Cyber Forensic
Uploaded by
instauser482Cyber Forensic
Uploaded by
instauser482lOMoARcPSD|42933711
Cyber Forensics - Need documents
Information technology (Malla Reddy Group of Institutions)
Scan to open on Studocu
Studocu is not sponsored or endorsed by any college or university
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
CYBER FORENSICS
COURSE FILE
B.Tech -CSE IV Year – II
SemesterR18 Regulation
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING(2022-2023)
Compiled by
Dr. M. Jaganathan
Professor
Computer Science and Engineering
MALLA REDDY INSTITUTE OF TECHNOLOGY AND SCIENCE
(SPONSORED BY MALLA REDDY EDUCATIONAL SOCIETY)
Affiliated to JNTUH & Approved by AICTE, New Delhi
NAAC & NBA Accredited, ISO 9001:2015 Certified, Approved by
UKAccreditation CentreGranted Status of 2(f) & 12(b) under UGC Act
1956,Govt. of India.
Maisammaguda, Dhulapally, Post via kompally, Secunderabad – 500 100
www.mrits.ac.in
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
CS815PE: CYBER FORENSICS (Professional Elective - VI)
IV Year B.Tech. CSE II -Sem L T P C
3 0 0 3
Prerequisites: Network Security
Course Objectives:
A brief explanation of the objective is to provide digital evidences which are obtained
from digitalmedia.
In order to understand the objectives of computer forensics, first of all, people have to
recognizethe different roles computer plays in a certain crime.
According to a snippet from the United States Security Service, the functions
computer has in different kinds of crimes.
Course Outcomes:
Students will understand the usage of computers in forensic, and how to use various
forensictools for a wide variety of investigations.
It gives an opportunity to students to continue their zeal in research in computer
forensics
UNIT- I
Introduction of Cybercrime: Types, The Internet spawns crime, Worms versus viruses,
Computers' roles in crimes, Introduction to digital forensics, Introduction to Incident - Incident
Response Methodology – Steps - Activities in Initial Response, Phase after detection of an
incident
UNIT-II
Initial Response and forensic duplication, Initial Response & Volatile Data Collection from
Windows system -Initial Response & Volatile Data Collection from Unix system – Forensic
Duplication: Forensic duplication: Forensic Duplicates as Admissible Evidence, Forensic
Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified Forensic Duplicate
of a Hard Drive
UNIT - III
Forensics analysis and validation: Determining what data to collect and analyze, validating
forensicdata, addressing data-hiding techniques, performing remote acquisitions
Network Forensics: Network forensics overview, performing live acquisitions, developing
standard procedures for network forensics, using network tools, examining the honeynet
project.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
UNIT -IV
Current Forensic tools: evaluating computer forensic tool needs, computer forensics
software tools, computer forensics hardware tools, validating and testing forensics software E-
Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the
client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail
servers, using specialized e-mail forensic tools.
Cell phone and mobile device forensics: Understanding mobile device forensics,
understanding acquisition procedures for cell phones and mobile devices.
UNIT- V
Working with Windows and DOS Systems: understanding file systems, exploring Microsoft
File Structures, Examining NTFS disks, Understanding whole disk encryption, windows
registry, Microsoft startup tasks, MS-DOS startup tasks, virtual machines.
TEXT BOOKS:
1. Kevin Mandia, Chris Prosise, “Incident Response and computer forensics”, Tata
McGraw Hill, 2006.
2. Computer Forensics, Computer Crime Investigation by John R. Vacca, Firewall Media,
New Delhi.
3. Computer Forensics and Investigations by Nelson, Phillips Enfinger, Steuart,
CENGAGE Learning
REFERENCE BOOKS:
1. Real Digital Forensics by Keith J. Jones, Richard Bejtiich, Curtis W. Rose, Addison-
Wesley Pearson Education
2. Forensic Compiling, A Tractitioneris Guide by Tony Sammes and Brian Jenkinson,
Springer International edition.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
UNIT 1
INTRODUCTION TO FORENSICS
Cybercrime or a computer-oriented crime is a crime that includes a computer and a network.
The computer may have been used in the execution of a crime or it may be the target.
Cybercrime is the use of a computer as a weapon for committing crimes such as committing
fraud, identity theft, or breaching privacy. Cybercrime, especially through the Internet, has
grown in importance as the computer has become central to every field like commerce,
entertainment, and government. Cybercrime may endanger a person or a nation’s security
and financial health.
Cybercrime encloses a wide range of activities, but these can generally be divided into two
categories:
1. Crimes that aim at computer networks or devices. These types of crimes involve
different threats (like virus, bugs etc.) and denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal activities. These
types of crimes include cyber stalking, financial fraud or identity theft.
Classification of Cyber Crime:
Cyber Terrorism –
Cyber terrorism is the use of the computer and internet to perform violent acts that result in
loss of life. This may include different type of activities either by software or hardware for
threatening life of citizens.
In general, Cyber terrorism can be defined as an act of terrorism committed through the use
of cyberspace or computer resources.
Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is subjected to or
threatened with repeated denial of service or other attacks by malicious hackers. These
hackers demand huge money in return for assurance to stop the attacks and to offer
protection.
Cyber Warfare –
Cyber warfare is the use or targeting in a battle space or warfare context of computers, online
control systems and networks. It involves both offensive and defensive operations
concerning to the threat of cyber attacks, espionage and sabotage.
Internet Fraud –
Internet fraud is a type of fraud or deceit which makes use of the Internet and could include
hiding of information or providing incorrect information for the purpose of deceiving victims
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
for money or property. Internet fraud is not considered a single, distinctive crime but covers
a range of illegal and illicit actions that are committed in cyberspace.
Challenges of Cyber Crime:
People are unaware of their cyber rights-
The Cybercrime usually happen with illiterate people around the world who are unaware about
their cyber rights implemented by the government of that particular country.
Anonymity-
Those who Commit cyber crime are anonymous for us so we cannot do anything to that person.
Less numbers of case registered-
Every country in the world faces the challenge of cyber crime and the rate of cyber crime is
increasing day by day because the people who even don’t register a case of cyber crime and this
is major challenge for us as well as for authorities as well.
Mostly committed by well educated people-
Committing a cyber crime is not a cup of tea for every individual. The person who commits
cyber crime is a very technical person so he knows how to commit the crime and not get caught
by the authorities.
No harsh punishment-
In Cyber crime there is no harsh punishment in every cases. But there is harsh punishment in
some cases like when somebody commits cyber terrorism in that case there is harsh punishment
for that individual. But in other cases there is no harsh punishment so this factor also gives
encouragement to that person who commits cyber crime.
What Is Internet Crime?
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Internet crime, sometimes called cybercrime or online crime, encompasses any criminal activity
carried out on the computer or via the internet. Committing an internet crime or being targeted
by one can have serious consequences.
Cybercrimes commonly fall into one of three categories:
Crimes Against People – Crimes that impact an individual, including stalking, identity theft,
online harassment, and more.
Crimes Against Property – These crimes impact an object or piece of property, such as servers
or computers. Crimes against property include hacking, virus transmission, copyright
infringement, and more.
Crimes Against Government – These are virtual crimes that violate a nation’s sovereignty, such
as cyberterrorism, online piracy, hacking confidential information, and more.
Although the three categories of internet crimes listed above give an overarching description of
the infraction, there are many subcategories of cybercrimes to be aware of. Below, we explore
various internet crimes that can impact you, your loved ones, or your organization at any time.
Understanding 12 Different Types of Internet Crimes
It’s important to understand the various types of internet crime out there to protect yourself or
your organization from an attack. Let’s look at the most common kinds of cybercrime committed
today:
1. Phishing
You’ve probably already heard of phishing, as it is one of the most prevalent kinds of online
scams seen across the internet since its inception. Phishing is a method hackers use to “fish” for
your personal information disguised as a legitimate business. For example, they might say your
account has been compromised, you’ve won a prize, or they offer another lie in exchange for
your private information.
In phishing, scammers send out fake links asking for confidential details. These links typically
come through your e-mail or cell phone as a text message or sometimes even as a phone call.
Unfortunately, phishing scams can look very convincing. Phishing scams might as you to
disclose confidential information, such as:
Bank Account Information
Social Security Number
Credit Card Number
Online Passwords
Personal Identification Number (PIN)
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
If you see a suspicious link in your inbox, do your due diligence. Make sure to check out who
sent the e-mail or message. Most often, phishing emails are a dead giveaway that something is
off and you shouldn’t share any information with the sender.
2. Online Scams
Just like phishing, online scams aim to gain access to your personal information. Pop-up ads,
professional-looking e-mails, online contests, and other seemingly innocuous online scams can
target you and take your information for personal gain. Again, never input any intimate details
into an unknown website or a reply e-mail to avoid being hurt by an online scam.
3. Social Media Hacking
Social media hacking occurs when someone gains access to your personal social media accounts.
Sometimes, social media hacks can be completely harmless. Other times, it can potentially
destroy a person’s life, causing them to lose work and sleep, or worse. Just look at all the
celebrities who have been victims of social media hacks that revealed private, sexually explicit
images without their permission.
4. Malware
When a piece of software is coded with the intent to cause harm to your data and devices, it is
considered malware. Contracting malware or malicious software can damage devices like
computers, tablets, and phones. Plus, culprits can gain access to personal information like your
credit card details. Malware describes a few different types of online viruses, including:
Trojan Horses
Spyware
Ransomware
Adware
Bots
Rootkits
Keyloggers
Logic Bombs
5. Ransomware
Although ransomware is a form of malicious software itself, this virus deserves its own spot on
the list. Ransomware attacks are part of internet crimes affecting many large, global corporations.
Ransomware is a virus that encrypts data and files after entering your network so that you can’t
access them.
Typically, ransomware attackers demand a large amount of money to retrieve encrypted data.
It’s a simple yet effective way for cybercriminals to make a quick buck off organizations with
substantial financial assets.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
6. Child Soliciting, Abuse, and Exploitation
Unfortunately, child abuse and exploitation are all too common on the internet. Between
grooming in virtual communities, human trafficking, and the dissemination of child
pornography, the cybercrimes units at state and federal levels have plenty of problems to track
down online.
