INTERNAL TEST 1
3.
Identity theft: The illegal use or transfer of a third party’s personal identification information with unlawful intent.
Identity fraud: A vast array of illegal activities based on fraudulent use of identifying information of a real or fictitious person.
4.PHREAKING
Phreaking involves the manipulation of telecommunication carriers to gain
knowledge of telecommunications, and/or theft of applicable services. It is also known as
telecommunications fraud, and includes any activity that incorporates the illegal use or
manipulation of access codes, access tones, PBXs, or switches.
5.TASK PERFORMED BY COMPUTER FORENSIC TOOLS
Acquisition
Validation and discrimination
Extraction
Reconstruction
Reporting
6.FILE ALLOCATION TABLE
The File Allocation Table (FAT) is a file structure database that Microsoft originally designed for
floppy disks. FAT was used on file systems before Windows NT and 2000.
7.SOFTWARE FORENSIC TOOLS
Smart
Helix
Backtrack
Autopsy and Sleuth kit
Knoppix-STD
8.WRITE BLOCKERS
A write-blocker prevents data writes to the hard disk. It comes in two variants:
Software-enabled blockers
Hardware options
Software write blockers are OS dependent. Example: PDBlock from Digital Intelligence.
Hardware options are ideal for GUI forensic tools. A hardware write blocker acts as a bridge between the suspect
drive and the forensic workstation.
9.DIFFERENT TYPES OF DATA ACQUISITION METHODS
STATIC ACQUISITION
LIVE ACQUISITION
Figure 1: Computer Forensic Investigative Process
Acquisition phase:
In the Acquisition phase, evidence is acquired in an acceptable manner with proper approval from the authority.
Identification phase:
It is followed by the Identification phase, whereby the tasks are to identify the digital components from the acquired evidence and convert them to a format understood by humans.
Evaluation phase:
The Evaluation phase comprises the task of determining whether the components identified in the previous phase are indeed relevant to the case being investigated and can be considered legitimate evidence.
Admission phase:
In the final phase, Admission, the acquired and extracted evidence is presented in the court of law.
Generic Computer Forensic Investigation Model (GCFIM)
Phase 1
Phase 1 of GCFIM is known as Pre-Process.
The tasks performed in this phase relate to all of the work that needs to be done prior to the actual investigation and official collection of data.
Among the tasks to be performed are getting the necessary approval from the relevant authority, preparing and setting up the tools to be used, etc.
Phase 2
Phase 2 is known as Acquisition & Preservation. Tasks performed under this phase relate to the identifying, acquiring, collecting, transporting, storing and preserving of data. In general, this phase is where all relevant data are captured, stored and made available for the next phase.
Phase 3
Phase 3 is known as Analysis. This is the main phase and the center of the computer forensic investigation process. It has the most number of phases in its group, reflecting that the focus of most models reviewed is indeed on the analysis phase. Various types of analysis are performed on the acquired data to identify the source of the crime and ultimately discover the person responsible for the crime.
Phase 4
Phase 4 is known as Presentation. The findings from the analysis phase are documented and presented to the authority.
Obviously, this phase is crucial, as the case must not only be presented in a manner well understood by the party it is presented to, it must also be supported with adequate and acceptable evidence.
The main output of this phase is either to prove or refute the alleged criminal acts.
Phase 5
Phase 5 is known as Post-Process. This phase relates to the proper closing of the investigation exercise. Digital and physical evidence need to be properly returned to the rightful owner and kept in a safe place, if necessary.
Forensic Duplications
• A forensic duplication means to make a complete, byte-by-byte copy of the contents of a
storage device.
• The goal is to transfer all data from the suspect system to the forensic copy without altering
the suspect system in any way. Special devices that block writing operations to the suspect
system are used.
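The acquisition and validation tasks listed under the computer forensic tools above, and the byte-by-byte duplication described here, as an added example that is not part of the original notes. It images a constructed 1 MiB "suspect drive" file into a raw image, hashes the bytes as they are read, and then validates the image against that acquisition hash. The read-only open stands in for a write blocker only in the narrow sense that this code cannot write to the source; real imaging tools work on block devices behind a hardware or driver-level blocker. All file names are assumptions.

```python
# Added example: minimal forensic duplication with acquisition and verification
# hashes. Not code from the notes or from any named tool; paths are assumptions.
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # imaging copies fixed-size blocks of the device, not files


def sha256_of_file(path):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Byte-by-byte copy of `source` into `image`.

    The source is opened read-only (this function cannot write to it) and is
    hashed while it is copied, so the acquisition hash reflects exactly the
    bytes that were read from the suspect device.
    """
    h = hashlib.sha256()
    total = 0
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image, "wb") as out:
            while True:
                block = os.read(fd, CHUNK)
                if not block:
                    break
                h.update(block)
                out.write(block)
                total += len(block)
    finally:
        os.close(fd)
    return {"acquisition_hash": h.hexdigest(), "bytes": total}


def verify_image(source, image, record):
    """Validation step: the written image must hash to the acquisition hash,
    the source must still hash to the same value, and sizes must agree."""
    image_hash = sha256_of_file(image)
    source_hash = sha256_of_file(source)
    return {
        "image_hash": image_hash,
        "source_hash": source_hash,
        "verified": (image_hash == record["acquisition_hash"] == source_hash
                     and os.path.getsize(image) == record["bytes"]),
    }


def demo():
    """Build a constructed 1 MiB 'drive' (repeating byte pattern plus a marker
    string standing in for a deleted-file remnant), image it, and verify.
    Returns the combined record including the paths used."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")   # assumed name
    image = os.path.join(workdir, "suspect_drive.dd")     # assumed name
    drive = bytearray(bytes(range(256)) * 4096)           # constructed contents
    marker = b"CONSTRUCTED-REMNANT"
    drive[4096:4096 + len(marker)] = marker
    with open(source, "wb") as f:
        f.write(drive)
    record = acquire_image(source, image)
    record.update(verify_image(source, image, record))
    record.update({"source": source, "image": image})
    return record


if __name__ == "__main__":
    r = demo()
    print(r["bytes"], r["verified"], r["acquisition_hash"])
```

The acquisition hash and the verification hash are recorded separately on purpose: if they ever disagree, either the image was altered after acquisition or the source changed while it was being read, and the image cannot be relied on as a faithful duplicate.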
Law enforcement officers often find computers and computer components as they are
investigating crimes, gathering other evidence, or making arrests.
Computers can contain information that helps law enforcement officers determine the
chain of events leading to the crime or information providing evidence that is more likely to lead to a
conviction.
For example, in a case in which a computer was involved in a crime, the police raided a drug dealer's
home and found a computer, several floppy disks and USB drives, a PDA, and a cellphone in
a bedroom.
EXAMPLE:
Companies often establish policies for employee use of computers. Employees surfing the
Internet, sending personal e-mail, or using company computers for personal tasks during
work hours can waste company time.
Because lost time can cost companies millions of dollars, the following example describes a company
policy violation.
Manager Steve Billings has been receiving complaints from customers about the job
performance of one of his sales representatives, George Montgomery. George has worked as
a representative for several years. He has been absent from work for 2 days but has not called
in sick or told anyone why he would not be at work. Another employee, Martha, is also
missing and has not informed anyone of the reason for her absence. Steve asks the IT
department to confiscate George's hard drive and all storage media in his work area.
He wants to know whether there is any information on George's computer and storage media that
might offer a clue to George's whereabouts and the job performance concerns.
To help determine George's and Martha's whereabouts, you must take a systematic
approach, described in the following sections, to examining and analyzing the data found on
George's desk.
13)b)Explain in detail the procedure of incident and incident response methodology.
We're always on a quest for the perfect way to organize a process.
Since the incident response process can involve so many variables and factors that affect its flow, it
is quite a challenge to create a simple picture of the process while maintaining a useful
level of accuracy.
However, we feel that we have developed an incident response process that is both simple and
accurate.
Computer security incidents are often complex, multifaceted problems.
▼ Pre-incident preparation Take actions to prepare the organization and the CSIRT before an
incident occurs.
■ Detection of incidents Identify a potential computer security incident.
■ Initial response Perform an initial investigation, recording the basic details
surrounding the incident, assembling the incident response team, and
notifying the individuals who need to know about the incident.
■ Formulate response strategy Based on the results of all the known facts,
determine the best response and obtain management approval. Determine
what civil, criminal, administrative, or other actions are appropriate to take,
based on the conclusions drawn from the investigation.
■ Investigate the incident Perform a thorough collection of data. Review the
data collected to determine what happened, when it happened, who did it,
and how it can be prevented in the future.
■ Reporting Accurately report information about the investigation in a manner
useful to decision makers.
GOALS OF INCIDENT RESPONSE
In our incident response methodology, we emphasize the goals of corporate security professionals
with legitimate business concerns, but we also take into consideration the concerns of law
enforcement officials. Thus, we developed a methodology that promotes a
coordinated, cohesive response and achieves the following:
▼ Prevents a disjointed, noncohesive response (which could be disastrous)
■ Confirms or dispels whether an incident occurred
■ Promotes accumulation of accurate information
■ Establishes controls for proper retrieval and handling of evidence
■ Protects privacy rights established by law and policy
■ Minimizes disruption to business and network operations
■ Allows for criminal or civil action against perpetrators
■ Provides accurate reports and useful recommendations
Who is involved in incident response?
Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually
require resources from several different operational units of an organization.
Human resources personnel, legal counsel, technical experts, security professionals, corporate
security officers, business managers, end users, help desk workers, and other employees
may find themselves involved in responding to a computer security incident.
o Most organizations establish a team of individuals, often referred to as a Computer
Security Incident Response Team (CSIRT), to respond to any computer security
incident.
The CSIRT is a multidisciplined team with the appropriate legal, technical, and
other expertise necessary to resolve an incident. Since the CSIRT members have
special expertise, and incident response is not required at all times, the
CSIRT is normally a dynamic team assembled when an organization
requires its capabilities.
14.A)EXPLAIN SOFTWARE FORENSICS TOOL AND ITS SERVICES.
Software forensics tools are grouped into command-line applications and GUI applications.
Examples: ProDiscover, X-Ways Forensics, Guidance Software EnCase, AccessData FTK.
Command-line forensics tools:
One advantage of using them in an investigation is that they require few system resources because they are designed to run in minimal
configurations.
Unix/Linux forensics tools:
The *nix platforms have long been the primary command-line OSs, but typically end users haven't
used them widely.
SMART:
SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora … SMART includes
several plug-in utilities.
Helix:
One of the easiest suites to use is Helix because of its user interface.
Backtrack
BackTrack is another Linux live CD used by many security professionals and forensics investigators.
Autopsy and Sleuth Kit
Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit's
tools.
Knoppix-STD
Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security
measures, including computer and network forensics.
14.b)EXPLAIN HARDWARE FORENSICS TOOLS AND ITS SERVICES.
ANSWER:
FORENSIC WORKSTATIONS:
Many computer vendors offer a wide range of forensic workstations that you can tailor to meet your
investigation needs.
Stationary workstation
A tower with several bays and many peripheral devices.
Portable workstation
A laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a
stationary workstation.
Lightweight workstation
Usually a laptop computer built into a carrying case with a small selection of peripheral
options.
Building your own workstation
Write-blocker
15.a)EXPLAIN THE VARIOUS DATA ACQUISITION METHODS IN DETAIL.
We distinguish between live system analysis and dead analysis.
Dead analysis is the more common way to acquire data.
A dead acquisition copies the data without the assistance of the suspect's
(operating) system.
A live acquisition copies the data using the suspect's (operating)
system.
Risk: During the data acquisition an attacker can modify data, or software can
produce tampered data.
The image has no evidence
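The live-versus-dead risk stated above, as an added example that is not part of the original notes. A constructed in-memory "disk" stands in for the suspect device: in dead mode its sectors are frozen, in live mode every read also records an entry in a log sector, standing in for the way a running operating system keeps writing while an investigator copies. Hashing the device before the copy, during the copy, and again afterwards shows whether the acquisition is self-consistent; the class, sector size and log layout are assumptions made for the demonstration.

```python
# Added example: pre/post hashing to detect an acquisition whose source changed
# underneath it. Not code from the notes or from any forensic product.
import hashlib

SECTOR = 4096


class SimulatedDisk:
    """Constructed device. With live=True, each sector read has the side effect
    of writing a log entry into the last sector (a running system changing
    state during acquisition). With live=False the contents never change."""

    def __init__(self, sectors, live):
        self.live = live
        self.data = bytearray(SECTOR * sectors)
        self.data[0:17] = b"CONSTRUCTED-LABEL"
        self.log_sector = sectors - 1
        self.events = 0

    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if self.live:
            entry = b"evt%04d;" % self.events          # 8-byte log entry
            off = SECTOR * self.log_sector + (8 * self.events) % 4088
            self.data[off:off + 8] = entry
            self.events += 1
        return bytes(self.data[SECTOR * n:SECTOR * (n + 1)])


def hash_device(disk):
    """Hash the device sector by sector, the way a verification pass would."""
    h = hashlib.sha256()
    for n in range(disk.sector_count()):
        h.update(disk.read_sector(n))
    return h.hexdigest()


def acquire(disk):
    """Sector-by-sector copy with a hash before, a hash of what was copied, and
    a hash after. On a dead acquisition all three agree; on a live one they
    drift apart, because the source keeps changing (even the hashing pass
    itself perturbs it, as reading a live system does)."""
    pre = hash_device(disk)
    h = hashlib.sha256()
    image = bytearray()
    for n in range(disk.sector_count()):
        s = disk.read_sector(n)
        h.update(s)
        image += s
    post = hash_device(disk)
    image_hash = h.hexdigest()
    return {
        "pre_hash": pre,
        "image_hash": image_hash,
        "post_hash": post,
        "consistent": pre == image_hash == post,
        "image": bytes(image),
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = acquire(SimulatedDisk(8, live=mode))
        print("live" if mode else "dead", "consistent:", r["consistent"])
```

A live image whose hashes disagree is not useless, but it cannot be presented as an exact copy of the device at one instant; the investigator has to document that it was taken from a running system and treat the volatile regions accordingly.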
Error Handling
Write Blockers :
Types of Blockers:
Hardware Write Blocker