CYBER FORENSICS

INTERNAL TEST III

INTERNAL ASSESSMENT- III (2 marks)

1.Mention the two main transformation types that form the basics of IPSec?

There are two main transformation types that form the basics of IPsec, 1. The Authentication Header
(AH) and 2. The Encapsulating Security Payload (ESP). o Both AH and ESP are two protocols that provide
connectionless integrity, data origin authentication, confidentiality and an anti-replay service. o These
protocols may be applied alone or in combination to provide a desired set of security services for the IP
layer. They are configured in a data structure called a Security Association (SA).

2.What is TLS protocol?

 In TLS, the major version is 3 and the minor version is 1.

 TLS makes use of the same algorithm.
 TLS supports all of the alert codes defined in SSL3 with the exception of no _ certificate.

3.Define CRL?

 The Certificate Revocation List that contains information about certificates whose validity the
issuer has prematurely revoked.
 The information consists of an issuer name, the time of issue, the next scheduled time of issue,
a list of certificate serial numbers and their associated revocation times, and extensions. The
CRL is signed by the issuer.

4.Define firewall?

 A firewall is a device or group of devices that controls access between networks. 11

 A firewall generally consists of filters and gateway(s), varying from firewall to firewall.
 It is a security gateway that controls access between the public Internet and an intranet (a
private internal network) and is a secure computer system placed between a trusted network
and an untrusted internet.

5.Mention some problem associated with Computer Forensics Evidence?

 Computer data changes moment by moment.

 Computer data is invisible to the human eye; it can only be viewed indirectly after appropriate
procedures.
 The process of collecting computer data may change it—in significant ways.
  The processes of opening a file or printing it out are not always neutral.
 Computer and telecommunications technologies are always changing so that forensic processes
can seldom be fixed for very long.

6.List some digital forensics Tools?

 DriveSpy and Image

 FTK
 X-Ways Forensics

7.Write down the two modes of Windows 9X OSS?

 DOS protected-mode interface (DPMI)

 Protected-mode GUI

8.What is meant by acquisition and list out its functions?

Acquisition means making a copy of the original drive.

Acquisition sub functions are,

 Physical data copy

 Logical data copy
 Data acquisition format
 Command-line acquisition
 GUI acquisition
 Remote acquisition
 Verification

9.Define OOV?

The order of volatility means how long a piece of information lasts on a system. Data such as RAM and
running processes might exist for only milliseconds; other data such as files stored on the hard drive
might last for years.

10.List out some Knoppix –STD tools?

 Dcfldd, the U.S. DoD dd version

 memfetch forces a memory dump
 photorec grabs files from a digital camera
 snort, an intrusion detection system
 inkmaster helps manage your snort rules
 john
 chntpw resets passwords on a Windows PC
  tcpdump and ethereal are packet sniffers

11ai. Explain the Framework for SA management and cryptographic key establishment

for the Internet.

 When a Security Association Payload is created, the transmitting entity (initiator) must determine
the Domain of Interpretation (DOI)
 When a Security Association payload is received, the receiving entity (responder) must determine
if the DOI is supported, determine if the given situation can be protected, and process the
remaining payloads (Proposal, Transform) of the SA payload.
 If the SA Proposal is not accepted, then the Invalid Proposal event may be logged in the
appropriate system audit file.
 An Information Exchange with a Notification payload containing the No-Proposal-Chosen
message type may be sent to the transmitting entity (initiator). This action is dictated by a system
security policy.

11aii. Explain different places of Authentication header in transport mode and tunnel

mode of transmission

II-IP Authentication Header

 The IP AH is used to provide data integrity and authentication for IP packets.

 It also provides protection against replays.
 The AH provides authentication for the IP header, as well as for upper-level protocol (TCP, UDP)
data.

The ESP provides a confidentiality service.

The primary difference between the authentication provided by ESP and AH is the extent of the
coverage.
ESP does not protect any IP header fields unless these fields are encapsulated by ESP (tunnel mode). The
current key management options required for both AH and ESP are manual keying and automated keying
via IKE..

AH Format
The IPsec AH format is shown in Figure.
 Figure 7.4 IPsec AH format.

The following six fields comprise the AH format:

• Next header (8 bits): This field identifies the type of the next payload after the AH. The value of this
field is chosen from the set of IP numbers defined in the Internet Assigned Number Authority
(IANA).

• Payload length (8 bits): This field specifies the length of the AH in 32-bit words, minus 2. The default
length of the authentication data field is 96 bits, or three 32-bit words. With a three-word fixed header,
there are a total of six words in the header, and the payload length field has a value of 4.
• Reserved (16 bits): This field is reserved for future use. It must be set to ‘zero’.
• SPI (32 bits): This field uniquely identifies the SA for this datagram, in combination with the
destination IP address and security protocol (AH).

• Sequence number (32 bits): This field contains the monotonically increasing counter value which
provides an anti-replay function.
• Authentication data (variable): This field is a variable-length field that contains the Integrity Check
Value (ICV) or MAC for this packet.
• AH Location
Either AH or ESP is employed in two ways: transport mode or tunnel mode. The transport mode is
applicable only to host implementations and provides protection for upper-layer protocols. In the transport
mode, AH is inserted after the IP header and before an upper-layer protocol (TCP, UDP or ICMP), or
before any other IPsec header that may have already been inserted.

Tunnel mode AH can be employed in either hosts or security gateways. When AH is implemented in a
security gateway to protect transit traffic, tunnel mode must be used. In tunnel mode, the inner IP header
carries the ultimate source and destination addresses, while an outer IP header may contain different IP
addresses (i.e. addresses of firewalls or other security gateways).

In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header. The position
of AH in tunnel mode, relative to the outer IP header, is the same as for AH in transport mode.

11.bi)Describe how series of message is exchanged between client and server by handshake
protocol
 SSL Handshake Protocol
The SSL Handshake Protocol being operated on top of the SSL Record Layer is the most important part
of SSL.
This protocol provides three services for SSL connections between the server and client.
The Handshake Protocol allows the client/server to agree on a protocol version, to authenticate each other
by forming an MAC, and to negotiate an encryption algorithm and cryptographic keys for protecting data
sent in an SSL record before the application protocol transmits or receives its first byte of data.
The Handshake Protocol consists of a series of messages exchanged by the client and server.
Phase 1: Hello Messages for Logical Connection

Hello messages
• Hello request
• Client hello:
– Client version:
– Random:
– Session ID :
– Cipher suites:
– Compression method :

Asterisks (*) are optional or situation-dependent messages that are not always
sent
 Figure 8.5 SSL Handshake Protocol.