In Minnesota, the possession of child pornography comes with a five-year prison sentence and
$5,000 in fines per photo. Those numbers increase to seven years and $10,000 per picture when
the images are sold.
7. Cyberstalking
Cyberstalking is just like real-life stalking, except it happens via the internet. Cyberstalking can
include any behaviors that utilize technology to threaten, extort, harass, or menace a person
online in a constant or consistent manner. Stalking of any kind, including cyberstalking, is one
of the classic warning signs of an abusive relationship.
8. Cyberbullying
Another hot-button issue is cyberbullying, while traditional in-person bullying has taken a back
seat. Cyberbullying is the use of electronic communication to threaten, intimidate, or harass a
person and is punishable by law, especially if it leads to self-inflicted harm by the victim. There
have been several big news stories concerning cyberbullying in recent years and federal
programs to prevent the perpetuation of cyberbullying.
9. Cyberterrorism
According to the FBI, cyberterrorism is any premeditated and politically motivated attack on
information, computer programs, systems, or data resulting in violence or harm against non-
combatant targets. Cyberterrorism can be carried out by sub-national groups or clandestine
agents. Examples of cyberterrorism include attacks that lead to:
Bodily Harm
Death
Explosions
Plane Crashes
Water Contamination
Severe Economic Loss
1. Worms :
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Worms are similar to a virus but it does not modify the program. It replicates itself more and
more to cause slow down the computer system. Worms can be controlled by remote. The main
objective of worms is to eat the system resources. The WannaCry ransomware worm in 2000
exploits the Windows Server Message Block (SMBv1) which is a resource-sharing protocol.
2. Virus :
A virus is a malicious executable code attached to another executable file that can be harmless
or can modify or delete data. When the computer program runs attached with a virus it performs
some action such as deleting a file from the computer system. Viruses can’t be controlled by
remote. The ILOVEYOU virus spreads through email attachments.
Basis of
Sr.No. Comparison WORMS VIRUS
A Virus is a malicious
A Worm is a form of malware executable code attached to
that replicates itself and can another executable file which
spread to different computers via can be harmless or can
1. Definition Network. modify or delete data.
The main objective of worms is
to eat the system resources. It
consumes system resources such
as memory and bandwidth and
made the system slow in speed
to such an extent that it stops The main objective of viruses
2. Objective responding. is to modify the information.
It doesn’t need a host to replicate It requires a host is needed
3. Host from one computer to another. for spreading.
4. Harmful It is less harmful as compared. It is more harmful.
Detection Worms can be detected and
and removed by the Antivirus and Antivirus software is used for
5. Protection firewall. protection against viruses.
Controlled Worms can be controlled by Viruses can’t be controlled
6. by remote. by remote.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Worms are executed via Viruses are executed via
7. Execution weaknesses in the system. executable files.
Worms generally comes from the Viruses generally comes
downloaded files or through a from the shared or
8. Comes from network connection. downloaded files.
Hampering computer Pop-up windows
performance by linking to
slowing down it malicious
Automatic opening websites
and running of Hampering
programs computer
Sending of emails performance by
without your slowing down it
knowledge After booting,
Affected the starting of
performance of web unknown
browser programs.
Error messages Passwords get
concerning to system changed without
9. Symptoms and operating system your knowledge
Installation of
Antivirus software
Never open email
attachments
Keep your operating Avoid usage of
system and system in pirated software
updated state Keep your
Avoid clicking on operating system
links from untrusted updated
or unknown websites Keep your
Avoid opening emails browser updated
from unknown as old versions are
sources vulnerable to
Use antivirus linking to
software and a malicious
10. Prevention firewall websites
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Internet worms, Instant Boot sector virus, Direct
messaging worms, Email worms, Action virus, Polymorphic
File sharing worms, Internet virus, Macro virus, Overwrite
relay chat (IRC) worms are virus, File Infector virus are
11. Types different types of worms. different types of viruses
Examples of viruses include
Examples of worms include Creeper, Blaster, Slammer,
12. Examples Morris worm, storm worm, etc. etc.
It does not need human action to It needs human action to
13. Interface replicate. replicate.
Its spreading speed is slower
14. Speed Its spreading speed is faster. as compared to worms.
There are several examples of crime that use computers they are as follows:
Espionage:
This is a process of spying on a person or business.
Malware creation:
The process of creating malware like viruses etc.
Cybersquatting:
It is a process of gaining personal information and trying to resell them.
Harvesting:
Here, hackers usually steal a person’s private information from an account and use it for illegal
activities.
Wiretapping:
Here, the hacker connects a device to a phone line and tries to listen to the conversations.
What is Digital Forensics?
Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used by the court of law. It is a science of
finding evidence from digital media like a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital-
related cases.
Digital Forensics helps the forensic team to analyzes, inspect, identifies, and preserve the
digital evidence residing on various types of electronic devices.
History of Digital forensics
Here, are important landmarks from the history of Digital Forensics:
Hans Gross (1847 -1915): First use of scientific study to head criminal investigations
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
FBI (1932): Set up a lab to offer forensics services to all field agents and other law
authorities across the USA.
In 1978 the first computer crime was recognized in the Florida Computer Crime Act.
Francis Galton (1982 – 1911): Conducted first recorded study of fingerprints
In 1992, the term Computer Forensics was used in academic literature.
1995 International Organization on Computer Evidence (IOCE) was formed.
In 2000, the First FBI Regional Computer Forensic Laboratory established.
In 2002, Scientific Working Group on Digital Evidence (SWGDE) published the first
book about digital forensic called “Best practices for Computer Forensics”.
In 2010, Simson Garfinkel identified issues facing digital investigations.
Objectives of computer forensics
Here are the essential objectives of using Computer forensics:
It helps to recover, analyze, and preserve computer and related materials in such a
manner that it helps the investigation agency to present them as evidence in a court of
law.
It helps to postulate the motive behind the crime and identity of the main culprit.
Designing procedures at a suspected crime scene which helps you to ensure that the
digital evidence obtained is not corrupted.
Data acquisition and duplication: Recovering deleted files and deleted partitions from
digital media to extract the evidence and validate them.
Helps you to identify the evidence quickly, and also allows you to estimate the potential
impact of the malicious activity on the victim
Producing a computer forensic report which offers a complete report on the
investigation process.
Preserving the evidence by following the chain of custody.
Process of Digital forensics
Digital forensics entails the following steps:
Identification
Preservation
Analysis
Documentation
Presentation
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Let’s study each in detail
Identification
It is the first step in the forensic process. The identification process mainly includes things like
what evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.
Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using
the digital device so that digital evidence is not tampered with.
Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on
evidence found. However, it might take numerous iterations of examination to support a
specific crime theory.
Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime
scene and reviewing it. It Involves proper documentation of the crime scene along with
photographing, sketching, and crime-scene mapping.
Presentation
In this last step, the process of summarization and explanation of conclusions is done.
However, it should be written in a layperson’s terms using abstracted terminologies. All
abstracted terminologies should reference the specific details.
Types of Digital Forensics
Three types of digital forensics are:
Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted files.
Network Forensics:
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer
network traffic to collect important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offers the tools
need to collect and analyze the data from wireless network traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and their
related metadata.
Malware Forensics:
This branch deals with the identification of malicious code, to study their payload, viruses,
worms, etc.
Email Forensics
Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw form
and then carving the data from Raw dump.
Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone
and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio, videos, etc.
Challenges faced by Digital Forensics
Here, are major challenges faced by the Digital Forensic:
The increase of PC’s and extensive use of internet access
Easy availability of hacking tools
Lack of physical evidence makes prosecution difficult.
The large amount of storage space into Terabytes that makes this investigation job difficult.
Any technological changes require an upgrade or changes to solutions.
Example Uses of Digital Forensics
In recent time, commercial organizations have used digital forensics in following a type of
cases:
Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Inappropriate use of the Internet and email in the workplace
Forgeries related matters
Bankruptcy investigations
Issues concern with the regulatory compliance
Introduction to Incident Response
You’ve been hacked!
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
What will be your reaction to this? Panic, clueless, or helpless?
That’s not the way to react to a cyberattack, and organizations who face these must have a
properly configured Incident Response plan to counteract the attack. With around 26,000
cyberattacks every day, and 18 every minute, the threat is more imminent and dangerous.
Hence, organizations must protect systems and thwart any cyberattacks that are bound to occur,
and an Incident Response plan is where you can place your bets to protect your systems.
Steps Involved in Incident Response: Incident Response Flow
There are six primary steps involved in Incident Response. Every time a cyberattack/ incident
occurs, the below-mentioned 6 steps are performed in a sequence either manually or
automatically.
1. Taking precautions and securing the systems beforehand
2. Identifying the incident/breach
3. Containing the cyberattack/ breach activity
4. Terminating the threat and any options to re-enter the system
5. Recovering and restoring the systems
6. Application of feedback and preparing for any future attacks
Now, let’s get into details about these steps to give you an overview of what these statements
refer to.
1. Preparation and precautions
Reviewing the existing remedial and preventive measures are the first step, which involves
performing a risk assessment that can determine the vulnerabilities in the system. The data
obtained from this assessment are utilized to reconfigure the systems to eliminate any
vulnerabilities and focus on securing the assets.
The two outcomes of the first step in Incident Response are:
Policies and configurations can be re-written to counteract the latest types of
attacks in the industry.
Processes and tools required to face any attack are determined.
2. Threat/Breach Identification
The earlier the threats are detected, the lesser the damage to the system. The process and tools
determined in the first stage help teams/professionals to detect and identify any suspicious
activity or a breach in the system. Once the attack is detected, the cybersecurity team must
identify the following:
Type of attack
Source of the cyberattack
The motive of the attacker
The above attributes are determined by accessing the error messages, log files, firewalls, and
intrusion detection systems. The data obtained can be stored for analysis that can help to block
any impending attacks.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
An effective practice that must be followed after a cyberattack:
Once the threat is identified and a complete overview of the breach is determined, the details
are communicated with the security team, authorities, stakeholders, legal team, and the users of
the website.
3. Threat/Breach Containment
As per the Incident Response process, once the threat is identified, the containment and
remedial measures must be immediately enacted. The Incident Response system must be set up
in such a way that this step is attained as soon as possible once the threat is detected to
minimize the damage caused.
