Unit-1(CF)

The document provides an overview of cyber forensics, detailing the processes involved in digital evidence collection, analysis, and preservation during cybercrime investigations. It discusses various types of cybercrimes, notable data breaches, and the challenges faced in cybersecurity, along with the tools used by forensic experts. Additionally, it emphasizes the importance of maintaining digital evidence integrity and outlines the standards and protocols in the field of cyber forensics.

22CCC16 - CYBER FORENSICS

UNIT I - INTRODUCTION TO COMPUTER FORENSICS

Introduction to Cyber forensics: Forensics investigation process – Forensics protocol – Digital forensics standards – Digital evidence – Types of cybercrime – Notable data breaches – Case study – Challenges in Cyber security – Cyber forensics tools. Windows forensics: Digital Evidence – File systems – Time analysis – Challenges – Case Study.

What Is Cyber Forensics?


Cyber forensics is the process of collecting, analyzing, and preserving digital
evidence to investigate cyber incidents. It's also known as computer
forensics.

How it works
● Cyber forensics professionals use specialized techniques to recover hidden, deleted, or encrypted data.
● They analyze data from networks, storage devices, memory, and wireless communications.
● They use tools such as network protocol analyzers, disk imaging and analysis software, and memory analysis frameworks.
● They document their findings in a report and verify the findings against the original evidence, so that another examiner could reproduce them.

Forensics Investigation Process


The goal of performing a cyber forensics investigation is to gain thorough information
about the event. It involves finding and analyzing the digital evidence related to the
investigation. Cyber Forensic Experts follow the basic steps of investigation; the
intricacies of these steps may vary as per the model of the organization in charge of the
investigation.
The Forensic Investigation Process includes various forensic processes such as
identification, seizure, imaging, hashing, analysis, report, and preservation during a
digital forensic investigation as shown in Figure 1-1.
Figure 1-1. Forensic Investigation Process

Incident
This is the occurrence of a cybercrime instance where digital devices like computers, mobile
devices, etc., have been used to commit a crime.

Identification
Identification is a crucial step in the forensic examination process. It directly affects efforts to
develop a plan of action and ultimately the success of the investigation. Before starting a digital
forensic examination, the scope of actions must be identified:

• Who are the prime suspects?


• What are the best sources of potential digital evidence that will be
further investigated?

This information will help the investigator in many ways, so that:


• No essential evidence is missed that might affect a case.
• Costs can be estimated in advance for the investigation, and the
scope of the case can be adjusted accordingly.

Seizure
Prior to the actual examination, the digital media related to the investigation is seized. In criminal cases this is usually done by law enforcement personnel or trained technicians, so that the evidence is not tampered with between the scene and the laboratory. Various laws govern the seizure of digital media; in any criminal investigation, for example, the laws on search warrants apply, and evidence collected outside their scope may be challenged.

Imaging
After the digital evidence has been seized, a forensic image of it is created for further analysis. This image is a bit-stream copy, an exact bit-by-bit copy of the computer's physical storage device (HDD or SSD), including unallocated space. Common forensic image formats are the raw image produced by disk dump (dd) and the EnCase Evidence File format (.E01), which adds compression, per-chunk checksums and case metadata. Because every sector is copied, the image contains not only the live files and folders but also the remnants of deleted files that still sit in unallocated space. The image must be created without altering the original (the source is attached through a write blocker and opened read-only) and must be hashed as it is made, so that it can be admitted in a court of law.

Hashing
After the forensic image has been obtained, its integrity must be maintained. A hash value is therefore computed for every forensic image using hashing algorithms such as MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1) and SHA-256. The hash value is determined entirely by the contents of the data stored in the digital evidence: the image is hashed immediately after acquisition, the value is recorded in the chain-of-custody documentation, and the image is re-hashed before analysis and whenever it changes hands. Any tampering with the evidence, even a single changed byte, produces a different hash value, which is grounds for the evidence to be rejected by a court of law. MD5 and SHA-1 are no longer collision-resistant, so modern practice is to record SHA-256 alongside them rather than rely on MD5 alone.
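The imaging and hashing steps above, carried out in code, as an added example that is not part of the original notes: the "device" is a constructed 3 MiB file rather than real media, the image is a raw dd-style copy, and the source and image are hashed with MD5, SHA-1 and SHA-256 in one streaming pass so that a multi-terabyte drive never has to fit in memory. The end of the example flips one byte of the image to show that re-verification catches it.

```python
"""Imaging and hashing: make a bit-stream copy of a device and prove the copy
matches.  Added example for these notes, not code from the original page;
the "device" is a constructed 3 MiB file, not real media."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20                            # 1 MiB reads: never load a whole drive into RAM
ALGORITHMS = ("md5", "sha1", "sha256")     # MD5/SHA-1 for legacy reports, SHA-256 as the anchor


def hash_file(path, algorithms=ALGORITHMS):
    """One pass over the file, feeding the same bytes to every hash object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_path, image_path):
    """Raw (dd-style) copy of every byte, allocated or not.  The source is only
    ever opened read-only; on physical media add a hardware write blocker."""
    before = hash_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image = hash_file(image_path)
    after = hash_file(source_path)          # proves the source was not touched
    return {"source": before, "image": image, "verified": before == image == after}


def verify(image_path, recorded):
    """Re-hash at every hand-off in the chain of custody and compare with the
    values recorded at acquisition."""
    return hash_file(image_path, tuple(recorded)) == recorded


def build_device(path):
    """Constructed volume: a live file plus a remnant left in unallocated space."""
    data = bytearray(bytes(range(256)) * (3 * CHUNK // 256))
    data[4096:4096 + 22] = b"invoice.docx live data"
    data[2 * CHUNK + 777:2 * CHUNK + 777 + 34] = b"budget.xlsx deleted but still here"
    with open(path, "wb") as f:
        f.write(data)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        build_device(device)
        result = acquire(device, image)
        with open(image, "rb") as f:
            remnant_present = b"budget.xlsx" in f.read()   # deleted data survives in a bit-stream copy
        # Tamper with a single byte of the image: every recorded hash must now mismatch.
        with open(image, "r+b") as f:
            f.seek(1234)
            f.write(b"\x00")                 # original byte at offset 1234 is 0xD2 (1234 % 256)
        tampered_verified = verify(image, result["image"])
        return {**result, "remnant_present": remnant_present,
                "tamper_detected": not tampered_verified}


if __name__ == "__main__":
    r = demo()
    print("image verified:", r["verified"], "| sha256:", r["image"]["sha256"])
    print("deleted-file remnant in image:", r["remnant_present"])
    print("tampering detected:", r["tamper_detected"])
```

Hashing the source both before and after the copy is cheap insurance: if the two source hashes differ, the acquisition itself modified the evidence and the image is worthless regardless of whether it matches either of them.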

Analysis
After the process of imaging and hashing, the evidence is taken for forensic analysis by a
forensic examiner to look out for findings that can support or oppose the matters in the
investigation. During the analysis the forensic examiner should maintain the integrity of the
digital evidence.
Reporting
Upon completion of a forensic analysis, all the relevant findings should be presented in a
report format by the forensic investigator. The investigator cannot present their personal
views in this report. This report should be precise and must consist of conclusions drawn from
the in-depth analysis. It should be easily understandable by any non-technical person such as
the law enforcement agency staff.

Preservation
Once evidence is collected, it is important to protect it from any type of modification or
deletion. For example, it might be necessary to isolate host systems such as desktops (a
suspect system in forensic investigation) from the rest of the network through either
physical or logical controls, network access controls, or perimeter controls. It is also
important that no other users access a suspect system.

Forensic Protocol
A forensic protocol is a structured process for investigating incidents using scientific
methods. Forensic protocols can apply to digital evidence, crime scenes, and other types
of evidence.

Digital Forensics Standards

The bodies that publish the current international standards and guidelines in the digital forensics domain are listed below:
• National Institute of Standards and Technology (NIST), e.g., SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
• National Institute of Justice (NIJ)
• International Organization on Computer Evidence (IOCE)
• American Society of Crime Laboratory Directors / Laboratory Accreditation Board (ASCLD/LAB)
• American Society for Testing and Materials (ASTM)
• ISO/IEC JTC 1/SC 27, e.g., ISO/IEC 27037 on the identification, collection, acquisition and preservation of digital evidence
• Audio Engineering Society (AES)
• Scientific Working Group on Digital Evidence (SWGDE)
• Scientific Working Group on Imaging Technology (SWGIT)
• Association of Chief Police Officers (ACPO), whose Good Practice Guide for Digital Evidence sets out the UK principles for handling digital evidence
Digital Evidence

● Digital evidence comprises physical devices such as computer systems, mobile phones, flash drives, memory cards, routers, switches, modems, etc., and the electronic information stored in or transmitted by these devices.
● Law enforcement and lawyers are becoming more aware of its importance, not just for cybercrime but for other crimes too.
● Since we store a lot of personal data on our devices, it can be crucial in investigations.
● However, because of its fragile nature, digital evidence is best handled by a cyber forensic expert.

There are four characteristics of digital evidence:


• Latent/Hidden
• Crosses jurisdictional borders quickly and easily
• Can be altered, damaged, or destroyed easily
• Can be time sensitive

What Is a Cybercrime?
● A cybercrime is a criminal activity that involves computers, networks, or
digital devices as the main tools or targets.
● It can include crimes like hacking, identity theft, online fraud, spreading
malware, cyberbullying, and illegal activities on the internet.
● Essentially, any crime that happens in the digital space or uses technology for
illegal purposes is considered a cybercrime.

Types of Cybercrimes
Malware Attacks (Ransomware, Rootkit, Virus, Trojan)
Ransomware: Malware that encrypts a victim's files or system and then demands payment (a ransom) in exchange for restoring access to the files. Examples: WannaCry, CryptoLocker.

Rootkit: Malware designed to keep privileged access to a system while hiding its own presence, typically by hooking or patching the operating system so that its files, processes and network connections are not shown. Rootkits let attackers control systems remotely without detection. Example: Stuxnet, the worm used in attacks on industrial control systems, carried a kernel-mode rootkit component that concealed its files.

Virus: A malicious program that attaches itself to files or programs and spreads when those files are executed. Viruses can corrupt data, steal information, or disrupt system functionality. Example: MyDoom.

Trojan: Malware that disguises itself as a legitimate program to trick users into installing it. Once installed, a Trojan can steal data, install further malicious software, or give attackers remote access to the system. Examples: Zeus, Emotet.

Phishing Attacks
Phishing attacks are a type of cybercrime where attackers try to trick individuals into
providing sensitive information, such as usernames, passwords, or credit card details,
by pretending to be a trustworthy entity. These attacks typically happen through
email, text messages, or fraudulent websites.

Misuse of Personal Information (Identity Theft) and Cyberstalking
1. Misuse of Personal Information (Identity Theft): This occurs when someone steals your personal details, like your name, Social Security number, or credit card information, and uses them to commit fraud or other crimes in your name.
2. Cyberstalking: This is when someone uses the internet or social media to repeatedly harass, threaten, or intimidate another person. It can involve sending unwanted messages or spreading harmful rumors online.

Distributed Denial of Service Attacks (DDoS)

A Distributed Denial-of-Service (DDoS) attack is a cybercrime in which the attacker floods a server with traffic sent from many compromised machines at once (a botnet), so that legitimate users cannot reach the connected online services and sites.
Notable Data Breaches of 2018
A data breach is any cyber security incident in which an attacker compromises a company’s
data, and information of its users is accessed in an unauthorized manner. The Top 10 most
significant data breaches and cybersecurity incidents of 2018 are given next.

Aadhaar
Aadhaar is a 12-digit unique identifier that is assigned to every Indian citizen. Aadhaar
records of all 1.1 billion India citizens were compromised.

Facebook
Hackers exploited a vulnerability in Facebook's "View As" feature that allowed them to steal Facebook access tokens, the credentials that keep users logged in.

• In March, it emerged that the data of about 50 million users (a figure later revised upward) had been harvested through a third-party quiz app and passed on without consent.
• In September, the access-token theft forced Facebook to reset the tokens of about 90 million accounts; around 50 million were first reported as affected, a number later revised down to about 30 million.
• In December, a photo API bug exposed the unposted photos of about 7 million users.

Quora
Quora is a platform where its users can ask and answer questions. A malicious third party
attacked it. Account information of 100 million Quora users including their name, email
address, and encrypted password were compromised.

Marriott Hotels
Marriott Hotels suffered a data breach in which personal information of 500 million hotel
guests were stolen. This included names, emails, addresses, dates of birth, credit card
information, and passport numbers of the guests.

TicketFly
Ticketfly, an event ticketing company, was the target of a malicious cyberattack. Information of approximately 27 million Ticketfly users, including their names, addresses, email addresses, and phone numbers, was compromised. Financial information such as credit and debit card details was not compromised in this attack.

MyHeritage
MyHeritage is an online genealogy platform, which tests its users' DNA to find their ancestors and build their family trees. Ninety-two million records of users who signed up before October 26, 2017, were breached. DNA information and family trees were stored on separate systems, which were not breached.

Exactis
Exactis’s database was on a publicly accessible server. Exactis exposed approximately 340
million records in which information was comprised of an email address, phone number,
physical address, etc.

British Airways
British Airways faced a serious attack on its website and application. Approximately 380,000
card payments made to British Airways between August 21st and September 5 were
compromised. The hackers in this attack used the credit card skimming technique.

Cathay Pacific
Cathay Pacific is an airline company from Hong Kong. The company’s data breach
exposed personal information of 9.4 million passengers.

Under Armour
The company’s food and nutrition app was hacked, exposing 150 million records, but
payment information was safe because payments are processed through a separate channel.

Case Study 1: SIM Swapping Fraud

In a SIM swapping attack the fraudster persuades or bribes a mobile carrier into moving the victim's phone number to a SIM card the attacker controls; SMS one-time codes and password-reset messages for the victim's accounts then arrive on the attacker's phone. In one such case, a 20-year-old hacker stole more than $5 million worth of cryptocurrency by hijacking the phone numbers of at least 40 victims. He pleaded guilty and was sentenced to 10 years in prison; astoundingly, he was the first person sentenced to prison for a SIM swapping crime. Authorities want to send a clear message that they will not tolerate this kind of crime and will prosecute fraudsters with severe penalties.

Case Study 2: Google Nest Guard

Nest Guard is the hub of Google's Nest Secure home security and alarm system. With the Google Assistant enabled on it, the device offers a variety of features, such as real-time information about traffic conditions and flight status, control of smart-home devices, and tasks like setting reminders. But Google had built a microphone into the Nest Guard and never mentioned it in the product's specifications. According to Google, the microphone was not enabled by default; still, the company did not disclose that it was there until it announced an over-the-air software update that enabled the microphone so the device could support a voice-triggered digital assistant. Customers did not know they had bought something with a microphone inside, and now they did.
The lesson is that a device's published feature list cannot be taken as a complete description of its hardware. If a large company like Google can leave something like this undisclosed, what might small gadget makers do? Can you trust them? We are living in a virtual world with virtual risks at every stage.

Challenges in Cyber Security


1. Evolving Threats: Cyber threats are constantly changing, making it difficult to keep up with new attack methods like ransomware, phishing, and malware.

2. Human Error: Many security breaches happen due to mistakes made by employees, such as weak passwords or falling for phishing scams.

3. Lack of Awareness: Many individuals and organizations are not fully aware of cybersecurity risks, making them more vulnerable to attacks.

4. Data Privacy: Protecting sensitive data, especially with laws and regulations constantly changing, is a major challenge for businesses.

5. Advanced Persistent Threats (APTs): These are long-term, targeted cyber attacks that are hard to detect and defend against.

6. Insufficient Resources: Many organizations lack the budget or skilled staff to effectively protect against and respond to cyber threats.

7. Insecure Devices: With the increase in IoT (Internet of Things) devices, securing all connected devices becomes more difficult.

8. Third-Party Risks: Businesses that rely on third-party vendors may face cybersecurity risks if those vendors have weak security measures.

9. Compliance and Regulation: Keeping up with ever-evolving cybersecurity laws and regulations can be overwhelming for companies.

10. Cloud Security: As more companies move to the cloud, ensuring the security of cloud environments becomes increasingly complex.

Cyber Forensic Tools


A good cyber forensics expert works with the best tools. Cyber forensics tools are classified into two types, closed source and open source:

Closed Source Tools:

1. EnCase: A popular commercial tool used for acquiring and analyzing digital evidence, often used by law enforcement; its evidence file format (.E01) is supported by most other forensic tools.
2. FTK (Forensic Toolkit): Another commercial tool widely used for disk imaging (FTK Imager), data recovery, and evidence analysis.
3. Cellebrite UFED: A proprietary tool for mobile forensics, specializing in extracting and analyzing data from mobile devices.

Open Source Tools:

1. Autopsy: An open-source digital forensics platform, built as a graphical front end to The Sleuth Kit, used for investigating and analyzing disk images and file systems.
2. The Sleuth Kit (TSK): A set of open-source command-line tools and a library for analyzing disk images and file systems.
3. Wireshark: An open-source network protocol analyzer used to capture and examine network traffic for signs of suspicious activity.
4. Volatility: An open-source memory forensics framework that lets investigators analyze RAM dumps for running processes, network connections, injected code, and other evidence of cyber attacks.

Windows Forensics
Microsoft Windows is the most popular operating system, and most cyber forensic software is designed for Windows. There are many resources available on Windows forensics, and the field has great potential as new methods and tools are developed for investigations.

Digital Evidence in Windows: Volatile and Nonvolatile Evidence
Volatile evidence exists only while the machine is powered on: the contents of RAM (running processes, open network connections, logged-on users, decrypted keys) and similar state that is lost at shutdown, so it must be captured first, from the live system. Nonvolatile evidence persists on storage: files, the file system's own metadata, the registry, event logs, and the remnants of deleted data.

File System
A file system is a structure that organizes and manages files on a storage device. It
defines how data is stored, accessed, and organized on the device.

Examples of file systems

NTFS
The New Technology File System, used by Windows NT and every later Windows version to store and retrieve files on hard disk drives (HDDs) and solid-state drives (SSDs)

APFS
The Apple File System, developed for macOS, iOS, and other Apple devices. It includes features like cloning, file-level encryption, and improved performance on solid-state drives

ext4
A journaling file system that is the default file system for many Linux distributions. It is backward compatible with ext3 and ext2

HFS Plus
The journaling file system used by Mac OS X before APFS, which supports long filenames and Unicode filenames

How file systems work

● File systems allow access to single files and address each file individually
● Files are used for all input and output (I/O) of information in the operating system
● From the file's point of view, input occurs when its contents are modified or written to
● Output occurs when the contents of one file are read or transferred to another file
Windows File Systems representation

FAT32
FAT32 is still the default file system offered when a user formats a removable drive. It supports volumes up to 2 TB (with 512-byte sectors) and, more importantly for forensics, no single file larger than 4 GB; Windows' own formatting tool will not even create a FAT32 volume above 32 GB. Higher capacity storage devices are therefore not supported by FAT32, and it takes longer to index, store, and retrieve large files than its counterpart, NTFS. However, FAT32 remains the default file system for most removable devices and is still used by many cyber forensic experts to wipe and partition their acquisition media, because almost every operating system, bootable forensic environment and hardware imager can read and write it.
The qualities of FAT32 are therefore more practical in a forensic situation than those of NTFS, especially when imaging hard drives, as long as the 4 GB file limit is respected: a raw image of a large drive has to be split into segments, which E01 and most dd-style tools support. From an ordinary computer user's perspective, the NTFS file system is the better and preferred choice.

NTFS
The shortcomings of the FAT file system led to the creation of NTFS. It provided better security (access control lists on every file), file-level encryption and decryption through the Encrypting File System (EFS), better disk compression, support for higher capacity storage devices, support for multiple data streams per file (alternate data streams, which can also be used to hide data), and fault tolerance through journaling.

With NTFS, users could work with high-capacity storage devices with more ease. Better cluster management allowed NTFS to retrieve files quickly and enhanced the user experience. The Master File Table (MFT) is the most important NTFS structure for an examiner: it holds one record for every file and directory on the volume, and each record stores the file's attributes, including two sets of timestamps, $STANDARD_INFORMATION and $FILE_NAME, each with creation, modification, MFT-change and access times. The records of deleted files remain in the MFT until they are reused, which is why their names and timestamps can often still be recovered.
Timeline Analysis
Forensic investigators create a timeline of events from the evidence collected (file system timestamps, event logs, registry keys, browser histories), which helps organize and analyze the case. Timeline analysis allows investigators to verify other aspects of the investigation and to reconstruct the crime, tracing the steps of the suspect or victim. Any inconsistencies found in the timeline, such as a file whose $STANDARD_INFORMATION timestamps are earlier than its $FILE_NAME timestamps, are documented and reported, since hackers or criminals may alter timestamps to mislead the investigation. This step must therefore be done carefully and with caution, and all timestamps should be normalized to one time zone (UTC) before they are compared.
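The NTFS and timeline sections above, worked through in code, as an added example that is not part of the original notes: it parses a single MFT record (applying the update-sequence fixups NTFS writes into each sector), decodes the Windows FILETIME values in $STANDARD_INFORMATION and $FILE_NAME, and compares the two sets for the classic timestomping indicators. The record, the file names and the dates are constructed inside build_record(), not read from a real volume; the layout offsets are those of the on-disk NTFS format.

```python
"""NTFS $MFT record parsing and SI/FN timestamp comparison for time analysis.
Added example for these notes, not code from the original page; the MFT record
is constructed in build_record(), not read from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin
SECTOR, RECORD = 512, 1024
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF                 # attribute type codes / end marker
TIMES = ("created", "modified", "mft_modified", "accessed")   # on-disk order

def from_filetime(ft):            # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """NTFS stamps the last 2 bytes of each sector with the update sequence
    number and parks the originals in the USA; restore them before parsing."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_record(record):
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0]}
    while struct.unpack_from("<I", rec, off)[0] != END:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if not nonres:                                    # SI and FN are always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == SI:
                out["si"] = dict(zip(TIMES, map(from_filetime, struct.unpack_from("<4Q", body, 0))))
            elif atype == FN:
                out["fn"] = dict(zip(TIMES, map(from_filetime, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out

def timestomp_indicators(parsed):
    """SetFileTime() and similar user-mode APIs rewrite only $STANDARD_INFORMATION;
    $FILE_NAME is written by the kernel.  These are leads, not proof: installers
    and archive extractors that restore timestamps also yield SI earlier than FN."""
    si, fn, findings = parsed["si"], parsed["fn"], []
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    if all(si[k].microsecond == 0 for k in ("created", "modified", "accessed")):
        findings.append("user-settable SI times have zero sub-second precision")
    return findings

def build_record(name, si_times, fn_times, number=100):
    """Constructed in-use MFT record with resident SI and FN attributes."""
    def attr(atype, body):
        total = (0x18 + len(body) + 7) & ~7               # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return hdr + body + bytes(total - len(hdr) - len(body))
    si_body = struct.pack("<4Q", *(to_filetime(si_times[k]) for k in TIMES)) + bytes(40)
    fn_body = struct.pack("<Q4QQQIIBB", 5, *(to_filetime(fn_times[k]) for k in TIMES),
                          4096, 2048, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = attr(SI, si_body) + attr(FN, fn_body) + struct.pack("<II", END, 0)
    rec = bytearray(RECORD)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(attrs), RECORD, 0, 2, 0, number)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn, originals = 1, [struct.unpack_from("<H", rec, i * SECTOR - 2)[0] for i in (1, 2)]
    struct.pack_into("<HHH", rec, 0x30, usn, *originals)   # update sequence array
    for i in (1, 2):
        struct.pack_into("<H", rec, i * SECTOR - 2, usn)    # stamp the sector ends
    return bytes(rec)

def demo():
    """A file really created on 2024-03-10, then backdated with a timestomping tool."""
    real = datetime(2024, 3, 10, 14, 22, 37, 481250, tzinfo=timezone.utc)
    fake = datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    fn = dict.fromkeys(TIMES, real)
    si = {"created": fake, "modified": fake, "accessed": fake, "mft_modified": real}
    stomped = parse_record(build_record("evil.exe", si, fn))
    clean = parse_record(build_record("report.docx", fn, fn))
    return {"name": stomped["name"], "stomped": timestomp_indicators(stomped),
            "clean": timestomp_indicators(clean)}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real cases: every timestamp is converted to an aware UTC datetime before any comparison, and the $FILE_NAME set is never discarded just because the tool being used shows only $STANDARD_INFORMATION, since the discrepancy between the two is the evidence.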

Challenges
Windows remains the most popular operating system, which leads manufacturers to create
different system configurations, making it challenging for forensic software developers to ensure
compatibility. Modern systems have large storage capacities, requiring more time and space for
forensic imaging. Additionally, the rise of anti-forensic techniques, like disabling logs or using
encryption, makes investigations more difficult. Forensic investigators today face issues with tool
compatibility, device encryption, and access to device firmware/software.