• Server hello

– Server version:
– Random:.
– Session ID :
– Cipher suite:
– Compression method :

Phase 2: Server Authentication and Key Exchange

• Server certificate
• Server key exchange message:

– params:
– signed-params

md5-hash : MD5(ClientHello.random||ServerHello.random||serverParams) sha-hash :

SHA(ClientHello.random||ServerHello.random||serverParams) enum {anonymous, rsa, dsa}
SignatureAlgorithm;
• Certificate request message:
enum{
rsa_sign(1), des_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
rsa_ephemeral_dh(5), dss_ephemeral_dh(6), fortezza_dms(20), (255)
} ClientCertificateType;
opaque DistinguishedName<1..216-1>; struct {
ClientCertificateType certificate_types<1..28-1>; DistinguishedName
certificate_authorities<3..216-1>
} CertificateRequest;

– certificate types
• Server hello done message:

Phase 3: Client Authentication and Key Exchange

• Client certificate message:

• Client key exchange message:
• Certificate verify message:
struct{
Signature signature; } CertificateVerify;
CertificateVerify.signature.md5_hash MD5(master_secret||pad2||MD5(handshake-message||
master_secret||pad1))
Certificate.signature.sha_hash
SHA(master_secret||pad2||SHA(handshake-message|| master_secret||pad1))
 Phase 4: End of Secure Connection
• Change cipher spec messages:
• Finished message:
MD5(master_secret||pad2||MD5(handshake_messages||Sender||
master_secret||pad1))
SHA(master_secret||pad2||SHA(handshake_messages||Sender||
master_secret||pad1))

12 ai)Explain about the enhanced security services of S/MIME

Enhanced Security Services for S/MIME

The security services described in this section are extensions to S/MIME version 3. Some
of the features of each service use the concept of a triple wrapped message. A triple wrapped
message is one that has been signed, then encrypted and then signed again. The signers of the
inner and outer signatures may be different entities or the same entity. The S/MIME specification
does not limit the number of nested encapsulations, so there may be more than three wrappings.

9.2.3.1 Triple Wrapped Message

The steps to create a triple wrapped message are as follows:
1. Start with the original content (a message body).
2. Encapsulate the original content with the appropriate MIME content-type headers.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The resulting
message is called the inside signature.
– If it is signed using multipart/signed, the MIME construct added consists of a content type
of multipart/signed with parameters, the boundary, the step 2 result, a content type of
application/pkcs7-signature, optional MIME headers, and a body part that is the result of
step 3.
– If it is instead signed using application/pkcs7-mime, the MIME construct added consists of
a content type of application/pkcs7-mime with parameters, optional MIME headers and
the result of step 3.
5. Encrypt the step 4 result as a single block, turning it into an application/pkcs7-mime object.
6. Add the appropriate MIME headers: a content type of application/pkcs7-mime with
parameters, and optional MIME headers such as Content-Transfer-Encoding and Content-
Disposition.
7. Sign the step 6 result (the MIME headers and the encrypted body) as a single block.
8. Using the same logic as in step 4, add an appropriate MIME construct to the signed message
from step 7. The resulting message is called the outside signature, and is also the triple
 wrapped message.

9.2.3.2 Security Services with Triple Wrapping

This subsection briefly describes the relationship of each service with triple wrapping. If
a signed receipt is requested for a triple wrapped message, the receipt request must be in the
inside signature, not in the outside signature. A secure mailing list agent may change the receipt
policy in the outside signature of a triple wrapped message when the message is processed by the
mailing list.
A security label is included in the signed attributes of any SignedData object. A security
label attribute may be included in either the inner signature or the outer signature, or both.
The inner security label is used for access control decisions related to the original
plaintext content. The inner signature provides authentication and cryptographically pro-tects the
integrity of the original signer’s security label that is in the inside body. The confidentiality
security service can be applied to the inner security label by encrypting the entire inner
SignedData block within an EnvelopedData block. The outer security label is used for access
control and routing decisions related to the encrypted message.

9.2.3.3 Signed Receipts

Returning a signed receipt provides to the originator proof of delivery of a message, and
allows the originator to demonstrate to a third party that the recipient was able to
verify the signature of the original message. This receipt is bound to the original message
through the signature. Consequently, this service may be requested only if a message is signed.
The receipt sender may optionally also encrypt a receipt to provide confidentiality between the
sender and recipient of the receipt.
The interaction steps in a typical transaction are:
1. Sender creates a signed message including a receipt request attribute.
2. Sender transmits the resulting message to the recipient(s).
3. Recipient receives message and determines if there are a valid signature and receipt request
in the message.
4. Recipient creates a signed receipt.
5. Recipient transmits the resulting signed receipt message to the sender.
6. Sender receives the message and validates that it contains a signed receipt for the original
message.

9.2.3.4 Receipt Request Creation

Multilayer S/MIME messages may contain multiple SignedData layers. Receipts are
requested only for the innermost SignedData layer in a multilayer S/MIME message such as a
triple wrapped message. Only one receipt request attribute can be included in the
signedAttributes of SignerInfo.

12bi)Explain in detail about dual signature and signature verification in SET

11.4 Dual Signature and Signature Verification
SET introduced a new concept of digital signature called dual signatures. A dual
signature is generated by creating the message digest of two messages: order digest and payment
digest. Referring to Figure 11.2, the customer takes the hash codes (message digests) of both the
order message and payment message by using the SHA-1 algorithm.

Figure 11.2 Dual signature and order/payment message authentication.

These two hashes, ho and hp , are then concatenated and the hash code h of the result is
taken. Finally, the customer encrypts (via RSA) the final hash code with his or her private key,
Ksc, creating the dual signature. Computation of the dual signature (DS) is shown as follows:
DS = EKsc (h)
where h = H(H(OM)||H(PM))
= H(ho ||hp )
EKsc (= dc) is the customer’s private signature key.