Threat containment can be categorized into two phases:
1st Phase: Short Term Containment
In this phase, the attacked server is isolated from the rest of the systems.
By doing so, the spread of the threat is eliminated.
And in the meantime, temporary servers can be allocated to handle the load of the
servers which are down.
2nd Phase: Long Term Containment
The isolated servers are provided with the reconfigured patched versions, and the
system is set into
the recovery phase. At the same time, the unaffected
systems are given extra privacy and the patch is updated for them as well to prevent
future penetration.
4. Threat Elimination
This step entails removing the threat and restoring the affected systems to their previous
optimal conditions. Proper steps must be taken to eliminate all the traces of the attack. The
systems undergo quarantine and are made free from any malicious content.
5. Recovery and Restoration
The systems are brought back online with the latest patch and reconfigured codes. If you’ve
made it a point to backup your systems periodically, then recovery and restore would be a
walk-in-the-park for you. The cybersecurity team must ensure that the restored version of the
software is the cleanest version backed up before the attack.
The systems are tested, monitored, and validated before being made live after the attack. This
is to ensure that:
The reconfigured codes have been implemented properly
Monitoring any abnormal activity
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Hackers don’t return for round two
6. Feedback consideration and refinement
This is the concluding phase of Incident Response. The details accumulated and insights
received from the attack are reviewed in this step. This step allows organizations to figure out
whether their existing Incident Response plan went well, or if it needs reconfigurations if the
plan didn’t work.
The incident must be documented for future references and can be used as training and
improvisation material.
UNIT-2
Initial Response and forensic duplication
Initial Response:
Initial Response means the time it takes from Intel's initial report of the defect until Intel speaks
with the appropriate LMI subject matter expert. A forensic duplication is an accurate copy of
data that is created with the goal of being admissible as evidence in legal proceedings.
Furthermore, we define forensic duplication as an image of every accessible bit from the source
medium.
• Initial response is an activity that typically begins the entire IR process. Once the team confirms
that an incident is under way and performs the initial collection and response steps, the
investigation and remediation efforts are usually executed concurrently. The investigative team’s
purpose is solely to perform investigatory tasks.
•During the investigation, this team continually generates lists of what we call “leads.” •Leads
are actionable items about stolen data, network indicators, identities of potential •subjects, or
issues that led to the compromise or security incident. These items are immediately useful to the
remediation team, whose own processes take a significant amount of time to coordinate and plan.
In many cases, the activity that your team witnesses may compel you to take immediate action
to halt further progress of an intrusion. A forensic duplication is an accurate copy of data that is
created with the goal of being admissible as evidence in legal proceedings.
•Furthermore, we define forensic duplication as an image of every accessible bit from thesource
medium.
•We encourage you to consider all data you collect as evidence that may contribute to a legal
process. To that end, you should perform duplication with methods that are generally accepted
in the forensic community
A file that contains every bit of information from the source in a raw bitstream format
•Tools that create forensic duplicates:
•1. dd (ddis a command-line utility for Unix and Unix-like operating systems)(Data Dump)
•2. FTK Imager, Access Data
•3. Dfcldd, US DOD (Defence of computer forensics lab
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
•Computer Forensics Lab version of the dd command Volatile data collection from windows
systems:
Investigation: It is a process that develops and tests hypotheses to answer questions about events
that occurred. In general, computer forensics investigates data that can be retrievedfrom a
computers hard disk or other storage media.
Volatile Data: It is stored in system memory(system registers,cache,RAM) and is lostif the
machine loses its power,is shut down,or rebooted.
A simple duplication consists of making a copy of specific data. The data may consist of a
single file, a group of files, a partition on a hard drive, an entire hard drive, or other elements of
data storage devices and the information stored on them.
A forensic duplication is an accurate copy of data that is created with the goal of being
admissible as evidence in legal proceedings.
Furthermore, we define forensic duplication as an image of every accessible bit from the
source medium.
We encourage you to consider all data you collect as evidence that may contribute to a legal
process. To that end, you should perform duplication with methods that are generally accepted
in the forensic community.
Type of image formats are
1. Complete image
2. Partition
3. Logical
Volatile Data Collection
Volatile data is the data that is usually stored in cache memory or RAM. This volatile data is
not permanent this is temporary and this data can be lost if the power is lost i.e., when
computer looses its connection.
During any cyber crime attack, investigation process is held in this process data collection
plays an important role but if the data is volatile then such type of data should be collected
immediately. Volatile information can be collected remotely or onsite. If there are many
number of systems to be collected then remotely is preferred rather than onsite.
It is very important for the forensic investigation that immediate state of the computer is
recorded so that the data does not lost as the volatile data will be lost quickly. If the volatile
data is lost on the suspects computer if the power is shut down, Volatile information is not
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
crucial but it leads to the investigation for the future purpose. To avoid this problem of storing
volatile data on a computer we need to charge continuously so that the data isn’t lost. So that
computer doesn’t loose data and forensic expert can check this data sometimes cache contains
Web mail.
This volatile data may contain crucial information.so this data is to be collected as soon as
possible. This process is known “Live Forensics”.
1. Initially create response tool kit.
2. Storing in this information which is obtained during initial response.
3. Then obtain volatile data
4. Then after that performing in in-depth live response.
5. Collecting Volatile DataRecord the system time and dateSandwich your data-retrieval
commands between time and date commandsDocument the commands used during
initial responsedoskey /historyScripting your initial response
6. OutlinePrefaceCreating a Response ToolkitStoring Information Obtained during the
Initial ResponseObtaining Volatile DataPerforming an In-Depth Live Response
7. PrefaceFind evidence and properly remove rogue programs without disrupting any
services
8. Creating an In-Depth Response Toolkit
9. Collecting Live Response DataTwo key sources of evidence on Windows NT/2000The
event logsThe Registry Four approach to obtain quite a bit of informationReview the
event logsReview the RegistryObtain system passwordsDump system RAM
10. Review the event logsauditpolNTLastdumpel
11. Successful logons
12. Enumerate failed console logons
13. List all successful logons from remote systems
14. Review the RegistryregdumpCreate an enormous text file of the Registryreg
queryExtract just the Registry key values of interest
15. Obtaining System Passwordspwdump3eDump the passwords from the Security
Accounts Manager (SAM) database
16. Dumping System RAMuserdump.exe (MS OEM Support Tools)Two types of
memoryUser mode (application) memoryFull-system memory
Forensic Duplication
Forensic duplication is the copying of the contents of a storage device completely and without
alteration. The technique is sometimes known as bitwise duplication, sector copying, or
physical imaging. Forensic duplication is the primary method for collecting hard disk, floppy,
CD/DVD, and flash-based data for the purpose of evidence gathering.
Types Of Forensics Duplication Process with Example.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
What are the benefits of using forensic duplication?
Forensic duplication is the process of copying information from a source device to a
destination device. The benefits of using forensic duplication are that it can be used to recover
data from a broken or damaged storage device. It can also be used as an evidence-gathering
technique in legal or criminal investigations. This is because it preserves the original evidence
and doesn't alter the data on the source device. What are the drawbacks of using a forensic
duplicate?
There are many reasons why a forensic duplicate of a hard drive may not be the best option.
1) The copy process is time-consuming and can take weeks to complete.
2) There is always the risk of data loss or corruption during the copy process.
3) The original drive might be damaged or corrupted before a forensic duplicate can be
completed, so it would be pointless to create one in the first place. How do I use a forensic
duplicate in my workflow? A forensic duplicate is a copy of an entire disk volume, which is
created by copying all the files and folders on the disk volume to a separate folder. The
forensic duplicate is typically used when an original disk has been corrupted or damaged so
that it cannot be mounted.
The forensic duplicate can be used as evidence in court, but this may not always work. In cases
where courts need to determine if data was changed or deleted, they will need to examine the
original evidence rather than relying on a copy. How do I create a forensic duplicate?
A forensic duplicate is a copy of a file or folder that is created in order to make it easier to
retrieve information from the original. There are three ways to create a forensic duplicate
which are: 1. Command line 2. Disk Utility
Admissibility of evidence
Evidence is legally admissible when it:is offered to prove the facts of a case; and
does not violate the Constitution or other legal statutes.(2)
The golden rule of admissibility is that all evidence which could be relevant is admissible and
evidence that is irrelevant is inadmissible.(3) Therefore, the courts must determine whether
digital evidence could be relevant to the disputed facts of the case and whether it is suitable and
safe to be admitted in proceedings. In practice, admissibility is a set of legal tests carried out by
a judge to assess an item of evidence according to the following criteria:
Relevance and reliability – digital evidence should be examined for traces of
tampering, deletion or other changes. The system that gave the relevant results must
function properly and produce accurate results. In this respect, a recent Supreme
Court decision upheld a first-instance judgment ordering the appointment of an IT
expert who could obtain information from the server of a third party which was
essential for the case.(4)
Illegally obtained evidence – in principle, evidence obtained in violation of the
Constitution is inadmissible. As a result, some forms of digital evidence, such as IP
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
addresses, may not be accepted by the courts, as the IP address of a user is closely
connected with their privacy, a human right that is protected under the
Constitution.(5) However, pursuant to Law 183(I)/07, evidence concerning the
privacy of a person may be given to the police for investigation purposes. The ability to obtain
such evidence is limited to cases where the police are investigating felonies and a court order
has been issued for that purpose.(6)
Assessing authenticity of evidence – the courts must be satisfied that evidence was
acquired from a specific system or location and a complete and accurate copy of
digital evidence is needed. Further, evidence must remain unchanged from when it
was collected. This can be achieved by hashing the digital evidence (Md5, SHA). If
the hashed code is the same, it proves that the digital evidence has not been
tampered with.
Documents to demonstrate and support the authenticity of the evidence – a chain of
custody to record the transfer of the evidence, integrity documentation to compare
the digital fingerprint of the evidence, taken at the time of collection and the
fingerprint in its current state are required.
Best evidence – the best available evidence should be provided to the court. Courts
generally accept identical duplicates, especially in cases where it is adequately
proved that the original evidence has been lost or destroyed,(7) unless a question is
raised about the authenticity of the original and the accuracy of the copy.
