the Router Configuration
Router configurations are generally straightforward. All configuration information for Cisco routers is stored in a single configuration file. This configuration rules all aspects of the router's behavior, and it is stored in NVRAM. When the router boots, it uses this stored configuration. However, the configuration of the router can be changed without modifying the configuration file stored in NVRAM. Instead, the changes to the configuration are made in RAM, and they are saved to NVRAM only by an administrative command. Thus, you should save the configuration that is in RAM as well as the configuration in NVRAM.
You must have enable (privileged) level access to the router. Use the show running-config command or the equivalent (but older) write terminal command to view the configuration currently loaded on the router:
ciscorouter#show running-config
Use the show startup-config or equivalent show config command to view the configuration stored in NVRAM:
ciscorouter#show startup-config
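Because changes made in RAM are only written to NVRAM by an explicit administrative command, the difference between the two captures above is itself evidence: anything present in running-config but absent from startup-config was changed after the last save, and no legitimate change record may exist for it. The script below is an added example, not code from the book: it strips the banner and separator lines that always differ between the two views and reports the lines added to or removed from the running configuration. Both configuration texts are constructed, the addresses are documentation ranges, and the hash in the enable secret line is a placeholder.

```python
"""Comparing the configuration saved in NVRAM (show startup-config) with the
one running in RAM (show running-config) to find uncommitted changes.
Added example, not code from the book; both configurations are constructed."""
import difflib
import re

STARTUP_CONFIG = """\
Using 612 out of 32768 bytes
!
version 12.4
hostname edge01
!
enable secret 5 <hash-redacted>
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.20.0.0 255.255.0.0 10.0.0.2
!
access-list 101 permit tcp any host 10.0.0.5 eq 22
access-list 101 deny ip any any log
!
logging host 10.0.0.9
!
line vty 0 4
 transport input ssh
!
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 655 bytes
!
version 12.4
hostname edge01
!
enable secret 5 <hash-redacted>
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.20.0.0 255.255.0.0 10.0.0.2
ip route 192.0.2.0 255.255.255.0 10.0.0.254
!
access-list 101 permit tcp any host 10.0.0.5 eq 22
access-list 101 deny ip any any log
!
line vty 0 4
 transport input ssh
!
end
"""

# Lines that differ between the two views by nature, not because the
# configuration changed: IOS banners, byte counts, blank lines, "!" separators.
NOISE = re.compile(r"^(Building configuration|Current configuration|Using \d+ out of|!\s*$|\s*$)")


def normalize(text):
    return [line.rstrip() for line in text.splitlines() if not NOISE.match(line)]


def unsaved_changes(running=RUNNING_CONFIG, startup=STARTUP_CONFIG):
    """Lines present only in RAM ('added') and only in NVRAM ('removed')."""
    a, b = normalize(startup), normalize(running)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(l.strip() for l in a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(l.strip() for l in b[j1:j2])
    return {"added": added, "removed": removed}


def report(changes):
    """Unified-diff-style text for the investigator's notes."""
    lines = [f"+ {l}" for l in changes["added"]] + [f"- {l}" for l in changes["removed"]]
    return "\n".join(lines) or "running-config matches startup-config"


if __name__ == "__main__":
    print(report(unsaved_changes()))
```

In the constructed case the running configuration has lost an inbound access list and its logging host and gained a static route; each of those is a question for the administrator before the router is rebooted, since a reboot would silently revert to the saved configuration and destroy the evidence.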

8.10.2 Finding the Proof
What is the next step, once you have saved most of the evidence you need? The next step depends on the type of incident suspected, based on your initial investigation. Here, we look at how to identify corroborating evidence, including responses for several incident types involving routers. We categorize the types of incidents that involve routers as:
1. Direct compromise
2. Routing table manipulation
3. Theft of information
4. Denial of service

8.11 Handling Routing Table Manipulation Incidents
Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on. These protocols communicate information about the best path between networks to neighbor routers, and they have varying degrees of security. Some, like the ubiquitous RIP, provide no authentication capability. A router will accept RIP updates without requiring any authentication. Other protocols offer the capability of requiring passwords, but it is up to the administrator to implement password security. Attacks involving routing table manipulation compromise the functionality of the router, rather than the router itself.

8.11.1 Investigating Routing Table Manipulation Incidents
Determining the current routing table is as simple as reviewing the output of the show ip route command, as described earlier in this chapter. However, knowledge of the network is necessary to understand if there are any inconsistencies. If any of the routes do not pass the common-sense test, or if packets appear to be routed through distant networks, then careful investigation is required. If unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise.
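The "common-sense test" above needs the investigator's knowledge of the network written down in a checkable form. The script below is an added example, not code from the book: it parses a constructed show ip route output and flags three things, a static route that is not in the documented baseline, a next hop that is not a known neighbour, and a next hop that does not sit on any directly connected network (the "routed through distant networks" case). The routing table text, the BASELINE_STATIC set and the KNOWN_NEIGHBOURS set are constructed assumptions standing in for the investigator's own records.

```python
"""Reviewing 'show ip route' output against what the investigator knows
about the network. Added example, not from the book; the routing table,
the static-route baseline and the neighbour list are constructed."""
import ipaddress
import re

# Constructed 'show ip route' output captured from the router console.
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       * - candidate default

Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 198.51.100.1
C    198.51.100.0/30 is directly connected, Serial0/0
C    10.0.0.0/24 is directly connected, FastEthernet0/0
C    10.0.1.0/24 is directly connected, FastEthernet0/1
S    10.20.0.0/16 [1/0] via 10.0.0.2
R    10.30.0.0/16 [120/1] via 10.0.1.3, 00:00:12, FastEthernet0/1
S    172.16.5.0/24 [1/0] via 10.0.1.77
R    192.168.50.0/24 [120/1] via 10.0.1.200, 00:00:05, FastEthernet0/1
S    10.40.0.0/16 [1/0] via 198.51.100.77
"""

# Assumed investigator knowledge recorded before the incident.
BASELINE_STATIC = {("0.0.0.0/0", "198.51.100.1"), ("10.20.0.0/16", "10.0.0.2")}
KNOWN_NEIGHBOURS = {"198.51.100.1", "10.0.0.2", "10.0.1.3"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Z][A-Z*]?)\s+(?P<prefix>{IPV4}/\d{{1,2}})\s+"
    rf"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>{IPV4})"
    r"|is directly connected, (?P<iface>\S+))")


def parse_routes(text):
    """One dict per route line; header and 'Gateway of last resort' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            d = m.groupdict()
            d["static"] = d["code"].startswith("S")
            routes.append(d)
    return routes


def review_routes(routes, baseline_static=BASELINE_STATIC, neighbours=KNOWN_NEIGHBOURS):
    """Return {prefix: [reasons]} for every route that fails a sanity check."""
    connected = [ipaddress.ip_network(r["prefix"]) for r in routes if r["iface"]]
    findings = {}
    for r in routes:
        if r["nexthop"] is None:
            continue  # directly connected networks have no next hop to check
        reasons = []
        hop = ipaddress.ip_address(r["nexthop"])
        if r["static"] and (r["prefix"], r["nexthop"]) not in baseline_static:
            reasons.append("static route not in documented baseline")
        if r["nexthop"] not in neighbours:
            reasons.append(f"next hop {r['nexthop']} is not a known neighbour")
        if not any(hop in net for net in connected):
            reasons.append("next hop is not on any directly connected network")
        if reasons:
            findings[r["prefix"]] = reasons
    return findings


if __name__ == "__main__":
    for prefix, reasons in review_routes(parse_routes(SHOW_IP_ROUTE)).items():
        print(prefix, "->", "; ".join(reasons))
```

A route that trips all three checks (a static route to an undocumented prefix, via an unknown address, reachable only recursively) is the pattern the text calls unfamiliar static routes, and it should move the investigation toward the direct-compromise procedures rather than a routing-protocol problem.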
8.11.2 Recovering from Routing Table Manipulation Incidents
Temporary recovery from routing table attacks is simple: remove unwanted static routes and reboot the router. However, preventing the attacks from occurring in the future is a bit more difficult. ACLs can be introduced to limit router updates to known-good source addresses. However, because some routing protocols are UDP, these addresses can be spoofed. Anti-spoofing ACLs can further limit exposure, but these are not foolproof. The routing protocol chosen should allow for authentication, and the authentication should be enabled.

8.12 Using Routers as Response Tools
Routers have many uses during incident response, especially during recovery. A couple of the more useful router features are ACLs and logging capabilities. In addition, there are specific actions that can be taken on routers to mitigate the effects of DoS attacks. In the remainder of this chapter, we will discuss these capabilities and how to implement them.

8.12.1 Understanding Access Control Lists
Access Control Lists (ACLs) are mechanisms that restrict traffic passing through the router. Packets can be restricted based on a dazzling array of attributes, including (but not limited to) the following:
1. Protocol
2. Source or destination IP address
3. TCP or UDP source or destination port
4. TCP flag
5. ICMP message type
6. Time of day
Normally, ACLs are used to implement security policies. A well-configured router can provide many of the capabilities of commercial firewalls, and routers are often used to supplement firewalls.

8.12.2 Monitoring with Routers
During incidents, it is often helpful to monitor network traffic. Routers can be used for this task, and they can prove invaluable in many cases, such as when other monitoring software cannot keep up with the bandwidth passing through the router.

8.12.3 Responding to DDoS Attacks
DDoS attacks are multiprotocol attacks. ICMP, UDP, and TCP packets are part of the attack. Attacks involving ICMP and UDP packets can be mitigated quickly by blocking ICMP and UDP packets.
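The six attributes listed in Section 8.12.1 and the ICMP/UDP blocking of Section 8.12.3 come together in how an ACL is evaluated: rules are tried in order, the first match decides, and a packet that matches nothing is dropped by the implicit deny at the end. The following is an added example, not code from the book, that models exactly that evaluation in Python and runs a constructed response ACL over a constructed packet mix. The Rule and Packet classes, the RESPONSE_ACL entries, the addresses and the working-hours window are all assumptions made for the example.

```python
"""First-match access control list evaluation over protocol, addresses,
port, TCP flags, ICMP type and time of day (Section 8.12.1), applied to a
constructed DDoS-response ACL (Section 8.12.3).
Added example, not code from the book; the ACL and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # ICMP message type (8 = echo request)
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}
    hour: int = 12                    # local hour of arrival (0-23)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    flags: frozenset = frozenset()    # every listed flag must be set
    hours: Optional[Tuple[int, int]] = None  # half-open [start, end) window

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if not self.flags <= p.flags:
            return False
        if self.hours and not (self.hours[0] <= p.hour < self.hours[1]):
            return False
        return True


def evaluate(acl, p: Packet):
    """First matching rule wins; a packet matching no rule is implicitly denied."""
    for idx, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, idx
    return "deny", None


# Constructed response ACL for a flood mixing ICMP echo, UDP and TCP: keep DNS
# to the resolver and admin SSH during working hours, allow established TCP,
# drop the flood protocols, then permit only new web connections.
RESPONSE_ACL = [
    Rule("permit", "udp", dst="10.0.0.5/32", dport=53),
    Rule("permit", "tcp", src="10.9.0.0/24", dport=22, hours=(8, 18)),
    Rule("permit", "tcp", flags=frozenset({"ACK"})),        # established sessions
    Rule("deny", "icmp", icmp_type=8),                        # echo-request flood
    Rule("deny", "udp"),                                      # UDP flood
    Rule("permit", "tcp", dst="10.0.0.5/32", dport=80, flags=frozenset({"SYN"})),
]

# Constructed packet sample (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("icmp", "203.0.113.7", "10.0.0.5", icmp_type=8),
    Packet("udp", "203.0.113.8", "10.0.0.5", dport=1900),
    Packet("udp", "198.51.100.3", "10.0.0.5", dport=53),
    Packet("tcp", "10.9.0.20", "10.0.0.5", dport=22, flags=frozenset({"SYN"}), hour=10),
    Packet("tcp", "10.9.0.20", "10.0.0.5", dport=22, flags=frozenset({"SYN"}), hour=23),
    Packet("tcp", "192.0.2.4", "10.0.0.5", dport=80, flags=frozenset({"SYN"})),
    Packet("tcp", "192.0.2.4", "10.0.0.5", dport=3389, flags=frozenset({"SYN"})),
]


def decide_all(acl=RESPONSE_ACL, packets=SAMPLE_PACKETS):
    """Action taken for each sample packet, in order."""
    return [evaluate(acl, p)[0] for p in packets]


if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE_PACKETS, (evaluate(RESPONSE_ACL, p) for p in SAMPLE_PACKETS)):
        print(f"{action:6} rule={idx} {p.proto} {p.src} -> {p.dst}:{p.dport}")
```

Rule order is the whole design: the two permits for DNS and admin SSH sit before the blanket UDP deny so that blocking the flood does not also cut off the resolver, and the out-of-hours SSH attempt and the RDP attempt fall through to the implicit deny, which is the behaviour a router ACL gives you whether or not you write the last deny line.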
Summary
Routers are critical network devices that can play many roles in network attacks. As you have learned, routers can be accessories to crime, the victim, or a valuable ally during response. For the investigator, the important point to understand is the varied functionality of routers. By understanding the functionality of routers, you will know how to investigate and use routers to your advantage during response.

Key Terms
• FTP account: Used to upload and download files to and from your Web site. You have unlimited access to your account 24 hours a day. You will need to have FTP client software.
• Active attack: A form of attack in which data is actually modified, corrupted, or destroyed.
• Adapter: A device that serves as an interface between the system unit and a device attached to it, such as a SCSI adapter. Often synonymous with expansion card or board. Can also refer to a special type of connector.
• Anonymous FTP: Allows visitors to upload or download predetermined files from designated directories without usernames or passwords. For example, distribute your latest software package by allowing visitors to download it through an anonymous ftp. This is different from a regular ftp account.
• Bandwidth: Bandwidth is the sum of all the data transferred from and to your Web site, including e-mail, Web pages, and images. See "Monthly Traffic."
• C2 attack: Sometimes written "C2-attack". Abbreviation for command and control attack. Any action against any element of the enemy's command and control system.
• C2 counterwar: Presumed synonym for command and control counterwar.
• Bootstrap: To load and initialize the operating system on a computer. Often abbreviated to boot.
• Denial of service: Actions that prevent any part of an automated information system (AIS) from functioning in accordance with its intended purpose. Denial of service attacks may include denying services or processes limited to one host machine.
• Firewall: A metaphorical label for a set of hardware and software components protecting system resources (servers, LANs) from exogenous attack via a network (from Internet users) by intercepting and checking network traffic.

Review Questions
1. What is the difference between public and private IP addresses?
2. Explain the attacks on a network and their prevention.
3. Write a short note on router exploits.
4. Differentiate between viruses, worms, and Trojans.
5. Where can I find a complete list of the well-known TCP and UDP ports?
6. What are some sniffing tools that can be used to capture and analyze packets on UNIX networks?
7. What is intrusion detection? Explain.
8. Explain the attacks on a network and the prevention from attacks in detail.
9. What is network-based evidence?
10. Explain the steps in router investigation.
11. What are the goals of network monitoring?
12. What are the types of network monitoring?
13. List the names of any four network surveillance/investigation tools.
14. How do you recover routers from a direct compromise incident?
15. How do you investigate a DoS attack on a router and recover from it?
Report Writing

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the importance of documentation in digital forensic investigation.
• Apply writing skills for completing the forensic report.

Documentation of a crime scene has the same importance as the investigation process has.

-R. Michel

9.1 Goals of Report
To ensure that a repeatable standard is met by your organization, report writing requires a documented process. Goals must meet the "golden standard" established by your organization, if you want your investigative reports to be accurate, written in a timely manner, and understandable to your audience. Your computer forensic reports should achieve the following goals:
1. Accurately describe the details of an incident.
2. Be understandable to decision makers.
3. Be able to withstand a barrage of legal scrutiny.
4. Be unambiguous and not open to misinterpretation.
5. Be easily referenced (using paragraph numbers for the report and Bates numbers for attached documents).
6. Contain all information required to explain your conclusions.
7. Offer valid conclusions, opinions, or recommendations when needed.
8. Be ready in time.

9.2 Layout of an Investigative Report
The layout of an investigative report consists of the following:
1. Executive summary: The contextual information on the state of affairs that brought about the essential need for an investigation is the "executive summary" unit. This is the section that the senior management just might read; they will probably not get much further into the report. Therefore, the things that matter should be included in this section in short detail. The following can be done when we use the "executive summary" section:
(a) Include who authorized the forensic examination.
(b) Describe why a forensic examination of computer media was necessary.
(c) List what the significant findings were (in short detail).
(d) Include a signature block for the examiner(s) who performed the work.
It is necessary to include the dates of initial communications and the full, proper names of all persons involved in the case, with their employer and job titles. We include a high-level view of the significant findings as part of the "executive summary" section. Here are some examples of significant findings:
(a) Employee X e-mailed nine company confidential documents to Company B, a competitor, three days prior to leaving employment.
(b) To intercept e-mail communications between corporate executives, employee X used a network monitor program.
(c) Password cracking tools, along with "cracked" executive user passwords, were found on his computer even though employee X did not have authorized access to these documents.
(d) A thorough forensic examination of the contents of the SANJAY LAPTOP did not reveal any evidence that the user of the system downloaded or intended to download pornographic images.
2. Objectives: Sometimes, there could be a sudden requirement to perform a hard drive forensic examination. The goals of your forensic examination can be related to virtually any subject, since any type of case/action can take place. In many instances you may not always perform a full-scale investigation or "fishing expedition" when reviewing the contents of media; in other words, your forensic examination of media may include criteria that focus and narrow your examination.
We use the "Objectives" section to outline all the tasks that our investigation intended to accomplish. Prior to any forensic analysis, this task list should be discussed and approved by decision makers, legal counsel, and/or the client.
The task list should also include those tasks undertaken by the forensic examiner, the method by which the examiner undertook each task, and the status of each task at the completion of the report.
3. Computer evidence analyzed: The detailed information regarding the assignment of evidence tag numbers and media serial numbers, as well as descriptions of the evidence, is provided in this section. While creating the investigative report, all the evidence that was collected and interpreted is introduced in this section, hence the title "computer evidence analyzed."
This information is sometimes best communicated using a table similar to Table 9.1. Readers of the investigative report can reference such a table to understand the evidence that was considered or interpreted.
Table 9.1 Sample list of computer media analyzed
Evidence Number | Type | Serial number | Description
Tag 1 | Western Digital-31302 | W2701-Y733 | Laptop used by and belonging to SANJAY. Referred to throughout the report as the SANJAY LAPTOP
 | Quantum Fireball CR | 8233981996 | One of two hard drives found in the XYZ web server belonging to SANJAY. Referred to throughout this report as XYZ WEB SERVER DISK 1
 | Quantum Fireball CR | 35681¾615 | One of two hard drives found in the XYZ web server belonging to SANJAY. Referred to throughout this report as XYZ WEB SERVER DISK 2
Table 9.2 Sample list of objectives
(Task 1 through Task 6; the task descriptions are not legible in the scanned source.)
4. Relevant findings: A summary of the findings of probative value is contained in this section. It answers the question, "What relevant items were found during the investigation?" The relevant findings should be listed in order of importance, or relevance to the case. Findings are briefly described in this section in an organized and logical way. When describing the results of the investigation, relevant findings provide the quick reference that high-level decision makers need and must use. The technical details supporting these findings should be written in a different section. This conforms to the "macro to micro" report organization, recommended earlier.
The sample relevant findings sidebar provides a sample list of relevant findings for a case involving the possession of child pornography. Note how each paragraph is numbered and the conclusions are in order of their importance. Consider Table 9.2 as an example.
(a) Sexually explicit material was found on SANJAY's LAPTOP. The filenames and the content of the files suggest that SANJAY's LAPTOP may contain minors engaging in sexual activity, which is a violation of US Federal Law (18 USC §2252).
(b) Evidence suggests the user of SANJAY's LAPTOP viewed the illicit files.
(c) Evidence supports that the user of SANJAY's LAPTOP knowingly received the illicit files.
(d) The user of SANJAY's LAPTOP used a file-sharing utility called Bear Share to obtain the sexually explicit material. The way this software works, the user who obtained the sexually explicit material had to intentionally and knowingly search for files that likely contained child pornography.
(e) The Bear Share software also requires the user to overtly select the files they want to download. Because the user of Bear Share must both search for specific filenames and also actively select the files he/she downloads, there are no indications that the user of SANJAY's LAPTOP accidentally received the sexually explicit videos.
(f) The user of SANJAY's LAPTOP disseminated the sexually explicit files. There were five e-mails sent from SANJAY's LAPTOP by the account [email protected] that had the file RSANJA... as an attachment. The recipients of this e-mail were hotguy[email protected], [email protected]...
(g) A review of the web browser history revealed that the user of SANJAY's LAPTOP did not routinely connect to web sites that contained pornographic or lewd materials.
5. Supporting details: An in-depth look and analysis of the relevant findings is provided in this section. It outlines how we found or arrived at the conclusions outlined in the "Relevant Findings" section. This section should include tables listing, along with any other relevant information:
(a) Tables listing with full details
(b) Pathnames of important files
(c) The number of files reviewed
(d) String search results
(e) E-mails or URLs reviewed
We use this section to outline all the tasks we undertook to meet the objectives and where we go into technical depth. We include many of the following points in our forensic reports, because we are strong believers that tables, charts, and illustrations convey much more than written text. To meet the objectives outlined, we also introduce many subsections to tailor the organization of the report. Traditionally, this is the longest section in our reports. We usually begin this section by providing background details about the actual media analyzed. It is critical to report the number of files reviewed and the size of the hard drive in language a human can understand. In order to arrive at your conclusions, your consumer or audience should know how much information you needed to review.
Table 9.3 illustrates how to report the size of the media examined.

Table 9.3 Report size
Files | 8819
Size | 6 GB
Directories | 482

The geometry of the evidence media, as shown in Table 9.4, is also something that should be
described in your report.

Table 9.4 Geometry of evidence media
Partition | File System | Size | Label
 | FAT32 | 4.00 GB | C:\
3 | Extended | 12.57 GB |
6 | NTFS | 5.00 GB |
8 | NTFS | 8.00 GB |
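The numbers in Table 9.3 (files, directories, total size in units a reader understands) should come from the examination itself rather than be typed in afterwards. The script below is an added example, not code from the book: it walks an evidence mount point, produces the Table 9.3 figures, and renders plain-text tables of the same shape as Tables 9.3 and 9.4. The build_sample_media() function constructs a small directory tree so the script runs offline; the file names and sizes in it are constructed, and the geometry rows are the values of Table 9.4 passed through the same renderer.

```python
"""Producing the 'report size' figures of Table 9.3 from an evidence mount
point and rendering them, and the geometry of Table 9.4, as report tables.
Added example, not from the book; the sample media tree is constructed."""
import os
import tempfile


def human_size(n):
    """Bytes to a human-readable string with two decimals (B, KB, MB, GB, TB)."""
    size = float(n)
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if size < 1024 or unit == "TB":
            return f"{int(size)} B" if unit == "B" else f"{size:.2f} {unit}"
        size /= 1024


def media_summary(root):
    """Count regular files and directories under root and sum their sizes.
    Symbolic links are skipped so linked content is not counted twice."""
    files = dirs = total = 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirs += len(dirnames)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            files += 1
            total += os.path.getsize(path)
    return {"files": files, "directories": dirs, "bytes": total, "size": human_size(total)}


def render_table(headers, rows):
    """Plain-text table with left-aligned, width-padded columns."""
    widths = [max(len(str(c)) for c in col) for col in zip(headers, *rows)]
    fmt = "  ".join(f"{{:<{w}}}" for w in widths)
    return "\n".join(fmt.format(*map(str, r)) for r in [headers, *rows])


def report_size_table(summary):
    """Table 9.3 layout from a media_summary() result."""
    rows = [["Files", summary["files"]], ["Size", summary["size"]],
            ["Directories", summary["directories"]]]
    return render_table(["Item", "Value"], rows)


# Values of Table 9.4, passed through the same renderer.
GEOMETRY_ROWS = [["", "FAT32", "4.00 GB", "C:\\"], ["3", "Extended", "12.57 GB", ""],
                 ["6", "NTFS", "5.00 GB", ""], ["8", "NTFS", "8.00 GB", ""]]


def build_sample_media():
    """Constructed evidence tree: 5 files in 4 directories, 574,608 bytes."""
    root = tempfile.mkdtemp(prefix="evidence_")
    layout = {"Documents/report.docx": 20_000, "Documents/old/notes.txt": 512,
              "Pictures/img001.jpg": 300_000, "Pictures/img002.jpg": 250_000,
              "System Volume Information/tracking.log": 4096}
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    summary = media_summary(build_sample_media())
    print(report_size_table(summary))
    print()
    print(render_table(["Partition", "File System", "Size", "Label"], GEOMETRY_ROWS))
```

Keeping the count and the human-readable size in the same record as the raw byte total lets the supporting-details section quote the exact figure while the executive summary uses the rounded one, without the two ever disagreeing.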
6. Investigative leads: In this section, we outline action items that could be performed to discover additional information pertinent to the investigation. If more time or additional resources were provided to the examiner or investigator, these are the outstanding tasks that could be completed. To a law enforcement officer, this section is often critical. To generate more compelling evidence to help your case is almost always the goal of your forensic analysis. Therefore, it is essential to document further investigative steps that, although perhaps beyond the scope of your forensic report, could generate actions that lead to the successful resolution of the case.
On the other hand, for the hired forensic consultant, this section is also important. "Because you have the opportunity to list all of the tasks you could have performed, but simply did not," we often call this the "CYA section." This is critical if your examination did not yield substantive conclusions, and your client or consumer is asking, "Why didn't you try this?" or "Why don't you know who did this?" To advance the case, this section suggests the additional tasks that could unearth the information required.
Some examples of investigative leads are:
(a) The Linux partition on the LAPTOP contained Palm Pilot files. A review of the data stores for the Palm Pilot personal digital assistant can be conducted.
(b) Determine whether there are any firewall logs or intrusion detection logs that date far enough into the past to provide an accurate picture of any attacks that took place.
(c) Subpoena AOL to pierce the anonymity behind the online user [email protected].
7. Additional report subsections: In our computer forensic reports, there are several additional subsections that we often include. We have found the following subsections to be useful in specific cases, but not every case. It depends on the needs and wants of the end consumer.
(a) Attacker methodology: To help the reader understand the common attacks performed or the exact attack conducted, this section is an additional primer. If you are investigating a computer intrusion case, this section is very useful. In standard logs, you can examine how the attack was executed and what the remnants of the attacks look like.
(b) User applications: The applications present on the system are extremely relevant, in many cases. Any relevant applications that were installed on the media analyzed are discussed in this section. We outline where the applications were found and what they do. We often title this section "Cyber Attack Tools," when investigating a system that was used by an attacker. We have employed this section when looking for accounting software on a fraud case, image viewing applications on a child pornography case, and credit card number generation software on credit card fraud cases.
(c) Internet activity or Web browsing history: This section is a breakdown of the Internet history or Web surfing performed by the users of the media analyzed, and is included during administrative cases where an employee is simply surfing the Web all day. Besides being data that often harbor evidence vital to an investigation, browser history can also be used to suggest intent, online research/predisposition, downloads of malicious tools, downloads of secure delete programs, or evidence elimination type programs that wipe file slack, unallocated space, and temporary files on the system.
(d) Recommendations: In this section, for the next computer security incident, we provide some recommendations to posture our consumer or client to be more prepared and trained. Specifically, we address the host-based, network-based, and procedural countermeasures the client can take to eliminate or reduce their risk from the security incident we investigated.
9.3 Guidelines for Writing a Report
The following points are to be considered for writing a report:
1. Document investigative steps immediately and clearly: Through our experience of writing a vast number of forensic reports, we have developed some report writing guidelines. We used these guidelines to refresh our recollections during criminal trials and in training numerous employees new to the field of computer forensics. These represent general principles that should be followed to ensure your organization can exceed expectations with your investigative reports.
It requires discipline and organization to document investigative steps immediately, but it is essential to be successful in report writing. Do not use shorthand or shortcuts; write down everything in a fashion that is understandable to you and others. Unclear notations, incomplete scribbling, and unclear documentation will eventually lead to redundant efforts, forced translation of notes, confirmation of notes, and a failure to comprehend notes by yourself or others.
Writing something clearly and concisely the moment you discover evidence saves time and promotes accuracy. At any moment, it also ensures that the details of the investigation can be communicated more clearly to others, which is critical should new personnel become involved or be assigned to lead the investigation.
2. Know the goals of your analysis: Before you begin your analysis for examination, know what the goals are. For law enforcement examiners, every crime has elements of proof. Your report should unearth evidence that confirms or dispels these elements. The bottom line is that the more focused your reports are, the more effective they are.
You should also address the following issues, while hashing out the objectives of your forensic examination:
(a) Does the client/consumer of your report want a single forensics report for each piece of media examined or a report of the investigation that encompasses all media analyzed?
(b) How does the client/consumer wish you to communicate your findings: verbally or in written form?
(c) How often does the client/consumer want a status report of your forensic examination?
(d) Should the interim status reports be verbal or written?
(e) Which examiner should sign as the provider or author of the forensic report?
While attempting to scope the objectives of our examination, we address these issues. Doing this saves a lot of headaches in the long run.
3. Organize your report: Write "macro to micro." Organize your forensic report to scan at the high level and have the complexity of your report increase as your audience continues to read it. This way, to get the essence of your conclusions, the executives need to read only the first page or so, and there is no need to understand the low-level details that support your claims.
For longer reports, include a table of contents. The table of contents enforces a logical approach to documenting your findings, and it helps the reader understand what your report accomplishes.
4. Follow a template: A standardized report template should be followed. This makes your report writing scalable, establishes a repeatable standard, and saves time. In practice, you can organize your report in many different fashions, but it needs to make sense. You can use the sample given as follows:
• 181
---------.. ...:~
wRITI : : ' . . - - - - - - - - - - - - - - -
NG

~ -- -- -- -- -- -- -- -- -- -- -- -- -
Incident Response Report
This document explains the steps which are taken during an incident response process. To develop a precise plan, the steps in the following case must be changed with the contact information and sequence of action for your institution.
Title page: This contains information like the name of the case, date, name of the investigator, and contact information with the detailed description of the case.
Table of Contents:
1. The individual who realizes the incident will call the grounds dispatch office. List the likely possible sources of the one who may realize the incident. The already known sources must be provided with the contact procedure and the list of contacts. Sources which require the contact information could be as follows:
(a) Helpdesk
(b) Intrusion detection monitoring personnel
(c) A system administrator
(d) A firewall administrator
(e) A business partner
(f) A manager
(g) The security department or a security person
(h) An outside source
List all the possible sources and check whether they have the necessary contact information and the related procedures. Generally, every source will contact one of the 24 X 7 reachable individuals like the grounds security office. The ones in the IT department might have multiple different contact methodologies as compared to the ones who do not belong to the IT department.
2. If the individual who realizes the incident is a member of the IT department or any of the other affected departments, then they will directly proceed to step number 5.
3. If the individual who is realizing the incident is not a member of the IT department or any other affected department, then they will directly call the 24 X 7 available grounds security department.
4. The grounds security office will refer to the IT emergency list of contacts or any other affected department's list of contacts and call the designated and intended numbers in order from the list. The grounds security office will log the following information:
(a) The name of the caller.
(b) Time of the call.
(c) Contact information about the caller.
(d) The nature of the incident.
(e) Which equipment or persons were involved?
(f) Location of equipment or persons involved.
(g) How was the incident detected?
(h) When the event was first noticed that supported the idea that the incident occurred.
5. The staff member of the IT department who receives the call (or realized the incident) will refer to the list of contacts for both management staff to be contacted and incident response members to be contacted. The staff member will call the designated and intended person from the list. The staff member will contact the incident response manager by both e-mail as well as phone messages while being sure other suitable and backup staff and designated and intended managers are contacted. The staff members will log the necessary information received in the same format as the grounds security office as mentioned in the previous step. The staff member could add the following information as listed as follows:
(a) Is the equipment affected business critical?
(b) What is the severity of the potential impact?
(c) Name of system being targeted, along with operating system, IP address, and location.
(d) IP address and any information about the origin of the attack.
6. Contacted members of the response team will meet and discuss the conditions over the phone and regulate or govern the response strategy.
(a) Is the incident real or perceived?
(b) Is the incident still in progress?
(c) What data or property is threatened and how critical is it?
(d) What is the impact on the business should the attack succeed: minimal, serious, or critical?
(e) What system or systems are targeted, where are they located physically and on the network?
(f) Is the incident inside the trusted network?
(g) Is the response urgent?
(h) Can the incident be quickly contained?
(i) Will the response alert the attacker and do we care?
(j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
7. An incident ticket will be generated. The incident will be characterized and classified into the highest applicable level from the following mentioned categories that are listed as follows:
(a) Category one: A threat to public safety or life
(b) Category two: A threat to sensitive data
(c) Category three: A threat to computer systems
(d) Category four: A disruption of services
8. Members of the team will launch and keep an eye on one of the below-mentioned procedures based on their respective response on the incident assessment:
(a) Worm response procedure
(b) Virus response procedure
(c) System failure procedure
(d) Active intrusion response procedure - Is critical data at risk?
(e) Inactive intrusion response procedure
(f) System abuse procedure
(g) Property theft response procedure
(h) Website denial of service response procedure
(i) Database or file denial of service response procedure
(j) Spyware response procedure
The team may develop additional procedures which aren't predicted. If no such applicable procedure exists in place, then the team must make a note of what was done and later launch the procedure for the incident.
9. The members of the team can make use of forensic techniques which can include reviewing system logs, looking for gaps in the logs, reviewing intrusion detection logs and, last but not the least, interviewing the eye witnesses and the victim of the incident to find out how the incident took place. Only an authorized individual must be performing interviews or examining the evidence, and the authorized individual may differ according to the situation and the organization related to it.
10. The members of the team will be allowed to recommend the necessary changes which, in turn, may prevent the incident from happening again or infecting the other systems.
11. After the approval from the management, the modifications or changes can be implemented and brought into action.
12. Members of the team will restore the infected or affected system(s) to an uninfected state. They can also do one or many of the following actions to bring the system back to normal functioning. The actions could be one or more of the following:
(a) Reinstall the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
(b) Make users change passwords if passwords may have been sniffed.
(c) Be sure the system has been hardened by turning off or uninstalling unused services.
(d) Be sure the system is fully patched.
(e) Be sure real-time virus protection and intrusion detection is running.
(f) Be sure the system is logging the correct events and to the proper level.
13. Documentation Step: The following details must be documented in the standard format:
(a) How the incident was discovered.
(b) The category of the incident.
(c) How the incident occurred, whether through email, firewall, etc.
(d) Where the attack came from, such as IP addresses and other related information about the attacker.
(e) What was the response plan?
(f) What was done in response?
(g) Whether the response was effective.
(h) A separate sub-file should be included with the following points:
Title Page: This page consists of information like the name of the case, date of incident, name of the investigator who is investigating this case and the contact information.
Table of Contents (ToC): This is not that important or necessary for short reports or for those which do not have many sections. However, if the report is long and is classified into many different sections, a ToC can be a huge help to the end user or reader.
Executive Summary: Specifically important for long reports, this permits the reader to obtain a high-level view of vital findings without having to explore the specifics of the report.
Objectives: This section is specifically important to include if one was asked to implement a directed investigation. Other information which could be included can be the search terms which are requested by the client(s).
Evidence Analyzed: This section must include the serial numbers, the hash values (like MD5 or SHA, etc.), and the customer related information, if at all it is known. If photos are taken at the incident scene, then one should include those as well for the evidence.
Steps Taken: One must inform in detail. Your outcomes must be reproducible. One must include the software and hardware which were used during the investigation. And last but not the least, it is important to note the version numbers as well.
Relevant Findings: You can further classify and categorize this section depending on the length of the report. Sub-categories will depend on the examination, but can include things such as documents of interest, activity done on the internet, a note of the software used, the devices connected via USB, etc.
Timeline: Some of the reports may benefit from summarizing the timeline of all the necessary and important events. A good graphic can help in communicating the information in the long run.
Conclusion: In this section, you can highlight the vital issues. This is usually in the form of a numbered or bulleted list summarizing the outcomes.
14. Evidence preservation: Make duplicate copies of the logs, e-mails, or any other communication medium used as evidence. Mail a detailed list of witnesses who witnessed the incident. Keep the evidence, at least, till the final verdict from the court arrives and also keep it, in case, if an appeal is filed by the prosecution.
15. Notify proper external agencies: Alert the police and other appropriate agencies in case the prosecution of the intruder is expected. Make a list of such agencies and their respective contact numbers in this section.
16. Assess damage and cost: Evaluate the damage caused to the organization and estimate the damage cost as well as the containment efforts cost.
17. Review response and update policies: Make a plan and then take the preventive steps so that the intrusion shouldn't happen again in the near future.
(a) Consider whether an additional policy could have prevented the intrusion.
(b) Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to ensure that the procedure or policy is followed in the future.
(c) Was the incident response appropriate? How could it be improved?
(d) Was every appropriate party informed in a timely manner?
(e) Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
(f) Have changes been made to prevent a reinfection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
(g) Have changes been made to prevent a new and similar infection?
(h) Should any security policies be updated?
(i) What lessons have been learned from this experience?

5. Use consistent identifiers: There can be confusion created in a report by referring to an item in different ways, such as referring to the same computer as a system, PC, box, web server, victim system, and so on. Developing a consistent, unwavering way to reference each item throughout your report is critical to eliminate such ambiguity or confusion. For your report, it is a good idea to create a unique identifier or reference tag for each person, place, and thing which is referred to repeatedly. For the remainder of the report, the label will identify the corresponding item. For example, if the report is a summary of your forensic analysis of a laptop system belonging to a suspect named Sanjay, you could reference the items (using all capital letters) in the following manner:
An employee of ABCD Corporation, "We performed a forensic duplication of the laptop system belonging to Sanjay. The system was a HP laptop, CND4337DRY, hereafter referred to as the SANJAY LAPTOP."
6. Use attachments and appendices: To maintain the flow of your report, use attachments or appendices. Right in the middle of your conclusions, you do not want to interrupt your forensic report with 15 pages of source code. Any information, files, and file fragments that you point out in your report over a page long should be included as appendices or attachments. In your report, you can include a brief reference to the appendix. For example, you might say, "A printout of the information is included as Appendix A." Sometimes, it is unwieldy or difficult to produce large database files, lengthy source code files, and spreadsheets in printed form. For this type of reference, we provide an electronic copy instead of the printed copy and call it an Appendix.
7. Have coworkers read your reports: Employ other coworkers to read your forensic reports. This helps develop reports that are comprehensible to nontechnical personnel, who have an impact on your incident response strategy and resolution. While writing the report, the consumer level should also be considered. Knowledge of your audience and their technical capability should be taken into consideration. For example, it is a good idea to provide a glossary of terms, especially when providing a computer forensics report to a nontechnical reader.
8. Use MD5 hashes: Whether it is an entire hard drive or specific files, create and record the MD5 hashes of your proof. Performing MD5 hashes for all evidence provides support to the claim that you are diligent and attentive to the special requirements of forensic examination. The MD5 hashes calculated for a specific set of data will always remain the same, if your evidence is handled properly and remains so. Your audience becomes confident that you are handling the data in the appropriate manner by recording these MD5 values.
9. Include metadata: Record and include the metadata for every file or file fragment cited in your report. This data includes the time/date stamps, full path of the file, the file size, and the file's MD5 sum. Besides consumer confidence, this identifying data will help to eliminate even the confusion about the files you reference during testimony; those who read your report appreciate that you include all the details, and you will likely need the details to remove any ambiguity. The following is an example of a table we include in our reports after we cite a specific file. Specifically, it provides the file metadata for a Windows IIS Web access log found on the C: partition (C:\…\system32\LogFiles\W3SVC3\ex001215.log), as shown in Table 9.5.

Table 9.5 Metadata of a Windows IIS Web access log

File Created     11/06/15 10:15:26 AM
Last Accessed    1/09/16 08:55:11 AM
Last Written     05/08/16 09:06:05 AM
Logical Size     9,034,899
Hash Value       eb40d0678cd9cdfbf22d2ef7ce093273

We often add a comment field to our file tables to provide a quick reference and reminder of why we cited the file in the report.
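The following is an added example, not part of the book's text, that produces the kind of record shown in Table 9.5 for an evidence file and re-verifies it later. It assumes a Windows-style timestamp layout, adds a SHA-256 column alongside the MD5 the book uses, and writes a constructed IIS-style log to a temporary directory as the cited file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte evidence file never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _stamp(ts):
    """Render a timestamp in the MM/DD/YY HH:MM:SS AM layout of Table 9.5.
    UTC is used so the value does not depend on the examiner's machine; whichever
    zone you choose, state it in the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%y %I:%M:%S %p")


def file_metadata(path, comment=""):
    """Collect the fields guideline 9 asks for: timestamps, full path, logical size and hash.
    The book records MD5; a SHA-256 column is added because MD5 collisions are practical."""
    st = os.stat(path)
    return {
        "Full Path": os.path.abspath(path),
        # st_ctime is creation time on Windows but inode-change time on POSIX: say which you mean
        "File Created": _stamp(st.st_ctime),
        "Last Accessed": _stamp(st.st_atime),
        "Last Written": _stamp(st.st_mtime),
        "Logical Size": st.st_size,
        "Hash Value": hash_file(path, "md5"),
        "SHA-256": hash_file(path, "sha256"),
        "Comment": comment,  # the quick-reference field the authors add to their file tables
    }


def render_table(meta):
    """Two-column plain-text table in the layout of Table 9.5."""
    width = max(len(k) for k in meta)
    lines = []
    for key, value in meta.items():
        shown = f"{value:,}" if isinstance(value, int) else str(value)
        lines.append(f"{key:<{width}}  {shown}")
    return "\n".join(lines)


def verify(meta, path):
    """Re-hash the cited file later (before testimony, say) and confirm both digests still match."""
    return (hash_file(path, "md5") == meta["Hash Value"]
            and hash_file(path, "sha256") == meta["SHA-256"])


# Constructed sample: a few IIS W3C log lines standing in for the ex001215.log cited in the text.
SAMPLE_LOG = b"\r\n".join([
    b"#Software: Microsoft Internet Information Services",
    b"#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    b"2015-12-15 10:15:26 192.0.2.10 GET /default.htm 200",
    b"2015-12-15 10:15:31 192.0.2.10 GET /images/missing.gif 404",
    b"",
])


def demo():
    """Write the sample log to a temp directory, record its table, then show that a later
    modification (an appended line) makes the verification fail."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ex001215.log")
    with open(path, "wb") as f:
        f.write(SAMPLE_LOG)
    meta = file_metadata(path, comment="IIS Web access log cited in Relevant Findings")
    ok_before = verify(meta, path)
    with open(path, "ab") as f:  # simulate the evidence copy being altered afterwards
        f.write(b"2016-05-08 09:06:05 192.0.2.44 GET /index.htm 200\r\n")
    ok_after = verify(meta, path)
    return meta, ok_before, ok_after


if __name__ == "__main__":
    meta, before, after = demo()
    print(render_table(meta))
    print("verified before modification:", before, "| after:", after)
```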

Sample for Writing a Report

The following example is based on sample report writing which explains the investigation steps, experiment and procedure used.

Sample of Writing Investigation Report

Case description: A top official of a noteworthy organization called the director of security and clarified that he had quite recently got a threatening message. The message was developed from words and letters cut out of a magazine and stuck to a bit of paper. The message demonstrated that the official would be murdered. Later, the same official got a dead cockroach taped to an index card with a straight stick through the body. The message composed on the card was, "... This could be you ..."
Episode response strategy: The company's leader, director of security, and corporate counsel quickly reviewed the facts with respect to the circumstance and built up a plan of action. They determined that other law enforcement offices ought to be brought into the case. They additionally chose to secure the official. Unique physical efforts to establish safety had to be taken instantly.
Examination steps: The company had an aggregate population of more than 21,000 individuals which included workers, guests, and visitors. The official could not narrow the list of suspects. Throughout, the official got various unsolicited items via the post office at his office and home. The U.S. Postal Inspector was contacted to help with the case.
The original requests for the unsolicited items were recovered and handwriting examinations were done. The agent compared the specimen with a large number of notes and reports composed by workers. Roughly a year later, a few employees communicated worry over receiving harassing unsolicited items via the post office.
The original requests were acquired, and it was inferred that they were made by the same person. Each worker was asked to give a list of suspects. The agent found one common suspect name from all the lists given by the workers. The agent had arranged for handwritten records beforehand and the handwriting seemed, by all accounts, to be that of the same individual. The data was sent over to an investigative group from another law enforcement organization, who detained the person for questioning. The individual denied composing the threatening notes or being in charge of the harassing mail. At last, the individual yielded and gave the handwriting samples, then came back to his work area at his office where he then composed a suicide note. The note explained why the harassing mail and threatening note were sent. The individual additionally clarified in the suicide note that he had never met the official or even knew what he looked like.
Conclusion taking into account examination: Despite the fact that it cannot be resolved whether anything could have changed the result of this disastrous occasion, there are numerous lessons that can be learnt to avoid future episodes.
Lessons Learned:
1. The company was confronted with overwhelming rivalry and was scaling down. Workers were being requested to accomplish more with less. A few occurrences of workplace violence include organizations that are scaling back or that have recently done so.
2. The employee was committed and dedicated, and proud of his work. Employees who commit workplace violence are not generally underachievers.
3. Ordinarily, top administrators turn into the target of a displeased employee since they are seen as the organization or corporate picture.
4. It is imperative to actively pursue instances of workplace violence.
5. Once the individual is identified, quick action ought to be taken to evaluate his or her activities.
6. If an episode occurs, it is imperative to consider all victims and their families. Utilize the services of a minister or ministry. Decide how you are going to inform co-workers.

Summary
Many computer security investigations require you to document your findings in a manner that can easily be used in a judicial proceeding. Your forensic reports need to be written in a manner so that they do the following: accurately describe the details of an incident, be understandable to decision makers, be able to withstand a barrage of legal scrutiny, be unambiguous and not open to misinterpretation, be easily referenced (using paragraph numbers for the report and Bates numbers for attached documents), contain all information required to explain your conclusions, offer valid conclusions, opinions, or recommendations when needed, be ready in a timely manner and should assist your
Key Terms
• Baselining: Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
• Computer Security Incident Response Team (CSIRT): A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).
• Event: Any observable occurrence in a network or system.
• False positive: An alert that incorrectly indicates that malicious activity is occurring.
• Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
• Incident handling: The mitigation of violations of security policies and recommended practices.
• Indicator: A sign that an incident may have occurred or may be currently occurring.
• Intrusion Detection and Prevention System (IDPS): Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents and attempting to stop detected possible incidents.
• Malware: A virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host.
• Precursor: A sign that an attacker may be preparing to cause an incident.
• Profiling: Measuring the characteristics of expected activity so that changes can be more easily identified.
• Signature: A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.
• Social Engineering: An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
• Threat: The potential source of an adverse event.
• Vulnerability: A weakness in a system, application, or network that is subject to exploitation or misuse.

Review Questions

1. Explain the goal of report writing.
2. What is the layout of report writing?
3. Explain various guidelines for report writing.
10 Computer Forensics Tools

LEARNING OBJECTIVES
After reading this chapter, you will be able to:
• Understand the concept of digital forensic tools.
• Interpret and apply digital forensic tools in real-time scenarios.

I constantly remind people that crime isn't solved by technology, it's solved by people.

-Patricia Cornwell

Introduction to Computer Forensic Tools


Computer forensics tools are continuously being industrialized, modernized, repaired, and reviewed. Hence, checking vendors' websites regularly to look for new features and enhancements is significant. These enhancements might address a challenging problem which you are having in an examination. Before procuring any forensics tools, consider whether the tool can save you time during research and whether that time saving affects the consistency of data you recover. Many GUI forensics tools are resource intensive and demand computers with more memory and faster processor speeds. Sometimes, they need more resources than a typical workstation has because of other applications, like antivirus programs, which are running in the background. These background programs compete for resources with a computer forensics program, and a GUI forensics tool or the OS can stop running or hang, producing delays in your analysis. Finally, when you plan to purchase your computer forensics tool, determine what a new forensics tool can do better than the one you are presently using. In specific context, evaluate how well the software performs in validation tests, and then verify the integrity of the tool's results.

Needs of Computer Forensics Tools

You need to develop a business plan to rationalize the acquisition of computer forensics hardware and software. When researching tools, strive for versatile, flexible, and robust tools that include technical support. The objective is to discover the best value for as many features as possible. Some questions to ask when evaluating tools comprise the following:
1. On which OS does the forensics tool run?
2. Is the tool versatile? For example, does it work in Windows 98, XP, and Vista, and produce the same results in all three OSs?
3. Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
4. Can a scripting language be used with the tool to automate repetitive functions and tasks?
5. Does the tool have any automated features that can help reduce the time needed to analyze data?
6. What is the vendor's reputation for providing product support?
As you learn more about computing investigations, you will have more queries about tools for conducting these investigations. When you search for tools, keep in mind what file types you will be examining. For example, if you need to examine Microsoft Access databases, look for a product intended to read these files. If you are examining e-mail messages, look for a forensic tool capable of reading e-mail content.
When you are picking tools for your lab, keep an open mind, and compare platforms and applications for different tasks. Although many detectives are most comfortable using Microsoft platforms, you are encouraged to check into other options, like Linux and Macintosh platforms.

Types of Computer Forensics Tools


Computer forensics tools are classified into two major categories:
1. Hardware
2. Software
Each category has additional subcategories, discussed in more depth later in this chapter. The following
sections outline basic features which are mandatory and predictable of most computer forensics tools.

10.3.1 Hardware Forensics Tools


Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers. Single-purpose components can be devices, like the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge, which is intended to write-block an IDE drive connected to a SCSI cable. Some samples of complete systems are:
1. Digital Intelligence F.R.E.D. systems
2. DIBS Advanced Forensic Workstations
3. Forensic Computers Forensic Examination Stations and portable units.

10.3.2 Software Forensics Tools


Software forensics tools are clustered into command-line and GUI applications. Some tools are dedicated to perform one task, like SafeBack, a command-line disk acquisition tool from New Technologies, Inc. (NTI). Other tools are intended to perform many different tasks. For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData FTK are GUI tools intended to perform most computer forensics acquisition and investigation functions. Software forensics tools are normally used to copy data from a suspect's drive to an image file. Many GUI acquisition tools can read all structures in an image file as though the image were the original drive. Many analysis tools, like ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others, have the ability to examine and investigate image files.

Tasks Performed by Computer Forensics Tools

Computer forensics tools, both hardware and software, execute specific functions. These functions are clustered into five major categories, each with subfunctions for further refining data analysis and recovery. Now you will learn how these five functions and associated subfunctions apply to computing research.
1. Acquisition: Acquisition, the first task in computer forensics investigations, is making a copy of the original drive. Subfunctions in the acquisition category comprise the following:
(a) Physical data copy
(b) Logical data copy
(c) Data acquisition format
(d) Command-line acquisition
(e) GUI acquisition
(f) Remote acquisition
(g) Verification
Some computer forensics software suites, like AccessData FTK and EnCase, provide discrete tools for obtaining an image. Nevertheless, some investigators opt to use hardware devices, like the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for obtaining an image. These hardware devices have their own built-in software for data acquisition. No other device or program is needed to make a duplicate drive. But, you still need forensics software to analyze the data from disk acquisitions.
2. Validation and discrimination: Two concerns in dealing with computer evidence are critical. First is guaranteeing the integrity of data being copied (i.e., the validation process). Second is the discrimination of data, which includes sorting and searching through all analysis and research data. The process of authenticating data is what allows discrimination of data. Many forensics software vendors propose three methods for discriminating data values. These are the sub-purposes of the validation and discrimination function:
(a) Hashing
(b) Filtering
(c) Analyzing file headers
Validating data is done by obtaining hash values. As a standard feature, most forensics tools and many disk editors have one or more types of data hashing. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspicious drive and all its files is a decent idea. This method produces an exclusive hexadecimal value for data, used to make sure the original data has not altered. This unique value has other potential uses. For example, in the corporate environment, you could create a known good hash value list of a fresh installation of an OS, all applications, and all known good images and documents. With this information, a detective could ignore all files on this known good list and focus on other files on the disk that are not on this list. This process is called filtering. Filtering can also be used to find data for evidence in criminal investigations or to build a case for firing an employee.
The primary purpose of data discrimination is to take away good data from suspicious data. Good data consists of known files like OS files and common programs like Microsoft Word.
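As an added example (not from the book or any of the tools it names), the following builds a known-good hash list from a clean reference tree and filters a suspect tree against it. The two directory trees and their file contents are constructed stand-ins written to a temporary directory; in practice the reference list would come from a fresh installation or a published hash set.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest of a whole file; adequate for this demo, chunk the read for real drives."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_known_good(reference_root):
    """Hash every file of a clean reference installation (OS, applications, known documents).
    Only the digest is kept: the list matches content, never names or locations."""
    return {sha256_of(p) for p in Path(reference_root).rglob("*") if p.is_file()}


def filter_unknown(suspect_root, known_good):
    """Walk the suspect file system and return (relative path, digest) for every file whose
    hash is NOT on the known-good list; these are the files the examiner still has to look at."""
    root = Path(suspect_root)
    unknown = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest not in known_good:
                unknown.append((p.relative_to(root).as_posix(), digest))
    return sorted(unknown)


def populate(root, files):
    """Create a small directory tree from {relative path: bytes} (constructed test data)."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


# Constructed stand-ins for a fresh install and for the suspect's drive.
REFERENCE = {
    "Windows/System32/notepad.exe": b"clean notepad bytes",
    "Windows/System32/kernel32.dll": b"clean kernel32 bytes",
    "Program Files/Office/winword.exe": b"clean winword bytes",
}
SUSPECT = {
    "Windows/System32/kernel32.dll": b"clean kernel32 bytes",          # unchanged: filtered out
    "Program Files/Office/winword.exe": b"clean winword bytes",        # unchanged: filtered out
    "Windows/System32/notepad.exe": b"clean notepad bytes" + b"\x90",  # same name, altered content
    "Windows/Temp/np.bak": b"clean notepad bytes",                     # renamed copy: still known good
    "Users/sanjay/Documents/plan.docx": b"user-created document",     # on no list: examine
}


def demo():
    """Build both trees, derive the known-good list, and return what survives filtering."""
    base = Path(tempfile.mkdtemp())
    populate(base / "reference", REFERENCE)
    populate(base / "suspect", SUSPECT)
    known_good = build_known_good(base / "reference")
    return filter_unknown(base / "suspect", known_good)


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"{digest[:16]}...  {rel}")
```

Note that the altered notepad.exe survives filtering while the renamed copy in Windows/Temp does not: filtering by hash catches content changes a name-based list would miss, and ignores renames that a name-based list would flag.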
3. Extraction: The extraction function is referred to as the recovery task in a computing investigation and is the most stimulating of all tasks to master. Recovering data is the first step in analyzing an investigation's data. The following subfunctions of extraction are used in investigations:
(a) Data viewing
(b) Keyword searching
(c) Decompressing
(d) Carving
(e) Decrypting
(f) Bookmarking
Many computer forensics tools comprise a data-viewing mechanism for digital evidence. How data is viewed is determined by the tool. Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer numerous methods to view data, together with logical drive structures, like folders and files. These tools also show allocated file data and unallocated disk areas with special file and disk viewers. Being able to view this data in its normal form makes examining and accumulating hints for the examination easier.
4. Reconstruction: The purpose of having a reconstruction feature in a forensics tool is to recreate a suspect drive to display what happened during a crime or an incident. Another reason for replicating a suspect drive is to create a copy for other computer detectives, who might need a fully functional copy of the drive so that they can achieve their own procurement, test, and study of the evidence. These are the subfunctions of reconstruction:
(a) Disk-to-disk copy
(b) Image-to-disk copy
(c) Partition-to-partition copy
(d) Image-to-partition copy
There are several ways to recreate an image of a suspect drive. Under ideal conditions, the best and most reliable method is obtaining the same make and model drive as the suspect drive; if the suspect drive has been manufactured recently, tracing an identical drive is fairly easy. Nevertheless, since computer manufacturers use just-in-time delivery systems for inventory supplies, a drive manufactured three months ago might be out of production and unavailable for sale, which makes tracing matching older drives more challenging. The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive. Many tools can perform this task. One free tool is the UNIX/Linux dd command, but it has a major disadvantage: The target drive being written to must match the original (suspect) drive, with the same cylinder, sector, and track count. If a matching drive is not available, manipulating the drive's cylinders, sectors, and tracks to match the original drive might be possible through your terminal's BIOS. But other issues might prevent this technique from working correctly because of the target drive's firmware. To address the difficulty of matching a suspect drive, several vendors have developed tools that can force a geometry change from a suspect drive to a target drive.
For most forensics disk duplication tools, the target drive must be the same size as or larger than the suspect drive. For a disk-to-disk copy, both hardware and software duplicators are available; hardware duplicators are the fastest way to copy data from one disk to another. Hardware duplicators, like Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive's geometry to match the suspect drive's cylinders, sectors, and tracks. Software duplicators, which are slower than hardware duplicators, include SnapBack, SafeBack, EnCase, and X-Ways Forensics.
For image-to-disk and image-to-partition copies, many more tools are available, but they are significantly slower in transferring data. The following are some of the tools that perform an image-to-disk copy:
(a) SafeBack
(b) SnapBack
(c) EnCase
(d) FTK Imager
(e) ProDiscover
(f) X-Ways Forensics
All these tools have trademarked and copyrighted formats that can be restored only by the same application that created them. For example, a ProDiscover image (.eve format) can be restored only by using ProDiscover.
When you must demonstrate in court how the criminal activity was carried out on a suspect's computer, you need a product that shadows the suspect drive. This shadowing technique requires a hardware device like Voom Technologies Shadow Drive. This device connects the suspect drive to a read-only IDE port and another drive to a read/write port. The read/write port drive is referred to as a shadow drive. When the Voom device with drives is connected to a computer, you can access and run applications on the suspect drive. All data that would typically be written to the suspect drive is passed on to the shadow drive.
This tool saves time and helps solve problems you might encounter when trying to make a working duplicate of a suspect drive.
5. Reporting: To complete a forensics disk analysis and examination, you need to create a report. Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence yourself. The detective then copied the evidence to a separate program, like a word processor, to create a report. File data that could not be read in a word processor are databases, spreadsheets, and graphics, which made it challenging to insert nonprintable characters, like binary data, into a report. Characteristically, these reports were not warehoused electronically, since investigators had to collect printouts from several different applications to combine everything into one large paper report.
Newer Windows forensics tools can generate electronic reports in a variety of formats, like word processing documents, HTML Web pages, or Acrobat PDF files. These are the subfunctions of the reporting function:
(a) Log reports
(b) Report generator
As part of the validation process, often you need to document the steps you took to obtain data from a suspect drive. Many forensics tools, like FTK, ILook, and X-Ways Forensics, can generate a log report that records activities performed by the detective. Then, a built-in report generator is used to create a report in a variety of formats. The following tools are some that offer report generators displaying bookmarked evidence:
(a) EnCase
(b) FTK
(c) ILook
(d) X-Ways Forensics
(e) ProDiscover
The log report can be added to your final report as additional documentation of the steps you took during the examination, which can be useful if repeating the examination is necessary. For a case that requires peer review, log reports confirm what activities were performed and what results were found in the original analysis and examination.
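As an added example of the two reporting subfunctions (it is not code from the book or from any of the tools listed), the Python below keeps a log report of the examiner's actions and renders it, together with bookmarked evidence, into an HTML report. The case identifier, examiner name, bookmarks and actions are constructed. As a design choice of this example, each log entry also carries the hash of the preceding entry, so a peer reviewer can tell whether entries were removed or reordered after the examination.

```python
"""Examiner activity log and HTML report generator (added example)."""
import hashlib
import html
from datetime import datetime, timezone


class ExaminationLog:
    """Records each step taken during an examination.  Every entry carries a
    UTC timestamp and the digest of the previous entry (hash chain), so a
    reviewer can detect entries that were altered, dropped or reordered."""

    GENESIS = "0" * 64

    def __init__(self, examiner, case_id):
        self.examiner = examiner
        self.case_id = case_id
        self.entries = []

    def _digest(self, when, action, result, prev):
        line = f"{when}|{self.examiner}|{action}|{result}|{prev}"
        return hashlib.sha256(line.encode()).hexdigest()

    def record(self, action, result, when=None):
        """Append one activity; 'when' is an ISO-8601 string (default: now, UTC)."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(when, action, result, prev)
        self.entries.append({"when": when, "action": action, "result": result,
                             "prev": prev, "digest": digest})
        return digest

    def verify(self):
        """Recompute the chain; False means the log no longer matches itself."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            if self._digest(e["when"], e["action"], e["result"], prev) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def generate_html_report(log, bookmarks):
    """Render bookmarked evidence plus the activity log as one HTML document.
    All examiner-supplied and evidence-derived text is escaped, since a note
    copied out of a suspect file must never become markup in the report."""
    rows = "".join(
        f"<tr><td>{html.escape(b['where'])}</td><td>{html.escape(b['note'])}</td></tr>"
        for b in bookmarks)
    log_rows = "".join(
        f"<tr><td>{html.escape(e['when'])}</td><td>{html.escape(e['action'])}</td>"
        f"<td>{html.escape(e['result'])}</td><td>{e['digest'][:12]}</td></tr>"
        for e in log.entries)
    return (f"<html><body><h1>Case {html.escape(log.case_id)}</h1>"
            f"<h2>Bookmarked evidence</h2><table>{rows}</table>"
            f"<h2>Activity log (examiner: {html.escape(log.examiner)})</h2>"
            f"<table>{log_rows}</table></body></html>")


if __name__ == "__main__":
    log = ExaminationLog("examiner1", "CASE-0001")          # constructed values
    log.record("image hashed", "MD5 recorded in case notes")
    log.record("keyword search", "2 hits for constructed term 998877")
    print("log intact:", log.verify())
    print(generate_html_report(log, [{"where": "offset 109", "note": "account 998877"}]))
```

The chain only proves the log is consistent with itself; to make it tamper-evident against the examiner as well, the final digest would be recorded somewhere the examiner cannot rewrite, such as the case file held by a second person.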
10.5 Study of Digital Forensic Tools
A number of digital forensic tools/suites are available for investigators to conduct digital forensic investigations. The Sleuth Kit, EnCase, and FTK are readily acquired digital forensic tools that are evolving to keep pace with the increasing demand for forensic tools. The main aim of this section is to provide an overview of the top 25 digital forensic tools. The following digital forensic tools are explained:

10.5.1 Sleuth Kit Autopsy

Autopsy is a digital forensics platform that efficiently analyses smartphones and hard disks. It is used worldwide by a large variety of users, as well as law enforcement agencies, the military, and companies, to carry out investigations on a computing system. It has an easy-to-use interface, processes data quickly, and is cost-efficient. Sleuth Kit is a collection that consists of command line tools and a C library permitting the analysis of disk images and file recovery. It is used at the back end within the Autopsy tool.
Key features of Autopsy include:
1. Timeline Analysis: Advanced interface for graphical event viewing.
2. Hash Filtering: Flags known bad files and overlooks known good files.
3. Keyword Search: Indexed keyword search makes file search easier.
4. Web Artifacts: Extracting bookmarks, history, and cookies from web browsers.
5. Data Carving: Recovering deleted files from unallocated space by using PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec).
6. Multimedia: Extracting EXIF from pictures and watching videos.
7. Compromise Indicators: Scanning a computer using STIX.
Pros: Good documentation and support
Cons: It requires special user skills because it is based on Unix.
About Disk Analysis: Once the right steps are taken to secure and verify the disk image, the actual contents of the image should be analyzed for suspicious or incriminating proof. When looking at the contents of an image, it is necessary to not only look at the clearly visible contents like folders on the desktop and pictures in user files; the image should also be checked for hidden, encrypted, or deleted files. It is always better to assume that a suspect might have known that they were to be investigated and took steps to hide, delete, or otherwise make it tough to seek out the data they had been storing on their USB or PC.
About Kali Linux Sleuth Kit and Autopsy: Autopsy and Sleuth Kit are open source digital investigation tools that run on Windows, Linux, MacOS, and alternative OS systems. Autopsy is a custom front-end application of Sleuth Kit. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, Ext3) and several other volume system types.
Examiners and analysts will use the Autopsy graphical interface or the Sleuth Kit command line tools to conduct an investigation. In this case, we will be launching the Autopsy graphical interface via the Sleuth Kit command line. Autopsy/Sleuth Kit allow an examiner to open a .dd or alternative form of disk image file, compute the hash value of the file, and look for files and different data contained inside the file. It is additionally able to provide reports of searches, results, and comments and notes in HTML and Excel.
The following features are available through Autopsy/Sleuth Kit:
1. Timeline Analysis: Graphical event viewing interface.
2. Hash Filtering: Flag known bad files and ignore known good files.
3. File System Forensic Analysis: Recover files from most common formats.
4. Keyword Search: Indexed keyword search to find files that mention relevant terms.
5. Web Artifacts: Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
6. Multimedia: Extract EXIF from pictures and watch videos.
7. Email Analysis: Parses MBOX format messages, such as Thunderbird.
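The hash filtering feature listed above works by comparing each file's hash against a known-good set and a known-bad set. This added Python example (not Autopsy's or Sleuth Kit's own code) does the same over a handful of constructed files and also produces the per-file MD5 list that Autopsy's File Analysis view offers. The file names, contents and both hash sets are made up; in practice the known-good set would be loaded from a reference library such as NIST's NSRL and the known-bad set from the case's own indicators.

```python
"""Hash filtering of files against known-good / known-bad sets (added example)."""
import hashlib


def file_hash(data, algorithm="sha1", chunk=1 << 20):
    """Hash file contents in chunks, so large files need not sit in memory."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


# Constructed "files" recovered from an image: path -> contents.
SAMPLE_FILES = {
    "/Windows/System32/notepad.exe": b"constructed OS binary",
    "/Windows/System32/calc.exe": b"constructed OS binary",
    "/Users/george/Documents/info.txt": b"Potential buyers list (constructed)",
    "/Users/george/Pictures/vacation.jpg": b"\xff\xd8\xff constructed picture",
    "/tmp/.cache/dropper.bin": b"constructed known-bad payload",
}

# Constructed hash sets standing in for a reference library (known good) and
# case-specific indicators (known bad).
KNOWN_GOOD = {file_hash(b"constructed OS binary")}
KNOWN_BAD = {file_hash(b"constructed known-bad payload")}


def hash_filter(files, known_good, known_bad):
    """Sort files into 'ignored' (known good), 'flagged' (known bad) and
    'review' (unknown, needs a human).  A hash present in both sets counts as
    bad: a reference-library entry never excuses a file the case has already
    identified as malicious."""
    result = {"ignored": [], "flagged": [], "review": []}
    for path in sorted(files):
        h = file_hash(files[path])
        if h in known_bad:
            result["flagged"].append(path)
        elif h in known_good:
            result["ignored"].append(path)
        else:
            result["review"].append(path)
    return result


def md5_list(files):
    """One 'md5  path' line per file, in the style of a hash list for the case."""
    return [f"{file_hash(files[p], 'md5')}  {p}" for p in sorted(files)]


if __name__ == "__main__":
    for bucket, paths in hash_filter(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(f"{bucket}: {paths}")
    print("\n".join(md5_list(SAMPLE_FILES)))
```

Two OS binaries drop out of the review queue because their hash is in the known-good set, the dropper is flagged, and the two user files are left for manual review; the MD5 list gives a record that can later be re-checked against the image.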
Tutorial: Once a disk image has been created, hashed, and write-blocked to prevent changes, it is necessary to investigate the image. Throughout the analysis process, the investigator should look for information relevant to the case. This implies not only trying to find current content on the drive but additionally looking for deleted files, missing or hidden data, and hidden partitions which will not be obvious at first glance. Frequently, a suspect can plan to hide and delete data as a precaution. We will be ready to do most of this analysis inside Autopsy/Sleuth Kit.
Since Autopsy/Sleuth Kit is a free tool, it is a decent choice for disk image analysis among Linux and Windows systems. During this tutorial, we are going to concentrate on some of the more basic functions of Autopsy/Sleuth Kit, since we only have one file written to our "suspect's" drive.
10.5.2 Autopsy
Launch Autopsy.
Start a new case and add the appropriate disk image file.
Review the contents of the disk image file.
Print out a basic report.
Use the search feature to search by keyword.

Screenshot: the Autopsy Forensic Browser start page, which notes that JavaScript is not needed to use Autopsy and recommends that it be turned off for security reasons.
10.5.2.1 Launch Sleuth Kit/Autopsy

1. Login to the Virtual Lab website (https://v5.unm.edu/cloud/org/ialab), and enter the 'NEST Digital Forensics vApp'. Click on the Kali Linux machine to open the VM.
2. At the login screen of the Kali Linux machine use the username root and the password letmein.
3. Navigate to Applications » Kali Linux » Forensics » Digital Forensics » autopsy.
4. A new window will open. CTRL + click on the provided link within the window to launch the Autopsy Forensic Browser.
10.5.2.2 Create a New Case

Screenshot: the 'Create a New Case' form, with fields for 1. Case Name (the name of this investigation; it can contain only letters, numbers, and symbols), 2. Description (an optional, one-line description of this case; here 'Georges Drive Image Analysis'), and 3. Investigator Names (the optional names, with no spaces, of the investigators for this case), followed by the 'New Case' and 'Cancel' buttons.

1. Click New Case. The 'Create a New Case' page will open. Fill in the 'Case Name', 'Description', and 'Investigator Name'. Then select 'New Case' near the bottom of the screen.

Screenshot: the host page (Case: Case001, Host: host1) reporting that no images have been added to this host yet, with the 'Add Image File' button to add one.

2. Click Add Host on the following page. Leave the defaults on the 'Add a New Host' page and select 'Add Host' at the bottom of the page.
3. On the following page, select 'Add Image'. On the following page, select 'Add Image File'.
4. To add the image file for analysis, enter the path of the image file, /root/driveimage.*. The * will select any file with an appropriate disk image extension. Since this image drive is from one partition, select the 'Partition' radio button. Click Next.
Screenshot: the 'Add a New Image' form: 1. Location (enter the full path, starting with /, to the image file; if the image is split, either raw or EnCase, then enter '*' for the extension); 2. Type (select if this image file is for a disk or a single partition: Disk / Partition); 3. Import Method (to analyze the image file it must be located in the evidence locker; it can be imported from its current location using a symbolic link, by copying it, or by moving it; note that if a system failure occurs during the move, then the image could become corrupt): Symlink / Copy / Move.

5. The next page will verify that the correct image file has been selected. Click Next.
6. Select the hashing option on the next page. This will verify the integrity of the disk image, and will allow you to check this hash value against the ones created in the imaging process. Leave the other defaults as they are and click Add.

Screenshot: 'Split Image Confirmation' (the following images will be added to the case: /root/driveimage.dd; if this is not the correct order, then you should change the naming convention; press the Next button at the bottom of the page if this is correct) followed by 'Image File Details' (Local Name: "/root/driveimage.dd"; Data Integrity: an MD5 hash can be used to verify the integrity of the image, and with split images this hash is for the full image; the options are to ignore the hash value for this image, calculate the hash value for this image, or add the following MD5 hash value for this image; and 'Verify hash after importing?').

7. The hash may take a moment to calculate, especially if the disk image file is large. The hash value will be printed out. Be sure to copy it to a text file for comparison. Click OK.
Calculating MD5 (this could take a while)
Current MD5: E13857018A4AB521100AE2364F170E0

Testing partitions

Linking image(s) into evidence locker
Image file added with ID img1
Volume image (0 to 0 - ext/1/) added with ID vol1

OK
10.5.2.3 Analyze the Image File

1. On the following page, click Analyze. Note the other possible options, such as View Notes, File Activity Time Lines, Event Sequencer, and Image Integrity. Image Integrity allows you to verify the hash value of the image file at any time. File Activity Time Lines allows you to create a timeline of file activities. This is highly useful, as it provides a report of exactly what was found on the image. Event Sequencer allows you to add new events in the course of the investigation.
2. To complete the file analysis, select one of the tabs from the top of the screen. Start with File Analysis.

Screenshot: the Autopsy tab bar (File Analysis, Keyword Search, File Type, Image Details, Meta Data, Data Unit, Help, Close).

3. A new window will open that displays the full contents of the disk image file. Since there is only one file on this partition, it will not take long to display. Note that to make hashing easier, there is an option to make an MD5 list of all files on the image file. It is also possible to add a note at this point.
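The File Activity Time Lines option mentioned in step 1 orders every file's modified, accessed and changed timestamps into one sequence. The Python below is an added example (not Autopsy's or Sleuth Kit's code) that builds such a timeline from a few records modelled on the directory listing in this section, which shows MST timestamps from 2014-02-14. The record contents, the UTC-7 offset and the function names are assumptions; the flag notation follows the mactime style of marking which of the three timestamps coincide.

```python
"""File activity timeline from modified/accessed/changed times (added example)."""
from datetime import datetime, timedelta, timezone

MST = timezone(timedelta(hours=-7))   # the listing in this section shows MST


def ts(text, tz=MST):
    """Parse 'YYYY-MM-DD HH:MM:SS' in the given zone; return an aware UTC time."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


# Constructed records: name plus modified (m), accessed (a) and changed (c) times.
RECORDS = [
    {"name": "/", "m": ts("2014-02-14 01:06:39"), "a": ts("2014-02-14 01:08:44"),
     "c": ts("2014-02-14 01:06:39")},
    {"name": "/info.txt", "m": ts("2014-02-14 01:06:33"), "a": ts("2014-02-14 01:08:39"),
     "c": ts("2014-02-14 01:06:33")},
    {"name": "/notes.txt", "m": ts("2014-02-13 08:08:51"), "a": ts("2014-02-13 08:08:51"),
     "c": ts("2014-02-13 08:08:51")},
]


def build_timeline(records):
    """Return [(utc_time, flags, name)] sorted by time.  flags has one character
    per timestamp type (m, a, c) and a '.' where that timestamp of the file
    falls at a different moment: 'm.c' = modified and changed together,
    '.a.' = accessed only, 'mac' = all three at once (typically creation)."""
    grouped = {}
    for r in records:
        for pos, kind in enumerate("mac"):
            flags = grouped.setdefault((r[kind], r["name"]), ["."] * 3)
            flags[pos] = kind
    return sorted((t, "".join(f), name) for (t, name), f in grouped.items())


def events_between(timeline, start, end):
    """Events within [start, end), e.g. the window of a reported incident."""
    return [e for e in timeline if start <= e[0] < end]


def render(timeline):
    """Report lines, normalised to UTC so times from different zones line up."""
    return [f"{t.strftime('%Y-%m-%d %H:%M:%S UTC')}  {flags}  {name}"
            for t, flags, name in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(RECORDS))))
```

Reading the output top to bottom tells the story the listing only hints at: the text file and the root directory were written within seconds of each other, and both were read about two minutes later, while the older file was untouched in that window.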

Screenshot: the File Analysis tab in File Browsing Mode. The left pane offers Directory Seek (enter the name of a directory that you want to view) and File Name Search (enter a Perl regular expression for the file names you want to find); the right pane lists the root directory entries with their written, accessed, changed and created timestamps (2014-02-14, MST) and size, with buttons to add a note and to generate an MD5 list of files, and shows the contents of the single text file on the partition (File Type: ASCII text) in ASCII display.
10.5.3 SANS SIFT

SIFT stands for SANS Investigation Forensic Toolkit; a snapshot is given in Figure 10.1. It is a toolkit with a composition of various tools that are used in virtual machines as a computer forensic tool. It majorly deals with data images, unprocessed images, and numerous file systems (i.e., NTFS, HFS, and UFS, and so on).

Figure 10.1 SANS SIFT (SANS investigative forensics toolkit): a SIFT Workstation virtual machine running in VMware Workstation, with a forensic analysis window (Explore, Overview, Email, Graphics, Bookmarks, Live Search, Index Search and Volatile tabs) listing the files of an evidence image.


Summary
The five functions required for computer forensics tools are acquisition, validation and discrimination, extraction, reconstruction, and reporting. For your computer forensics lab, you should create a software library for older versions of forensics utilities, OSs, and applications, and maintain older versions of software you have used and retired such as previous versions of Windows and Linux. Some computer forensics tools run in a command-line interface, including those that can find file slack and free space, recover data, and search by keyword. They are designed to run in minimal configurations and can fit on a bootable disk. Hardware for computer forensics includes workstations and devices, such as write blockers, to prevent contamination of evidence. Before you purchase or build a forensic workstation, consider where you need to acquire data, which determines the hardware configuration you need. Tools that run in Windows and other GUI environments do not require the same level of computing expertise as command-line tools and can simplify training and investigations.

Key Terms
Acquisition: The process of creating a duplicate image of data; one of the five required functions of computer forensics tools.
Brute-force attack: The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
Computer forensics tool testing (CFTT): A project sponsored by the National Institute of Standards and Technology to manage research on computer forensics tools.
Discrimination: The process of sorting and searching through investigation data to separate known good data from suspicious data; along with validation, one of the five required functions of computer forensics tools.
Extraction: The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the five required functions of computer forensics tools.
Keyword search: A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL): A NIST project with the goal of collecting all known hash values for commercial software and OS files.
Password dictionary attack: An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
Reconstruction: The process of rebuilding data files; one of the five required functions of computer forensics tools.
Validation: The process of checking the accuracy of results; along with discrimination, one of the five required functions of computer forensics tools.
Write blocker: A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write blockers typically alter/interrupt 13 write functions to a drive in a PC's BIOS. Hardware write blockers are usually bridging devices between a drive and the forensic workstation.

Review Questions
1. Explain the evolution of computer forensic tools.
2. How do you perform reconstruction? Explain.
3. What are the various tasks performed by computer forensic tools?
4. Write a short note on comparison of computer forensic tools.
5. Explain in detail the task of hardware forensic tool.