Example 11.1 Computation of dual signature:

Assume that the order message (OM) and the payment message (PM) are given, respec-tively,
as follows:
OM = 315a46e51283f7c647
PM = 1325f47568
Since SHA-1 sequentially processes blocks of 512 bits, i.e. 16 32-bit words, the message padding
must attach to the message block to ensure that a final padded message becomes a multiple of
512 bits. The 160-bit message digest can be computed from hashing the 512-bit padded message
by the use of SHA-1. The padded OM and PM messages are, respectively,
Padded OM (512 bits):
315a46e5 1283f7c6 47 8 00000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 000000 48

Padded PM (512 bits):

1325f475 68 8 00000 00000000 00000000
00000000 00000000 00000000 00000000
 00000000 00000000 00000000 00000000
00000000 00000000 00000000 000000 28
Referring to Figure 11.3, H(OM) = ho and H(PM) = hp each are obtained as follows:
h
o: c4511d95 4556f627 fa491c85 a5a8cf0c 6af4f62c (160 bits)
h
p:6e94de9c ab3cb005 35d792ca 05aac971 76a17d65 (160 bits)
Concatenating these two hash codes and appending pads yields ( ho ||hp ):
c4511d95 4556f627 fa491c85 a5a8cf0c
6af4f62c 6e94de9c ab3cb005 35d792ca
05aac971 76a17d65 8 0000000 00000000
00000000 00000000 00000000 00000 140
Taking the hash (SHA-1) of this concatenated message digests results in:
H(ho||hp ) = h
= ee3e 9a3d ba2d da59 c663 1a58 1c7c dd9e 1bec 3e99 (hexadecimal)

Customer
Order message Payment message
order message: 31 5a 46 e5 12 83 f7 c6 47 payment message: 13 25 f4 75 68

OM PM

H SHA-1 H SHA-1 H SHA-1 H SHA-1

| |
||
ho hp ||
H
Result Result H
C4511D95 4556f627 6E94DE9C AB3CB005
Merchant FA491C85 A5A8CF0C 35D792CA 05AAC971 Bank
6AF4F62C H 76A17D65
1360134486714001519823723727533031546268859252377 h 1360134486714001519823723727533031546268859252377

K K K
D pc E sc D pc
DS

INTEGER:
3044018001682013330813613420039503951740
0977022706040082090003630103

HEX : EE3E8A2D BA29DA59 C6631A58 1C7CDD9E 1BEC3E99

INTEGER : 1360134486714001519823723727533031546268859252377

Figure 11.3 Computational analysis for the dual signature relating to Example 11.1.

Transforming this resulting hash into decimal numbers yields:

H(ho ||hp ) = 1360134484714001519823723727533031546268859285377 (decimal)
The concatenated two hashes become the input to the SHA-1 hash function. Thus, the
resulting hash code h is RSA-encrypted with the customer’s private key Ksc = dc in order to
obtain the dual signature.
To generate the public and private keys, choose two random primes, p and q, and
compute the product n = pq. For a short example demonstration, choose p = 47 and q = 73; then
n = 3431 and φ(n) = (p − 1)(q − 1) = 3312. If the merchant has the customer’s public key ec = Kpc
= 79 that is taken from the customer’s certificate, then the customer’s private key dc is computed
using the extended Euclidean algorithm such that:
dc ≡ ec−1(mod φ(n))
≡ 79−1(mod 3312) ≡ 2767
In the digital signature process, the roles of the public and private keys are reversed,
where the private key is used to encrypt (sign) and the public key is used to decrypt for
verification of the signature.
To encrypt the final hash value h with dc, first divide h into numerical blocks hi and encrypt
block after block such that:
d
DS = h ic (modn)
This is the dual-signature formula. Now, the dual signature represented in RSA-encrypted
decimals can be computed as:
DS = 3044 0180 0168 2013 3308 1361 3420 0395 0395
1740 0977 0227 0604 0082 0900 0363 0103

12bii)Explain in detail about the firewall design

10.4 Firewall Designs
This section concerns how to implement a firewall strategy. The primary step in
designing a secure firewall is obviously to prevent the firewall devices from being compromised
by threats. To provide a certain level of security, the three basic firewall designs are considered:
a single-homed bastion host, a dual-homed bastion host and a screened subnet firewall. The first
two options are for creating a screened host firewall, and the third option contains an additional
packet-filtering router to achieve another level of security.
.
10.4.1 Screened Host Firewall (Single-Homed Bastion Host)
The first type of firewall is a screened host which uses a single-homed bastion host plus a
packet-filtering router, as shown in Figure 10.4. Single-homed bastion hosts can be configured as
either circuit-level or application-level gateways. When using either of these two gateways, each
of which is called a proxy server, the bastion host can hide the configuration of the internal
network.
NAT is essentially needed for developing an address scheme internally. It is a critical
component of any firewall strategy. It translates the internal IP addresses to IANA-registered
addresses to access the Internet. Hence, using NAT allows network admin-istrators to use any
internal IP address scheme.
The screened host firewall is designed such that all incoming and outgoing information is
passed through the bastion host.
10.4.2 Screened Host Firewall (Dual-Homed Bastion Host)
The configuration of the screened host firewall using a dual-homed bastion host adds
significant security, compared with a single-homed bastion host. As shown in Figure 10.5, a
dual-homed bastion host has two network interfaces. This firewall implementation is secure due
to the fact that it creates a complete break between the internal network and
Bastion host
 Internet

Packet - filtering
Server
router (Web and FTP) Internal network
host
Figure 10.4 Screened host firewall system (single-homed bastion host).

Bastion host

Internet

Packet - filtering Internal network

router hosts

Server (Web and FTP)

Figure 10.5 Screened host firewall system (dual-homed bastion host).

the external Internet. As with the single-homed bastion, all external traffic is forwarded directly
to the bastion host for processing. However, a hacker may try to subvert the bastion host and the
router to bypass the firewall mechanisms. Even if a hacker could defeat either the screening
router or the dual-homed bastion host, the hacker would still have to penetrate the other.
Nevertheless, a dual-homed bastion host removes even this possibility. It is also possible to
implement NAT for dual-homed bastion hosts.

10.4.3 Screened Subnet Firewall

The third implementation of a firewall is the screened subnet, which is also known as a
DMZ. This firewall is the most secure one among the three implementations, simply because it
uses a bastion host to support both circuit and application-level gateways. As shown in Figure
10.6, all publicly accessible devices, including modem and server, are

Bastion host

Internet

Packet - filtering Packet-filtering Internal

router (External) router (Internal) network

Server Modem
(Web and FTP)
De - militarised zone

Figure 10.6 Screened subnet firewall system.