Search warrants – evidence may not be admitted in court if it has been obtained
without authorisation.
Scientific evidence and process – the admissibility of digital evidence and the tools, methods
and techniques used in the investigation can be challenged in court
Forensic Duplication Tool Requirements:
It satisfy the following criteria
1. The tool shall make a bitstream duplicate or an image of an original disk or partition.
2. The tool shall not alter the original disk
3. The tool will be able to verify the integrity of a disk image file.
4. The tool shall log I/O errors.
5. The tool’s documentation shall be correct.
6. The tool should create a mirror image or forensic duplicate of the original storage media.
7. The tool must be able to handle read errors.
8. The tool should not make any changes to the source medium.
9. The tool must have the capability to be held up to scientific review . Results must be verifiable
by the third party.
10. If there are no errors accessing the source, then the tool shall create a bitstream duplicate or
image of the source.
11. If there are I/O errors accessing the source , then the tool shall create a qualified bitstream
dplicate or image of the source.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
12. The tool shall log I/O errors in an accessible and readable form, including the type of errors
and location of errors.
13.The tool shall be able to access disk drives through one or more well-defined interfaces.
14. The tools working procedures should be correctly documented so that it should be matched
with expected result.
15. It also keep information of copied data over larger destination area.
16. Whenever destination is smaller that source documents in terms of memory then it will be
notified to source regarding copy or transfer action
Creating a Forensic. Duplicate/Qualified Forensic Duplicate of a Hard Drive
Types of forensic copies:
There are two main types of forensic copies.
Copy ‘drive to drive’ – when acquiring like this, the data from the hard drive (digital source) is
transferred to another one. If the destination drive has a larger size, then the unused drive space
is filled with zeros.
Copy ‘drive to file’ – when acquiring like this, the data from the hard drive (digital source) is
transferred to a file located on another drive. This creates a sector-by-sector copy of the hard
drive under study. Usually, this image has the format DD (RAW) or Encase (E01).
Extracting the hard drive.
For our example, we will consider creating a forensic image of the FUJITSU SIEMENS Amilo
M3438G hard drive.
Creating the forensic image of the hard drive.
When creating forensic images of media, used hardware or software recording blockers. This is
done in order to exclude the possibility of accidental modification of data on them. We will use
the hardware lock WiebeTECH Forensic UltraDock V5. This blocker emulates the functions of
writing, moving, deleting files on a connected hard drive for proper operation in a Windows
environment. In this case, in fact, no data on the source drive is changed.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
UNIT-3
Forensics analysis and validation
Objectives
Determine what data to analyze in a computer forensics investigation
Explain tools used to validate data
Explain common data-hiding techniques
Describe methods of performing a remote acquisition
Approaching Computer Forensics Cases
Some basic principles apply to almost all computer forensics cases
The approach you take depends largely on the specific type of case you’re investigating
Basic steps for all computer forensics investigations
For target drives, use only recently wiped media that have been reformatted
And inspected for computer viruses
Inventory the hardware on the suspect’s computer and note the condition of the computer
when seized
Remove the original drive from the computer
Check date and time values in the system’s CMOS
Record how you acquired data from the suspect drive
Process the data methodically and logically
Digital forensics is a computer forensic science that involves the process of seizure,
acquisition, analysis, and reporting of evidence found in electronic devices and media to be
used in a court of law. Following is a detailed description of each phase.
1) Seizure
The seizure step involves marking the elements that will be used in later processes.
Photographs of the scene and notes are taken. An important question to answer in this phase is
whether or not to pull the plug on the network. Leaving the system online while proceeding
may alert the attacker, allowing him to wipe the attack traces and destroy evidences. The
attacker may also leave a dead man switch, which destroys the evidence once the system goes
offline. In such circumstances, it may be necessary or advisable for to gather evidence from the
system while it is running or in a live state, being fully aware that this causes changes to the
system and reasons for taking this approach must be explained.
2) Acquisition
After the seizure phase comes the data collection/acquisition. The data must be acquired
without altering or damaging the source to be analyzed later. Notice that an illegal seizure or
improper methodology can affect the admissibility of the evidence in court. Following the
applicable rules of evidence, evidence is admitted into court when permitted by the judge. For
this reason, methods of acquiring evidence should be forensically sound and verifiable.
Acquisition can be physical or logical. In physical acquisition, a bit stream image is captured
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
from a physical storage media, while in a logical acquisition, a sparse or logical image is
captured from storage media. In both cases, write blockers are to be used to prevent the
evidence from being modified. The duplicate image must be verified that is identical to the
source by comparing the hash value of the acquired image/copy and the original media data.
It is always recommended to start capturing from the most to the least data. The order of
volatility is:
Registers, cache
Network state (ARP cache and routing table)
Running processes
Kernel modules and statistics
Main memory
Temporary files on disk
There are several tools for acquiring data, most of which are software-based and require
training to successfully perform the collection phase. InfoSec Institute offers hand-on labs to
learn and practice data acquisition and evidence collection using popular commercial and
open-source tools in a real forensics environment and real use-cases.
3) Analysis
In the analysis phase, evidence should be extracted by interpreting the acquired information.
Appropriate methodologies and standards should be followed during this procedure (described
in the next section). The investigator should examine the acquired copy/image of the media,
not the original media.
The examiner may use additional tools to conduct special actions and help retrieve additional
information, such as deleted files. Those tools must be validated to ensure their correctness and
reliability, as noted above. Referring to the requestor documentation, the examiner extracts
evidence from the collected data. Typically, there are two approaches: The examiner looks for
something he doesn’t know within something he knows. This can be infected programs,
opened programs, erased documents, Internet history, or chat/calls history. Otherwise, he looks
for something he knows in something he don’t know, trying to extract meaningful information
from unstructured data, such as URLs, email addresses, or cryptographic keys through the use
of carving techniques. The evidence found is then assembled to reconstruct events or actions to
provide facts. In the case of multiple sources, the evidence is aggregated and correlated
together. The facts may identify the attack scenario, attacker identity, attacker location, or any
other relevant information, which is provided to the requestor.
In contrast with the seizure phase (which can be conducted by non-experts), acquisition and
analysis phases must be conducted by experts. Examiners must have knowledge and be
properly trained. InfoSec Institute offers accelerated in-depth computer forensics boot camp
sessions that include seminar-style lectures and hands-on labs focusing on identifying,
preserving, extracting, analyzing, and reporting computer forensic evidence.
4) Reporting
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
After the examination is complete, the results are reported, along with a detailed description of
the steps conducted during the investigation. An examination report typically includes the
following details: information related to the acquisition phase (the person who did the
examination, when it was done, what software/hardware tools were used, and what version
numbers), the original data hash and the acquired data hash, photographs taken. Detailed
information related to the examination phase, such as descriptions of the examined media
(volatile memory, hard disk, etc.), are also included in the report. This allows another examiner
to be able to identify what has been done and to access the findings independently. Further
actions are determined after the report is reviewed.
Data Hiding Techniques
Data-hiding techniques include:
Hiding Partitions • We can create a partition and then hide it using a disk editor.
• We can get access to hidden partitions using tools such as: GDisk, PartitionMagic, System
Commander, and LILO.
• We should account for all disk space when analyzing a disk. Windows creates a partition gap
between partitions automatically; however, we might find a gap that’s larger than it should be.
Marking Bad Clusters
• One data-hiding technique is placing sensitive or incriminating data in free space on disk
partition clusters. This method is more common in FAT file systems.
• This technique involves using a disk editor, such as Norton DiskEdit, to mark good clusters
as bad clusters.
• The OS then considers these clusters unusable.
• The only way they can be accessed from the OS is by changing them to good clusters with a
disk editor.
• To mark a good cluster as bad using Norton Disk Edit, we type the letter B in the FAT entry
corresponding to that cluster.
Bit-Shifting
• Bit-shifting is an old technique that shifts bit patterns to alter byte values of data and makes
files look like binary executable code.
• A well-known technique for hiding data is shifting bit patterns to alter the byte values of data.
• Bit-shifting changes data from readable code to data that looks like binary executable code.
• Hex Workshop includes a feature for shifting bits and altering byte patterns of entire files or
specified data. To shift bits in a text file, follow these steps:
1. Create a file in Notepad and Save it as Bit_shift.txt.
2. Start Hex Workshop and open the file Bit_shift.txt from the menu.
3. To set up Hex Workshop for the bit-shifting exercise, click Options, Toolbars from the
menu.
4. In the Customize dialog box, click the Data Operations check box, and then click OK.
5. Click the Shift Left button (<< icon) on the Data Operations toolbar. The Shift Left
Operation dialog box opens, where we specify how we want to treat the data, the
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
ordering scheme to use for bytes, and whether we shift bits for selected text or the
entire file.
6. Click OK to accept the default settings and shift the bits in Bit_shift.txt to the left
Acquiring a remote device
Acquiring a remote device image with Belkasoft Evidence Center (BEC) is straightforward.
The process looks like this:
First, you need to deploy an agent to a remote computer. BEC provides you with
two deployment options, remote and local.
Second, you can acquire an image of the PC. Also, you can collect data from RAM
and mobile devices connected to the PC.
Third, you can schedule such an image to be uploaded to the central storage of your
choice at a specified time.
How-to
Click on the "View" main menu item.
Then click on "Remote acquisition". The following screen will be shown:
Network Forensics
Network forensics is a subcategory of digital forensics that essentially deals with the
examination of the network and its traffic going across a network that is suspected to be
involved in malicious activities, and its investigation for example a network that is spreading
malware for stealing credentials or for the purpose analyzing the cyber-attacks. As the internet
grew cybercrimes also grew along with it and so did the significance of network forensics,
with the development and acceptance of network-based services such as the World Wide Web,
e-mails, and others.
With the help of network forensics, the entire data can be retrieved including messages, file
transfers, e-mails, and, web browsing history, and reconstructed to expose the original
transaction. It is also possible that the payload in the uppermost layer packet might wind up on
the disc, but the envelopes used for delivering it are only captured in network traffic. Hence,
the network protocol data that enclose each dialog is often very valuable.
For identifying the attacks investigators must understand the network protocols and
applications such as web protocols, Email protocols, Network protocols, file transfer protocols,
etc.
