Investigative Tools and Equipments for Cyber Crime by Raghu Khimani

Introduction
• In most cases, items or devices containing
digital evidence can be collected using
standard seizure tools and materials.
• Avoid using any tools or materials that may
produce or emit static electricity or a
magnetic field as these may damage or
destroy the evidence.

Tools and Materials for Collecting
Digital Evidence
• In addition to tools for processing crime scenes in
general, first responders should have the following
items in their digital evidence collection toolkit:
• Cameras (photo and
video).
• Cardboard boxes.
• Notepads.
• Gloves.
• Evidence inventory
logs.
• Evidence tape.
• Paper evidence bags.
• Evidence stickers,
labels, or tags.
• Crime scene tape.
• Antistatic bags.
• Permanent markers.
• Nonmagnetic tools.

• First responders should also have radio
frequency-shielding material such as faraday
isolation bags or aluminum foil to wrap cell
phones, smart phones, and other mobile
communication devices after they have been
seized.
• Wrapping the phones in radio frequency-
shielding material prevents the phones from
receiving a call, text message, or other
communications signal that may alter the
evidence.

Software Recommendations
• Guidance Software’s EnCase
– www.encase.com
• AccessData’s Forensic ToolKit (FTK), AccessData
Password Recovery Toolkit (PRTK).
• Prodiscover
– www.techpathways.com
• AccessData’s Distributed Network Attack
– www.accessdata.com
• Irfanview (freeware for non commercial use)
– www.irfanview.com

Software Recommendations (Contd.)
• Windows Forensic Toolchest
(WFT)
– http://www.foolmoon.net/secu
rity/wft/
• Computer Online Forensic
Evidence Extractor
• The Sleuth Kit
– http://www.sleuthkit.org/
• CD-R Diagnostic
• DIBS Computer Forensic
Workstation
• Image
• E-mail examiner
• MOBILedit! Forensic
• Oxygen Forensic Suite
• Photorecovery
• Safeback
• SIMCon
• Stego Detect
• Steghide
• Write Blocker
• Undelete SMS
• VOOM

• Passware Kit (Forensic & Enterprise Editions)
• Mobile Phone Examiner Plus (AccessData)
• CHAT Examiner
• PDF Password Cracker
• SIM card seizure
• X-Ways Forensics
Software Recommendations (Contd.)

IMAGE
• Image: exact copy of a hard drive including
deleted files and areas of the hard drive that a
“normal” backup software would not copy
– Normal backup software only copies data, no
deleted files or areas of the hard drive that may
contain information from previous activity

• Imaging of a computer is a forensically sound
method of collecting computer evidence
• A proper image MAY be admissible in court
• If performed properly the process will not
alter anything on the target hard drive

Imaging Tools
• Safeback
• EnCase
• ImageMaster
• Ghost

EnCase Forensic
• EnCase is a computer forensics product produced
by Guidance Software used to analyze digital
media (for example in civil/criminal
investigations, network investigations, data
compliance and electronic discovery).
• The software is available to law enforcement
agencies and corporations.
• EnCase includes tools for data acquisition, file
recovery, indexing/search and file parsing.
• Special training is usually required to operate the
software.

AccessData’s Forensic Toolkit
• FTK® Imager is a data preview and imaging
tool that lets you quickly assess electronic
evidence to determine if further analysis with
a forensic tool such as AccessData Forensic
Toolkit® (FTK) is warranted.

PRTK (Password Recovery Tool Kit)
• AccessData Corporation offers two software
solutions for password recovery: Password
Recovery Toolkit™, or PRTK, and Distributed
Network Attack®, or DNA.
• These applications work on the same
technologies, but provide a choice on
distribution, or how the work load of guessing
passwords is shared among multiple machines.
• For simple password recovery jobs, PRTK is the
perfect application. If large numbers of encrypted
files need processing, consider DNA the solution.

• PRTK operates on a single computer to recover
passwords from a wide variety of file types such
as Excel®, Zip
• Multiple files can be added as jobs, and each job
is prioritized based on the complexity of the
encryption algorithm used by the program that
created the encrypted file.
• Simpler encryption algorithms are faster to
process, so jobs with those kinds of files are
attacked first.
• Recovered passwords are displayed with their
corresponding job and are also stored in a file
called a Golden Dictionary.

DNA
• Distributed Network Attack (DNA) is a solution
that addresses this issue by allowing many
machines to be designated as resources for
password recovery.
• DNA is able to use each processor in a multi-
processor or multi-core processor machine,
enhancing the overall performance.

Passware Forensic Kit
• You can use the Password Recovery Kit to recover passwords of file, e-
mail and other Internet passwords, as well as search for password-
protected files.
• The Passware Password Recovery Kit can reduce the time you spend
recovering passwords, improves password recovery rates, and gives
you more control over the password recovery process.
• It can recover all kinds of passwords for the world's most popular
office application files, including Excel, Word, WinZip, Windows
2008/Vista/2003/XP, Internet Explorer, Firefox, Access, Outlook,
Acrobat, QuickBooks, FileMaker, WordPerfect, VBA, Lotus Notes, ACT!,
and more.
• The Passware Recovery Kit includes 30+ password recovery modules
integrated in an all-in-one user interface. Advanced acceleration
methods are used to recover difficult passwords. Instant online
decryption is supported for MS Word and Excel files up to version
2007.

MPE+ (Mobile Phone Examiner Plus)
• Mobile Phone Examiner Plus (MPE+) is a
stand-alone mobile device investigation
solution that includes enhanced smart device
acquisition and analysis capabilities.
• With a different approach to digital mobile
forensics, MPE+ allows mobile forensic
examiners to take control of the investigation
by providing them with unique tools
necessary to quickly collect, easily identify and
effectively obtain the key data other solutions
miss.

• With support for more than 7,000 cell phones
and mobile devices, including Legacy GSM/CDMA
devices, iOS® , Android , Blackberry, Windows
Mobile™ , MPE+ enables examiners to perform
advanced mobile device investigations without
having to purchase an overpriced suite of
modules or cumbersome hardware.
• Featuring advanced data collection capabilities,
MPE+ extracts more data from iOS and Android
devices 30% faster than any other solution on the
market.

Challenges for a
Cyber Crime Expert

Steganography
Information hiding
e.g.
Maps tattooed on heads
Books with pinpricks through letters
Low-order bits in image files
Difficult to detect, plenty of free tools
Often combined with cryptographic techniques.

Worse yet
CryptoSteg
SteganoCrypt
Combination of two techniques...

Encryption
Purpose
To increase the cost of recovery to a point where
it is not worth the effort
Symmetric and Asymmetric
Reversible – encrypted version contains full
representation of original
Costly for criminal,
costly for investigator

Other Software
• Other small software will be taught you in lab.
practically.

Assignment
• Make a list of all the equipments used for the
digital forensic investigation from internet.
• Make an assignment on any one software
used to detect and investigate Cyber Crime in
detail on whichever software you liked.

Investigative Tools and Equipments for Cyber Crime by Raghu Khimani

More Related Content

What's hot (20)

Similar to Investigative Tools and Equipments for Cyber Crime by Raghu Khimani (20)

More from Dr Raghu Khimani (13)

Recently uploaded (20)

Investigative Tools and Equipments for Cyber Crime by Raghu Khimani

Editor's Notes