13ai)Explain various types of CF techniques
3.1 Modern Forensic Science Technologies
1. Laser Ablation Inductively Coupled Plasma Mass Spectrometry (LA-ICP-MS)

2. Alternative Light Photography

3. High-Speed Ballistics Photography

4. Video Spectral Comparator 2000

5. Digital Surveillance For Xbox (XFT Device) :

6.3D Forensic Facial Reconstruction :

7.DNA Sequencer

8. Forensic Carbon-14 Dating

9.Magnetic Fingerprinting and Automated Fingerprint Identification (AFIS)

10. Link Analysis Software for Forensic Accountants :

13aii)Describe in detail about identity theft and identity fraud

2.1 Identity Fraud

A typology of ID change

Identity fraud can roughly be described as the unlawful changing of someone’s iden- tity.
Rost, Meints, and Hansen [Le06:52-55, RoMe05] distinguish four closely related
subcategories of identity change:
 identity takeover, when someone takes over the identity of another person with- out that
person’s consent;
 identity delegation, when someone uses someone else’s identity with that per- son’s
consent;
 identity exchange, when two or more people, with mutual consent, use each other’s
identity;
 identity creation, when someone creates the identity of a non-existing person.
A comparison with computer-related crime may be instructive here. Although computer fraud
can be conceived of as simply another means to commit fraud, it has been considered a category
in its own right since the 1980s, when computers started fundamentally changing the way in
which society functions. As a result, from the OECD’s 1986 report Computer-related Crime to
art. 8 of the 2001 Convention on Cybercrime, computer-related fraud has featured prominently
in instruments to combat computer crime. This is not primar- ily because forms of computer
 fraud were not punishable under traditional criminal provisions such as fraud or forgery, al-
though there certainly were some legislative gaps. Rather, specific attention and crimi-
nalisation were warranted because combat- ing computer fraud requires special knowl- edge of
computers. Investigation and prose- cuting computer fraud implies that the police and judiciary
know how to investi- gate and judge the technical odds and ends of computers and computer
data. Moreover, successfully combating computer fraud is not only a matter of prosecution, but
also – and perhaps even more – a matter of pre- vention. For this, awareness must be raised,
since computers create specific vulnerabili- ties that organisations and individuals tend to
disregard through ignorance.

2.2 Identity Theft

Having focused on identity fraud as a useful target of research, we have still the preva- lent
term of ‘identity theft’ to consider. What is usually meant by this term is the subcategory of
unlawful identity takeover from the broader category of identity fraud.
‘Identity theft’ is a rather awkward term, since identity is not something that is typi- cally
stolen. A characteristic of theft, after all, is that the owner no longer possesses the stolen
thing. With identity, this is usually not the case: the victim of identity takeover still retains
her identity. We should therefore speak of ‘identity „theft”’ rather than of ‘identity theft’.
Another reason to be hesi- tant in using this term broadly, is that it invites overlooking the
other forms of identity fraud. The consequences for third parties of identity takeover with
consent (as in unlawful identity delegation or exchange) may be equally serious as those of
identity takeover without consent (as in identity ‘theft’). Policy-making and action plans
should therefore not be confined to uncon- sensual identity takeover.
Having said this, we admit that identity ‘theft’ is a major issue and probably the most
important subset of identity fraud and identity-related crime at large. Giving a definition is,
however, not straightforward. The definitions in section 1 focus on the assumption or use of
the identity of another existing person. As in our discussion of identity fraud, it is
questionable whether this strikes the right note. By focusing only on the element of another’s
identity, it is implied that the crime is targeted at the person whose identity is taken.
Mitchison’s description explicitly calls this person ‘the victim’ of the crime. However, from
the perspective of the perpetrator, the target is not so much the identity bearer as the per-
son or institution who is fooled by the false identity. The latter may equally truly be called a
victim of the crime. Again, it seems a matter of focusing on the preparatory act of assuming a
false identity as such versus focusing on committing a crime by using a false identity. The
former has, almost by definition, the identity bearer as victim. In the latter approach, the
victim of the crime is the one who bears the loss; depending on the allocation of liabilities in
the legal sys- tem, this may be the shop or institution who provides goods or services to the
wrong person, the bank accepting the means of payment, and/or the person in whose name the
transaction is being done and who may be blacklisted as a result. This is context- dependent.
Since identity ‘theft’ is not primarily tar- geted at the person whose identity is used, and
 since the question who is the victim of the crime depends on the context of the modus
operandi and the legal distribution of liabilities, we propose to stress the ‘target crime’ –
usually fraud, and occasionally other crimes such as slander or extortion – rather than the
subsidiary element of using another’s identity. The latter element is nevertheless relevant,
from the perspective of awareness and the grave consequences for identity bearers if they
are victims. This leads to the following definition.
Identity ‘theft’ is fraud or another unlaw- ful activity where the identity of an ex- isting
person is used as a target or prin- cipal tool without that person’s consent.

13 bii) Explain about Access Data FTK imager in detail

Forensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard
drive looking for various information. It can for example locate deleted emails[2] and scan a disk
for text strings to use them as a password dictionary to crack encryption.[3]

The toolkit also includes a standalone disk imaging program called FTK Imager. The FTK
Imager is a simple but concise tool. It saves an image of a hard disk in one file or in segments
that may be later on reconstructed. It calculates MD5 hash values and confirms the integrity of
the data before closing the files. The result is an image file(s) that can be saved in several
formats, including DD raw.

14ai)Analyze the processing of incident and crime scene

THE SEVEN S’s OF CRIME-SCENE INVESTIGATION

SECURING THE SCENE

SEPARATING THE WITNESSES
• When did the crime occur?
• Who called in the crime?
• Who is the victim?
• Can the perpetrator be identified?
• What did you see happen?
• Where were you when you observed the crime scene?
SCANNING THE SCENE
SEEING THE SCENE
SKETCHING THE SCENE

N
Scale: 1/4” = ______ feet
Case number __________
Date __________________
Location _______________
Name _________________

SEARCHING FOR EVIDENCE

SECURING AND COLLECTING EVIDENCE.
The evidence log should contain all pertinent information, including:
• Case number
• Item inventory number
• Description of the evidence
• Name of suspect
• Name of victim
• Date and time of recovery
• Signature of person recovering the evidence
• Signature of any witnesses present during collection
Packaging Evidence
The size of the bindle depends on the size of the evidence. If the evidence is small, the bindle can
be constructed from a sheet of paper. If the evidence is large, the bindle might be constructed
from a large sheet of wrapping
paper.. The steps are as follows:
1. Choose the appropriate-size sheet of clean paper for the bindle.
2. Crease the paper as shown in the figure.
3. Place evidence in the X location.
4. Fold left and right sides in.
5. Fold in top and bottom.
6. Insert the top flap into the bottom flap then tape closed
Demonstration of packaging of dry evidence.
a. Placement of evidence. b. Allow evidence to dry. c. Place dried evidence on bindle paper.
e. Secure bindle in labeled evidence bag using stick-on label. f. Place evidence in a plastic bag
with an inserted evidence label. (Note that this is a different evidence source than the bloody
cloth above.) g. Seal and tape the edge of the baggie. Fold bindle. Tuck the top flap into the
bottom h. Write the collector’s signature across the baggie’s taped edge.17
7. Place bindle inside a plastic or paper evidence bag. Fold the bag closed.
8. Place a seal over the folded edge of the evidence bag.
9. Have the collector write his or her name over the folded edge.
CHAIN OF CUSTODY
Chain-of-custody procedures.
a. Original evidence bag b. Opened evidence bag maintaining signature on first seal c.
Original evidence bag with uncut seal and signature, updated chain-of-custody log in a
new sealed and signed evidence bag

14bi)Apply varios computer forensics hardware and software tools to deal forensics
investiogation

Computer forensics tools:

Computer forensics is a very important branch of computer science in relation to computer and
Internet related crimes. Earlier, computers were only used to produce data but now it has
expanded to all devices related to digital data. The goal of Computer forensics is to perform
crime investigations by using evidence from digital data to find who was the responsible for that
particular crime.