Investigators use network forensics to examine network traffic data gathered from the networks
that are involved or suspected of being involved in cyber-crime or any type of cyber-attack.
After that, the experts will look for data that points in the direction of any file manipulation,
human communication, etc. With the help of network forensics, generally, investigators and
cybercrime experts can track down all the communications and establish timelines based on
network events logs logged by the NCS.
Processes Involved in Network Forensics:
Some processes involved in network forensics are given below:
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Identification: In this process, investigators identify and evaluate the incident
based on the network pointers.
Safeguarding: In this process, the investigators preserve and secure the data so that
the tempering can be prevented.
Accumulation: In this step, a detailed report of the crime scene is documented and
all the collected digital shreds of evidence are duplicated.
Observation: In this process, all the visible data is tracked along with the metadata.
Investigation: In this process, a final conclusion is drawn from the collected shreds
of evidence.
Documentation: In this process, all the shreds of evidence, reports, conclusions are
documented and presented in court.
Challenges in Network Forensics:
The biggest challenge is to manage the data generated during the process.
Intrinsic anonymity of the IP.
Address Spoofing.
Bit-stream disk-to-image files
This is the most common data acquisition method in the event of a cybercrime. It involves
cloning a disk drive, which allows for the complete preservation of all necessary evidence.
Programs used to create bit-stream disk-to-image files include FTK, SMART, and ProDiscover,
among others.
Bit-stream disk-to-disk files
When it is not possible to create an exact copy of a hard drive or network, different tools can be
used to create a disk-to-disk copy. While certain parameters of the hard drive may be changed,
the files will remain the same.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Logical acquisition
Logical acquisition involves collecting files that are specifically related to the case under
investigation. This technique is typically used when an entire drive or network is too large to be
copied.
Sparse acquisition
There are five steps in a digital forensics investigation, the first two of which are the most critical
during data acquisition (EC-Council, 2021b):
Identification
Preservation
Analysis
Documentation
Presentation
The first stage involves ensuring that all files and evidence related to the ongoing investigation
have been properly identified. This involves conducting an appropriate examination of the device
or network in question as well as interviewing the individuals involved in the network breach.
These individuals may have guidance for your investigation or other useful information and may
be able to tell you how the breach in question occurred.
The second stage is preservation of evidence: maintaining the data in the state in which it is
found for later examination and analysis. No one else should be able to access the information
in question. After completing these steps, you can move on to copying, examining, and analyzing
the evidence.
DEVELOPING STANDARD PROCEDURES FOR NETWORK FORENSICS
• Network forensics is used to determine how a security breach occurred; however, steps must
be taken to harden networks before a security breach happens.
• Layered network defense strategy, which sets up layers of protection to hide the most valuable
data at the innermost part of the network.
• It also ensures that the deeper into the network an attacker gets, the more difficult access
becomes and the more safeguards are in place.
• The National Security Agency (NSA) developed an approach, called the defense in depth (DiD)
strategy.
• DiD has three modes of protection:
1. People
2. Technology
3. Operations
If one mode of protection fails, the others can be used to thwart the attack.
Listing people as a mode of protection means organizations must hire well-qualified people and
treat them well so that they have no reason to seek revenge. Organizations should make sure
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
employees are trained adequately in security procedures and are familiar with the organization’s
security policy.
TOOLS
The following are a few functions of a Network Forensic Analysis Tool:
Network traffic capturing and analysis
Evaluation of network performance
Detection of anomalies and misuse of resources
Determination of network protocols in use
Aggregating data from multiple sources
Security investigations and incident response
Protection of intellectual property
Network forensics tools can be classified based on many criteria, for example host based or
network-wide-based forensics tools. In this article, we classify those tools as either general
purpose tools, specific tasks tools, or libraries/framework.
General purpose tools
This category include Packet collectors (sniffers), protocol analyzers and Network Forensic
Analyzers
dumpcap, pcapdump and netsniff-ng are example of packet sniffers, which record packets
from the network and store them on files.
tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to
inspect recorded traffic. They can be either packet-centric or session-centric.
Xplico and NetworkMiner are Network Forensic Analysis (NFAT) tools. These tools are data-
centric which analyze the traffic content.
Specific Tasks Tools
These are often small programs written to do just one thing.
Intrusion detection (snort, suricata, bro)
Match regular expressions (ngrep)
Extract files (nfex) or pictures (driftnet)
Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds)
Extract emails (mailsnarf, smtpcat)
Print network/packet statistics (ntop, tcpstat, tstat)
Extract SSL information (ssldump), Reconstruct TCP flows (tcpflow, tcpick)
Fingerprinting (p0f, prads)
How do honeynets work?
Building a realistic trap for a hacker isn't easy. Honeynets rely on a series of elements, all
working together seamlessly.
Honeynets contain:
Honey pots. These computer systems are set up to trap hackers. Sometimes, they're
used for research purposes. And sometimes, they're decoys that lure hackers away from
valuable resources. When plenty of pots come together, a net is formed.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Applications and services. Hackers must be convinced that they've entered a valid,
worthwhile environment.
No authorized activity or users. A true honeynet has no use aside from trapping
hackers.
Honeywalls. You must be able to study and learn from the honeynet attack. The system
should keep accurate records of traffic moving into and out of the honeypot.
A lure entices your hacker to enter one of your honey pots. Once there, the hacker attempts to
gain deeper access to your system. At that point, the attack has moved into your honeynet, and
the research can begin.
What Are Honeynets Used For?
Most security professionals spend every minute of the workday trying to keep hackers out.
Why would they want to bring them in? The data you pull from a honeypot can be crucial.
Imagine that you believe you've built the strongest, safest network for your company. You've
told everyone the system can't be breached. But are you really sure? What vulnerabilities are
you leaving behind? And if someone got inside, what would happen next?
Honeynets help you answer questions just like this. You'll watch a hacker move through a
mirror image of your system, and you'll see just where you went wrong. You can fix your
mistakes long before your company loses anything valuable.
You could use simple honey pots for research. But hackers expect to find more than one
machine when they breach a company's infrastructure. Building a honeynet allows the
deception to last longer, and that could result in more data.
Honeynet Research Continues
Individual system administrators aren't the only professionals interested in hacker techniques.
Governments, educators, and law enforcement officials also want to know how to stop theft
and build a safer online world. The Honeynet Project may help.
Started in 1999, the Honeynet Project exists to research hackers via honeypots and honeynets.
Volunteers within the group use normal computers set up as bait, and they monitor activity
closely to spot attacks.
The Honeynet Project's mission is to, "Learn the tools, tactics, and motives involved in
computer and network attacks, and share the lessons learned." The team follows three basic
pillars in their work.
1. Conduct research. Volunteers build networks and try out security tools for blocking
purposes. They gather up information on how hackers work and what software tools
they use.
2. Build awareness. The team shares the results of all research, so the security
community can understand current threats and prevention approaches.
3. Create tools. If organizations want to build their own honeynets and honey pots, the
team offers information about the tools and techniques they've developed.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
UNIT -IV
Current Forensic tools
Evaluating computer forensic tool needs
International Organization for Standardization (ISO) associated with the International
Electrotechnical Commission (IEC) created this standard in order to provide laboratories general
requirements to carry out, tests, calibrations and sampling. The main requirements are the
following:
• Management system
• Document control
• Subcontracting of tests and calibrations
• Purchasing services and supplies
• Service to the customer
• Complaints
• Corrective action
• Preventive action
• Test and calibration methods and method validation
• Assuring the quality of test and calibration results
• Reporting the results
NIST Standardised Approach of Tool Evaluation
In the Computer Forensics Tool Testing (CFTT) project, NIST developed methodologies
to validate a range of forensics tools, initally focusing on data acquisition tools and write
blocker
Before looking at solutions to validate and verify digital forensic processes, it isessential to
define:
Validation. This is the confirmation by examination and the provision of objectiveevidence
that the particular requirements for a specific intended use are fulfilled”
Verification. This is the confirmation of validation with a laboratories tools,techniques and
procedures”
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Some Computer forensics tools
Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate
tools for acquiring an image.
• However, some investigators opt to use hardware devices, such as the Logicube Talon, VOOM
HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc.,
for acquiring an image.
• These hardware devices have their own built-in software for data acquisition.
• No other device or program is needed to make a duplicate drive; however, you still need
forensics software to analyze the data
All computer forensics acquisition tools have a method for verification of the data-copying
process that compares the original drive with the image.
• For example, EnCase prompts you to obtain the MD5 hash value of acquired data,
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
• FTK validates MD5 and SHA-1 hash sets during data acquisition, and Safe Back runs an
SHA-256 hash while acquiring data.
• Hardware acquisition tools, such as Image MASSter Solo, can perform simultaneous MD5
and CRC-32 hashing during data acquisition.
• Whether you choose a software or hardware solution for your acquisition needs, make sure
the tool has a hashing function for verification purposes
Image creation: FTK imager
Autopsy and The Sleuth Kit are designed to examine disk images of hard drives, smart phones
and so on. The benefit of analyzing an image (rather than a live drive) is that the use of an
image allows the investigator to prove that they have not made any modifications to the drive
that could affect the forensic results.
Memory forensics: volatility
Tools like The Sleuth Kit focus on the hard drive, but this is not the only place where forensic
data and artifacts can be stored on a machine. Important forensic information can be stored in
RAM, and this volatile memory must be collected quickly and carefully to be forensically valid
and useful.
Windows registry analysis: Registry recon
The windows registry acts as a database of configuration information for the Windows OS and
the applications running on it. These applications can store a variety of different data in the
registry, and the registry is one of the common locations where malware deploys persistence
mechanisms.
Mobile forensics: Cellebrite UFED
Mobile adoption is constantly growing, and many organizations allow employees to use these
devices at work either via BYOD programs or corporate-owned devices. Additionally, these
devices are a growing target of cyberattacks, such as phishing, making them a likely source of
valuable forensic information.
Network analysis: Wireshark
Many forensics tools focus on the endpoint, but this is not the only source of useful data in a
forensics investigation. Most cyberattacks occur over the network, and analysis of network
traffic captures can help with the identification of malware and provide access to data that may
have already been deleted and overwritten on the endpoint.
