
CYBER FORENSICS

INTERNAL TEST 1

INTERNAL ASSESSMENT- I (2 marks)


1.
Computer crime: Computer crime has been traditionally defined as any criminal act committed via computer.
Digital crime: Digital crime has been defined as any criminal act in which a computer is involved, even peripherally.

2. TYPES OF COMPUTER CRIME

• Hacking
• Phishing
• Computer Viruses
• Cyber Stalking
• Identity Theft
• Electronic Spamming

3.
Identity theft: The illegal use or transfer of a third party's personal identification information with unlawful intent.
Identity fraud: A vast array of illegal activities based on fraudulent use of identifying information of a real or fictitious person.

4. PHREAKING
Phreaking involves the manipulation of telecommunication carriers to gain
knowledge of telecommunications, and/or theft of applicable services. It is also known as
telecommunications fraud, and includes any activity that incorporates the illegal use or
manipulation of access codes, access tones, PBXs, or switches.
5. TASKS PERFORMED BY COMPUTER FORENSIC TOOLS
• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting
6. FILE ALLOCATION TABLE
The File Allocation Table is a file structure database that Microsoft originally designed for
floppy disks. FAT is used on file systems before Windows NT and 2000.
7. SOFTWARE FORENSIC TOOLS
• SMART
• Helix
• BackTrack
• Autopsy and Sleuth Kit
• Knoppix-STD

8. WRITE BLOCKERS
A write-blocker prevents data writes to a hard disk. It comes in two variants:
• Software-enabled blockers
• Hardware options

Software write blockers are OS dependent. Example: PDBlock from Digital Intelligence.
Hardware options are ideal for GUI forensic tools. They act as a bridge between the suspect
drive and the forensic workstation.
9. DIFFERENT TYPES OF DATA ACQUISITION METHODS
• STATIC ACQUISITION
• LIVE ACQUISITION

10. DIGITAL FORENSIC INVESTIGATION

Digital forensic investigation is a branch of forensic science encompassing the
recovery and investigation of material found in digital devices, often in relation to computer
crime.
PART – B
12a) Explain the following
(i) Need for computer forensics
o To produce evidence in the court that can lead to the punishment of the actual
o To ensure the integrity of the computer system
o To focus on the high-tech offenses started to intertwine
(ii) Various ways in which identity theft can occur
o Dumpster Diving
o Stealing Personal Items
o Credit/Debit Card Theft
o Man-in-the-Middle Attack
o Pretexting
o Phishing
o Pharming
(iii) KEYLOGGER
o A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a
hardware device or small program that monitors each keystroke a user types on a
specific computer's keyboard.
o As a hardware device, a keylogger is a small battery-sized plug that serves as a
connector between the user's keyboard and computer.
o Because the device resembles an ordinary keyboard plug, it is relatively easy for
someone who wants to monitor a user's behavior to physically hide such a device "in plain
sight." (It also helps that most workstation keyboards plug into the back of the computer.)
o As the user types, the device collects each keystroke and saves it as text in its own
miniature hard drive.
o At a later point in time, the person who installed the keylogger must return and physically
remove the device in order to access the information the device has gathered.
(iv) DDoS: A distributed denial-of-service (DDoS) attack is one in which a multitude of
compromised systems attack a single target, thereby causing denial of service for users of the
targeted system.
o The flood of incoming messages to the target system essentially forces it to shut down,
thereby denying service to legitimate users of the system.
o There are two types of DDoS attacks: a network-centric attack, which overloads a service by
using up bandwidth, and an application-layer attack, which overloads a service or database
with application calls.
12b) Procedures for corporate high-tech investigations:
Employee termination cases
o These involve employee abuse of corporate assets.
o Incidents that create a hostile work environment, such as viewing pornography in the
workplace.
Internet abuse investigations
o Use the standard forensic analysis techniques.
o Using tools such as DataLifter, extract all web page URL information.
o Contact the network firewall administrator and request a proxy server log.
o Compare the data recovered from forensic analysis to the proxy server log data to confirm that
they match.
Email abuse investigations:
o For computer-based email data files, use the standard forensic analysis techniques
and procedures.
o For server-based email data files, the email server administrator
o For web-based email data files, use tools to extract all related email address
information.
o Examine the header data of all messages.
Attorney-client privilege investigations
o Request a memorandum of direction from the attorney
o Request a list of keywords
Media leak investigations:
o Extract internet message boards
o Examine the proxy server log
o Examine known suspect workstations
Industrial espionage investigations
o Determine whether the investigation involves a possible industrial espionage
incident
o Consult with corporate attorneys
o Determine what information is needed
Interviews and interrogations in high-tech investigations
o Interrogation is the process of trying to get a suspect to confess to a specific incident
o Interrogation is different from an interview
13)a) List the steps for a systematic approach for the preparation of computer investigations.
• The number of suggested and proposed investigation models is not small; as such, it would be
quite a daunting exercise to review them all.
• We have indeed selected the models to be reviewed based on chronological order, ensuring
at least one proposed model per year.
• We are not suggesting that the selected models are better or superior to the other models
that were also introduced in the same year.
Our objective is to identify and extract the phases in the investigation models rather than
selecting which model is the best.
Computer Forensic Investigative Process (1984)
Pollitt [2][3] has proposed a methodology for dealing with digital evidence investigation so that
the results will be scientifically reliable and legally acceptable. It comprises 4 distinct phases.

Figure 1: Computer Forensic Investigative Process (phases shown: Acquisition, Identification, Evaluation)

Acquisition phase:
In the Acquisition phase, evidence is acquired in an acceptable manner with proper approval from
the authority.
Identification phase:
It is followed by the Identification phase, whereby the tasks are to identify the digital components
from the acquired evidence and convert them to a format understood by humans.
Evaluation phase:
The Evaluation phase comprises the task of determining whether the components identified in the
previous phase are indeed relevant to the case being investigated and can be
considered as legitimate evidence.
Admission phase:
In the final phase, Admission, the acquired and extracted evidence is presented in the court of law.
Generic Computer Forensic Investigation Model (GCFIM)
Phase 1
• Phase 1 of GCFIM is known as Pre-Process.
• The tasks performed in this phase relate to all of the work that needs to be done prior to the
actual investigation and official collection of data.
• Among the tasks to be performed are getting the necessary approval from the relevant
authority, preparing and setting up the tools to be used, etc.
Phase 2
Phase 2 is known as Acquisition & Preservation. Tasks performed under this phase relate to the
identifying, acquiring, collecting, transporting, storing and preserving of data. In general, this phase
is where all relevant data are captured, stored and made available for the next phase.
Phase 3
Phase 3 is known as Analysis. This is the main phase and the centre of the computer forensic
investigation processes. It has the most phases in its group, thus reflecting that the focus of most
models reviewed is indeed on the analysis phase. Various types of analysis are performed on the
acquired data to identify the source of the crime and ultimately discover the person responsible for
the crime.
Phase 4
Phase 4 is known as Presentation. The findings from the analysis phase are documented and
presented to the authority.
Obviously, this phase is crucial as the case must not only be presented in a manner well understood
by the party presented to, it must also be supported with adequate and acceptable evidence.
The main output of this phase is either to prove or refute the alleged criminal acts.
Phase 5
Phase 5 is known as Post-Process. This phase relates to the proper closing of the investigation
exercise. Digital and physical evidence need to be properly returned to the rightful owner and kept
in a safe place, if necessary.

Forensic Duplications
• A forensic duplication means to make a complete, byte-by-byte copy of the contents of a
storage device.

• The goal is to transfer all data from the suspect system to the forensic copy without altering
the suspect system in any way. Special devices that block write operations to the suspect
system are used.

13)a)(ii) Give an overview of computer policy violations with examples.

• Law enforcement officers often find computers and computer components as they are
investigating crimes, gathering other evidence, or making arrests.
• Computers can contain information that helps law enforcement officers determine the
chain of events leading to the crime, or information providing evidence that is more likely to lead
to a conviction.
• For example, in a case in which computers were involved in a crime, the police raided a drug
dealer's home and found a computer, several floppy disks and USB drives, a PDA, and a cellphone
in a bedroom.

EXAMPLE:
• Companies often establish policies for employee use of computers. Employees surfing the
internet, sending personal e-mail, or using company computers for personal tasks during
work hours can waste company time.
• Because lost time can cost companies millions of dollars, the following example describes a
company policy violation.
• Manager Steve Billings has been receiving complaints from customers about the job
performance of one of his sales representatives, George Montgomery. George has worked as
a representative for several years. He has been absent from work for 2 days but has not called
in sick or told anyone why he would not be at work. Another employee, Martha, is also
missing and has not informed anyone of the reason for her absence. Steve asks the IT
department to confiscate George's hard drive and all storage media in his work area.
• He wants to know whether there is any information on George's computer and storage media
that might offer a clue to George's whereabouts and job performance concerns.
• To help determine George's and Martha's whereabouts, you must take a systematic
approach, described in the following sections, to examining and analyzing the data found on
George's desk.

13)b) Explain in detail the procedure of incident and incident response methodology.
• We're always on a quest for the perfect way to organize a process.
• Since the incident response process can involve so many variables and factors that affect its
flow, it is quite a challenge to create a simple picture of the process while maintaining a useful
level of accuracy.
• However, we feel that we have developed an incident response process that is both simple and
accurate.
• Computer security incidents are often complex, multifaceted problems.
▼ Pre-incident preparation: Take actions to prepare the organization and the CSIRT before an
incident occurs.
■ Detection of incidents: Identify a potential computer security incident.
■ Initial response: Perform an initial investigation, recording the basic details
surrounding the incident, assembling the incident response team, and
notifying the individuals who need to know about the incident.
■ Formulate response strategy: Based on the results of all the known facts,
determine the best response and obtain management approval. Determine
what civil, criminal, administrative, or other actions are appropriate to take,
based on the conclusions drawn from the investigation.
■ Investigate the incident: Perform a thorough collection of data. Review the
data collected to determine what happened, when it happened, who did it,
and how it can be prevented in the future.
■ Reporting: Accurately report information about the investigation in a manner
useful to decision makers.

GOALS OF INCIDENT RESPONSE
In our incident response methodology, we emphasize the goals of corporate security
professionals with legitimate business concerns, but we also take into consideration the
concerns of law enforcement officials. Thus, we developed a methodology that promotes a
coordinated, cohesive response and achieves the following:
▼ Prevents a disjointed, noncohesive response (which could be disastrous)
■ Confirms or dispels whether an incident occurred
■ Promotes accumulation of accurate information
■ Establishes controls for proper retrieval and handling of evidence
■ Protects privacy rights established by law and policy
■ Minimizes disruption to business and network operations
■ Allows for criminal or civil action against perpetrators
■ Provides accurate reports and useful recommendations
Who is involved in the incident response?
• Incident response is a multifaceted discipline. It demands a myriad of capabilities that
usually require resources from several different operational units of an organization.
• Human resources personnel, legal counsel, technical experts, security professionals,
corporate security officers, business managers, end users, help desk workers, and other
employees may find themselves involved in responding to a computer security incident.
o Most organizations establish a team of individuals, often referred to as a Computer
Security Incident Response Team (CSIRT), to respond to any computer security
incident.
The CSIRT is a multidisciplined team with the appropriate legal, technical, and
other expertise necessary to resolve an incident. Since the CSIRT members have
special expertise, and incident response is not required at all times, the
CSIRT is normally a dynamic team assembled when an organization
requires its capabilities.
14.A) EXPLAIN SOFTWARE FORENSICS TOOLS AND THEIR SERVICES.
Software forensics tools are grouped into command-line applications and GUI applications.
Examples: ProDiscover, X-Ways Forensics, Guidance Software EnCase, AccessData FTK.
Command-line forensics tools:
Their advantage for an investigation is that they require few system resources because they are
designed to run in minimal configurations.
Unix/Linux forensics tools:
The *nix platforms have long been the primary command-line OSs, but typically end users haven't
used them widely.
SMART:
SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora … SMART
includes several plug-in utilities.
Helix:
One of the easiest suites to use is Helix because of its user interface.
BackTrack:
BackTrack is another Linux live CD used by many security professionals and forensics investigators.
Autopsy and Sleuth Kit:
Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth
Kit's tools.
Knoppix-STD:
Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security
measures, including computer and network forensics.
14.b) EXPLAIN HARDWARE FORENSICS TOOLS AND THEIR SERVICES.
ANSWER:
FORENSIC WORKSTATIONS:
Many computer vendors offer a wide range of forensic workstations that you can tailor to meet your
investigation needs.
• Stationary workstation
A tower with several bays and many peripheral devices.
• Portable workstation
A laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a
stationary workstation.
• Lightweight workstation
Usually a laptop computer built into a carrying case with a small selection of peripheral
options.
Building your own workstation
Write-blocker
15.a) EXPLAIN THE VARIOUS DATA ACQUISITION METHODS IN DETAIL.
We distinguish between live system analysis and dead analysis. Dead analysis is the more common
way to acquire data.

• Data acquisition is one of the most important phases during a forensic investigation:
  Data that is not collected may be lost and not recognised as evidence!
  Data that is not properly collected has reduced expressiveness.
• During data acquisition an exact (typically bitwise) copy of the storage media is created.

Dead versus Live Acquisition

• A dead acquisition copies the data without the assistance of the suspect's (operating) system.
• A live acquisition copies the data using the suspect's (operating) system.

Risk: During the data acquisition an attacker can modify data, or software can produce tampered
data. The image then carries no evidence.
Error Handling

An acquisition tool MUST be able to handle read errors.

Sample error sources:
• A physical problem where the storage drive no longer works
• A limited number of HDD blocks are damaged

General behaviour to handle errors:
• Log the addresses of damaged sectors
• Write 0s for data that cannot be read
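As an added illustration (not part of the original notes), the following Python routine implements the acquisition behaviour described above: a sector-by-sector bitwise copy that logs the address of every damaged sector, zero-fills the unreadable data so later sectors keep their offsets, and hashes the image for the validation step. The drive is a constructed in-memory stand-in and all names (make_drive, acquire, verify) are assumptions.

```python
import hashlib
import logging

SECTOR_SIZE = 512


class ReadError(IOError):
    """Raised by the simulated drive when a sector cannot be read."""


def make_drive(content: bytes, bad_sectors):
    """Constructed stand-in for a suspect drive behind a write blocker:
    only a read function is exposed (no write path exists), and any LBA
    listed in bad_sectors fails the way a damaged HDD block would."""
    def read_sector(lba: int) -> bytes:
        if lba in bad_sectors:
            raise ReadError(f"unrecoverable read error at LBA {lba}")
        return content[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
    return read_sector


def acquire(read_sector, total_sectors: int):
    """Dead acquisition, sector by sector. A damaged sector is logged by
    address and replaced with zeros so every later sector keeps its
    original offset in the image. Returns (image, damaged_lbas, sha256)."""
    image = bytearray()
    damaged = []
    for lba in range(total_sectors):
        try:
            image += read_sector(lba)
        except ReadError as err:
            logging.warning("LBA %d: %s; zero-filled", lba, err)
            damaged.append(lba)
            image += b"\x00" * SECTOR_SIZE
    return bytes(image), damaged, hashlib.sha256(image).hexdigest()


def verify(image: bytes, expected_sha256: str) -> bool:
    """Validation step: the image is re-hashed and compared with the digest
    recorded at acquisition time; any change to the image breaks the match."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


if __name__ == "__main__":
    # Constructed 4-sector (2048-byte) drive content with LBA 2 damaged.
    source = bytes(range(256)) * 8
    img, bad, digest = acquire(make_drive(source, {2}), 4)
    print(len(img), bad, verify(img, digest))  # 2048 [2] True
```

The list of damaged LBAs belongs in the acquisition report alongside the hash, since a zero-filled sector is an artifact of the tool and not data that was on the drive.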

Write Blockers:

• Allow acquisition of data from a storage device without changing the drive's contents.
• Write commands are blocked.
• Only read commands are allowed to pass the write blocker.
• Types of blockers:
  Hardware write blocker
  Software write blocker