These computer forensics tools can also be classified into various categories:

 Disk and data capture tools

 File viewers
 File analysis tools
 Registry analysis tools
 Internet analysis tools
 Email analysis tools
 Mobile devices analysis tools
 Mac OS analysis tools
 Network forensics tools
  Database forensics tools

1. Digital Forensics Framework

2. Open Computer Forensics Architecture

3. CAINE

4. X-Ways Forensics

5. SANS Investigative Forensics Toolkit – SIFT

6. EnCase

8. The Sleuth Kit

.9. Llibforensics

10. Volatility

11. WindowsSCOPE

12. The Coroner’s Toolkit

13. Oxygen Forensic Suite

14. Bulk Extractor

15. Xplico

16. Mandiant RedLine

17. Computer Online Forensic Evidence Extractor (COFEE)

18. P2 eXplorer

19. PlainSight
20. XRY

21. HELIX3

22. Cellebrite UFED

Software and hardware tools:

Disk tools and data capture

Name From Description

Arsenal Image Mounts disk images as complete disks in Windows,
Arsenal Consulting
Mounter giving access to Volume Shadow Copies, etc.
Generates physical memory dump of Windows
DumpIt MoonSols machines, 32 bits 64 bit. Can run from a USB flash
drive.
EnCase Forensic Create EnCase evidence files and EnCase logical
Guidance Software
Imager evidence files [direct download link]
Encrypted Disk Checks local physical drives on a system for
Magnet Forensics
Detector TrueCrypt, PGP, or Bitlocker encrypted volumes
Edit EWF (E01) meta data, remove passwords
EWF MetaEditor 4Discovery
(Encase v6 and earlier)
Enables large capacity disks to be formatted as
FAT32 Format Ridgecrop
FAT32
Web Content
Forensics Acquisition
Protection Browser designed to forensically capture web pages
of Websites
Association
FTK Imager AccessData Imaging tool, disk viewer and image mounter
Multi-threaded GUI imager under running under
Guymager vogu00
Linux
Live RAM Capturer Belkasoft Extracts RAM dump including that protected by an
 Name From Description
anti-debugging or anti-dumping system. 32 and 64
bit builds
Network analysis tool. Detects OS, hostname and
NetworkMiner Hjelmvik open ports of network hosts through packet
sniffing/PCAP parsing
Nmap Nmap Utility for network discovery and security auditing
Captures physical memory of a suspect’s computer.
Magnet RAM
Magnet Forensics Windows XP to Windows 10, and 2003, 2008, 2012.
Capture
32 & 64 bit
Boot utility for CD/DVD or USB flash drives to
OSFClone Passmark Software
create dd or AFF images/clones.
Mounts a wide range of disk images. Also allows
OSFMount Passmark Software
creation of RAM disks
Wireshark Wireshark Network protocol capture and analysis
Creates Virtual Hard Disks versions of physical
disks for use in Microsoft Virtual PC or Microsoft
Disk2vhd Microsoft
Hyper-V VMs

Name From Description

Open and view (not export) Outlook EDB files
EDB Viewer Lepide Software
without an Exchange server

Viewer for Outlook Express, Windows

Mail/Windows Live Mail, Mozilla
Mail Viewer MiTeC
Thunderbird message databases and single
EML files
 Name From Description
MBOX Viewer SysTools View MBOX emails and attachments

Open and view (not export) Outlook OST files

OST Viewer Lepide Software
without connecting to an Exchange server

Open and view (not export) Outlook PST files

PST Viewer Lepide Software
without needing Outlook

Return to top of page

Name From Description

Search multiple files using Boolean
Agent Ransack Mythicsoft
operators and Perl Regex

Computer Forensic Collated forensic images for training,

NIST
Reference Data Sets practice and validation

Copies data between locations, with file

EvidenceMover Nuix
comparison, verification, logging

Self labelled ‘fastest’ copy/delete

FastCopy Shirouzu Hiroaki Windows software. Can verify with SHA-
1, etc.

File Signatures Gary Kessler Table of file signatures

Identifies over 1000 file types by

HexBrowser Peter Fiskerstrand
examining their signatures

HashMyFiles Nirsoft Calculate MD5 and SHA1 hashes

MobaLiveCD Mobatek Run Linux live CDs from their ISO image
 Name From Description
without having to boot to them

Automatically moves mouse pointer

Mouse Jiggler Arkane Systems
stopping screen saver, hibernation etc.

Notepad ++ Notepad ++ Advanced Notepad replacement

NSRL NIST Hash sets of ‘known’ (ignorable) files

A Linux & Windows GUI for individual

Quick Hash Ted Technology
and recursive SHA1 hashing of files

Enables software write-blocking of USB

USB Write Blocker DSi
ports

Application that simplifies the use of the

Volix FH Aachen
Volatility Framework

Windows Forensic Guide by Brett Shavers to creating and

Troy Larson
Environment working with a Windows boot CD

Mac OS tools

Name From Description

Audit Preference Pane and Log Reader for OS
Audit Twocanoes Software
X

Parses keychain structure, extracting user’s

confidential information such as application
ChainBreaker Kyeongsik Lee
account/password, encrypted volume
password (e.g. filevault), etc

Disk Arbitrator Aaron Burghardt Blocks the mounting of file systems,

 Name From Description
complimenting a write blocker in disabling
disk arbitration

Epoch Converter Blackbag Technologies Converts epoch times to local time and UTC

FTK Imager CLI for Command line Mac OS version of

AccessData
Mac OS AccessData’s FTK Imager

Lists items connected to the computer (e.g.,

SATA, USB and FireWire Drives, software
IORegInfo Blackbag Technologies RAID sets). Can locate partition information,
including sizes, types, and the bus to which
the device is connected

Displays the physical partitioning of the

specified device. Can be used to map out all
PMAP Info Blackbag Technologies
the drive information, accounting for all used
sectors

Volafox Kyeongsik Lee Memory forensic toolkit for Mac OS X

Mobile devices

Name From Description

iPBA2 Mario Piccinelli Explore iOS backups

Leo Crawford, Mat Explore the internal file structure of Pad, iPod
iPhone Analyzer
Proud and iPhones

Extracts phone model and software version

ivMeta Robin Wood and created date and GPS data from iPhone
videos.
 Name From Description
Parses physical flash dumps and Nokia PM
Last SIM Details Dan Roe records to find details of previously inserted
SIM cards.