Linux distributions: CAINE
Many of the tools presented here (and many other digital forensics tools besides them) are free
and open-source. While this makes them easy to acquire, installation and configuration can be
complex. To simplify this process, a number of different Linux digital forensics distributions
are available as virtual machines. These VMs include a number of tools pre-installed and
preconfigured.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Computer forensics tools are designed to ensure that the information extracted from computers
is accurate and reliable. Due to the wide variety of different types of computer-based evidence,
a number of different types of computer forensics tools exist, including:
Disk and data capture tools
File viewers
File analysis tools
Registry analysis tools
Internet analysis tools
Email analysis tools
Mobile devices analysis tools
Network forensics tools
Database forensics tools
1. Autopsy/The Sleuth Kit
2. X-Ways Forensics
3. AccessData FTK
4. EnCase
5. Mandiant RedLine
Mandiant RedLine is a popular tool for memory and file analysis. It collects information about
running processes on a host, drivers from memory and gathers other data like meta data,
registry data, tasks, services, network information and internet history to build a proper report.
Read more here.
6. Paraben Suite
The Paraben Corporation offers a number of forensics tools with a range of different licensing
options. Paraben has capabilities in:
Desktop forensics
Email forensics
Smartphone analysis
Cloud analysis
IoT forensics
Triage and visualization
The E3:Universal offering provides all-in-one access, the E3:DS focuses on mobile devices
and other license options break out computer forensics, email forensics and visualization
functionality.
Read more here.
7. Bulk Extractor
Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images,
file or directory of files to extract useful information. In this process, it ignores the file system
structure, so it is faster than other available similar kinds of tools. It is basically used by
intelligence and law enforcement agencies in solving cybercrimes.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Currently, the latest version of the software, available here, has not been updated since 2014.
However, a version 2.0 is currently under development with an unknown release date. It can be
found here.
Registry analysis
The Windows registry serves as a database of configuration information for the OS and the
applications running on it. For this reason, it can contain a great deal of useful information
used in forensic analysis.
8. Registry Recon
Registry Recon is a popular commercial registry analysis tool. It extracts the registry
information from the evidence and then rebuilds the registry representation. It can rebuild
registries from both current and previous Windows installations.
Read more about it here.
Memory forensics
Analysis of the file system misses the system’s volatile memory (i.e., RAM). Some forensics
tools focus on capturing the information stored here.
9. Volatility
Volatility is the memory forensics framework. It is used for incident response and malware
analysis. With this tool, you can extract information from running processes, network sockets,
network connection, DLLs and registry hives. It also has support for extracting information
from Windows crash dump files and hibernation files. This tool is available for free under GPL
license.
Read more about the tool here.
10. WindowsSCOPE
Network analysis
Most cyberattacks occur over the network, and the network can be a useful source of forensic
data. These network tools enable a forensic investigator to effectively analyze network traffic.
11. Wireshark
Wireshark is the most widely used network traffic analysis tool in existence. It has the ability
to capture live traffic or ingest a saved capture file. Wireshark’s numerous protocol dissectors
and user-friendly interface make it easy to inspect the contents of a traffic capture and search
for forensic evidence within it.
Read more here.
12. Network Miner
Network Miner is a network traffic analysis tool with both free and commercial options. While
many of the premium features are freely available with Wireshark, the free version can be a
helpful tool for forensic investigations. It organizes information in a different way than
Wireshark and automatically extracts certain types of files from a traffic capture.
Read more here.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
13. Xplico
Xplico is an open-source network forensic analysis tool. It is used to extract useful data from
applications which use Internet and network protocols. It supports most of the popular
protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. Output data
of the tool is stored in an SQLite database or MySQL database. It also supports both IPv4 and
IPv6.
Read more about this tool here.
Mobile device forensics
Mobile devices are becoming the main method by which many people access the internet.
Some mobile forensics tools have a special focus on mobile device analysis.
14. Oxygen Forensic Detective
Oxygen Forensic Detective focuses on mobile devices but is capable of extracting data from a
number of different platforms, including mobile, IoT, cloud services, drones, media cards,
backups and desktop platforms. It uses physical methods to bypass device security (such as
screen lock) and collects authentication data for a number of different mobile applications.
Oxygen is a commercial product distributed as a USB dongle.
More information here.
15. Cellebrite UFED
Cellebrite offers a number of commercial digital forensics tools, but its Cellebrite UFED
claims to be the industry standard for accessing digital data. The main UFED offering focuses
on mobile devices, but the general UFED product line targets a range of devices, including
drones, SIM and SD cards, GPS, cloud and more. The UFED platform claims to use exclusive
methods to maximize data extraction from mobile devices.
More information here.
16. XRY
XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is
a suite of tools designed to interface with the mobile device operating system and extract the
desired data. XRY Physical, on the other hand, uses physical recovery techniques to bypass the
operating system, enabling analysis of locked devices.
Email Forensic Investigation Techniques
Email forensics refers to analyzing the source and content of emails as evidence. Investigation
of email related crimes and incidents involves various approaches.
Header Analysis
Email header analysis is the primary analytical technique. This involves analyzing metadata in
the email header. It is evident that analyzing headers helps to identify the majority of email-
related crimes. Email spoofing, phishing, spam, scams and even internal data leakages can be
identified by analyzing the header.
Server Investigation
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
This involves investigating copies of delivered emails and server logs. In some organizations
they do provide separate email boxes for their employees by having internal mail servers. In
this case, investigation involves the extraction of the entire email box related to the case and
the server logs.
Network Device Investigation
In some investigations, the investigator requires the logs maintained by the network devices
such as routers, firewalls and switches to investigate the source of an email message. This is
often a complex situation where the primary evidence is not percent (when the ISP or proxy
does not maintain logs or lacks operation by ISP [2]).
Software Embedded Analysis
Some information about the sender of the email, attached files or documents may be included
with the message by the email software used by the sender for composing the email [2]. This
information may be included in the form of custom headers or in the form of MIME content as
a Transport Neutral Encapsulation Format (TNEF)[2].
Sender Mail Fingerprints
The “Received” field includes tracking information generated by mail servers that have
previously handled a message, in reverse order. The “X-Mailer” or “User-Agent” field helps to
identify email software. Analyzing these fields helps to understand the software, and the
version used by the sender.
Use of Email Trackers
In some situations, attackers use different techniques and locations to generate emails. In such
situations it is important to find out the geographical location of the attacker. To get the exact
location of the attacker, investigators often use email tracking software embedded into the
body of an emaqil. When a recipient opens a message that has an email tracker attached, the
investigator will be notified with the IP address and geographical location of the recipient. This
technique is often used to identify suspects in murder or kidnapping cases, where the criminal
communicates via email.
Volatile Memory Analysis
Recent research has been conducted in analyzing spoofed mails from volatile memory [3].
Since everything passes through volatile memory, it is possible to extract email related
evidence (header information) from volatile memory.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Fake Emails
The biggest challenge in email forensics is the use of fake e-mails that are created by
manipulating and scripting headers etc. In this category criminals also use temporary email
which is a service that allows a registered user to receive email at a temporary address that
expires after a certain time period.
Spoofing
Another challenge in email forensics is spoofing in which criminals used to present an email as
someone else’s. In this case the machine will receive both fake as well as original IP address.
Anonymous Re-emailing
Here, the Email server strips identifying information from the email message before forwarding
it further. This leads to another big challenge for email investigations.
Techniques Used in Email Forensic Investigation
Email forensics is the study of source and content of email as evidence to identify the actual
sender and recipient of a message along with some other information such as date/time of
transmission and intention of sender. It involves investigating metadata, port scanning as well as
keyword searching.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Some of the common techniques which can be used for email forensic investigation are
Header Analysis
Server investigation
Network Device Investigation
Sender Mailer Fingerprints
Software Embedded Identifiers
Electronic mail (email) can be defined as a process of exchanging information/messages
stored in a computer system by using an internet communication system. Emails generally
contain text but nowadays media and other types of files can also be attached. When an email
is sent then it goes to a remote computer say email server and stored there until the recipient
of the email go online and check it.
For sending and receiving any email an email address is needed, every email address comprises
three parts :
1. Username: It can be anything but following the guidelines decided by the email
provider.
2. Domain name/host: It is the mail server where the message will be stored. It can
be @gmail, @outlook, etc.
3. Domain Type: It tells whether a given email address is commercial like .com or
educational .edu and some other custom type.
For example, [email protected] is an email address, it has three-part, joy is a
username, @gmail shows a domain name, and .com shows a domain type.
Email System
A complete email system is formed with three things:
Microsoft Outlook: It is one of the best email clients as it has lots of features that
individuals can use for personal information management. It is a part of the Office 365 suite.
It can be used in both ways as stand-alone software and also as multiple-user software.
Some of the features of Microsoft Outlook are:
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
1. Task Management
2. Contact Management
3. Setting Reminders
4. Note Taking
5. Calendar Management
Mailbird: This email client is very useful in the management of multiple emails in a single
location with countless features and customizing options. It provides one of the modern
interfaces which is very easy to use even for new users. Integration of other apps like
LinkedIn, Whatsapp, Meet, and many more are possible here.
Some of the features of Mailbird are:
1. Email Tracking
2. Calendar syncing and integration options
3. The facility of speed reader
4. Feature of customizing themes
5. Events management
In order to understand the header information, it is necessary to understand the
structured set of fields available in the header. The following are some of the basic field
names and descriptions.
Uses of Mobile Forensics:
The military uses mobile devices to gather intelligence when planning military operations or
terrorist attacks. A corporation may use mobile evidence if it fears its intellectual property is
being stolen or an employee is committing fraud. Businesses have been known to track
employees’ personal usage of business devices in order to uncover evidence of illegal activity.
Law enforcement, on the other hand, may be able to take advantage of mobile forensics by
using electronic discovery to gather evidence in cases ranging from identity theft to homicide.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Process of Mobile Device Forensics:
Seizure and Isolation: According to digital forensics, evidence should always be
adequately kept, analyzed, and accepted in a court of law. Mobile device seizures
are followed by a slew of legal difficulties. The two main risks linked with this step
of the mobile forensic method are lock activation and network / cellular
connectivity.
