1 of 70

20IT84 - Cyber Security & Digital Forensics

B.Tech. (OPEN ELECTIVE)

By

M. Vijay Kumar


Contents

  • Introduction to Cyber Forensics
  • History
  • Disk Forensics,
  • Network Forensics,
  • Wireless Forensics,
  • Database Forensics,
  • Malware Forensics,
  • Mobile Forensics,
  • Email Forensics.

6 March 2024

9 of 70

Background

  • Cyber activity has become a significant portion of everyday life of general public.
  • Thus, the scope of crime investigation has also broadened. (Source: Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2000.)

Jau-Hwang Wang

Central Police University, Taiwan

9

2024/3/6


Background (continued)

  • Computers and networks have been widely used for enterprise information processing.
  • E-Commerce, such as B2B, B2C and C2C, has become a new business model.
  • More and more facilities are directly controlled by computers.
  • As society has become more and more dependent on computers and computer networks, the computers and networks themselves become targets of criminal activity, such as theft, vandalism, espionage, or even cyber war.


Background (continued)

  • 85% of businesses and government agencies detected security breaches. (Source: http://www.smh.com.au/icon/0105/02/news4.html)
  • The FBI estimates U.S. losses at up to $10 billion a year. (Source: Sager, Ira, et al., "Cyber Crime", Business Week, February 2000.)


Background (continued)

  • In the early 1990s, threats to information systems were approximately 80% internal and 20% external.
  • With the integration of telecommunications and personal computers into the Internet, the threats appear to be approaching an equal split between internal and external agents.
    • (Source: Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator's Handbook, Butterworth Heinemann, p. 56.)


Background (continued)

  • Countermeasures for computer crime
    • Computer & network security
    • Effective prosecution, and prevention


Forensic Science

  • Definition:
    • Application of the physical sciences to law in the search for truth in civil, criminal, and social behavioral matters, to the end that injustice shall not be done to any member of society. (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990.)
  • Sciences: chemistry, biology, physics, geology, …
  • Goal: determining the evidential value of crime scene and related evidence.


Forensic Science (continued)

  • The functions of the forensic scientist
    • Analysis of physical evidence
    • Provision of expert testimony
    • Provision of training in the proper recognition, collection, and preservation of physical evidence
    • (Source: Richard Saferstein, 1981, Criminalistics: An Introduction to Forensic Science, 2nd edition, Prentice Hall)


Computer (or Cyber) Forensics (Source: Warren G. Kruse II and Jay G. Heiser, 2002, Computer Forensics: Incident Response Essentials, Addison-Wesley)

  • Definition:
    • Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.
  • Methodology:
    • Acquire the evidence without altering or damaging the original.
    • Authenticate that the recovered evidence is the same as the original seized.
    • Analyze the data without modifying it.


Network Forensics

  • Definition
    • The study of network traffic to search for truth in civil, criminal, and administrative matters, to protect users and resources from exploitation, invasion of privacy, and any other crime fostered by the continual expansion of network connectivity. (Source: Kevin Mandia & Chris Prosise, Incident Response, Osborne/McGraw-Hill, 2001.)


Challenges of Computer Forensics

  • A microcomputer may have 60 GB or more of storage capacity.
  • More than 2.2 billion messages are expected to be sent and received per day (in the US).
  • There are more than 3 billion indexed Web pages worldwide.
  • There are more than 550 billion documents online.
  • Exabytes of data are stored on tape or hard drives.
    • (Source: Marcella, Albert, et al., Cyber Forensics, 2002.)


Challenges of Computer Forensics (continued)

  • How to collect the specific, probative, and case-related information from very large groups of files?
    • Link analysis
    • Visualization
  • Enabling techniques for lead discovery from very large groups of files:
    • Text mining
    • Data mining
    • Intelligent information retrieval


Challenges of Computer Forensics (continued)

  • Computer forensics must also adapt quickly to new products and innovations with valid and reliable examination and analysis techniques.


Ongoing Research Projects

  • Search engine techniques for finding Web pages that contain illegal content.
  • Malicious program feature extraction and detection using data mining techniques.


Disk Forensics

Disk forensics is the science of extracting forensic information from digital storage media such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives and floppy disks. The disk forensics process consists of the following steps:

  • Identify digital evidence
  • Seize and acquire the evidence
  • Authenticate the evidence
  • Preserve the evidence
  • Analyze the evidence
  • Report the findings
  • Document every step


Identify digital storage devices

  • The first step in disk forensics is identification of the storage devices at the scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobile phones, PDAs, flash cards, SIM cards, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives, etc. These are some of the sources of digital evidence.


Seizure and Acquisition of Storage devices

  • The next step is seizing the storage media for digital evidence collection. This step is performed at the scene of crime. A hash value of the storage media to be seized is computed using an appropriate cyber forensics tool. The hash value is a unique signature of the content of the storage media, generated by a mathematical hashing algorithm. After the hash value has been computed, the storage media is securely sealed and taken for further processing.


Seizure and Acquisition of Storage devices (continued)

  • One of the cardinal rules of cyber forensics is "Never work on original evidence". To honour this rule, an exact copy of the original evidence is created for analysis and digital evidence collection. Acquisition is the process of creating this exact copy: the original storage media is write-protected and a bit-stream copy is made so that all of the data is copied to the destination media. Acquisition of the source media is usually done in a cyber forensics laboratory.


Authentication of the evidence

  • Authentication of the evidence is carried out in the cyber forensics laboratory. The hash values of the source and destination media are compared; if they are the same, the content of the destination media is an exact copy of the source media.


Preservation of the evidence

  • Electronic evidence can be altered or tampered with without leaving a trace. Once acquisition and authentication are done, the original evidence should be placed in secure storage, away from strong magnetic fields and radiation sources. One more copy of the image should be taken and stored on appropriate media or reliable mass storage. Optical media can be used as the mass storage: it is reliable, fast, has a long life span and is reusable.


Verification and Analysis of the evidence

  • Verification of the evidence before starting analysis is an important step in the cyber forensics process. It is done in the cyber forensics laboratory before analysis commences. The hash value of the evidence is computed and compared with the hash value taken at the time of acquisition. If both values are the same, the content of the evidence is unchanged; if they differ, the content has changed. The result of verification should be properly documented.
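The seize, acquire, authenticate and verify steps of the preceding slides, as an added example that is not part of the original slides: a bit-stream copy of a constructed 4 KiB "medium", with SHA-256 hashes taken at seizure, after acquisition and again before analysis, so that a single flipped bit in the working copy is caught. The sample data and the function names are assumptions.

```python
import hashlib
import io

# Constructed sample "storage medium": 4 KiB of deterministic bytes standing
# in for a seized device. It is not real evidence.
SOURCE_MEDIA = bytes((i * 7 + 3) & 0xFF for i in range(4096))

SECTOR = 512  # bit-stream copies are made sector by sector


def hash_media(stream, algorithm="sha256"):
    """Hash an entire medium sector by sector, as done at seizure time."""
    h = hashlib.new(algorithm)
    stream.seek(0)
    while True:
        chunk = stream.read(SECTOR)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def acquire(source_stream, algorithm="sha256"):
    """Bit-stream copy of the (write-protected) source into a new image.

    Returns (image_bytes, source_hash, image_hash); authentication passes
    only when the two hashes are identical.
    """
    source_hash = hash_media(source_stream, algorithm)
    source_stream.seek(0)
    image = io.BytesIO()
    while True:
        sector = source_stream.read(SECTOR)
        if not sector:
            break
        image.write(sector)
    image_hash = hash_media(image, algorithm)
    return image.getvalue(), source_hash, image_hash


def acquire_from_bytes(data, algorithm="sha256"):
    """Convenience wrapper so the medium can be handed over as bytes."""
    return acquire(io.BytesIO(data), algorithm)


def authenticate(source_hash, image_hash):
    """Authentication step: the image is an exact copy iff the hashes match."""
    return source_hash == image_hash


def verify(image_bytes, acquisition_hash, algorithm="sha256"):
    """Verification before analysis: recompute the hash and compare it with
    the one recorded at acquisition. Returns (unchanged, current_hash) so the
    result can be documented either way."""
    current = hash_media(io.BytesIO(image_bytes), algorithm)
    return current == acquisition_hash, current


if __name__ == "__main__":
    image, src_hash, img_hash = acquire_from_bytes(SOURCE_MEDIA)
    print("source hash:", src_hash)
    print("authenticated:", authenticate(src_hash, img_hash))
    # Simulate a single flipped bit in the working copy before analysis.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    print("verification after tampering:", verify(bytes(tampered), src_hash)[0])
```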


Verification and Analysis of the evidence

  • Analysis is the process of collecting digital evidence from the content of the storage media, depending on the nature of the case being examined. It involves keyword searching, picture analysis, timeline analysis, registry analysis, mailbox analysis, database analysis, analysis of cookies, temporary files and Internet history files, recovery and analysis of deleted items, data carving, format recovery, partition recovery, etc.


Reporting the findings

  • The case analysis report should be prepared according to the nature of the examination requested by the court or investigating agency. It should contain the nature of the case, details of the examination requested, details of the material objects and their hash values, the result of evidence verification, details of the analysis conducted and the digital evidence collected, the examiner's observations and the conclusion. The report should be presented in simple, precise terms so that non-technical persons can understand its content.


Documentation

  • Documentation is very important at every step of the cyber forensics process. Everything should be appropriately documented to make the case admissible in a court of law. Documentation should start from the planning of the case investigation and continue through the search at the scene of crime, seizure of material objects, chain of custody, authentication and acquisition of evidence, verification and analysis of evidence, collection of digital evidence and reporting, preservation of material objects, and up to the closing of the case.


Disk Forensics

  • Definition: The scientific process of recovering and analyzing digital evidence from storage devices like hard drives and SSDs.
  • Application: Used in legal investigations, cyber security incidents, data breaches, and more.
  • Importance: Preserves data integrity, ensures chain of custody, and aids in uncovering crucial information.


The Disk Forensics Process

  • Acquisition: Creating a forensic image of the storage device without altering any data.
  • Analysis: Examining the image using specialized tools to identify deleted files, artifacts, and hidden data.
  • Reporting: Documenting the findings in a clear and concise manner, adhering to chain of custody principles.


Common Disk Forensics Techniques

  • File carving: Recovering fragmented data remnants to reconstruct deleted files.
  • Steganography detection: Identifying hidden messages embedded within other files.
  • Data carving: Extracting information from unallocated disk space.
  • Keyword searching: Locating specific terms or patterns within the recovered data.


Challenges in Disk Forensics

  • Data encryption: Requires specialized tools and techniques to decrypt protected data.
  • Data volatility: Recovering data from volatile memory (RAM) poses unique challenges.
  • Data remanence: Deleted data may leave traces, requiring careful interpretation.
  • Legal and ethical considerations: Adhering to data privacy laws and regulations is crucial.


Disk Forensics Tools

The Sleuth Kit (TSK):

    • TSK is a powerful open-source tool for disk forensics.
    • It allows you to examine disk partitions, file systems, and file metadata.
    • Use mmls to display the partition layout of a volume system.

Autopsy:

    • Autopsy is a GUI wrapper for TSK.
    • It provides an intuitive interface for analyzing disk partitions and files.
    • You can explore partition details and MFT entries using Autopsy.


Disk Forensics Tools

  • NTFS Filesystem:
    • NTFS (New Technology File System) is commonly used in Windows.
    • The basic unit is called a cluster.
    • The Master File Table (MFT) is crucial for NTFS forensics.
    • Each file or directory has a corresponding MFT entry.
  • Locating the MFT:
    • The MFT starts at the 63rd sector.
    • Use the formula: MFT Sector = BaseSector + (MFTClusterNo * SecPerCluster).
    • MFT entries contain essential information about files and directories.
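A worked version of the MFT location formula above, added here as an example rather than taken from the slides or from TSK: it builds a constructed 64 KiB image with an NTFS boot sector at sector 63, parses the BIOS Parameter Block fields that matter (bytes per sector, sectors per cluster, $MFT start cluster, record size) and computes where the first MFT entries must be, then checks for the "FILE" record signature there. The base sector, cluster values and function names are assumptions.

```python
import struct

SECTOR = 512
BASE_SECTOR = 63  # partition start used by the slide's formula (assumption)


def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                      mft_cluster=4, mftmirr_cluster=2, total_sectors=127):
    """Constructed NTFS boot sector carrying only the fields used here."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                          # jump instruction
    bs[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<Q", bs, 0x30, mft_cluster)      # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, mftmirr_cluster)  # $MFTMirr start cluster
    bs[0x40] = 0xF6   # clusters per MFT record; signed -10 means 2**10 bytes
    bs[0x1FE:0x200] = b"\x55\xAA"                      # boot signature
    return bytes(bs)


def parse_boot_sector(bs):
    """Pull the BIOS Parameter Block fields needed to locate the MFT."""
    if len(bs) < SECTOR or bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    if bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("bad boot signature")
    bps = struct.unpack_from("<H", bs, 0x0B)[0]
    spc = bs[0x0D]
    cpr = struct.unpack_from("<b", bs, 0x40)[0]
    # A negative value encodes the record size as a power of two.
    record_size = (1 << -cpr) if cpr < 0 else cpr * spc * bps
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "mft_cluster": struct.unpack_from("<Q", bs, 0x30)[0],
        "mftmirr_cluster": struct.unpack_from("<Q", bs, 0x38)[0],
        "record_size": record_size,
    }


def mft_sector(base_sector, info):
    """The slide's formula: MFT Sector = BaseSector + MFTClusterNo * SecPerCluster."""
    return base_sector + info["mft_cluster"] * info["sectors_per_cluster"]


def mft_entry_offset(base_sector, info, entry_no):
    """Absolute byte offset of MFT entry number `entry_no` in the image."""
    return (mft_sector(base_sector, info) * info["bytes_per_sector"]
            + entry_no * info["record_size"])


def build_disk_image(base_sector=BASE_SECTOR):
    """Constructed 64 KiB image: boot sector at the partition base and two
    MFT entries carrying the 'FILE' record signature where the formula says."""
    img = bytearray(64 * 1024)
    bs = build_boot_sector()
    img[base_sector * SECTOR:base_sector * SECTOR + SECTOR] = bs
    info = parse_boot_sector(bs)
    for n in range(2):
        off = mft_entry_offset(base_sector, info, n)
        img[off:off + 4] = b"FILE"
    return bytes(img)


def locate_mft(image, base_sector=BASE_SECTOR):
    """Read the boot sector out of the image, compute the MFT position and
    confirm that an MFT record really starts there."""
    start = base_sector * SECTOR
    info = parse_boot_sector(image[start:start + SECTOR])
    offset = mft_entry_offset(base_sector, info, 0)
    if image[offset:offset + 4] != b"FILE":
        raise ValueError("no FILE record at computed MFT offset %d" % offset)
    return info, mft_sector(base_sector, info), offset


if __name__ == "__main__":
    info, sector, offset = locate_mft(build_disk_image())
    print("MFT at sector %d (byte offset %d), record size %d"
          % (sector, offset, info["record_size"]))
```

On a real image the base sector is read from the partition table (for example from mmls output) rather than assumed.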


What is Network Forensics?

  • Network Forensics is a sub-branch of digital forensics that deals with the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
  • It essentially involves the examination of network traffic going across a network that is suspected to be involved in malicious activities.
  • This includes the investigation of networks spreading malware, stealing credentials, or analyzing cyber-attacks.


The Network Forensics Process

  • Acquisition: Capturing network traffic using tools like packet sniffers and network tap devices.
  • Analysis: Examining the captured data with specialized tools to identify suspicious activity, malware signatures, and anomalies.
  • Reporting: Documenting the findings in a clear and concise manner, maintaining chain of custody principles.
  • Presentation: Presenting the evidence to stakeholders, including investigators, legal teams, and security professionals.


Common Network Forensics Techniques

  • Packet capture: Recording network traffic on the wire for further analysis.
  • Traffic analysis: Examining captured data to identify anomalies, suspicious activity, and potential threats.
  • Protocol decoding: Understanding the format and content of different network protocols for deeper analysis.
  • Intrusion detection and prevention: Utilizing systems to detect and block malicious network activity in real-time.
  • Forensic timeline analysis: Reconstructing the sequence of events based on timestamps and captured data.


Challenges in Network Forensics

  • Encryption: Encrypted traffic can obfuscate evidence, requiring specialized decryption techniques.
  • Data Management: Handling the large volume of data generated during the process is a significant challenge.
  • Intrinsic Anonymity of IP Addresses: IP address spoofing complicates attribution.
  • Address Spoofing: Attackers can manipulate source IP addresses, making tracing difficult.


Introduction to Wireless Forensics

  • Wireless forensics deals with analyzing evidence related to wireless networks and devices.
  • It involves collecting and examining wireless traffic data to uncover crucial information.


The Wireless Forensics Process

  • Acquisition: Capturing wireless traffic using specialized tools like wireless network adapters and packet sniffers.
  • Analysis: Examining the captured data to identify unauthorized access points, suspicious devices, protocol anomalies, and data transfers.
  • Reporting: Documenting the findings in a clear and concise manner, including network configurations, captured data analysis, and potential security risks.
  • Presentation: Presenting the evidence to stakeholders, including investigators, legal teams, and IT security professionals.


Common Wireless Forensics Techniques

  • War driving: Identifying available Wi-Fi networks while moving through an area.
  • Wi-Fi sniffing: Capturing wireless traffic to analyze network activity and identify potential vulnerabilities.
    • Understand protocols like 802.11 (Wi-Fi) and Bluetooth.
  • Rogue access point detection: Locating unauthorized access points that may be used for malicious purposes.
  • Wireless intrusion detection: Utilizing systems to monitor wireless networks for suspicious activity and potential attacks.
  • Network protocol analysis: Decoding and analyzing wireless network protocols to understand data types and communication patterns.


Mobile Phones in Wireless Forensics:

    • Mobile phones are a significant part of wireless forensics.
    • Valid digital evidence can be extracted from mobile devices.
    • This includes data and voice communications via VoIP.


Wireless Traffic Collection:

    • Methods for collecting wireless traffic include:
      • Capturing packets from Wi-Fi networks.
      • Analyzing Bluetooth communication.
      • Investigating cellular networks (e.g., GSM, 3G, 4G, 5G).


Tools:

    • Use tools like Wireshark, Aircrack-ng, and NetStumbler for packet analysis.

Visualizing the Process:

    • Diagrams can illustrate the flow of wireless data, encryption methods, and communication channels.


Introduction to Database Forensics:

  • Database forensics involves the application of forensic techniques to investigate unauthorized access, data breaches, data manipulation, or any other malicious activities within a database system. It aims to identify, preserve, analyze, and present digital evidence stored in databases.
  • It focuses on data stored in databases, including relational databases (e.g., MySQL, PostgreSQL) and NoSQL databases (e.g., MongoDB, Cassandra).


Sources of Data Breaches:

  • Major Sources of Data Breaches:
    • Financially Motivated Attacks: Intentional or malicious system damage.
    • Techniques include IP spoofing, sniffing/scanning, and credential misuse.
    • Unintentional Disclosure: Due to negligence or misconfiguration.
  • Weak Information Security Policies:
    • Lack of role segregation.
    • Compliance ≠ Security: Auditing focuses on compliance, not detecting security issues.
    • Limited incident analysis and weak recovery techniques.


Essential Techniques in Database Forensics

  • File carving: Recovering fragmented data remnants to reconstruct deleted files.
  • Keyword searching: Locating specific terms or patterns within the database.
  • Log file analysis: Examining database logs for anomalies and suspicious activity.
  • Metadata analysis: Analyzing metadata helps investigators understand file information, the database schema, user activity and system events.


Common Challenges in Database Forensics:

    • Data Breaches: Unauthorized access to sensitive data.
    • Insiders and Outsiders: Both pose threats to information security.
    • Protocol-Level Vulnerabilities: Examples include SSL Heartbleed, kernel vulnerabilities, and application bugs.
    • Web-Based Attacks: Such as SQL injection and Denial of Service (DoS) attacks.
    • Malware: Trojans, RATs, and rogueware.


Tools:

  • Database forensics tools such as EnCase, FTK, Autopsy, and specialized database forensic toolkits are used to acquire, analyze, and recover digital evidence from databases.


Introduction to Malware Forensics:

Malware forensics involves the systematic examination of malware samples to uncover details such as how it operates, its purpose, and potential indicators of compromise. It's a crucial aspect of cybersecurity for identifying and mitigating threats.


Types of Malware:

  • Viruses: Self-replicating programs that attach themselves to clean files or other programs.
  • Worms: Standalone malware that replicates itself across networks without human intervention.
  • Trojans: Malicious programs disguised as legitimate software.
  • Ransomware: Malware that encrypts files or locks down systems, demanding a ransom for decryption.
  • Spyware: Software designed to gather sensitive information from a computer without the user's consent.
  • Adware: Malware that displays unwanted advertisements.


Malware Analysis Framework:

The stages involved in malware analysis:

  • Static Analysis: Examination of malware without executing it, including file header analysis, strings extraction, and code disassembly.
  • Dynamic Analysis: Running the malware in a controlled environment to observe its behavior, such as network activity, file system changes, and system calls.


Static Analysis

  • Examining malware code without executing it.
  • Identifying suspicious code patterns, strings, and APIs.
  • Analyzing file headers, metadata, and resources.
  • Determining functionality and potential impact.
  • Tools like IDA Pro, strings, and PEiD are employed.
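The header and string checks listed above, as an added example (not from the slides or from any of the named tools): a constructed byte blob with a minimal MZ/PE header and a few embedded ASCII and UTF-16LE strings is parsed to pull out the COFF header fields and to flag API names, URLs and command lines that deserve a closer look, without executing anything. The sample bytes, the API watch-list and the function names are assumptions.

```python
import re
import struct
from datetime import datetime, timezone


def build_sample():
    """Constructed stand-in for a suspicious executable: a minimal MZ/PE
    header followed by a few embedded strings. It is not a real program."""
    blob = bytearray(0x200)
    blob[0:2] = b"MZ"                                    # DOS header magic
    struct.pack_into("<I", blob, 0x3C, 0x80)             # e_lfanew -> PE header
    blob[0x80:0x84] = b"PE\0\0"                          # PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", blob, 0x84,
                     0x8664, 3, 1709640000, 0, 0, 240, 0x0022)
    ascii_part = (b"kernel32.dll\0CreateRemoteThread\0VirtualAllocEx\0"
                  b"http://c2.example/beacon\0")          # constructed URL
    blob[0x100:0x100 + len(ascii_part)] = ascii_part
    wide_part = "cmd.exe /c whoami".encode("utf-16-le") + b"\0\0"
    blob[0x180:0x180 + len(wide_part)] = wide_part
    return bytes(blob)


def parse_pe_header(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsec,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc),
            "optional_header_size": opt_size, "characteristics": chars}


ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data):
    """What the `strings` tool does (printable ASCII runs), plus the UTF-16LE
    runs that Windows binaries are full of and plain `strings` misses."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


# Assumed watch-list of APIs commonly seen in process injection; an analyst's
# real list would be far longer.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx",
                   "WriteProcessMemory", "SetWindowsHookExA"}
URL_RE = re.compile(r"https?://\S+")


def triage(data):
    """Static triage: header facts plus the strings worth a second look."""
    strings = extract_strings(data)
    return {"header": parse_pe_header(data),
            "apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
            "urls": [s for s in strings if URL_RE.match(s)],
            "commands": [s for s in strings if s.lower().startswith("cmd.exe")]}


if __name__ == "__main__":
    report = triage(build_sample())
    print("machine 0x%04x, %d sections, compiled %s" % (
        report["header"]["machine"], report["header"]["sections"],
        report["header"]["compiled"].isoformat()))
    print("suspicious APIs:", report["apis"])
    print("URLs:", report["urls"])
    print("commands:", report["commands"])
```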


Dynamic Analysis

  • Observing malware behaviour in a controlled environment (sandbox).
  • Monitoring network activity, file system changes, and registry modifications.
  • Identifying hidden functionalities and communication channels.
  • Understanding the full scope of the attack.
  • Tools like Cuckoo Sandbox and VirusTotal Sandbox are popular.


Malware Forensics:

  • Malware Analysis: Techniques to dissect and understand malware behavior.
  • Detection and Attribution: Identifying the presence of malware and tracing it back to its origin.
  • Incident Response: Handling malware incidents effectively.
  • Static and Dynamic Analysis: Examining malware without execution (static) and during execution (dynamic).


Stages of Malware Analysis:

    • Collection: Gathering malware samples.
    • Examination: Analyzing code, behavior, and artifacts.
    • Reconstruction: Understanding the attack scenario.
    • Reporting: Documenting findings for legal purposes.


Challenges in Malware Forensics

    • Evolving malware techniques to evade detection and analysis.
    • Limited access to resources and specialized tools.
    • Data encryption and obfuscation techniques obstructing analysis.
    • Need for continuous learning and keeping up with the threat landscape.


Introduction to Mobile Forensics

Mobile forensics is a branch of digital forensics focused on the investigation and analysis of data stored on mobile devices. These devices include smartphones, tablets, wearable technology, and other portable electronic gadgets. Mobile forensics is crucial in modern investigations due to the widespread use of mobile devices and the sensitive data they contain.


What is Mobile Forensics?


    • Identification: Identifying the type of device and its operating system version, manufacturer, model, and other relevant information.
    • Data Extraction:
      • Preserving, collecting, analyzing, and interpreting digital evidence from mobile devices.
      • Recovering deleted data, identifying suspicious activity, and reconstructing events.
    • Analysis Techniques:
      • Understanding mobile data, apps, and communication.
      • Investigate call logs, SMS messages, contacts, and app data.
      • Look for deleted files, GPS location history, and social media activity.
    • Reporting: Documenting the findings of the analysis in a clear and concise report suitable for presentation in court or other legal proceedings.
    • Incident Response: Handling security incidents involving mobile devices.


Importance of Mobile Forensics:

  • Increase of Mobile Devices: With the widespread adoption of smartphones and tablets, mobile devices have become an integral part of daily life for many individuals and businesses.
  • Storage of Sensitive Information: Mobile devices often store a wealth of personal and sensitive information, including contacts, messages, emails, photos, videos, location data, and application data.
  • Crime and Investigations: Mobile devices are frequently involved in criminal activities such as fraud, theft, cyberbullying, harassment, and terrorism. Investigating these crimes often requires the extraction and analysis of digital evidence from mobile devices.
  • Legal Proceedings: Mobile device data is increasingly being used as evidence in legal proceedings, including criminal investigations, civil litigation, and regulatory inquiries.


Mobile Forensics Tools

  • Physical acquisition tools: UFED, Oxygen Forensic Suite.
  • Logical acquisition tools: Cellebrite UFED Physical Analyzer, XRY.
  • Data carving tools: PhotoRec, Scalpel.
  • Password cracking tools: John the Ripper, Elcomsoft Phone Password Breaker.
  • Reporting tools: Forensic Explorer, Analyst.


Mobile Forensics Challenges

  • Diverse device platforms and operating systems requiring specific expertise.
  • Encryption and password protection hindering data access.
  • Short lifespan of volatile data like call logs and system activity.
  • Legal and ethical considerations regarding data privacy and user rights.
  • Cloud Services: Data may be synced to the cloud.


Email Forensics

Email forensics involves:

    • Preserving, collecting, and analyzing digital evidence found in email accounts.
    • Recovering deleted emails, identifying suspicious activity, and reconstructing events related to email communication.
    • Used in legal investigations, corporate security incidents, and civil litigation.


Tools and Techniques:

    • Use tools like Wireshark, ExifTool, and Email Header Analyzer.
    • Understand protocols like SMTP, IMAP, and POP3.


Email Forensics Techniques

  • Header analysis: Examining email headers for hidden information like sender IP addresses, timestamps, and routing details.
  • Content analysis: Searching email content for relevant evidence by searching keywords, attachments, and embedded objects.
  • Deleted data recovery: Utilizing specialized tools to retrieve deleted emails and other email-related data.
  • Metadata analysis: Extracting hidden information from email attachments and file properties.
  • Logs and traces: Examining email server logs and traces.
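Header analysis as in the first bullet above, as an added example that is not part of the original slides: the Received chain of a constructed message is reversed into chronological order, each hop's from/by hosts, relay IP and timestamp are extracted, and the chain is checked for hops that run backwards in time or do not hand off to one another. A second constructed copy carries an inserted bottom Received header so the check has something to flag. All hosts, addresses and function names are assumptions.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (headers only). Addresses come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.7]) by mail.example.com with ESMTP id q1; Tue, 5 Mar 2024 10:02:15 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9]) by mx2.example.org with ESMTP; Tue, 5 Mar 2024 10:02:10 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45]) by relay.example.net with SMTP; Tue, 5 Mar 2024 10:01:58 +0000
From: "Accounts" <billing@example.net>
To: someone@example.com
Subject: Invoice
Date: Tue, 5 Mar 2024 10:01:00 +0000

(body omitted)
"""

# The same message with an extra bottom-most Received header whose timestamp
# is later than the hop above it: a chain that cannot have happened.
FORGED = SAMPLE.replace(
    "From: ",
    "Received: from mail.trusted.example (mail.trusted.example [192.0.2.200]) "
    "by [192.0.2.45] with SMTP; Tue, 5 Mar 2024 11:30:00 +0000\nFrom: ",
    1,
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into from/by hosts, relay IP and timestamp."""
    value = " ".join(value.split())              # unfold and normalise spaces
    head, sep, date_part = value.rpartition(";")
    if not sep:                                  # no timestamp clause at all
        head, date_part = value, ""
    m_from = re.search(r"\bfrom\s+(\S+)", head)
    m_by = re.search(r"\bby\s+(\S+)", head)
    ips = IP_RE.findall(head)
    when = parsedate_to_datetime(date_part.strip()) if date_part.strip() else None
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ips[0] if ips else None,
            "time": when}


def hops_in_order(raw):
    """Each relay prepends its Received header, so reversing the list gives
    the chronological path from origin to the final mailbox."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def check_chain(hops, max_skew=timedelta(minutes=5)):
    """Flag hops dated earlier than the previous hop by more than clock skew,
    and hops whose 'from' host is not the previous hop's 'by' host."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["time"] and cur["time"] and cur["time"] + max_skew < prev["time"]:
            findings.append("hop %d dated before hop %d" % (i, i - 1))
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append("hop %d received from %s but hop %d was handled by %s"
                            % (i, cur["from"], i - 1, prev["by"]))
    return findings


def analyze(raw):
    """Chronological hops, the apparent origin IP and any chain anomalies."""
    hops = hops_in_order(raw)
    return {"hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None,
            "findings": check_chain(hops)}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("forged", FORGED)):
        result = analyze(raw)
        print(name, "origin", result["origin_ip"], "findings", result["findings"])
```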


Challenges in Email Forensics

  • Data encryption and password protection hindering access to email content.
  • Ephemeral storage of email data on servers, necessitating prompt action for preservation.
  • Legal and ethical considerations regarding user privacy and data ownership.
  • Continuous evolution of email technologies and techniques used by malicious actors.