Rubus CCL Forensics Deconstructs Blackberry .ipd backup files

Obtain SMS Messages, call logs and contacts

SAFT SignalSEC Corp
from Android devices

14 bii)Discuss the steps involved in examining NTFS disks

NTFS File System:

NTFS – New Technology File System – introduced for Windows NT and Vista provides
significant improvements over FAT, including:
� file and folder permissions – folder and file access can be controlled individually
� file encryption – NTFS enables strong encryption of files and folders extremely resistant to
attacks
� file compression – NTFS enables lossy compression on both files and folders
� disk efficiency – NTFS supports smaller cluster size than FAT32
� greater reliability – NTFS writes a log of changes being made to files and folders (NTFS
journal), which helps the OS to recover from system failures …

Windows Registry:
critical part of any Windows OSs - hierarchical database containing configuration
information about:
� system hardware;
� installed software (programs);
� property settings;
� profile for each user, etc.
�� OS uses instructions stored in the registry to determine how installed hardware and
and software should function
�� e.g. typical software comes with a Windows installer that writes to the registry during
installation
� system must be restarted for changes to take place …

Forensics implications – information (i.e. potential evidence) that reside in the Registry
make it a significant forensics resource
information that can be found in the registry include:
� general information about the OS
� startup (boot-time) applications
� logs of computers that have communicated with the host
� logs of USBs that have been connected to the host
� logs of Web site histories and typed URLs
� downloaded files/programs, e.g. wiping programs to destroy evidence
� auto complete Internet Explorer passwords

15ai)Explain the steps involved in examining in Microsoft e-Mail server logs

When investigating email, we usually start with the piece of email itself and analyze the headers
of the email. Since each SMTP server that handles a message adds lines on top of the header, we
start at the top and work our way backward in time. Inconsistencies between the data that
subsequent SMTP servers supposedly created can prove that the email in question is faked.
Another investigation is that of the header contents itself. SMTP allows SMTP server
ideosyncracies. If a message does not have these, then it is faked. If possible, one can obtain
another email following supposedly the same path as the email under investigation and see
whether these ideosyncratic lines have changed. While it is possible that the administrator of an
SMTP node changed the behavior or even the routing, these changes tend to be far and in
between. For example, in the following email that I sent to myself (with altered addresses), we
find a large number of optinal lines that the hotmail server added, in particular the X-fields.
Without these fields, the message did not originate through the bay area hotmail server.The
Message-ID field is also highly characteristic. Notice that hotmail also includes the originating
IP address. A simple check for this IP address might also prove that the message is a fake.
(Though in fact, it is not.)

Return-path: <tschwarz@hotmail.com>
Received: from MGW2.scu.edu [129.210.251.18]
by gwcl-22.scu.edu; Wed, 28 Dec 2005 20:12:45 -0800
Received: from hotmail.com (unverified [64.4.43.63]) by MGW2.scu.edu
(Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066471627@MGW2.scu.edu> for
<tjschwarz@scu.edu>;
Wed, 28 Dec 2005 20:12:44 -0800
X-Modus-BlackList: 64.4.43.63=OK;tschwarz@hotmail.com=OK
X-Modus-Trusted: 64.4.43.63=NO
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed, 28 Dec 2005 20:12:44 -0800
Message-ID: <BAY17-F13177DD86E6CA033897367C4290@phx.gbl>
Received: from 129.210.18.34 by by17fd.bay17.hotmail.msn.com with HTTP;
Thu, 29 Dec 2005 04:12:43 GMT
X-Originating-IP: [129.210.18.34]
X-Originating-Email: [tschwarz@hotmail.com]
X-Sender: tschwarzsj@hotmail.com
From: "Thomas Schwarz, S.J." <tschwarz@hotmail.com>
To: tschwarz@scu.edu
Bcc:
Subject: Test
Date: Thu, 29 Dec 2005 04:12:43 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
X-OriginalArrivalTime: 29 Dec 2005 04:12:44.0119 (UTC) FILETIME=[1E30EE70:01C60C2E]

test

In general, it is impossible to prove that an email is genuine, but one can build a good case that it
is genuine. Usually, spoofers are simply not that good. In a case where someone maintains that
email appearing to originate from that some-one is faked, the date and the originating IP address
could create a presumption that the email is not faked. But even in this case, the only thing one
can deduce for sure is that the email originated from someone who could put a packet with that
return address on the network.

As administrators get more concerned about fakemail, they put in access restrictions and also
place warnings in headers, as the following example shows. (For Spam protection, I changed the
email addresses used.)

De: <tschwarz@scu.edu>
Enviado el: Wednesday, December 28, 2005 11:19:47 PM
Ir al mensaje anterior | Ir al mensaje siguiente | Eliminar | Bandeja de entrada
Received: from CPSJ-EXCHANGE-1.calprov.org ([65.116.151.145]) by bay0-mc10-f12.bay0.hotmail.com with
Microsoft SMTPSVC(6.0.3790.211); Wed, 28 Dec 2005 15:19:15 -0800
Received: from endor.engr.scu.edu ([129.210.16.1]) by CPSJ-EXCHANGE-1.calprov.org with Microsoft
SMTPSVC(5.0.2195.6713); Wed, 28 Dec 2005 15:19:14 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])by endor.engr.scu.edu
(8.13.5/8.13.5) with SMTP id jBSNA9h7023258for tschwarzsj@calprov.org; Wed, 28 Dec 2005 15:19:47 -0800
X-Message-Info: JGTYoYF78jFYzNJ5n6DdPGvy0zsH8v3C7lhJalOirZc=
X-Authentication-Warning: endor.engr.scu.edu: bobadilla.engr.scu.edu [129.210.18.34] didn't use HELO protocol
Return-Path: tschwarz@scu.edu
X-OriginalArrivalTime: 28 Dec 2005 23:19:14.0587 (UTC) FILETIME=[1E1796B0:01C60C05]

Analysis of source machine

Besides analyzing the email message itself, analyzing the machine from which an email might
have originated my yield some proof. We will see this when we come to discuss hard drive
evidence.