Identification: The identification purpose is to retrieve information from the
mobile device. With the appropriate PIN, password, pattern, or biometrics, a locked
screen may be opened. Passcodes are protected, but fingerprints are not. Apps,
photos, SMSs, and messengers may all have comparable lock features. Encryption,
on the other hand, provides security that is difficult to defeat on software and/or
hardware level.
Acquisition: Controlling data on mobile devices is difficult since the data itself is
movable. Once messages or data are transmitted from a smartphone, control is gone.
Despite the fact that various devices are capable of storing vast amounts of data,
the data itself may be stored elsewhere. For example, data synchronization across
devices and apps may be done either directly or via the cloud. Users of mobile
devices commonly utilize services such as Apple’s iCloud and Microsoft’s One
Drive, which exposes the possibility of data harvesting. As a result, investigators
should be on the lookout for any signs that data may be able to transcend the mobile
device from a physical object, as this might have an impact on the data collecting
and even preservation process.
Examination and analysis: Because data on mobile devices is transportable, it’s
tough to keep track of it. When messages or data from a smartphone are moved,
control is lost. Despite the fact that numerous devices can hold vast amounts of
data, the data itself may be stored elsewhere.
Reporting: The document or paper trail that shows the seizure, custody, control,
transfer, analysis, and disposition of physical and electronic evidence is referred to
as forensic reporting. It is the process of verifying how any type of evidence was
collected, tracked, and safeguarded.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
List of forensic data collected from a mobile
Phonebook or contact records
SMS content, application-based messaging and multimedia content.
Missed call, Incoming, outgoing call history.
Pictures, recordings, and audio-video files.
Passwords, swipe codes, client’s account details.
To-do lists, notes, timetable and calendar entries, ringtones.
Documents, spreadsheets, and other user-created data.
Internet browsing history, cookies, search history, analytics information
Historical geolocation information, phone tower related area information, Wi-Fi
association data
Data from different installed applications.
System files, usage logs, saved error messages
Deleted information from the majority of the entities as mentioned above.
Procedure for Seizing Mobile devices Forensic
1. Securing the Scene
Data Volatility at the Scene: Use of jammers
Questions to be Asked
Device and Data Security
Backups
2. Exploring the Scene for Evidence
Photographing the Mobile forensic evidence
Other items at the crime scene
3. The collection, Processing, and Packaging of Mobile Device Evidence
Prior to Collection
Bagging Sensitive Evidence
Types of Bagging Equipment
Properly Bagging Mobile Device Evidence
4. Documentation Of Evidences: Tags and label
5. Transporting Mobile Device Evidence
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
UNIT-5
Working with Windows and DOS Systems
Files and folders are the non-detachable part of human life. We daily go through these two
name and use them unknowingly. These files do have different types, that has been evolved as
the requirement of the user and developers changed. Some tech giants build their own file
system to increase the market of their products, they also did changes and enhanced the
technology of storing file on any kind of storage.
Some of the most popular file storage systems are: –
(i). FAT
(ii). NTFS
(iii). HFS
(iv). EXT
(i). FAT (File Allocation Table):
FAT stands for File Allocation Table and this is called so because it allocates
different file and folders using tables. This was originally designed to handle
small file systems and disks. This system majorly has three variant FAT12,
FAT16 and FAT32 which were introduced in 1980, 1984 and 1996
respectively.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
ii). NTFS (New Technology File System):
Windows NT has come with a new file system called NTFS in 1993. This
stands for New Technology File System. This was an enhanced and more
advanced version of FAT systems. All Windows installation is done on NTFS,
it first formats the storage in NFTS format and then install on it. Mostly NTFS
is done on internal drives.
(iii). HFS (Hierarchical File System):
HFS stands for Hierarchical File System, as the name suggests us this is a
hierarchy of files and folders. This is especially designed for mac OS by
Apple. The higher version which is in market is AHFS Apple Hierarchical File
System. This was originally and initially designed for medial like floppy and
HDD, at some extent use on CD – Rom as read only.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
(iv). EXT (Extended File System):
Originally developed for UNIX and LINUX like Operating Systems. Its first
variant came into market in 1992.Variant by variant this has overcome the
limitations like size of single file, size of volume, number of files in a folder or
directory. We have many software which could help in developing ext2
environment on Windows OS.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
The Windows Registry is a collection of databases of configuration settings for Microsoft
Windows operating systems.
What Is the Windows Registry Used For?
How to Access the Windows Registry
The Windows Registry is accessed and configured using the Registry Editor program, a free
registry editing utility included by default with every version of Microsoft Windows going
back to Windows 95.
Registry Editor isn't a program you download. Instead, it can be accessed by
executing regedit from the Command Prompt or from the search or Run box from the Start
menu. See How to Open Registry Editor if you need help.
This editor is the face of the registry and is the way to view and make changes to the registry,
but it's not the registry itself. Technically, the registry is the collective name for various
database files located in the Windows installation directory.
How to Use the Windows Registry
The registry contains registry values (which are instructions), located within registry
keys (folders that contain more data), all within one of several registry hives (folders that
categorize all the data in the registry using subfolders). Making changes to these values and
keys change the configuration that a particular value controls.
How to Add, Change, & Delete Registry Keys & Values
Making changes to registry values solves a problem, answers a question, or alters a program
in some way:
How to Auto Login to Windows
How to Prevent Programs From Stealing Focus in Windows
How to Delete the UpperFilters and LowerFilters Registry Values
How to Check Your PC's BIOS Version in the Windows Registry
Where Is the Windows Registry Stored?
The SAM, SECURITY, SOFTWARE, SYSTEM, and DEFAULT registry files, among
others, are stored in newer versions of Windows (Windows XP through Windows 11) in
this System32 folder:
%SystemRoot%\System32\Config\
Older versions of Windows use the %WINDIR% folder to store registry data
as DAT files. Windows 3.11 uses only one registry file for the entire Windows Registry,
called REG.DAT.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
MS-DOS Operations
In the booting process of DOS, the following steps are performed when we start a computer –
1. Once the computer system is turned on, BIOS (Basic Input /Output System)
performs a series of activities or functionality test on programs stored in ROM,
called on Power-on Self Test (POST) that checks to see whether peripherals in
system are in perfect order or not.
2. After the BIOS is done with pre-boot activities or functionality test, it read
bootable sequence from CMOS (Common Metal Oxide Semiconductor) and looks
for master boot record in first physical sector of the bootable disk as per boot
device sequence specified in CMOS. For example, if the boot device sequence is
–
1. Floppy Disk
2. Hard Disk
3. CDROM
3. After this, master boot record will be searched first in a floppy disk drive. If not
found, then hard disk drive will be searched for master boot record. But if the
master boot record is not even present on hard disk, then CDROM drive will be
searched. If the system is not able to read master boot record from any of these
sources, ROM displays the message “No Boot device found” and system is
halted. On finding master boot record from a particular bootable disk drive,
operating system loader, also called Bootstrap loader is loaded from boot sector of
that bootable drive· into memory. A bootstrap loader is a special program that is
present in boot sector of bootable drive.
4. Bootstrap loader first loads the IO.SYS file. After this, MSDOS.SYS file is
loaded which is core file of DOS operating system.
5. After this, MSDOS.SYS file searches to find Command Interpreter
in CONFIG.SYS file and when it finds, it loads into memory. If no Command
Interpreter specified in the CONFIG.SYS file, the COMMAND.COM file is
loaded as default Command Interpreter of DOS operating system.
6. The last file is to be loaded and executed is the AUTOEXEC.BAT file that
contains a sequence of DOS commands. After this, the prompt is displayed, and
we can see drive letter of bootable drive displayed on the computer system, which
indicates that operating system has been successfully on the system from that
drive.
Types of Booting :
1. Cold Booting/Switch Booting –
When the user starts computer by pressing power switch on system unit, the
operating system is loaded from disk to main memory this type of booting is
called Cold Booting. This booting takes more time than Hot or Warm Booting.
2. Hot or Warm Booting –
Hot booting is done when computer system comes to no response state/hang state.
Computer does not respond to commands supplied by user. There are many reasons
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
for this state, only solution is to reboot computer by using the Reset button on
cabinet or by pressing a combination of ALT + CTRL + DEL keys from keyboard.
The start-up folder
When a Windows system boots, shortcuts to programs contained in your start-up folder are
launched automatically. Many installed programs will add a shortcut to this folder as part of
their installation process. For example, if you have Microsoft Office installed, there’s a good
chance that you’ll find a shortcut to the Office toolbar stored in this folder. When the shortcuts
contained in this folder are deleted, the particular program will no longer launch automatically.
Although having some programs load immediately is useful, a number of those placed in the
start-up folder are more obscure and probably not of much use to you on a daily basis.
How to Add, Delete, Enable, or Disable Startup Items in Windows 10
Startup items are the apps, shortcuts, folders, drives, etc... that are set to run or open
automatically at startup when a user signs in to Windows. Startup items can be added by either
the programs or drivers installed, or manually by you.
Starting with Windows 10 build 17025, Microsoft has updated the Advanced
options under Settings > Apps & Features so that UWP apps that are configured to run at
startup will now have a new option to see all available tasks specified by the app developer and
their status.
Virtual machines: virtual computers within computers
A virtual machine, commonly shortened to just VM, is no different than any other physical
computer like a laptop, smart phone, or server. It has a CPU, memory, disks to store your files,
and can connect to the internet if needed. While the parts that make up your computer (called
hardware) are physical and tangible, VMs are often thought of as virtual computers or
software-defined computers within physical servers, existing only as code.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
What are VMs used for?
Here are a few ways virtual machines are used:
Building and deploying apps to the cloud.
Trying out a new operating system (OS), including beta releases.
Spinning up a new environment to make it simpler and quicker for developers to run
dev-test scenarios.
Backing up your existing OS.
Accessing virus-infected data or running an old application by installing an older OS.
Running software or apps on operating systems that they weren't originally intended
for.
What are the benefits of using VMs?
While virtual machines run like individual computers with individual operating systems and
applications, they have the advantage of remaining completely independent of one another and
the physical host machine. A piece of software called a hypervisor, or virtual machine manager,
lets you run different operating systems on different virtual machines at the same time. This
makes it possible to run Linux VMs, for example, on a Windows OS, or to run an earlier version
of Windows on more current Windows OS.
And, because VMs are independent of each other, they're also extremely portable. You can move
a VM on a hypervisor to another hypervisor on a completely different machine almost
instantaneously.
Because of their flexibility and portability, virtual machines provide many benefits, such as:
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
lOMoARcPSD|42933711
R18 B.Tech. CSE Syllabus JNTU Hyderabad
Cost savings—running multiple virtual environments from one piece of infrastructure
means that you can drastically reduce your physical infrastructure footprint. This boosts
your bottom line—decreasing the need to maintain nearly as many servers and saving on
maintenance costs and electricity.
Agility and speed—Spinning up a VM is relatively easy and quick and is much simpler
than provisioning an entire new environment for your developers. Virtualization makes
the process of running dev-test scenarios a lot quicker.
Lowered downtime—VMs are so portable and easy to move from one hypervisor to
another on a different machine—this means that they are a great solution for backup, in
the event the host goes down unexpectedly.
Scalability—VMs allow you to more easily scale your apps by adding more physical or
virtual servers to distribute the workload across multiple VMs. As a result you can
increase the availability and performance of your apps.
Security benefits— Because virtual machines run in multiple operating systems, using
a guest operating system on a VM allows you to run apps of questionable security and
protects your host operating system. VMs also allow for better security forensics, and are
often used to safely study computer viruses, isolating the viruses to avoid risking their
host computer.
Cyber Forensics Malla Reddy Institute of Technology and Science
Downloaded by Insta User ([email protected])
You might also like
- Csol590-02-Fa18-Module 7 Final Project - Computer Forensic Examination Report - Keith AndersonNo ratings yetCsol590-02-Fa18-Module 7 Final Project - Computer Forensic Examination Report - Keith Anderson13 pages
- Zebra TC51, TC70x, TC56 and TC75x Android N 01-01-49-NG-00-A Release For GMSNo ratings yetZebra TC51, TC70x, TC56 and TC75x Android N 01-01-49-NG-00-A Release For GMS14 pages
- Lecture1-Introduction To Digital Forensics 2013No ratings yetLecture1-Introduction To Digital Forensics 201344 pages
- Example of An Expert Witness: By: Vincenzo Crawford BS. FORENSIC SCIENCE, University of Technology (U-Tech), JamaicaNo ratings yetExample of An Expert Witness: By: Vincenzo Crawford BS. FORENSIC SCIENCE, University of Technology (U-Tech), Jamaica8 pages
- Explain Process For Collecting Network Based EvidenceNo ratings yetExplain Process For Collecting Network Based Evidence10 pages
- Digital Forensics: Processing Crime and Incident ScenesNo ratings yetDigital Forensics: Processing Crime and Incident Scenes25 pages
- A Forensic Analysis of Android Malware - How Is Malware Written and How It Could Be Detected?No ratings yetA Forensic Analysis of Android Malware - How Is Malware Written and How It Could Be Detected?5 pages
- Network Forensics With Bro: Matthias VallentinNo ratings yetNetwork Forensics With Bro: Matthias Vallentin23 pages
- (All Variants) Intrusion Detection (Archive) - Ubuntu ForumsNo ratings yet(All Variants) Intrusion Detection (Archive) - Ubuntu Forums62 pages
- Digital Forensics in A Cyber Warfare Con PDFNo ratings yetDigital Forensics in A Cyber Warfare Con PDF9 pages
- CSC 411: Computer Network Security: Intrusion Detection SystemsNo ratings yetCSC 411: Computer Network Security: Intrusion Detection Systems3 pages
- Incident Response and Digital ForensicsWA.1No ratings yetIncident Response and Digital ForensicsWA.113 pages
- Cyber Forenseics: Damodaram Sanjivayya National Law University Visakhapatnam, A.P., IndiaNo ratings yetCyber Forenseics: Damodaram Sanjivayya National Law University Visakhapatnam, A.P., India21 pages
- Computer Forensics Processing Checklist PDFNo ratings yetComputer Forensics Processing Checklist PDF6 pages
- CMFF - Cellebrite Mobile Forensics Fundamentals 2019No ratings yetCMFF - Cellebrite Mobile Forensics Fundamentals 20194 pages
- Advanced Persistent Threat Attack Detection MethodNo ratings yetAdvanced Persistent Threat Attack Detection Method11 pages
- Computer Forensics Based On What I Have Read: Definition of Computer ForensicsNo ratings yetComputer Forensics Based On What I Have Read: Definition of Computer Forensics4 pages
- Forensic Cop Journal 2 (2) 2009-Standard Operating Procedure of Audio ForensicNo ratings yetForensic Cop Journal 2 (2) 2009-Standard Operating Procedure of Audio Forensic7 pages
- LO - 2 - Data Capture and Memory ForensicsNo ratings yetLO - 2 - Data Capture and Memory Forensics51 pages
- COCS70704 Digital Forensic Fundamentals (DFF) : Dr. Alexios MylonasNo ratings yetCOCS70704 Digital Forensic Fundamentals (DFF) : Dr. Alexios Mylonas19 pages
- CF Lecture 03-Digital Evidence and Forensic Investigation ProcessNo ratings yetCF Lecture 03-Digital Evidence and Forensic Investigation Process41 pages
- Digital Forensics - Notes For EverythingNo ratings yetDigital Forensics - Notes For Everything160 pages
- KUCS301 Operating Systems - 221001 - 134911No ratings yetKUCS301 Operating Systems - 221001 - 134911108 pages
- Resume - Kishan Kanabar Software Engineer.pdf-2No ratings yetResume - Kishan Kanabar Software Engineer.pdf-21 page
- Splunk SOAR Guided Automation With Use Cases ExamplesNo ratings yetSplunk SOAR Guided Automation With Use Cases Examples65 pages
- Updated CRCS Depositor User Manual - EnglishNo ratings yetUpdated CRCS Depositor User Manual - English20 pages
- Design Verification with SystemVerilog_UVM _ Udemy0% (1)Design Verification with SystemVerilog_UVM _ Udemy6 pages
- Lexical Analysis All Token List and DiffenceNo ratings yetLexical Analysis All Token List and Diffence4 pages
- Source Codes C / C++ / DS: Perfect NumberNo ratings yetSource Codes C / C++ / DS: Perfect Number114 pages
- Enhanced Student Management System JDBC API DocumentationNo ratings yetEnhanced Student Management System JDBC API Documentation19 pages
- GCP Cloud Native Reference Architecture T24No ratings yetGCP Cloud Native Reference Architecture T2419 pages
- Real-Time Artificial Intelligence Based Health MonNo ratings yetReal-Time Artificial Intelligence Based Health Mon21 pages
- Cracking The Shopify Software Engineering Interview - by Arun Rawlani - MediumNo ratings yetCracking The Shopify Software Engineering Interview - by Arun Rawlani - Medium6 pages
- Csol590-02-Fa18-Module 7 Final Project - Computer Forensic Examination Report - Keith AndersonCsol590-02-Fa18-Module 7 Final Project - Computer Forensic Examination Report - Keith Anderson
- Zebra TC51, TC70x, TC56 and TC75x Android N 01-01-49-NG-00-A Release For GMSZebra TC51, TC70x, TC56 and TC75x Android N 01-01-49-NG-00-A Release For GMS
- Example of An Expert Witness: By: Vincenzo Crawford BS. FORENSIC SCIENCE, University of Technology (U-Tech), JamaicaExample of An Expert Witness: By: Vincenzo Crawford BS. FORENSIC SCIENCE, University of Technology (U-Tech), Jamaica
- Explain Process For Collecting Network Based EvidenceExplain Process For Collecting Network Based Evidence
- Digital Forensics: Processing Crime and Incident ScenesDigital Forensics: Processing Crime and Incident Scenes
- A Forensic Analysis of Android Malware - How Is Malware Written and How It Could Be Detected?A Forensic Analysis of Android Malware - How Is Malware Written and How It Could Be Detected?
- (All Variants) Intrusion Detection (Archive) - Ubuntu Forums(All Variants) Intrusion Detection (Archive) - Ubuntu Forums
- CSC 411: Computer Network Security: Intrusion Detection SystemsCSC 411: Computer Network Security: Intrusion Detection Systems
- Cyber Forenseics: Damodaram Sanjivayya National Law University Visakhapatnam, A.P., IndiaCyber Forenseics: Damodaram Sanjivayya National Law University Visakhapatnam, A.P., India
- CMFF - Cellebrite Mobile Forensics Fundamentals 2019CMFF - Cellebrite Mobile Forensics Fundamentals 2019
- Advanced Persistent Threat Attack Detection MethodAdvanced Persistent Threat Attack Detection Method
- Computer Forensics Based On What I Have Read: Definition of Computer ForensicsComputer Forensics Based On What I Have Read: Definition of Computer Forensics
- Forensic Cop Journal 2 (2) 2009-Standard Operating Procedure of Audio ForensicForensic Cop Journal 2 (2) 2009-Standard Operating Procedure of Audio Forensic
- COCS70704 Digital Forensic Fundamentals (DFF) : Dr. Alexios MylonasCOCS70704 Digital Forensic Fundamentals (DFF) : Dr. Alexios Mylonas
- CF Lecture 03-Digital Evidence and Forensic Investigation ProcessCF Lecture 03-Digital Evidence and Forensic Investigation Process
- Digital Forensics Framework A Complete GuideFrom EverandDigital Forensics Framework A Complete Guide
- Ethical Hacking and Computer Securities for BeginnersFrom EverandEthical Hacking and Computer Securities for Beginners
- Splunk SOAR Guided Automation With Use Cases ExamplesSplunk SOAR Guided Automation With Use Cases Examples
- Design Verification with SystemVerilog_UVM _ UdemyDesign Verification with SystemVerilog_UVM _ Udemy
- Enhanced Student Management System JDBC API DocumentationEnhanced Student Management System JDBC API Documentation
- Real-Time Artificial Intelligence Based Health MonReal-Time Artificial Intelligence Based Health Mon
- Cracking The Shopify Software Engineering Interview - by Arun Rawlani - MediumCracking The Shopify Software Engineering Interview - by Arun Rawlani - Medium