Analysis of Logs

Even more fundamental and important than these methods are the logs that SMTP servers (and
some email programs) maintain. Law enforcement has here an advantage over private
investigators because they can subpoena ISP records. Unfortunately, ISP servers tend to not store
the log data for a long time. It therefore makes sense to warn an ISP about a coming subpoena so
that they can safe-guard the log entry. A lucky investigator might be able to trace back a message
through SMTP servers to the first one that handled the message. If this server belonged to an
ISP, then information from RADIUS logs might give the name of the subscriber. Otherwise, the
investigator might connect the IP of the originating machine to a suspect. In case of criminal
enterprises such as spammers, fraudsters, phishers, etc. this investigation will be very difficult
because the originating message is often from a hacked machine that is controlled by another
hacked machine. The investigator needs to spend considerable resources and talents to follow
such a trail through various jurisdictions. It is possible to even set up a website in a way that
cannot be traced to a person, for example using untraceable or stolen credit cards.

Here is an example of a typical smtp log from endor. Chris Tracy - a truly talented and helpful
systems administrator - sent me fakemail:

Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1,

msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-24-12-227-
211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message
<200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 -
MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,m
id=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02,
xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

Information Technology Email Investigation Guidelines

This document describes the Information Technology policies and procedures related to handling
of emails related to transgressions of law or of questionable content.

Pursuant to the Computing Access Agreement, Information Technology does not monitor email
content or email accounts. Minimal, short-lived logging is done on the system for performance
and operational use showing messages queued for delivery or system load. Email account
contents may be accessed for technical reasons (assisting users or system troubleshooting)
without the knowledge of the owner.

Information Technology does not officially investigate or trace emails unless directed or
requested to do so from College authority offices like Campus Police, Human Resources, or
Student Life. In general all issues with objectionable email of a harassing or illegal nature must
be routed through one of these authorities, typically Campus Police.

Members of the College community who contact Information Technology about this issue are
directed to retain the message in its original form within their account and contact Campus
Police. Campus Police then typically makes an incident report and determines whether the
incident warrants action by Information Technology.

The majority of information used for tracing email is extracted from the message header. The
header format is a documented standard and is constructed as a product of message delivery by
all involved delivery agents (from the initiating client through to the final accepting server). To
some degree this information can be used to verify the legitimacy of a message. To a lesser
degree this information can be used to trace the message origin. However, mail clients are easily
reconfigured to obscure the identity of the sender, semi-anonymous email agents (like Yahoo!
and Hotmail) are widely used, and determined individuals can certainly add enough invalid
header information to make determinations very difficult.
Emails originating from The College of New Jersey systems are typically easier to trace than
messages originating from off-campus sites (this includes Yahoo! and Hotmail as well as emails
from other personal or commercial systems).

Information Technology NTS staff will review the message headers to determine origin,
destination, or ownership of the message as required. College UNIX account contents may be
reviewed to determine what roles investigation-specified users and potential suspects play in the
investigation.

In the event that an email must be traced through an off-campus system, Information Technology
must request the assistance of other agencies. For email originating from or destined to other
sites, respective system administrators at those sites may be contacted for assistance. Information
Technology staff often contact system administrators at these sites and may be able to acquire
the necessary information. Certain commercial email systems require legal documents before
they will release account information. For these services (like AOL, Yahoo! or Hotmail) a court
order or subpoena may be required to obtain the user identity and/or message contents of the
suspect account. Campus Police handles acquiring legally binding documents and may acquire
those documents and possibly the related account information before contacting Information
Technology.

Information Technology NTS staff maintain close contact with Campus Police (or the
appropriate investigating agency) throughout the division’s action in the investigation.
Information retrieved by Information Technology is provided to the investigators with
explanation as required.

In most cases the action taken against an individual determined guilty of a violation of the
Computing Access Agreement is determined by College authorities. The typical action is to lock
the user account for a specified period of time.

15 aii)Apply data hiding technique for effective forensics investigation

Data hiding is the process of making data difficult to find while also keeping it accessible for
future use. "Obfuscation and encryption of data give an adversary the ability to limit
identification and collection of evidence by investigators while allowing access and use to
themselves."

Some of the more common forms of data hiding include encryption, steganography and other
various forms of hardware/software based data concealment. Each of the different data hiding
methods makes digital forensic examinations difficult. When the different data hiding methods
are combined, they can make a successful forensic investigation nearly impossible.

Encryption

One of the more commonly used techniques to defeat computer forensics is data encryption. In a
presentation he gave on encryption and anti-forensic methodologies the Vice President of Secure
Computing, Paul Henry, referred to encryption as a "forensic expert's nightmare".[6]

The majority of publicly available encryption programs allow the user to create virtual encrypted
disks which can only be opened with a designated key. Through the use of modern encryption
algorithms and various encryption techniques these programs make the data virtually impossible
to read without the designated key.

File level encryption encrypts only the file contents. This leaves important information such as
file name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed
from other locations, such as temporary files, swap file and deleted, unencrypted copies.

Most encryption programs have the ability to perform a number of additional functions that make
digital forensic efforts increasingly difficult. Some of these functions include the use of a keyfile,
full-volume encryption, and plausible deniability. The widespread availability of software
containing these functions has put the field of digital forensics at a great disadvantage.

Steganography

Steganography is a technique where information or files are hidden within another file in an
attempt to hide data by leaving it in plain sight. "Steganography produces dark data that is
typically buried within light data (e.g., a non-perceptible digital watermark buried within a
digital photograph)." Some experts have argued that the use of steganography techniques are not
very widespread and therefore shouldn't be given a lot of thought. Most experts will agree that
steganography has the capability of disrupting the forensic process when used correctly.

According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist

publication) outlined the importance of using a steganography program called Secrets of the
Mujahideen. According to Carr, the program was touted as giving the user the capability to avoid
detection by current steganalysis programs. It did this through the use of steganography in
conjunction with file compression.

Other forms of data hiding

Other forms of data hiding involve the use of tools and techniques to hide data throughout
various locations in a computer system. Some of these places can include "memory, slack space,
hidden directories, bad blocks, alternate data streams, (and) hidden partitions."

One of the more well known tools that is often used for data hiding is called Slacker (part of the
Metasploit framework). Slacker breaks up a file and places each piece of that file into the slack
space of other files, thereby hiding it from the forensic examination software. Another data
hiding technique involves the use of bad sectors. To perform this technique, the user changes a
particular sector from good to bad and then data is placed onto that particular cluster. The belief
is that forensic examination tools will see these clusters as bad and continue on without any
examination of their contents.

15b)Explain in detail about mobile device forensics

ln the information age, every byte of data matters. Cell phones are capable of storing a wealth of
personal information, often intentionally, and sometimes unintentionally. This holds true for
almost all mobile devices, such as PDAs and iPhones as well. Cell phone forensic experts
specialize in the forensic retrieval of data from cell phones and other mobile devices in a manner
that preserves the evidence under forensically acceptable conditions, ensuring that it is court-
admissible. A cell phone forensic investigation includes possible full data retrieval dependent
upon the cell phone or PDA model. The cell phone and PDA forensic engineers at Kessler
International will conduct a thorough examination of the data found on the cell phone’s
SIM/USIM, the cell phone body itself, and any optional memory cards. Some of the kinds of
data that may be retrieved and examined during a cell phone forensic investigation, even after
being deleted, include:

• Call times;dialed and received calls, and call durations

• Text messages recovery of SMS message recovery
• Contact names & phone numbers
• Address book entries; residential addresses and email addresses
• Photos & graphics
• Videos

Law enforcement officials and legal firms realize the importance of evidence contained on cell
phones and other mobile devices, and how it can greatly affect the outcome of a trial. Whether
working to document evidence of “white collar crime” or tasked by law enforcement to extract
data for a criminal trial, the integrity of the firm selected for cell phone forensics is as important
as the integrity of the data recovered. More and more court cases are being won with the proper
submittal of electronic evidence, so it’s imperative that the cell phone forensic investigator
understands the legal issues and imperatives surrounding electronic evidence gathering.

Why and when to call Kessler International

 Parents should contact us if they suspect that their child is misusing the device or being
harassed by someone contacting or photographing them without their consent. Kessler
will discreetly investigate and, if necessary, assist law enforcement by providing court-
admissible data to corroborate legal claims.
 Kessler International can perform mobile phone forensics if an individual suspects his or
her spouse of cheating. Data such as placed & received calls and phone call times, text
messages, photos and other incriminating evidence can be retrieved from the spouse’s
cell phone or mobile device.
 Companies and corporations should contact us to perform cell phone forensics if they
suspect espionage by a competitor or disgruntled employee.
  Business owners who distribute cell phones to their executives and sales staff may
contact us to perform cell phone forensics to determine if these devices are being
inappropriately used to view and/or download porn, or defying restricted Internet usage
company policies.
 Individuals may contact Kessler International if they suspect they have been the victim of
e-stalking, the subject of inappropriate and non-consensual digital photography and other
forms of digital harassment.

Kessler International’s forensic cell/mobile phone, PDA, and computer investigations are
discreet, controlled, thorough and fully documented. Our professional staff is both certified and
highly-experienced in their respective forensic disciplines. Forensic cell phone audits by Kessler
International’s professionals yield superior results as our techniques and procedures far exceed
those used in routine data recovery investigations. Our forensic examinations will document the
evidence that the client needs and the respective circumstance requires. For all your cell phone
forensic investigative needs, Kessler International is the company to call.

A Leader in the Field of Cell Phone Forensics

For over 25 years, Kessler International has been a leader in the field of digital forensics. The
cell phone forensic engineers at Kessler International are fully trained in proper evidence
handling and litigation support services. Our broad knowledge of these complex electronic
systems combined with extensive legal training demonstrates the high standards Kessler
International maintains. These standards are critical to providing the data that support an accurate
presentation of the facts. Kessler has built its rock-solid reputation on it. Remember, when the
bar is set high, Kessler International is the company to call.

The explosive growth in the availability and use of cell phones and other mobile devices —
coupled with the expanded capabilities of these devices — has made this area of digital forensics
increasingly important. For many years now, cell phones have been a recorder of information,
often related to criminal or other nefarious behaviors, not to mention often being the instrument
— and, occasionally, the target — of that behavior. Mobile devices contain a plethora of data,
including contact lists, phone and Internet browsing history, text and multimedia messages, e-
mail, photographs and videos, geolocation information, and much more. Indeed, smartphones are
mobile Internet terminals and contain more probative information per byte examined than most
computers.

Examination and analysis of cell phones requires a very different forensic process than that
applied to computers. Every step — from seizure to preservation to transport to the exam itself
— requires processes and tools to ensure minimal alteration to the original evidence. The
complexity in performing a thorough exam of a mobile device and the analysis of the contents
should not be underestimated; while computers today largely employ only two or three different
operating systems (depending upon how you count), there are at least six major operating
systems used on mobile phones that are still in circulation.

Gary has been conducting mobile phone forensic examinations since 2006. Most of this work has
been on behalf of the local, state, and federal law enforcement community in Vermont and
Florida, including the U.S. Attorney's Office and Internet Crimes Against Children (ICAC) Task
Force. Gary has also examined mobile devices on behalf of clients in civil litigations. Gary has
acted as an expert witness in several federal criminal cases, as well as numerous civil matters.

Gary is also a frequent speaker at conferences about the process of mobile device forensics. He
has also conducted many training courses on mobile phone and smartphone forensics.

Gary Kessler Associates is capable of performing logical and physical analysis of most types of
cell phones, tablets, GPS devices, and other mobile devices. In conjunction with partners, GKA
is able to provide a broad range of services, including chip-off examinations and analysis of call
detail records and cell tower information. Mobile device forensics is a branch of digital
forensics relating to recovery of digital evidence or data from a mobile device under forensically
sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also
relate to any digital device that has both internal memory and communication ability, including
PDA devices, GPS devices and tablet computers.

The use of phones in crime was widely recognised for some years, but the forensic study of
mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones
(particularly smartphones) on the consumer market caused a demand for forensic examination of
the devices, which could not be met by existing computer forensics techniques.[1]

Mobile devices can be used to save several types of personal information such as contacts,
photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain
video, email, web browsing information, location information, and social networking messages
and contacts.

There is growing need for mobile forensics due to several reasons and some of the prominent
reasons are:

 Use of mobile phones to store and transmit personal and corporate information
 Use of mobile phones in online transactions
 Law enforcement, criminals and mobile phone devices[2]

Mobile device forensics can be particularly challenging on a number of levels:[3]

Evidential and technical challenges exist. for example, cell site analysis following from the use
of a mobile phone usage coverage, is not an exact science. Consequently, whilst it is possible to
determine roughly the cell site zone from which a call was made or received, it is not yet
possible to say with any degree of certainty, that a mobile phone call emanated from a specific
location e.g. a residential address.

 To remain competitive, original equipment manufacturers frequently change mobile

phone form factors, operating system file structures, data storage, services, peripherals,
and even pin connectors and cables. As a result, forensic examiners must use a different
forensic process compared to computer forensics.


computer" type devices.[4]



off or idle but at the same time, remaining active.