CS6004 / CYBER FORENSICS
UNIT I NETWORK LAYER SECURITY & TRANSPORT LAYER SECURITY
IPSec Protocol – IP Authentication Header – IP ESP – Key Management Protocol for IPSec. Transport Layer Security: SSL protocol, Cryptographic Computations – TLS Protocol.
Part-A
The IPsec protocol is a set of security extensions developed by the IETF. It provides privacy and authentication services at the IP layer by using modern cryptography. To protect the contents of an IP datagram, the data is transformed using cryptographic algorithms.
There are two main transformation types that form the basis of IPsec:
1. The Authentication Header (AH).
2. The Encapsulating Security Payload (ESP).
AH provides connectionless integrity, data origin authentication and an anti-replay service. ESP provides the same services and, in addition, confidentiality (encryption); AH on its own never encrypts.
2. Write the basic components of the IPsec architecture.
The basic components of the IPsec security architecture are explained in terms of the
following functionalities:
• Security Protocols for AH and ESP
• Security Associations for policy management and traffic processing
• Manual and automatic key management for the Internet Key Exchange
(IKE), the Oakley key determination protocol and ISAKMP.
• Algorithms for authentication and encryption
8. Define IP ESP.
The ESP header is designed to provide security services in IPv4 and IPv6.
ESP can be applied alone, in combination with the IP AH or through the use
of tunnel mode.
Security services are provided between a pair of hosts, between a pair of
security gateways or between a security gateway and a host.
The ESP header is inserted after the IP header and before the upper-layer
protocol header (transport mode) or before an encapsulated IP header
(tunnel mode).
ESP is used to provide confidentiality (encryption), data authentication,
integrity and anti-replay service, and limited traffic flow confidentiality.
Confidentiality could be selected independent of all other services.
9. Define Packet Format
SSL is a layered protocol. It is not a single protocol but rather two layers of
protocols.
At the lower level, the SSL Record Protocol is layered on top of some reliable
transport protocol such as TCP.
The SSL Record Protocol is also used to encapsulate various higher level
protocols. A higher-level protocol can layer on top of the SSL protocol
transparently.
11. Draw the SSL Protocol Overview stack.
1. Session identifier
2. Peer certificate
3. Compression method
4. Cipher spec
5. Master secret
6. Is resumable
The seven-group documents describing the set of IPsec protocols are explained in the
following:
Architecture:
The main architecture document covers the general concepts, security
Requirements, definitions and mechanisms defining IPsec technology.
ESP:
This document covers the packet format and general issues related to the use
of the ESP for packet encryption and optional authentication. This protocol document
also contains default values if appropriate, and dictates some of the values in the
Domain of Interpretation (DOI).
AH:
This document covers the packet format and general issues related to the use of AH for packet authentication. This document also contains default values, such as the default padding contents, and dictates some of the values in the DOI document.
Encryption algorithm:
This is a set of documents that describe how various encryption algorithms are used for ESP. Specifically:
– Specification of the key sizes and strengths for each algorithm.
– Any available estimates on performance of each algorithm.
– General information on how this encryption algorithm is to be
used in ESP.
When these encryption algorithms are used for ESP, the DOI document has to indicate
certain values, such as an encryption algorithm identifier, so these documents provide
input to the DOI.
Authentication algorithm:
This is a set of documents that describe how various authentication algorithms
are used for AH and for the authentication option of ESP.
Specifically:
– Specification of operating parameters such as number of rounds, and
input or output block format.
– Implicit and explicit padding requirements of this algorithm.
– Identification of optional parameters/methods of operation.
– Defaults and mandatory ranges of the algorithm.
– Authentication data comparison criteria for the algorithm.
Key management:
2.1 AH Format
The IPsec AH format is shown in Figure 7.4. The following six fields comprise the
AH format:
Next header (8 bits): This field identifies the type of the next payload after the AH. The value of this field is chosen from the set of IP protocol numbers maintained by the Internet Assigned Numbers Authority (IANA).
In the IPv6 context, the ESP appears after hop-by-hop, routing and fragmentation
extension headers. The destination options extension header(s) could appear either
before or after the ESP header depending on the semantics desired. However, since
ESP protects only fields after the ESP header, it is generally desirable to place the
The exact steps for reconstructing the original datagram depend on the mode
(transport or tunnel) and are described in the Security Architecture document. The
receiver processes any padding as given in the encryption algorithm specification.
For transport mode, the receiver reconstructs the original IP datagram from the
original IP header plus the original upper-layer protocol information in the ESP
payload field. For tunnel mode, the receiver reconstructs the tunnel IP header plus
the entire IP datagram in the ESP payload field.
3.3.3 Authentication
4.2 ISAKMP
ISAKMP defines a framework for SA management and cryptographic key
establishment for the Internet.
This framework consists of defined exchange, payloads and processing
guidelines that occur within a given DOI.
ISAKMP defines procedures and packet formats to establish, negotiate,
modify and delete SAs.
It also defines payloads for exchanging key generation and authentication
data.
These payload formats provide a consistent framework for transferring key
and authentication data which is independent of the key generation
technique, encryption algorithm and authentication mechanism.
ISAKMP is intended to support the negotiation of SAs for security protocols at all
layers of the network stack. By centralizing the management of the SAs, ISAKMP
reduces the amount of duplicated functionality within each security protocol.
(I) ISAKMP Payloads
ISAKMP payloads provide modular building blocks for constructing ISAKMP
messages.The presence and ordering of payloads in ISAKMP are defined by and
dependent upon the Exchange Type Field located in the ISAKMP Header.
ISAKMP Header
The ISAKMP header fields are defined as shown in Figure 7.9.
Initiator Cookie (64 bits) - This field is the cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
Responder Cookie (64 bits) - This field is the cookie of the entity that is responding to an SA establishment request, SA notification, or SA deletion.
Next Payload (8 bits) - This field indicates the type of the first payload in the
message.
Major Version (4 bits) - This field indicates the major version of the ISAKMP protocol in use. Implementations based on the ISAKMP Internet-Draft set the major version to 1.
Minor Version (4 bits) - This field indicates the minor version of the ISAKMP protocol in use. Implementations based on the ISAKMP Internet-Draft set the minor version to 0.
Exchange Type (8 bits) - This field indicates the type of exchange being used. This
dictates the message and payload orderings in the ISAKMP exchanges.
Flags (8 bits) - This field indicates specific options that are set for the ISAKMP
exchange. The Flags are specified in the Flags field beginning with the least
significant bit: the encryption bit is bit 0 of the Flags field, the commit bit is bit 1,
and authentication only bit is bit 2 of the Flags field. The remaining bits of the
Flags field must be set to 0 prior to transmission.
Message ID (32 bits) - Message ID is used to identify protocol state during Phase 2
negotiations. This value is randomly generated by the initiator of the phase 2
negotiation. During Phase 1 negotiation, this value must be set to 0.
Length (32 bits) - Length of the total message (header || payloads) in octets. Encryption can expand the size of an ISAKMP message, so the receiver must take the length from this field rather than assume it from the payload types.
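Worked example (added to these notes; not part of the original text): a parser for the fixed 28-octet ISAKMP header described above, with the receiver-side checks that follow from the field definitions: the Length field must be consistent with the octets actually received, the unassigned Flags bits must be zero, and a zero Message ID marks a Phase 1 message. The sample message is constructed for the example; the Next Payload (1 = SA) and Exchange Type (2 = Identity Protection) values are RFC 2408 assignments, and the 12 payload octets are a placeholder, not a real SA payload.

```python
import struct

ISAKMP_HEADER_LEN = 28          # eight fixed fields, 28 octets in total

# Flag bits counted from the least significant bit, as described above.
FLAG_ENCRYPTION = 0x01
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04
KNOWN_FLAGS = FLAG_ENCRYPTION | FLAG_COMMIT | FLAG_AUTH_ONLY


def build_isakmp_header(i_cookie, r_cookie, next_payload, exch_type,
                        flags, msg_id, payload_len):
    """Pack a version 1.0 ISAKMP header for a message that carries
    payload_len octets of payloads after the header."""
    version = (1 << 4) | 0      # Major version 1, Minor version 0
    return struct.pack("!QQBBBBII", i_cookie, r_cookie, next_payload, version,
                       exch_type, flags, msg_id, ISAKMP_HEADER_LEN + payload_len)


def parse_isakmp_header(data):
    """Parse the fixed header and apply the receiver-side sanity checks.
    Raises ValueError on anything that must not appear on the wire."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (i_cookie, r_cookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", data[:ISAKMP_HEADER_LEN])
    # Length counts header plus payloads; it must fit the octets we hold,
    # otherwise a later payload walk would read past the buffer.
    if length < ISAKMP_HEADER_LEN or length > len(data):
        raise ValueError("Length field %d inconsistent with %d octets received"
                         % (length, len(data)))
    # Only bits 0-2 of Flags are assigned; the remaining bits must be zero.
    if flags & ~KNOWN_FLAGS & 0xFF:
        raise ValueError("reserved Flags bits set: 0x%02x" % flags)
    return {
        "initiator_cookie": i_cookie,
        "responder_cookie": r_cookie,
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": exch_type,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        # Message ID is zero throughout Phase 1; Phase 2 uses a random value.
        "phase": 1 if msg_id == 0 else 2,
        "length": length,
    }


def header_is_valid(data):
    """True if the header parses cleanly, False if a check rejects it."""
    try:
        parse_isakmp_header(data)
        return True
    except ValueError:
        return False


# Constructed sample: first message of a Phase 1 exchange. The responder
# cookie is still zero; Next Payload 1 (SA) and Exchange Type 2 (Identity
# Protection) are the RFC 2408 values; the 12 payload octets are a placeholder.
SAMPLE_PHASE1 = build_isakmp_header(
    0x1122334455667788, 0, 1, 2, 0, 0, 12) + b"\x00" * 12

if __name__ == "__main__":
    print(parse_isakmp_header(SAMPLE_PHASE1))
```

The length check matters in practice: a header whose Length claims more octets than arrived would otherwise drive the payload chain walk off the end of the buffer.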
Generic Payload Header
Each ISAKMP payload begins with a generic header which provides a
payload chaining capability and clearly defines the boundaries of a payload.
The generic payload header fields in 32 bits are defined as follows:
The MAC over the compressed fragment is defined as follows:
H1 = hash(MAC-write-secret || pad-1 || seq-num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment)
H = hash(MAC-write-secret || pad-2 || H1)
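Worked example (added to these notes; not part of the original text): the SSLv3 record MAC above, implemented with the standard library. pad-1 and pad-2 are the bytes 0x36 and 0x5c repeated 48 times for MD5 and 40 times for SHA-1, the sequence number is a 64-bit counter, and type and length are one and two octets. The secret and fragment are constructed sample values, not real session material; the content type 23 is SSLv3's application_data.

```python
import hashlib
import hmac
import struct

# pad-1 / pad-2 are 0x36 / 0x5c repeated 48 times for MD5, 40 times for SHA-1.
PAD_LENGTH = {"md5": 48, "sha1": 40}

# SSLv3 record content types.
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23


def sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment):
    """H = hash(secret || pad-2 || hash(secret || pad-1 || seq-num || type ||
    length || fragment)) over one SSLCompressed record."""
    n = PAD_LENGTH[hash_name]
    pad1, pad2 = b"\x36" * n, b"\x5c" * n
    # seq-num is a 64-bit counter, type one octet, length two octets (big-endian).
    record_header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    h1 = hashlib.new(hash_name, mac_write_secret + pad1 + record_header + fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad2 + h1).digest()


def verify_sslv3_mac(hash_name, mac_write_secret, seq_num, content_type,
                     fragment, received_mac):
    """Recompute the MAC for the received record and compare in constant time,
    so the comparison does not leak how many leading bytes matched."""
    expected = sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (not real session secrets or traffic).
SAMPLE_SECRET = bytes(range(20))
SAMPLE_FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(sslv3_mac("sha1", SAMPLE_SECRET, 0, CT_APPLICATION_DATA, SAMPLE_FRAGMENT).hex())
```

Because seq-num is part of the MAC input, a record replayed or delivered out of order fails verification even though its bytes are unchanged; that is the anti-replay property of the record layer.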
The compressed message plus the MAC are encrypted using symmetric encryption.
The block ciphers being used as encryption algorithms are:
DES(56), Triple DES(168), IDEA(128),
RC5(variable) and Fortezza(80)
where the number inside the brackets indicates the key size. Fortezza is a PCMCIA
card that provides both encryption and digital signing.
Append SSL record header: The final processing of the SSL Record Protocol is to
append an SSL record header. The composed fields consist of:
Content type (8 bits): This field is the higher-layer protocol used to process the
enclosed fragment.
Major version (8 bits): This field indicates the major version of SSL in use. For
SSLv3, the value is 3.
Minor version (8 bits): This field indicates the minor version of SSL in use. For
SSLv3, the value is 0.
Compressed length (16 bits): This field indicates the length in bytes of the plaintext fragment, or of the compressed fragment if compression is used. The maximum value is 2^14 + 2048.
SSL Change Cipher Spec Protocol
The Change Cipher Spec Protocol is the simplest of the three SSL-specific
protocols.
This protocol consists of a single message, which is compressed and encrypted
under the current CipherSpec. The message consists of a single byte of value 1.
Client hello: The exchange is initiated by the client. A client sends a client hello
message using the session ID of the session to be resumed. The server then checks its
session cache for a match. If a match is found, the server will send a server hello
message with the same session ID value. The client sends a client hello message with
the following parameters:
Client version: This is the version of the SSL protocol in which the client
wishes to communicate during this session. This should be the most recent
(highest-valued) version supported by the client. The value of this version will
be 3.0.
UNIT II
E-MAIL SECURITY & FIREWALLS
PGP – S/MIME – Internet Firewalls for Trusted System: Roles of Firewalls - Firewall
related terminology- Types of Firewalls – Firewall designs – SET for E-Commerce
Transactions.
Part-A
application-level traffic. The user contacts the gateway using a TCP/IP application,
such as Telnet or FTP, and the gateway asks the user for the name of the remote host
to be accessed.
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to
pass.
1. Confidentiality of information
2. Integrity of data
4. Merchant authentication
5. Define S/MIME.
Content description.
It is used to declare the general type of data; the subtype defines the particular format for that type of data. MIME has seven content types and fifteen subtypes. They are,
2. Multipart type
3. Message type
4. Image type
JPEG, GIF.
5. Video type.
6. Audio type.
7. Application type
2. Diffie-Hellman.
3. RSA algorithm.
1. Generate Ks.
2. Encrypt Ks using the recipient's public key (RSA is used for this encryption) and prepare the 'recipient info' block.
3. Encrypt the message using Ks.
1. Packet Filters
2. Circuit-Level Gateways
3. Application-Level Gateways
Part-B
The session key is encrypted with RSA, using the recipient’s public
key.
The sending PGP encrypts the message, using CAST-128 or IDEA
or 3DES, with the session key. Note that the message is also
usually compressed.
The receiving PGP uses RSA with its private key to decrypt and
recover the session key.
The receiving PGP decrypts the message using the session key. If
the message was compressed, it will be decompressed.
Both digital signature and confidentiality services may be applied to the same
message. First, a signature is generated from the message and attached to the
message. Then the message plus signature are encrypted using a symmetric session
key. Finally, the session key is encrypted using public-key encryption and prefixed to
the encrypted block.
1.2 Authentication via Digital Signature
The digital signature uses a message digest (hash) algorithm together with a public-key signature algorithm. Figure 9.2 illustrates the digital signature service provided by PGP.
The sequence is as follows:
The sender creates a message.
SHA-1 is used to generate a 160-bit hash code of the message.
The hash code is encrypted with RSA using the sender’s private key and a
digital signature is produced.
The binary signature is attached to the message.
The receiver uses RSA with the sender’s public key to decrypt and recover the
hash code.
The receiver generates a new hash code for the received message and compares
it with the decrypted hash code. If the two match, the message is accepted as
authentic.
The combination of SHA-1 and RSA provides an effective digital signature scheme.
As an alternative, signatures can be generated using DSS/SHA-1.
1.3 Compression
PGP compresses the message after applying the signature but before
encryption.
The placement of Z for compression and Z −1 for decompression is shown in
Figures 9.1 and 9.2.
This compression algorithm has the benefit of saving space both for e-mail
transmission and for file storage.
PGP makes use of a compression package called ZIP which is functionally
equivalent to PKZIP developed by PKWARE, Inc. The zip algorithm is perhaps
the most commonly used cross-platform compression technique.
Two main compression schemes, named after Abraham Lempel and Jakob Ziv, were
first proposed by them in 1977 and 1978, respectively. These two schemes for text
compression (generally referred to as lossless compression) are broadly used because
they are easy to implement and also fast.
Huffman compression is a statistical data compression technique which
reduces the average code length used to represent the symbols of an alphabet.
Huffman code is an example of a code which is optimal when all symbol probabilities are integral powers of 1/2.
A technique related to Huffman coding is Shannon–Fano coding. This coding
divides the set of symbols into two equal or almost equal subsets based on the
probability of occurrence of characters in each subset.
The first subset is assigned a binary 0, the second a binary 1. Huffman
encoding always generates optimal codes, but Shannon–Fano sometimes uses a
few more bits.
Decompression of LZ77-compressed text is simple and fast. Whenever a
(position, length) pair is encountered, one goes to that position in that window
and copies length bytes to the output.
1.4 Radix-64 Conversion
When PGP is used, usually part of the block to be transmitted is encrypted. If
only the signature service is used, then the message digest is encrypted (with
the sender’s private key).
If the confidentiality service is used, the message plus signature (if present) are
encrypted (with a one-time symmetric key).
Because many e-mail systems only permit blocks consisting of ASCII text, PGP converts the raw 8-bit binary stream to a stream of printable ASCII characters. The scheme used for this purpose is radix-64 conversion. Each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors. This radix-64 conversion is a wrapper around the binary PGP messages, and is used to protect the binary messages during transmission over non-binary channels, such as Internet e-mail.
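Worked example (added to these notes; not part of the original text): radix-64 armoring as described above, with the OpenPGP CRC-24 (initial value 0xB704CE, polynomial 0x1864CFB, as specified in RFC 4880) appended on its own '=' line. The input bytes are constructed for the example; the BEGIN/END lines follow the OpenPGP armor layout. The last function shows why the CRC is there: it flips one radix-64 character and checks that the corruption is caught.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """OpenPGP CRC-24 over the binary (pre-radix-64) data."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, block_type="PGP MESSAGE", width=64):
    """Wrap binary PGP data in radix-64 armor: three octets become four ASCII
    characters, broken into lines of `width`, followed by the '=' CRC line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    checksum = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN %s-----" % block_type, ""]
                     + lines + [checksum, "-----END %s-----" % block_type]) + "\n"


def dearmor(text):
    """Undo armor(); raise ValueError if the CRC-24 does not match the data."""
    lines = [l.rstrip("\r") for l in text.strip().split("\n")]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor header or tail line")
    inner = lines[1:-1]
    checksum_line = inner[-1]
    if not checksum_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    # Skip 'Key: value' armor headers and the blank separator line.
    body = "".join(l for l in inner[:-1] if l and ":" not in l)
    data = base64.b64decode(body, validate=True)
    expected = int.from_bytes(base64.b64decode(checksum_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data was corrupted in transit")
    return data


def detects_corruption(data):
    """Change one radix-64 character of armor(data) (a <= 6-bit burst, which a
    24-bit CRC always detects) and report whether dearmor() catches it."""
    lines = armor(data).split("\n")
    first = lines[2]                       # first body line after BEGIN and blank
    lines[2] = ("B" if first[0] != "B" else "C") + first[1:]
    try:
        dearmor("\n".join(lines))
        return False
    except ValueError:
        return True


# Constructed sample input covering every octet value twice.
SAMPLE_BINARY = bytes(range(256)) * 2

if __name__ == "__main__":
    print(armor(SAMPLE_BINARY))
```

The CRC protects only against transmission damage; it is not a security mechanism, since anyone who alters the armored data can recompute it. Integrity against an attacker comes from the signature inside the PGP message.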
1.5 Packet Headers
A PGP message is constructed from a number of packets. A packet is a chunk
of data which has a tag specifying its meaning. Each packet consists of a packet
header of variable length, followed by the packet body.
The first octet of the packet header is called the packet tag, as shown in Figure 9.4. The MSB is 'bit 7' (the leftmost bit), whose mask is 0x80 (binary 10000000). PGP 2.6.x only uses old-format packets.
0–Reserved
1–Session key packet encrypted by public key
2–Signature packet
3–Session key packet encrypted by symmetric key
4–One-pass signature packet
5–Secret-key packet
6–Public-key packet
7–Secret-subkey packet
8–Compressed data packet
9–Symmetrically encrypted data packet
10–Marker packet
11–Literal data packet
12–Trust packet
13–User ID packet
14–Public subkey packet
60–63–Private or experimental values
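Worked example (added to these notes; not part of the original text): a parser for the packet header layout described above, covering both the old-format header that PGP 2.6.x emits (tag in bits 5-2, length-type in bits 1-0) and the new-format header (bit 6 set, tag in bits 5-0, one-, two- or five-octet length). It walks a message built from the tag table, naming each packet. The sample message is constructed for the example: a marker packet followed by a literal data packet carrying the text "hello world".

```python
PACKET_TAGS = {
    0: "Reserved", 1: "Public-key encrypted session key", 2: "Signature",
    3: "Symmetric-key encrypted session key", 4: "One-pass signature",
    5: "Secret-key", 6: "Public-key", 7: "Secret-subkey", 8: "Compressed data",
    9: "Symmetrically encrypted data", 10: "Marker", 11: "Literal data",
    12: "Trust", 13: "User ID", 14: "Public subkey",
}


def tag_name(tag):
    if 60 <= tag <= 63:
        return "Private or experimental"
    return PACKET_TAGS.get(tag, "Unknown")


def parse_packet_header(buf, pos=0):
    """Decode one packet header starting at buf[pos].
    Returns (tag, body_offset, body_length); body_length is None for the
    old-format indeterminate-length case (length type 3)."""
    ptag = buf[pos]
    if not ptag & 0x80:
        raise ValueError("bit 7 of the packet tag must be set")
    if ptag & 0x40:
        # New-format header: bits 5-0 carry the tag; the length follows as
        # one octet (<192), two octets (192..8383) or 255 plus four octets.
        tag = ptag & 0x3F
        b0 = buf[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + buf[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    # Old-format header (the only kind PGP 2.6.x emits): bits 5-2 carry the
    # tag, bits 1-0 say how many length octets follow (1, 2, 4, or none).
    tag = (ptag >> 2) & 0x0F
    length_type = ptag & 0x03
    if length_type == 3:
        return tag, pos + 1, None
    n = 1 << length_type
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def walk_packets(buf):
    """Split a PGP message into (tag, name, body) triples, refusing any
    packet whose declared body runs past the end of the data."""
    packets, pos = [], 0
    while pos < len(buf):
        tag, body_off, length = parse_packet_header(buf, pos)
        if length is None:
            length = len(buf) - body_off
        if body_off + length > len(buf):
            raise ValueError("packet tag %d: body runs past end of data" % tag)
        packets.append((tag, tag_name(tag), buf[body_off:body_off + length]))
        pos = body_off + length
    return packets


def is_well_formed(buf):
    try:
        walk_packets(buf)
        return True
    except (ValueError, IndexError):
        return False


def parse_literal_body(body):
    """Literal data packet body: format octet, filename, 4-octet date, data."""
    fmt = chr(body[0])
    name_len = body[1]
    filename = body[2:2 + name_len].decode("utf-8", "replace")
    date = int.from_bytes(body[2 + name_len:6 + name_len], "big")
    return fmt, filename, date, body[6 + name_len:]


# Constructed sample: an old-format marker packet (tag 10, body "PGP") followed
# by a new-format literal data packet (tag 11): binary format, no filename,
# zero timestamp, then the data.
_literal_body = b"b" + b"\x00" + (0).to_bytes(4, "big") + b"hello world"
SAMPLE_MESSAGE = (bytes([0x80 | (10 << 2) | 0, 3]) + b"PGP"
                  + bytes([0xC0 | 11, len(_literal_body)]) + _literal_body)

if __name__ == "__main__":
    for tag, name, body in walk_packets(SAMPLE_MESSAGE):
        print(tag, name, body)
```

The bounds check in walk_packets is the part a forensic tool cannot skip: packet lengths come from untrusted input, and a declared length longer than the remaining data is either corruption or an attempt to make the parser read out of bounds.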
1.6 PGP Packet Structure
A PGP file consists of a message packet, a signature packet and a session key packet.
1.6.1 Message Packet
This packet includes the actual data to be transmitted or stored as well as a header
that includes control information generated by PGP such as a filename and a
timestamp. A timestamp specifies the time of creation. The message component
consists of a single literal data packet.
1.6.2 Signature Packet (Tag 2)
This packet describes a binding between some public key and some data. The most
common signatures are a signature of a file or a block of text, and a signature that is a
certification of a user ID.
Two versions of signature packets are defined. PGP 2.6.x only accepts version 3
signature. Version 3 provides basic signature information, while version 4 provides an
expandable format with sub packets that can specify more information about the
signature. It is reasonable to create a v3 signature if an implementation is creating an
encrypted and signed message that is encrypted with a v3 key.
The signature includes the following components:
Timestamp
Message digest (or hash code)
Leading two octets of hash code
Key ID of sender’s public key
Session Key Packets (Tag 1)
This component includes the session key and the identifier of the receiver’s
public key that was used by the sender to encrypt the session key.
A public-key-encrypted session key packet, EKPb (Ks), holds the session key
used to encrypt a message.
The symmetrically encrypted data packets are preceded by one public-key-
encrypted session key packet for each PGP 5.x key to which the message is
encrypted.
The message is encrypted with the session key, and the session key is itself
encrypted and stored in the encrypted session key packet. The recipient of the
message finds a session key that is encrypted to its public key, decrypts the
session key, and then uses the session key to decrypt the message.
A key material packet contains all the information about a public or private key. There
are four variants of this packet type and two versions.
Key Packet Variants
There are:
• Public-key packet (tag 6): This packet starts a series of packets that forms a PGP
5.x key.
• Public subkey packet (tag 14): This packet has exactly the same format as a public-key packet, but denotes a subkey. One or more subkeys may be associated with a top-level key.
• Secret-key packet (tag 5): This packet contains all the information that is found in a
public-key packet, including the public-key materials, but also includes the secret-key
material after all the public-key fields.
• Secret-subkey packet (tag 7): A secret-subkey packet is the subkey analogous to the
secret-key packet and has exactly the same format.
Public-key Packet Formats
There are two variants: version 3 packets and version 2 packets. Version 3 packets were originally generated by PGP 2.6. Version 2 packets are identical in format to version 3 packets, but are generated by PGP 2.5.
A v3 key packet contains:
• A one-octet version number (3).
• A four-octet number denoting the time that the key was created.
• A two-octet number denoting the time in days that this key is valid.
• A one-octet number denoting the public-key algorithm of this key.
• A series of multiprecision integers (MPIs) comprising the key material: an MPI of the RSA public modulus n; an MPI of the RSA public encryption exponent e.
Secret-key Packet Formats
The secret-key and secret-subkey packets contain all the data of public-key and public-subkey packets in encrypted form, with additional algorithm-specific key data appended.
The secret-key packet contains:
• A public-key or public-subkey packet, as described above.
• One octet indicating string-to-key (S2K) usage conventions: 0 indicates that the secret-key data is not encrypted; 255 indicates that an S2K specifier is being given. Any other value specifies a symmetric-key encryption algorithm.
• If the S2K usage octet was 255, a one-octet symmetric encryption algorithm
(optional).
• If the S2K usage octet was 255, an S2K specifier (optional). The length of the
S2K specifier is implied by its type, as described above.
• If secret data is encrypted, an eight-octet IV (optional).
1.8 Algorithms for PGP 5.x
The MIME standard provides a general structure for the content type of Internet
messages and allows extensions for new content-type applications.
MIME Description
MIME transforms non-ASCII data at the sender’s site to NVT ASCII data and
delivers it to the client SMTP to be sent through the Internet. The server
SMTP at the receiver’s site receives the NVT ASCII data and delivers it to
MIME to be transformed back to the original non-ASCII data.
MIME Header
MIME defines five headers that can be added to the original SMTP header section:
• MIME Version
• Content Type
• Content Transfer Encoding
• Content Id
• Content Description
Note that lines in the header identify the type of the data as well as the encoding used.
• 7 bit: This is 7-bit NVT ASCII encoding. Although no special transformation is
needed, the length of the line should not exceed 1000 characters.
• 8 bit: This is 8-bit encoding. Non-ASCII characters can be sent, but the length of the
line still should not exceed 1000 characters. Since the underlying SMTP is able to
transfer 8-bit non-ASCII characters, MIME does not do any encoding here.
• Binary: This is 8-bit encoding. Non-ASCII characters can be sent, and the length of
the line can exceed 1000 characters. MIME does not do any encoding here; the
underlying SMTP must be able to transfer binary data.
• Base64: This is a solution for sending data made of bytes when the highest bit is not necessarily zero. Base64 is a redundant encoding scheme: each 24 bits of non-ASCII data become four characters, which occupy 32 bits.
• Quoted-printable: This is used when the data consists mostly of ASCII characters with a small number of non-ASCII characters. Each non-ASCII byte is sent as an equals sign followed by the byte's two hexadecimal digits, so mostly-ASCII data stays readable and expands far less than it would under Base64.
Content Id
This header uniquely identifies the whole message in a multiple message environment:
Content-Id: id=<content-id>
Content Description
This header defines whether the body is image, audio or video:
Content-Description: <description>
MIME Security Multiparts
The basic MIME by itself does not specify security protection.
Accordingly, a MIME agent must provide security services by employing a
security protocol mechanism, by defining two security subtypes of the MIME
multipart content type: signed and encrypted.
The multipart/signed content type specifies how to support authentication and integrity services via digital signature. The multipart/signed content type contains exactly two body parts.
The first body part is the one over which the digital signature was created,
including its MIME headers.
The second body part contains the control information necessary to verify the
digital signature.
PGP can generate either ASCII Armor or a stream of arbitrary 8-bit octets when
encrypting data, generating a digital signature, or extracting public-key data. The
ASCII Armor output is the required method for data transfer. When the data is to
be transmitted in many parts, the MIME message/partial mechanism should be
used rather than the multipart ASCII Armor OpenPGP format. Before OpenPGP
encryption, the data is written in MIME canonical format (body and headers).
When the OpenPGP digital signature is generated:
S/MIME provides a consistent way to send and receive secure MIME data. S/MIME can be used with any system that transports MIME data.
It can also be used by traditional mail user agents (MUAs) to add cryptographic
security services to mail that is sent, and to interpret cryptographic security
services in mail that is received.
The S/MIME agent represents user software that is a receiving agent, a sending agent,
or both. S/MIME version 3 agents should attempt to have the greatest interoperability
possible with S/MIME version 2 agents.
CMS allows for a wide variety of options in content and algorithm support. This
subsection puts forth a number of support requirements and recommendations in
order to achieve a base level of interoperability among all S/MIME implementations.
CMS provides additional details regarding the use of the cryptographic algorithms.
DigestAlgorithmIdentifier
This type identifies a message digest algorithm which maps the message to the
message digest. Sending and receiving agents must support SHA-1. Receiving agents
should support MD5 for the purpose of providing backward compatibility with MD5-digested S/MIME v2 SignedData objects.
SignatureAlgorithmIdentifier
Sending and receiving agents must support id-dsa defined in DSS. Receiving agents should support rsaEncryption, defined in PKCS #1.
KeyEncryptionAlgorithmIdentifier
General syntax
CMS defines multiple content types. Of these, only the data, signed data and
enveloped data types are currently used for S/MIME.
• Data content type: This type is arbitrary octet strings, such as ASCII text files.
Such strings need not have any internal structure. The data content type should have
ASN.1 type Data:
Sending agents must use the id-data content-type identifier to indicate the message
content which has had security services applied to it.
Signed-data content type: This type consists of content of any type and encrypted message digests of the content for zero or more signers. Any type of content can be signed by any number of signers in parallel. The encrypted digest for a signer is a digital signature on the content for that signer.
The inside signature is used for content integrity, non-repudiation with proof of origin,
and binding attributes to the original content.
The outside signature provides authentication and integrity for information that is
processed hop by hop, where each hop is an intermediate entity such as a mail list
agent.
3. Sign the inner MIME headers and the original content resulting from step 2.
4. Add an appropriate MIME construct to the signed message from step 3. The
resulting message is called the inside signature.
Signed Receipts
3. Recipient receives message and determines if there are a valid signature and
receipt request in the message.
6. Sender receives the message and validates that it contains a signed receipt
for the original message.
Multilayer S/MIME messages may contain multiple SignedData layers. Receipts are
requested only for the innermost SignedData layer in a multilayer S/MIME message
such as a triple wrapped message. Only one receipt request attribute can be included
in the signedAttributes of SignerInfo.
4. Explain in detail about following topics of the Internet Firewalls for Trusted
Systems:
1. Roles of Firewalls
2. Firewall related terminology
Roles of Firewalls
1. Bastion Host
2. Proxy Server
3. SOCKS
4. Choke Point
5. De-militarised Zone (DMZ)
6. Logging and Alarms
7. VPN
Bastion Host
A bastion host is a publicly accessible device for the network’s security, which
has a direct connection to a public network such as the Internet.
The bastion host serves as a platform for any one of the three types of firewalls:
packet filter, circuit-level gateway or application-level gateway.
Bastion hosts must check all incoming and outgoing traffic and enforce the
rules specified in the security policy.
The bastion host’s role falls into the following three common types:
Proxy Server
Proxy servers are used to communicate with external servers on behalf of
internal clients.
A proxy service is set up and torn down in response to a client request, rather
than existing on a static basis.
The term proxy server typically refers to an application-level gateway, although
a circuit-level gateway is also a form of proxy server.
Each proxy is independent of other proxies on the bastion host.
If there is a problem with the operation of any proxy, or if future vulnerability is
discovered, it is easy to replace the proxy without affecting the operation of the
proxy’s applications.
If the support of a new service is required, the network administrator can easily
install the required proxy on the bastion host.
A proxy generally performs no disk access other than to read its initial
configuration file.
This makes it difficult for an intruder to install Trojan horse sniffers or other
dangerous files on the bastion host.
SOCKS
The SOCKS protocol version 4 provides for unsecured firewall traversal for TCP-
based client/server applications, including HTTP, TELNET and FTP.
The new protocol extends the SOCKS version 4 model to include UDP, and
allows the framework to include provision for generalized strong authentication
schemes, and extends the addressing scheme to encompass domain name and
IPv6 addresses.
When a TCP-based client wishes to establish a connection to an object that is
reachable only via a firewall, it must open a TCP connection to the appropriate
SOCKS port on the SOCKS server system.
The SOCKS service is conventionally located at TCP port 1080.
If the connection request succeeds, the client enters negotiation for the
authentication method to be used, authenticates with the chosen method, and
then sends a relay request.
The SOCKS server evaluates the request, and either establishes the appropriate
connection or denies it.
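Worked example (added to these notes; not part of the original text): both sides of the SOCKS version 5 exchange just described, encoded and decoded as bytes so it runs offline with no sockets. The client offers authentication methods, the server selects one (or 0xFF to refuse), the client sends a CONNECT relay request, and the server evaluates it against a policy and replies. Message layouts follow RFC 1928 (VER, NMETHODS, METHODS; VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT; VER, REP, RSV, ATYP, BND.ADDR, BND.PORT), and the address encoding covers the IPv4, IPv6 and domain-name forms the notes mention. The policy callable and the bound address 192.0.2.1:40000 are constructed for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
SOCKS_PORT = 1080                         # conventional server port
METHOD_NO_AUTH, METHOD_USERNAME_PASSWORD, NO_ACCEPTABLE_METHODS = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CONNECTION_NOT_ALLOWED = 0x00, 0x02


def client_method_selection(methods):
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def server_select_method(msg, acceptable):
    """Server -> client: VER, METHOD. Picks the first server-acceptable method
    the client offered, else 0xFF (after which the client closes)."""
    if msg[0] != SOCKS_VERSION or len(msg) != 2 + msg[1]:
        raise ValueError("malformed method selection message")
    offered = set(msg[2:])
    for m in acceptable:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE_METHODS])


def encode_address(host, port):
    """ATYP + ADDR + PORT for an IPv4, IPv6 or domain-name target."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_address(buf, pos):
    """Inverse of encode_address; returns (host, port, next_offset)."""
    atyp = buf[pos]
    if atyp == ATYP_IPV4:
        host, pos = str(ipaddress.IPv4Address(buf[pos + 1:pos + 5])), pos + 5
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(buf[pos + 1:pos + 17])), pos + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[pos + 1]
        host, pos = buf[pos + 2:pos + 2 + n].decode("idna"), pos + 2 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    (port,) = struct.unpack("!H", buf[pos:pos + 2])
    return host, port, pos + 2


def client_connect_request(host, port):
    """Client -> server relay request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host, port)


def server_parse_request(msg):
    if msg[0] != SOCKS_VERSION or msg[2] != 0x00:
        raise ValueError("bad version or reserved octet")
    host, port, end = decode_address(msg, 3)
    if end != len(msg):
        raise ValueError("trailing octets after request")
    return msg[1], host, port


def server_reply(rep, bind_host, bind_port):
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    return bytes([SOCKS_VERSION, rep, 0x00]) + encode_address(bind_host, bind_port)


def server_evaluate(request, policy):
    """Apply a relay policy (callable (host, port) -> bool) to a request and
    build the reply the server would send."""
    cmd, host, port = server_parse_request(request)
    if cmd != CMD_CONNECT or not policy(host, port):
        return server_reply(REP_CONNECTION_NOT_ALLOWED, "0.0.0.0", 0)
    return server_reply(REP_SUCCEEDED, "192.0.2.1", 40000)   # constructed bound address

if __name__ == "__main__":
    req = client_connect_request("example.com", 443)
    print(req.hex(), server_evaluate(req, lambda h, p: p in (80, 443)).hex())
```

The policy step is where the firewall role lives: the SOCKS server sees the destination the client asked for in clear form, so it can log it and refuse it, which a plain NAT device cannot do for a domain name.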
Choke Point
A choke point is the point at which a public internet can access the internal
network.
The most comprehensive and extensive monitoring tools should be configured
on the choke points.
Proper implementation requires that all traffic be funnelled through these choke
points.
Since all traffic is flowing through the firewalls, security administrators, as a
firewall strategy, need to create choke points to limit external access to their
networks.
Once these choke points have been clearly established, the firewall devices can
monitor, filter and verify all inbound and outbound traffic.
Since a choke point is installed at the firewall, a prospective hacker will go
through the choke point.
De-militarised Zone (DMZ)
The DMZ is an expression that originates from the Korean War. It meant a strip of land forcibly kept clear of enemy soldiers.
In terms of a firewall, the DMZ is a network that lies between an internal
private network and the external public network.
DMZ networks are sometimes called perimeter networks.
A DMZ is used as an additional buffer to further separate the public network
from the internal network.
A gateway is a machine that provides relay services to compensate for the
effects of a filter.
The network inhabited by the gateway is often called the DMZ.
A gateway in the DMZ is sometimes assisted by an internal gateway.
Logging and Alarms
Logging is usually implemented at every device in the firewall, and these
individual logs combine to form the complete record of user activity.
Packet filters normally do not enable logging by default, so as not to degrade
performance. Packet filters and circuit-level gateways log only the most basic
information.
From the logs the administrator can tell exactly what an attacker did, and has
that information available for audit.
The audit log is an essential tool for detecting and terminating intruder
attacks.
Many firewalls allow the administrator to preconfigure responses to unacceptable
activity.
The firewall should be able to alert the administrator by several means. The two
most common automatic responses are for the firewall to break the TCP/IP
connection or to set off an alarm.
VPN
VPNs are appropriate for any organization requiring secure external access to
internal resources.
All VPNs are tunneling protocols in the sense that their packets or payloads are
encapsulated (tunneled) inside the network packets of the transit network.
Data transmitted over a VPN should be encrypted, because an opponent with access
to the Internet could eavesdrop on it as it travels over the public network.
The VPN encapsulates the encrypted data within an IP packet.
Authentication, message integrity and encryption are the three fundamentals for
implementing a VPN.
Without authentication, an attacker could impersonate any user and gain access
to the network.
Message integrity is required because packets can be altered as they travel
through the Internet. Without encryption, the information may become truly
public. Several methods exist to implement a VPN.
Packet filters typically set up an ordered list of rules that is read sequentially, line
by line. Filtering rules can be applied based on source and destination IP addresses or
network addresses, and TCP or UDP ports. The rules are evaluated one at a time, in
order. A packet filter provides two actions, forward or discard: when the first rule
whose conditions are all met says forward, the packet is routed as normal; when it says
discard, the packet is dropped.
Packet-Filtering Rules
A packet filter applies a set of rules to each incoming IP packet and then
forwards or discards the packet.
The packet filter typically sets up a list of rules which match fields in the
IP or TCP header. If a packet matches one of the rules, that rule determines
whether to forward or discard the packet.
If no rule matches, a default action is applied. There are two possible defaults,
forward or discard; a default of discard (everything not expressly permitted is
prohibited) is the more conservative and more secure choice.
TELNET packet filtering
TELNET is a simple remote terminal access protocol that allows a user to log onto
a computer across an internet. TELNET establishes a TCP connection and then
passes keystrokes from the user’s keyboard directly to the remote computer, as
if they had been typed on a keyboard attached to the remote machine.
TELNET also carries output from the remote machine back to the user’s screen.
TELNET client software allows the user to specify a remote machine either by
giving its domain name or its IP address.
TELNET can be used to administer a UNIX machine. Windows NT does not
provide a TELNET server with the default installation, but a third-party service
can easily be added.
TELNET sends all user names and passwords in plaintext, and an attacker who can
see the traffic can also hijack a TELNET session in progress.
TELNET should only be used when the user can verify the entire network
connecting the client and server, never over the Internet.
All TELNET traffic should be filtered at the firewall. TELNET runs on TCP port
23.
FTP packet filtering
With FTP, two TCP connections are used: a control connection to set up the file
transfer and a data connection for the actual file transfer.
The data connection uses a different port number, assigned for each transfer.
Remember that most servers live on low-numbered ports, but most outgoing
calls tend to use higher-numbered ports, typically above 1023.
FTP is one of the earliest protocols for transferring files across the Internet.
Like many of the TCP/IP protocols, FTP was not designed with security in mind.
Each FTP server has a command channel, where requests for data and
directory listings are issued, and a data channel, over which the requested data
is delivered.
FTP operates in two different modes (active and passive).
In both modes the server receives commands on TCP port 21. In active mode the
server opens the data connection itself, from its port 20 to a high-numbered port
announced by the client, so a packet filter in front of the client must admit
inbound connections to high-numbered ports. In passive mode the client opens the
data connection to a port announced by the server, so no inbound connection to
the client is required.
SMTP packet filtering
SMTP is a store-and-forward system, and such systems are well suited to firewall
applications.
SMTP receivers use TCP port 25; SMTP senders use a randomly selected port
above 1023. Most e-mail messages are addressed with hostnames rather than IP
addresses, and the SMTP server uses DNS (the Domain Name System) to
determine the matching IP address.
If the same machines handle internal and external mail delivery, an attacker who
can spoof DNS information may be able to cause mail that was intended for
internal destinations to be delivered to an external host.
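An added example, not taken from these notes, of the rule evaluation described under Packet-Filtering Rules applied to the TELNET, FTP and SMTP cases above: a stateless first-match filter with discard as the default, run over two constructed rule sets and some constructed packets (RFC 5737 documentation addresses). It goes one step beyond the text by looking at the TCP ACK flag, which is how a stateless filter distinguishes a reply from a new connection, and by contrasting the active-mode FTP rule (inbound from server port 20 to any high port) with a passive-mode rule set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = range(0, 65536)
HIGH_PORTS = range(1024, 65536)        # ephemeral ports used by outgoing calls


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at (TCP only, for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False                  # TCP ACK flag: clear on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                        # "forward" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: range = ANY_PORT
    dport: range = ANY_PORT
    ack: Optional[bool] = None         # None = don't care, True = only packets with ACK set
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.sport in self.sport
                and p.dport in self.dport
                and (self.ack is None or self.ack == p.ack))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Rules are read top to bottom and the first match decides. With no match the
    default is discard: anything not expressly permitted is prohibited."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "discard", "default"


# Constructed addresses: the inside network and its mail gateway; 203.0.113.0/24 is outside.
INSIDE = "192.0.2.0/24"
MAIL_GATEWAY = "192.0.2.25/32"

# Rule set A admits active-mode FTP. Rule 4 has to accept inbound connections from source
# port 20 to any high port inside, which is the classic hole in such a rule set.
ACTIVE_FTP_RULES = [
    Rule("discard", dport=range(23, 24), note="TELNET is filtered in both directions"),
    Rule("forward", dst=MAIL_GATEWAY, dport=range(25, 26), note="inbound SMTP to the mail gateway only"),
    Rule("forward", src=INSIDE, sport=HIGH_PORTS, dport=range(21, 22), note="outbound FTP control"),
    Rule("forward", dst=INSIDE, sport=range(20, 21), dport=HIGH_PORTS, note="active-mode FTP data from server port 20"),
    Rule("forward", dst=INSIDE, dport=HIGH_PORTS, ack=True, note="replies to connections opened from inside"),
]

# Rule set B allows passive mode only. The client opens the data connection outbound, so the
# filter only has to admit inbound packets that carry ACK, i.e. replies.
PASSIVE_FTP_RULES = [
    Rule("discard", dport=range(23, 24), note="TELNET is filtered in both directions"),
    Rule("forward", dst=MAIL_GATEWAY, dport=range(25, 26), note="inbound SMTP to the mail gateway only"),
    Rule("forward", src=INSIDE, sport=HIGH_PORTS, dport=range(21, 22), note="outbound FTP control"),
    Rule("forward", src=INSIDE, sport=HIGH_PORTS, dport=HIGH_PORTS, note="outbound passive-mode FTP data"),
    Rule("forward", dst=INSIDE, dport=HIGH_PORTS, ack=True, note="replies to connections opened from inside"),
]

# Constructed sample traffic.
TELNET_IN = Packet("203.0.113.9", 40001, "192.0.2.10", 23)
SMTP_TO_GATEWAY = Packet("203.0.113.5", 40002, "192.0.2.25", 25)
SMTP_TO_HOST = Packet("203.0.113.5", 40003, "192.0.2.10", 25)
FTP_REPLY = Packet("203.0.113.5", 21, "192.0.2.10", 40004, ack=True)
# An attacker chooses source port 20 and opens a new connection (no ACK) to an inside service.
SPOOFED_PORT_20 = Packet("203.0.113.9", 20, "192.0.2.10", 8080)
```

Rule set A forwards SPOOFED_PORT_20: any outside host that picks source port 20 can open a connection to any high-numbered port inside, which is the price of admitting active-mode FTP through a stateless filter. Rule set B discards it, because inbound packets reach high ports only when they carry ACK. The ACK check is a heuristic rather than a guarantee (a forged ACK-only packet still passes and is useful for scanning), which is why stateful inspection, which remembers the connections inside hosts opened, replaced this approach.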
Circuit-Level Gateways
The circuit-level gateway is a proxy server that statically defines what
traffic will be forwarded.
Circuit proxies always forward packets for a given port number if that
port number is permitted by the rule set.
A circuit-level gateway operates at the session layer of the OSI model: it relays
TCP connections between the two endpoints without inspecting the application
data they carry (SOCKS is the usual example).
This gateway acts as an IP address translator between the Internet and the
internal system.
A major advantage of a proxy server is its ability to provide Network Address
Translation (NAT). NAT hides the internal IP addresses from the Internet.
Application-Level Gateways
The application-level gateway represents a proxy server, performing at the
TCP/IP application level, that is set up and torn down in response to a client
request, rather than existing on a static basis.
When an inside host initiates a TCP/IP connection, the application gateway receives
the request and checks it against a set of rules or filters. The application gateway (or
proxy server) will then initiate a TCP/IP connection with the remote server.
As with the single-homed bastion host configuration, all external traffic is forwarded
to the bastion host for processing. With a single-homed bastion host, however, an attacker
who subverts the screening router can send traffic around the bastion host and so bypass
the firewall mechanisms. A dual-homed bastion host removes this possibility: it has two
network interfaces and all traffic must physically pass through it, so an attacker who
defeats the screening router must still penetrate the bastion host, and one who defeats
the bastion host must still get past the router. It is also possible to implement NAT
on a dual-homed bastion host.
The screened subnet firewall is the most secure of the three implementations: an
attacker must get past two screening routers and a bastion host that supports
both circuit- and application-level gateways.
Its DMZ functions as a small isolated network positioned between the
Internet and the internal network.
The screened subnet firewall contains external and internal screening routers.
Each is configured such that its traffic flows only to or from the bastion host.
This arrangement prevents any traffic from directly traversing the DMZ
subnetwork.
The external screening router uses standard filtering to restrict external access
to the bastion host, and rejects any traffic that does not come from the bastion
host.
This router also uses filters to prevent attacks such as IP spoofing and source
routing.
The internal screening router also uses rules to prevent spoofing and source
routing.
The Secure Electronic Transaction (SET) is a protocol designed for protecting credit
card transactions over the Internet. It is an industry-backed standard that was formed
by MasterCard and Visa (acting as the governing body) in February 1996.
This section describes the major business requirements for credit card transactions by
means of secure payment processing over the Internet. They are listed below:
5. Security techniques (ensure the use of the best security practices and system
design techniques to protect all legitimate parties in an electronic commerce
transaction):
6. Creation of brand-new protocol (create a protocol that neither depends on
transport security mechanisms nor prevents their use):
7. Interoperability (facilitate and encourage interoperability among software and
network providers):
1. Cardholder:
2. Issuer:
3. Merchant:
4. Acquirer:
5. Payment gateway:
6. Certification Authority:
Figure 11.1 illustrates the SET hierarchy which reflects the relationships between the
participants in the SET system, described in the preceding paragraphs. In the SET
environment, there exists a hierarchy of CAs. The SET protocol specifies a method of
trust chaining for entity authentication. This trust chain method entails the exchange
of digital certificates and verification of the public keys by validating the digital
signatures of the issuing CA.
Cryptographic Operation Principles
SET is the Internet transaction protocol providing security by ensuring confidentiality,
data integrity, authentication of each party and validation of the participant’s identity.
To meet these requirements, SET incorporates the following cryptographic principles:
• Confidentiality:
• Integrity:
• Authentication:
Dual Signature and Signature Verification
SET introduced a new form of digital signature called the dual signature. It links
two messages, the order message (OM) for the merchant and the payment message (PM)
for the bank, so that each party can verify the signature over its own message while
seeing only the digest of the other. A dual signature is generated from the message
digests of the two messages: the order digest and the payment digest.
Referring to Figure 11.2, the customer takes the hash codes (message digests) of both
the order message and the payment message using the SHA-1 algorithm. The dual
signature (DS) is computed as follows:
DS = EKsc(h)
where h = H(H(OM) || H(PM))
= H(ho || hp)
and EKsc (= dc) denotes encryption with the customer’s private signature key, i.e.
signing. The merchant, holding OM and hp, recomputes h = H(H(OM) || hp) and checks DS
with the customer’s public key; the bank does the same with PM and ho.
Authentication and Message Integrity
When user A wishes to sign the plaintext information and send it in an encrypted
message (ciphertext) to user B, the entire encryption process is as configured in Figure
11.4. The encryption/decryption processes for message integrity consist of the
following steps.
1. Encryption process:
User A sends the plaintext through a hash function to produce the message
digest that is used later to test the message integrity.
A then encrypts the message digest with his or her private key to produce the
digital signature.
Next, A generates a random symmetric key and uses it to encrypt the plaintext,
A’s signature and a copy of A’s certificate, which contains A’s public key. To
decrypt the plaintext later, user B will require a secure copy of this temporary
symmetric key.
B’s certificate contains a copy of his or her public key. To ensure secure
transmission of the symmetric key, A encrypts it using B’s public key. The
encrypted key, called the digital envelope, is sent to B along with the encrypted
message itself.
A sends a message to B consisting of the DES-encrypted plaintext, signature
and A’s public key, and the RSA-encrypted digital envelope.
2. Decryption process:
B receives the encrypted message from A and decrypts the digital envelope with
his or her private key to retrieve the symmetric key.
B uses the symmetric key to decrypt the encrypted message, consisting of the
plaintext, A’s signature and A’s public key retrieved from A’s certificate.
B decrypts A’s digital signature with A’s public key that is acquired from A’s
certificate. This recovers the original message digest of the plaintext.
B runs the plaintext through the same hash function used by A and produces a
new message digest of the decrypted plaintext.
Finally, B compares his or her message digest with the one recovered from A’s
digital signature; if the two match, the message came from A and was not altered
in transit.
Payment Processing
1. Cardholder Registration
2. Merchant Registration
3. Purchase Request
4. Payment Authorization
5. Payment Capture
Cardholder Registration
The cardholder must register with a CA before sending SET messages to the merchant.
The cardholder needs a public/private-key pair for use with SET. The scenario of
cardholder registration is described in the following.
1. Registration request/response processes:
The registration process can be started when the cardholder requests a copy of the
CA certificate. When the CA receives the request, it transmits its certificate to the
cardholder. The cardholder verifies the CA certificate by traversing the trust chain
to the root key. The cardholder holds the CA certificate to use later during the
registration process.
The cardholder sends the initiate request to the CA.
Once the initiate request is received from the cardholder, the CA generates the
response and digitally signs it by generating a message digest of the response
and encrypting it with the CA’s private key.
The CA sends the initiate response along with the CA certificate to the
cardholder.
The cardholder receives the initiate response and verifies the CA certificate by
traversing the trust chain to the root key.
The cardholder then verifies the CA’s signature on the initiate response by
decrypting it with the CA’s public key and comparing the result with a newly
generated message digest of the initiate response.
2. Registration form process:
The cardholder generates the registration form request.
The cardholder encrypts the SET message with a random symmetric key
(No. 1).
The DES key, along with the cardholder’s account number, is then
encrypted with the CA’s public key.
The cardholder transmits the encrypted registration form request to the CA.
The CA decrypts the symmetric DES key (No. 1) and cardholder’s account
number with the CA’s private key. The CA then decrypts the registration
form request using the symmetric DES key (No. 1).
The CA determines the appropriate registration form and digitally signs it by
generating a message digest of the registration form and encrypting it with
the CA’s private key.
The CA sends the registration form and the CA certificate to the cardholder.
The cardholder receives the registration form and verifies the CA certificate
by traversing the trust chain to the root key.
The cardholder verifies the CA’s signature by decrypting it with the CA’s
public key and comparing the result with a newly generated message digest of
the registration form.
The cardholder creates a message containing the request, the cardholder’s public
key and a newly generated symmetric key (No. 2), and digitally signs it by
generating a message digest of the message and encrypting it with the
cardholder’s private key.
The cardholder encrypts the message with a randomly generated symmetric key
(No. 3). This symmetric key, along with the cardholder’s account information, is
then encrypted with the CA’s public key.
The cardholder transmits the encrypted certificate request message to the
CA.
The CA decrypts the No. 3 symmetric key and the cardholder’s account information
with the CA’s private key, and then decrypts the certificate request using this
symmetric key.
The CA verifies the cardholder’s signature by decrypting it with the cardholder’s
public key and comparing the result with a newly generated message digest of
the certificate request.
The CA verifies the certificate request using the cardholder’s account
information and information from the registration form.
The CA generates the certificate response and digitally signs it by generating a
message digest of the response and encrypting it with the CA’s private key.
Merchant Registration
Merchants must register with a CA before they can receive SET payment instructions
from cardholders. In order to send SET messages to the CA, the merchant must have a
copy of the CA’s public key which is provided in the CA certificate.
1. Registration form process:
The registration process starts when the merchant requests the appropriate
registration form.
o The merchant sends the initiate request of the registration form to the
CA.
o To register, the merchant fills out the registration form with information
such as the merchant’s name, address and ID.
o The CA receives the initiate request.
o The CA selects an appropriate registration form and digitally signs it by
generating a message digest of the registration form and encrypting it
with the CA’s private key.
o The CA sends the registration form along with the CA certificate to the
merchant.
o The merchant verifies the CA’s signature by decrypting it with the CA’s
public key and comparing the result with a newly computed message
digest of the registration form.
o The merchant creates two public/private-key pairs for use with SET: key
encryption and signature.
2. Certificate request/create process:
o The merchant generates the certificate request.
o The merchant creates the message with request and both merchant
public keys and digitally signs it by generating a message digest of the
certificate request and encrypting it with the merchant’s private key.
o The merchant encrypts the message with a random symmetric key (No.
1). This symmetric key, along with the merchant’s account data, is then
encrypted with the CA’s public key.
o The merchant transmits the encrypted certificate request message to the
CA.
o The CA decrypts the symmetric key (No. 1) and the merchant’s account
data with the CA’s private key, and then decrypts the message using the
symmetric key (No. 1).
o The CA verifies the merchant’s signature by decrypting it with the
merchant’s public key and comparing the result with a newly computed
message digest of the certificate request.
o The CA confirms the certificate request using the merchant information.
o Upon verification, the CA creates the merchant certificate by digitally
signing the certificate with the CA’s private key.
o The CA generates the certificate response and digitally signs it by
generating a message digest of the response and encrypting it with the
CA’s private key.
o The CA transmits the certificate response to the merchant.
o The merchant receives the certificate response from the CA. The
merchant decrypts the digital envelope to obtain the symmetric key. This
key is used to decrypt the registration response containing the
certificates.
o The merchant verifies the certificates by traversing the trust chain to the
root key.
o The merchant verifies the CA’s signature by decrypting it with the CA’s
public key and comparing the result with a newly computed message
digest of the certificate response.
o The merchant stores the certificates and information from the response
for use in future e-commerce transactions.
Purchase Request
The purchase request exchange should take place after the cardholder has completed
browsing, selecting and ordering. Before the end of this preliminary phase occurs, the
merchant sends a completed order form to the cardholder (customer).
1. Initiate request:
• The cardholder sends the initiate request to the merchant.
• The merchant receives the initiate request.
• The merchant generates the response and digitally signs it by generating a message
digest of the response and encrypting it with the merchant’s private key.
• The merchant sends the response along with the merchant and payment gateway
certificates to the cardholder.
2. Initiate response:
• The cardholder receives the initiate response and verifies the certificates by
traversing the trust chain to the root key.
• The cardholder verifies the merchant’s signature by decrypting it with the
merchant’s public key and comparing the result with a newly computed message
digest of the response.
• The cardholder creates the order message (OM) using information from the shopping
phase and the payment message (PM). At this step the cardholder completes the
payment instructions.
3. Purchase request:
o The cardholder generates a dual signature for the OM and PM by
computing the message digests of both, concatenating the two digests,
computing the message digest of the result and encrypting it using the
cardholder’s private key.
2. Authorisation response:
o The gateway creates the authorisation response message and digitally
signs it by generating a message digest of the authorisation response and
encrypting it with the gateway’s private key.
o The gateway encrypts the authorisation response with a new randomly
generated symmetric key (No. 3). This key is then encrypted with the
merchant’s public key.
o The gateway creates the capture token and digitally signs it by generating a
message digest of the capture token and encrypting it with the gateway’s private
key.
o The gateway encrypts the capture token with a new symmetric key (No.
4). This key and the cardholder account information are then encrypted
with the gateway’s public key.
o The gateway transmits the encrypted authorisation response to the
merchant.
o The merchant verifies the gateway certificate by traversing the trust chain to
the root key.
o The merchant decrypts the symmetric key (No. 3) with the merchant’s private
key and then decrypts the authorisation response using the symmetric key (No.
3).
1. Capture request:
• The merchant creates the capture request.
• The merchant embeds the merchant certificate in the capture request and digitally
signs it by generating a message digest of the capture request and encrypting it with
the merchant’s private key.
• The merchant encrypts the capture request with a randomly generated symmetric
key (No. 5). This key is then encrypted with the payment gateway’s public key.
• The merchant transmits the encrypted capture request and encrypted capture token
previously stored from the authorisation response to the payment gateway.
• The gateway verifies the merchant certificate by traversing the trust chain to the
root key.
• The gateway decrypts the symmetric key (No. 5) with the gateway’s private key
and then decrypts the capture request using the symmetric key (No. 5).
• The gateway verifies the merchant’s digital signature by decrypting it with the
merchant’s public key and comparing the result with a newly computed message
digest of the capture request.
• The gateway decrypts the symmetric key (No. 4) with the gateway’s private key
and then decrypts the capture token using the symmetric key (No. 4).
• The gateway ensures consistency between the merchant’s capture request and the
capture token.
• The gateway sends the capture request through a financial network to the
cardholder’s issuer (financial institution).
2. Capture response:
• The gateway creates the capture response message, including the gateway signature
certificate, and digitally signs it by generating a message digest of the capture
response and encrypting it with the gateway’s private key.
• The gateway encrypts the capture response with a newly generated symmetric key
(No. 6). This key is then encrypted with the merchant’s public key.
• The gateway transmits the encrypted capture response to the merchant.
• The merchant verifies the gateway certificate by traversing the trust chain to the root
key.
• The merchant decrypts the symmetric key (No. 6) with the merchant’s private key
and then decrypts the capture response using the symmetric key (No. 6).
Important Questions
Part-A
1. What is an application-level gateway?
2. List the design goals of firewalls.
3. What is meant by SET? What are the features of SET?
4. What are the steps involved in a SET transaction?
5. Define S/MIME.
6. What are the header fields defined in MIME?
7. What is a MIME content type? Explain.
8. What are the key algorithms used in S/MIME?
9. Give the steps for preparing enveloped data in S/MIME.
10. What are the services provided by PGP?
11. Explain the reasons for using PGP.
12. Why is the e-mail compatibility function in PGP needed?
13. Name the cryptographic keys used in PGP.
14. What is meant by S/MIME? (A/M-12)
15. List out the types of firewalls.
Part-B
1. Explain in detail about PGP.
2. Explain in detail about S/MIME.
3. Explain in detail about the types of firewalls in Internet Firewalls for Trusted
Systems.
4. Explain in detail about the firewall-related terminology in Internet Firewalls for
Trusted Systems.
5. Explain in detail about SET for e-commerce transactions.
UNIT III
INTRODUCTION TO COMPUTER FORENSICS
Part-A
Intrusion detection systems help computer systems prepare for and deal
with attacks.
Monitoring and analysis of user and system activity
Auditing of system configurations and vulnerabilities
Assessing the integrity of critical system and data files
Recognition of activity patterns reflecting known attacks
Statistical analysis of abnormal activity patterns
Operating system audit trail management, with recognition of user
activity reflecting policy violations
15. Write the benefits of firewalls.
Benefits of Firewalls
Protection from vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use and misuse
Policy enforcement
Part-B
1. Explain in detail about computer crime.
Computer crime is any criminal offense, activity or issue that involves
computers.
Computer misuse tends to fall into two categories:
the computer is used to commit a crime;
the computer itself is the target of the crime, i.e. the computer is the victim.
Related notions are the computer security incident and computer incident
response.
Computer forensics involves the preservation, identification, extraction,
documentation and interpretation of computer data [1].
Computer forensics is the application of science and engineering to the legal
problem of digital evidence. It is a synthesis of science and law.
Computer forensics, still a rather new discipline in computer security, focuses
on finding digital evidence after a computer security incident has occurred.
The goal of computer forensics is to carry out a structured investigation and find
out exactly what happened on a digital system, and who was responsible for it.
Introduction
The introduction of the Internet has created unparalleled opportunities for
commerce, research, education, entertainment, and public discourse. A global
marketplace has emerged, in which fresh ideas and increased appreciation for
multiculturalism have flourished.
While computer crime and computer related crime will be used interchangeably
throughout the text, cybercrime will only be used to describe that criminal activity
which has been facilitated via the Internet.
Just as confusion exists regarding the appropriate terminology for crimes involving
computers, the nomenclature of the science developed to investigate such activity
lacks universality.
For clarification purposes in this text, computer forensic science, computer
forensics, and digital forensics may be defined as the methodological, scientific,
and legally sound process of examining computer media and networks for the
identification, extraction, authentication, examination, interpretation, preservation,
and analysis of evidence.
A lack of knowledge coupled with general apathy toward cyber criminality has
resulted in an atmosphere of indifference.
Many stereotype computer criminals as nonthreatening, socially challenged
individuals (i.e., nerds or geeks) and fail to see the insidious nature of computer
crime;
In addition, those administrators and investigators who grudgingly admit the
presence and danger of electronic crime tend to concentrate exclusively on child
pornography, overlooking motivations and criminal behaviors apart from sexual
gratification.
Even in situations where law enforcement authorities recognize the insidious
nature of computer or cybercrime, many do not perceive themselves or others in
their department to be competent to investigate such criminal activity.
Prosecutorial Reluctance
As media focus has increasingly highlighted the dangers of cyberspace,
including those involving cyber bullying and child exploitation, public
awareness has heightened an urgency to protect children’s virtual
playgrounds.
In response, federal and state resources have often been allocated to fund
specialized units to investigate and prosecute those offenses which affect the
safety of American children.
For example, the Federal Bureau of Investigation maintains a partnership
with the Child Exploitation and Obscenity Section of the Department of
Justice.
This organization is composed of attorneys and computer forensic specialists
who provide expertise to U.S. Attorney’s Offices on crimes against children
cases.
Lack of Reporting
The number of reported incidents handled by Carnegie Mellon University’s
Computer Emergency Response Team (CERT) increased threefold, from
24,097 in 2006 to 72,065 in 2008 [13]. In their annual survey, CSO Magazine (in
conjunction with the U.S. Secret Service, CERT and Deloitte) reported that 58
percent of the organizations surveyed perceived themselves to be more prepared
to prevent, detect, respond to, or recover from a cybercrime incident than in
the previous year.
However, only 56 percent of respondents actually had a plan for reporting and
responding to a crime [14]. In 2011, it was reported that over 75 percent of all
insider intrusions were handled internally without notification of the authorities.
Underreporting on the part of businesses and corporations may be attributed to
a variety of reasons, but perhaps the most common are exposure to financial
losses, data breach liabilities, damage to brand, regulatory issues, and loss of
consumer confidence.
Contemporary society, characterized by increased reliance on paperless
transactions, demands assurances that the company’s infrastructure is
invulnerable and that confidential information remains inviolate.
Lack of Resources
Computer intrusions have proven to be problematic within the corporate world,
and such institutions’ unwillingness or inability to communicate effectively with
judicial authorities has led to an increase in computer crime.
Law enforcement and corporate entities therefore need to cooperate with one
another.
Unlike their civil service counterparts, the business communities have the
resources (both financial and legal) necessary to effectively combat computer
crimes.
First, these companies, through their system administrators, have far more
leeway in monitoring communications and system activities, and they have the
ability to establish policies which enable wide-scale oversight.
Jurisprudential Inconsistency
Unfortunately, the Supreme Court has remained resolutely averse to
deciding matters of law in the newly emerging sphere of cyberspace.
They have virtually denied cert on every computer privacy case to which
individuals have appealed and have refused to determine appropriate
levels of Fourth Amendment protections of individuals and computer
equipment.
This hesitation has become even more pronounced with the emergence of
wireless communications, social networking sites, and smart phones.
As such, obvious demarcations of perception, application, and
enforcement of computer crime laws vary widely across the country, and
a standard of behavior in one jurisdiction may supersede or even negate
legal standards in another.
Traditionally, trial and appellate courts evaluated the constitutionality of
computer crime statutes, searches, and investigations through the lens
of the First and Fourth Amendment.
Evaluating appropriate boundaries for free speech and establishing
standards of reasonableness have varied across state and federal rulings,
and an inconsistent patchwork of guidelines has resulted.
Dumpster Diving
As the name implies, dumpster diving is the practice of sifting through
commercial or residential trash or waste for information deemed valuable. Such
information ranges widely, but may include account numbers, social security or
tax payer identification numbers, and passwords.
It may be located on discarded computer media or in paper form, and may be
housed in personnel records, accounting spreadsheets, receipts, invoices, or the
like.
• Line of authority - states who has the legal right to initiate an investigation,
who can take possession of evidence, and who can have access to evidence
• Business can avoid litigation by displaying a warning banner on computer
screens
– Informs end users that the organization reserves the right to inspect
computer systems and network traffic
• Sample text that can be used in internal warning banners:
– Use of this system and network is for official business only
– Systems and networks are subject to monitoring at any time by the
owner
– Using this system implies consent to monitoring by the owner
– Unauthorized or illegal users of this system or network will be subject to
discipline or prosecution
• Businesses are advised to specify an authorized requester who has the power
to initiate investigations
• Examples of groups with authority
– Corporate security investigations
– Corporate ethics office
– Corporate equal employment opportunity office
– Internal auditing
– The general counsel or legal department
• During private investigations, you search for evidence to support allegations of
violations of a company’s rules or an attack on its assets
• Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• A private-sector investigator’s job is to minimize risk to the company
• The distinction between personal and company computer property can be
difficult with cell phones, smartphones, personal notebooks, and tablet
computers
• Bring your own device (BYOD) environment
– Some companies state that if you connect a personal device to the
business network, it falls under the same rules as company property
Maintaining Professional Conduct
• Professional conduct - includes ethics, morals, and standards of behavior
• An investigator must exhibit the highest level of professional behavior at all
times
– Maintain objectivity
– Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay current with the latest
technical changes in computer hardware and software, networking, and
forensic tools
Preparing a Digital Forensics Investigation
Securing Your Evidence
• Use evidence bags to secure and catalog the evidence
– Use computer safe products when collecting computer evidence
– Antistatic bags
– Antistatic pads
– Use well padded containers
– Use evidence tape to seal all openings
– CD drive bays
– Insertion slots for power supply electrical cords and USB cables
• Write your initials on tape to prove that evidence has not been tampered with
• Consider computer specific temperature and humidity ranges
– Make sure you have a safe environment for transporting and storing it
until a secure evidence container is available
Procedures for Private-Sector High-Tech Investigations
• As an investigator, you need to develop formal procedures and informal
checklists
– To cover all issues important to high-tech investigations
• Basic requirements
– A workstation running Windows XP or later
– A write-blocker device
– Digital forensics acquisition tool
– Digital forensics analysis tool
– Target drive to receive the source or suspect disk data
– Spare PATA or SATA ports
– USB ports
• Additional useful items
– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools
Conducting an Investigation
• Gather resources identified in investigation plan
• Items needed
– Original storage media
– Evidence custody form
– Evidence container for the storage media
– Bit-stream imaging tool
– Forensic workstation to copy and examine your evidence
– Securable evidence locker, cabinet, or safe
Gathering the Evidence
• Avoid damaging the evidence
• Steps
– Meet the IT manager to interview him
– Fill out the evidence form, have the IT manager sign
– Place the evidence in a secure container
– Carry the evidence to the computer forensics lab
– Complete the evidence custody form
– Secure evidence by locking the container
Analyzing Your Digital Evidence
• Your job is to recover data from:
– Deleted files
– File fragments
– Complete files
• Deleted files linger on the disk until new data is saved on the same physical
location
• Tools can be used to retrieve deleted files
– ProDiscover Basic
The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf
software and directorate-sponsored R&D prototypes. The Synthesizing Information
from Forensic Investigations (SI-FI) integration environment, developed under contract
by WetStone Technologies, Inc. [2], was the cornerstone of the technology
demonstrated. SI-FI supports the collection, examination, and analysis processes
employed during a cyber forensic investigation. The SI-FI prototype uses digital
evidence bags (DEBs), which are secure and tamperproof containers used to store
digital evidence.
Types of Law Enforcement: Computer Forensic Technology
Law enforcement and military agencies have been involved in processing
computer evidence for years.
This section touches very briefly on issues dealing with Windows NT,
Windows 2000, XP and 2003 and their use within law enforcement computer
forensic technology.
Windows XP and Windows 2003 are operating systems that are often used on
notebook and desktop computers in corporations and government agencies.
Thus, they are currently the operating systems most likely to be encountered in
computer investigations and computer security reviews.
Be advised that this chapter does not cover the use of black box computer
forensics software tools. Those tools are good for some basic investigation tasks,
but they do not offer a full computer forensics solution.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer
evidence processing standards. Computer processing procedures have also been
developed for the U.S. Treasury Department.
Training and certification programs have also been developed for the
International Association of Computer Investigation Specialists (IACIS). For
these reasons, computer forensic trainers and instructors should be well
qualified to teach the correct computer-processing methods and procedures.
Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number
of occurrences. Computer forensic instructors should expose their trainees to bit
stream backup theories that ensure the preservation of all storage levels that may
contain evidence.
Trojan Horse Programs
The need to preserve the computer evidence before processing a computer
should be clearly demonstrated by the computer forensic instructor through the
use of programs designed to destroy data and modify the operating systems.
The participant should be able to demonstrate his or her ability to avoid
destructive programs and traps that can be planted by computer users bent on
destroying data and evidence.
capture keyboard activity from corporate executives, for example. For this reason, it is
important that the participants understand these potential risks and how to identify
them.
Disk Structure
Participants should be able to leave a training course with a good
understanding of how computer hard disks and floppy diskettes are structured
and how computer evidence can reside at various levels within the structure of
the disk.
They should also demonstrate their knowledge of how to modify the structure
and hide data in obscure places on floppy diskettes and hard disk drives.
Data Encryption
A computer forensics course should cover, in general, how data is encrypted; it
should also illustrate the differences between good encryption and bad encryption.
Furthermore, demonstrations of password-recovery software should be given
regarding encrypted WordPerfect, Excel, Lotus, Microsoft Word, and PKZIP files.
The participant should become familiar with the use of software to crack
security associated with these different file structures.
Matching a Diskette to a Computer
New Technology Inc. has also developed specialized techniques and tools that make it
possible to conclusively tie a diskette to a computer that was used to create or edit
files stored on it. Unlike some special government agencies, New Technology Inc.
relies on logical rather than physical data storage areas to demonstrate this
technique. Each participant is taught how to use special software tools to complete
this process.
Dual-Purpose Programs
Programs can be designed to perform multiple processes and tasks at the same
time.
They can also be designed for delayed tasking. These concepts should be
demonstrated to the training participants during the course through the use of
specialized software.
The participant should also have hands-on experience with these programs.
Text Search Techniques
New Technology Inc. has also developed specialized search techniques and tools
that can be used to find targeted strings of text in files, file slack, unallocated
file space, and Windows swap files.
Each participant will leave the training class with a licensed copy of New
Technology Inc.'s TextSearch Plus™ software and the necessary knowledge to conduct
computer security reviews.
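The two ideas above, that deleted data lingers in unallocated space until it is overwritten and that a text search must look beyond allocated files into file slack and unallocated space, can be shown together. The following is an added example, not the notes' own material nor any vendor's tool: the raw image, its cluster size and the allocation records are all constructed here, whereas a real examiner would read them from the file system.

```python
"""Keyword search over a raw image that reports whether each hit lies in
allocated file data, file slack, or unallocated space.

Added example for these notes, not TextSearch Plus or any other product.
The image, the 64-byte cluster size and the allocation records below are
constructed for illustration.
"""

CLUSTER = 64  # bytes per cluster (constructed; real clusters are 512 B-64 KiB)

# Constructed allocation records: (name, first_cluster, n_clusters, logical_size).
# Bytes of a file's last cluster beyond logical_size are file slack.
FILES = [
    ("report.txt", 0, 2, 100),  # uses 100 of 128 bytes -> 28 bytes of slack
    ("notes.txt", 3, 1, 20),
]


def _put(img, offset, data):
    """Write data into the image without changing its length."""
    img[offset:offset + len(data)] = data


def build_image():
    """Eight constructed clusters: one live file, one remnant in its slack,
    and a deleted file whose clusters were released but never overwritten."""
    img = bytearray(CLUSTER * 8)
    body = b"Quarterly report. The shared passphrase is rotated monthly. "
    _put(img, 0, body.ljust(100, b"."))             # allocated data, report.txt
    _put(img, 100, b"old passphrase remnant......")  # slack of report.txt
    _put(img, 3 * CLUSTER, b"meeting notes  ok...")  # notes.txt, no keyword
    _put(img, 5 * CLUSTER, b"deleted memo: passphrase was emailed. ")  # unallocated
    return bytes(img)


def classify(offset):
    """Map a byte offset to (region, owning file) using the allocation records."""
    cluster = offset // CLUSTER
    for name, first, count, size in FILES:
        if first <= cluster < first + count:
            logical_end = first * CLUSTER + size
            return ("allocated" if offset < logical_end else "file slack"), name
    return "unallocated", None


def keyword_search(image, keyword):
    """Return every occurrence of keyword with its offset, cluster and region.
    A hit is classified by its starting offset, so a keyword that straddles a
    cluster boundary is attributed to the cluster where it begins."""
    hits = []
    start = 0
    while True:
        idx = image.find(keyword, start)
        if idx < 0:
            break
        region, owner = classify(idx)
        hits.append({"offset": idx, "cluster": idx // CLUSTER,
                     "region": region, "file": owner})
        start = idx + 1
    return hits


if __name__ == "__main__":
    for hit in keyword_search(build_image(), b"passphrase"):
        print(hit)
```

Only the first hit would be visible through the file system; the other two are exactly what a search of slack and unallocated space, as described above, is meant to find.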
TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY
1. Remote monitoring of target computers
2. Creating trackable electronic documents
3. Theft recovery software for laptops and PCs
4. Basic forensic tools and techniques
5. Forensic services available
Remote Monitoring of Target Computers
Data Interception by Remote Transmission (DIRT) from Codex Data Systems (CDS),
Inc. [7] is a powerful remote control monitoring tool that allows stealth monitoring of
all activity on one or more target computers simultaneously from a remote command
center. No physical access is necessary.
Creating Trackable Electronic Documents
There are many powerful intrusion detection tools that allow the user to create
trackable electronic documents.
In general, most of these tools identify (including their location) unauthorized
intruders who access, download, and view these tagged documents. The tools also
allow security personnel to trace the chain of custody and chain of command of all
who possess the stolen electronic documents.
Theft Recovery Software for Laptops and PCs
According to a recent FBI report, 98% of stolen computers are never recovered.
According to Safeware Insurance, 1,201,000 PCs and laptops were stolen in 2002 and
2003, costing owners $7.8 billion [9]. According to a recent joint Computer
Security Institute/FBI survey, 72% of the Fortune 1000 companies experienced laptop
theft.
Basic Forensic Tools and Techniques
Today, many computer forensics workshops have been created to familiarize
investigators and security personnel with the basic techniques and tools
Information such as trade secrets, vault and authorization codes, and lock and
key information are clearly of a mission critical nature, and their unintended
disclosure could cause severe loss to a business or operation.
Departmental information is typically data that is private to a particular
department, such as payroll information in finance and medical records in
personnel. There may be legal requirements for securing this information.
Company private information varies from company to company but typically
consists of information that should only be disclosed to employees and partners
of a company, such as policy and procedure manuals.
Public information is information such as product literature, brochures, and
catalogs that needs to be freely available to anyone, but whose integrity needs
to be assured to prevent unauthorized alteration. This information is often
provided to customers and interested parties by means of the Internet.
INTRUSION DETECTION SYSTEMS
Intrusion detection systems help computer systems prepare for and deal with
attacks.
They collect information from a variety of vantage points within computer
systems and networks and analyze this information for symptoms of security
problems.
Vulnerability assessment systems check systems and networks for system
problems and configuration errors that represent security vulnerabilities.
Both intrusion detection and vulnerability assessment technologies allow
organizations to protect themselves from losses associated with network
security problems.
This section explains how intrusion detection and vulnerability assessment fit
into the overall framework of security products and techniques used in
computer forensics.
Intrusion Detection Defined
Intrusion detection systems help computer systems prepare for and deal
with attacks.
• Monitoring and analysis of user and system activity
• Auditing of system configurations and vulnerabilities
• Assessing the integrity of critical system and data files
• Recognition of activity patterns reflecting known attacks
• Statistical analysis of abnormal activity patterns
• Operating system audit trail management, with recognition of user
activity reflecting policy violations
Vulnerability Assessment and Intrusion Detection
SAN Benefits
1. Centralized Management
2. Scalability
3. Reliability
4. Performance
NETWORK DISASTER RECOVERY SYSTEMS
The high availability of mission-critical systems and communications is a major
requirement for the viability of the modern organization.
A network disaster could negate the capability of the organization to provide
uninterrupted service to its internal and external customers.
Network disaster recovery (NDR) is the ability to respond to an interruption in
network services by implementing a disaster recovery plan to restore an
organization’s critical business functions.
NDR is not a new idea. In recent years, data has become a vitally important
corporate asset essential to business continuity. A fundamental requirement of
economic viability is the ability to recover crucial data quickly after a disaster.
PUBLIC KEY INFRASTRUCTURE SYSTEMS
A PKI enables users of an insecure public network such as the Internet to
securely and privately exchange data through the use of a public and a private
cryptographic key pair that is obtained and shared through a trusted authority.
The PKI provides for digital certificates that can identify individuals or
organizations and directory services that can store and, when necessary, revoke
them.
PKI is the underlying technology that provides security for the secure sockets
layer (SSL) and hyper text transfer protocol secure sockets (HTTPS) protocols,
which are used extensively to conduct secure e-business over the Internet.
A PKI consists of
• A certificate authority that issues and verifies digital certificates
• A registration authority that acts as the verifier for the certificate authority
before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are
held
• A certificate management system
PKI is complicated but is a sound solution to a difficult problem, namely enabling
two parties to exchange data securely over an insecure medium without the benefit of
prior communication. It has been adopted by the popular Web browsers and is widely
used for one-off business-to-customer (B2C) transactions. In general, however, PKI
still faces challenges in terms of application support, interoperability between vendors,
differing government legislation, and practical key management.
WIRELESS NETWORK SECURITY SYSTEMS
Wireless network security vendors (even giants like IBM) are busy developing
products to fight the viruses and security breaches of the future.
Among them are those that head off problems on a wireless network level,
within applications and on devices.
The widely used wireless LAN standard, 802.11, came under fire recently when
researchers at the University of California at Berkeley figured out how to crack
its built-in encryption.
Still, there is some hope, because developers addressed wireless network
security from the start and are working to beef it up before wireless LANs
become more pervasive.
Companies will also have to secure wireless transactions. There will be attacks
on the devices themselves, but they quickly will be focused on transactions.
SATELLITE ENCRYPTION SECURITY SYSTEMS
The boom in satellite communications is changing the way we work and live,
but it is becoming a security nightmare for those organizations and
governments whose survival depends on the protection of intellectual property
distribution, electronic commerce, electronic battlefields and national security.
3. The session key is encrypted with RSA using the recipient’s public
key and is prepended to the message (to prepend is to place one string in
front of another; for example, prepending “sub” to “net” yields “subnet”).
4. The receiver uses RSA with its private key to decrypt and recover the
session key.
5. The session key is used to decrypt the message.
INSTANT MESSAGING (IM) SECURITY SYSTEMS
The security threats from IM are straightforward. Since deployment isn’t
controlled, the enterprise can’t keep a rein on how the systems are used. With
the public IM networks, the individual employee registers for service.
Securing IM
IM management and security systems act as proxies for IM traffic going into the
network, which imposes policies before letting traffic through.
Besides addressing security, this architecture puts the IM management and
security vendors in a position to deal with the pesky problem of the lack of
interoperability among networks.
NET PRIVACY SYSTEMS
Privacy is a social, political, and economic issue. Privacy protection for the
individual was born with democracy and was originally designed to keep
oppressive governments from intruding on individual freedoms.
In a world of advanced industrial societies where most major countries are at
peace with each other, the violation of privacy and civil liberties has come under
new threats.
People still have every reason to keep a tight rein on snoopy governments (like
the use of the Patriot Act), but now they must also be concerned about the
commercial violation of individual privacy rights and desires.
Some private companies have made a business out of selling information about
individuals, groups, and organizations. This has raised considerable concern
among privacy advocates.
IDENTITY MANAGEMENT SECURITY SYSTEMS
Identity management is the creation, management, and use of online, or digital,
identities.
Hundreds of millions of people around the world now use the Internet daily at
home and at work, facing a multiplicity of corporate applications and e-
business interfaces.
Many such applications and interfaces require a unique user name, and as a
result, an individual typically possesses not one but several digital identities.
The Challenges of Managing Digital Identities
Aggregation
Web Services
Online Partnerships
As a first step, a system must collect or “capture” the biometric to be used. One
essential difference between the various techniques is the characteristic (body
part or function) being analyzed.
Extraction
Commercially available biometric devices generally do not record full images of
biometrics the way law enforcement agencies collect actual fingerprints.
Instead, specific features of the biometric are “extracted.” Only certain
attributes are collected (particular measurements of a fingerprint or pressure
points of a signature).
Comparison and Matching
To use a biometric system, the specific features of a person’s biometric
characteristic are measured and captured each time he presents his “live”
biometric.
This extracted information is translated into a mathematical code using the
same method that created the template. The new code created from the live
scan is compared against a central database of templates in the case of a one-
to-many match, or to a single stored template in the case of a one-to-one
match.
HOMELAND SECURITY SYSTEMS
The terms homeland security and homeland defense have received increased
attention since the tragic events of September 11, 2001.
While these terms are relatively new, the concepts behind them are not.
Homeland security is defined as the deterrence, prevention, and preemption of
and defense against aggression targeted at U.S. territory, sovereignty,
population, and infrastructure as well as the management of the consequences
of such aggression and other domestic emergencies.
Homeland defense on the other hand is a subset of homeland security.
Homeland Security Today
Security has the following organizational structure:
• Border and transportation security
• Emergency preparedness and response
• Chemical, biological, radiological, and nuclear countermeasures
• Information analysis and infrastructure protection
7. Explain in detail about the Data Acquisition.
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
– File extensions include .afd for segmented image files and .afm for AFF
metadata
– AFF is open source
Determining the Best Acquisition Method
• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods of data collection
– Creating a disk-to-image file
– Creating a disk-to-disk
– Creating a logical disk-to-disk or disk-to-data file
– Creating a sparse data copy of a file or folder
• Determining the best method depends on the circumstances of the investigation
• Creating a disk-to-image file
– Most common method and offers most flexibility
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLookIX
• Creating a disk-to-disk
– When disk-to-image copy is not possible
– Tools can adjust disk’s geometry configuration
– EnCase, SafeBack, SnapCopy
• Logical acquisition or sparse acquisition
– Can take several hours; use when your time is limited
– Logical acquisition captures only specific files of interest to the case
– Sparse acquisition collects fragments of unallocated (deleted) data
– For large disks
– PST or OST mail files, RAID servers
• When making a copy, consider:
– Size of the source disk
• Lossless compression might be useful
• Use digital signatures for verification
– When working with large drives, an alternative is using tape backup
systems
– Whether you can retain the disk
• RAID 2
– Similar to RAID 1
– Data is written to a disk on a bit level
– Has better data integrity checking than RAID 0
– Slower than RAID 0
• RAID 3
– Uses data striping and dedicated parity
• RAID 4
– Data is written in blocks
• RAID 5
– Similar to RAIDs 0 and 3
– Places parity recovery data on each disk
• RAID 6
– Redundant parity on each disk
• RAID 10, or mirrored striping
– Also known as RAID 1+0
– Combination of RAID 1 and RAID 0
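The RAID 5 entry above says only that parity recovery data is placed on each disk. The following added example (not from the notes or from any acquisition tool) models a small RAID 5 array in memory with a constructed payload, so you can see why the XOR parity lets any single failed member be rebuilt, and why an acquisition of a RAID server needs every member disk or the array's layout. The parity rotation used (parity moves one disk to the left each stripe) is an assumption for illustration; real controllers differ.

```python
"""RAID 5 striping with distributed parity, and rebuild of one failed disk.

Added example for these notes, not vendor code. The array lives in memory;
the 4-byte stripe unit and the left-rotating parity layout are assumptions
chosen so the layout is readable.
"""

STRIPE_UNIT = 4  # bytes per chunk (real arrays use 4 KiB-1 MiB)


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings: the parity operation."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe, n_disks):
    """Assumed rotation: stripe 0 puts parity on the last disk, stripe 1 on
    the one before it, and so on, so no single disk holds all parity."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data, n_disks, unit=STRIPE_UNIT):
    """Lay data out across n_disks; returns one list of chunks per disk.
    Each stripe holds n_disks-1 data chunks plus one parity chunk."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (n_disks - 1) * unit
    data = data + b"\x00" * ((-len(data)) % data_per_stripe)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        stripe = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i * unit:(i + 1) * unit] for i in range(n_disks - 1)]
        p = parity_disk_for(s, n_disks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == p else next(it))
    return disks


def raid5_rebuild(disks, failed):
    """Reconstruct the failed disk from the survivors: in every stripe the
    missing chunk is the XOR of all remaining chunks, data and parity alike.
    disks[failed] may be None (the disk is gone)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([disk[s] for disk in survivors])
            for s in range(len(survivors[0]))]


def raid5_read(disks, unit=STRIPE_UNIT):
    """Reassemble the logical payload (still padded) from a complete array."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out)


if __name__ == "__main__":
    array = raid5_write(b"forensic-raid5-demo-payload!", 4)
    lost = array[2]
    array[2] = None  # simulate a failed member
    print(raid5_rebuild(array, 2) == lost)  # True
```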
• Features:
– Create a raw format image file
– Segment the raw format or compressed image for archiving purposes
– Access network computers’ drives
ILook Investigator IXimager
• IXimager
– Runs from a bootable floppy or CD
– Designed to work only with ILook Investigator
– Can acquire single drives and RAID drives
– Supports:
• IDE (PATA)
• SCSI
• USB
• FireWire
Detection
Intrusion Detection Systems
Detection Software
Reporting
Containment
Strategies
Shutting down a system
Disconnect from the network
Change filtering rules of firewalls
Disabling or deleting compromised accounts
Increasing monitoring levels
Setting traps
Striking back at the attacker’s system
Adhering to containment procedures.
Record all actions
Define acceptable risks in advance
Eradication: Eliminate the cause of the incident.
Software available for most virus, worm attacks.
Procedures are very important.
Eradication in UNIX System
UNIT IV
EVIDENCE COLLECTION AND FORENSICS TOOLS
Processing Crime and Incident Scenes - Working with Windows and DOS Systems.
Current Computer Forensics Tools: Software/ Hardware Tools.
Part-A
1. Write the rules for controlling digital evidence.
• Comply with your state’s rules of evidence or with the Federal Rules of Evidence
• Evidence admitted in a criminal case can be used in a civil suit, and vice versa
• Keep current on the latest rulings and directives on collecting, processing,
storing, and admitting digital evidence
• Data you discover from a forensic examination falls under your state’s rules of
evidence
2. Define the best evidence rule.
To prove the content of a written document, recording, or photograph,
ordinarily the original writing, recording, or photograph is required
3. Define Federal Rules of Evidence
Allow a duplicate instead of originals when it is produced by the same
impression as the original
4. How to collect evidence at private-sector incident scenes.
• Private-sector organizations include:
• Non-government organizations (NGO) must comply with state public disclosure
and federal Freedom of Information Act (FOIA) laws
• FOIA allows citizens to request copies of public documents created by federal
agencies
5. Define Processing Law Enforcement Crime Scenes
• Law enforcement officer may search for and seize criminal evidence only with
probable cause
– Refers to the standard specifying whether a police officer has the right to
make an arrest, conduct a personal or property search, or obtain a
warrant for arrest
• With probable cause, a police officer can obtain a search warrant from a judge
– Review facts, plans, and objectives with the investigation team you have
assembled
• Goal of scene processing
– To collect and secure digital evidence
• Digital evidence is volatile
– Develop skills to assess facts quickly
• Slow response can cause digital evidence to be lost
10. List out the media used for storing digital evidence.
• The media you use to store digital evidence usually depends on how long you
need to keep it
• CDs, DVDs, DVD-Rs, DVD+Rs, or DVD-RWs
• Magnetic tapes - 4-mm DAT
• Super Digital Linear Tape (Super-DLT or SDLT)
• Smaller external SDLT drives can connect to a workstation through a SCSI card
• Don’t rely on one media storage method to preserve your evidence
11. How to review a case.
Reviewing a Case
• General tasks you perform in any computer forensics case:
– Identify the case requirements
– Plan your investigation
– Conduct the investigation
– Complete the case report
– Critique the case
12. Define file system.
• File system
– Gives OS a road map to data on a disk
• Type of file system an OS uses determines how data is stored on the disk
• When you need to access a suspect’s computer to acquire or inspect data
– You should be familiar with both the computer’s OS and file systems
13. List out the disk drive components.
• Disk drive components
– Geometry
– Head
– Tracks
– Cylinders
– Sectors
• Properties handled at the drive’s hardware or firmware level
– Zone bit recording (ZBR)
– Track density
– Areal density
– Head and cylinder skew
14. Define solid-state storage devices.
• All flash memory devices have a feature called wear-leveling
– An internal firmware feature used in solid-state drives that ensures even
wear of read/writes for all memory cells
• When dealing with solid-state devices, making a full forensic copy as soon as
possible is crucial
– In case you need to recover data from unallocated disk space
15. Define NTFS Encrypting File System (EFS).
• Encrypting File System (EFS)
– Introduced with Windows 2000
– Implements a public key and private key method of encrypting files,
folders, or disk volumes
• When EFS is used in Windows 2000 and later
– A recovery certificate is generated and sent to the local Windows
administrator account
16. Define NTFS Disks
• NT File System (NTFS)
• Improvements over FAT file systems
• NTFS was Microsoft’s move toward a journaling file system
– It records a transaction before the system carries it out
• In NTFS, everything written to the disk is considered a file
• On an NTFS disk
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
17. Define deleting NTFS files.
• When a file is deleted in Windows NT and later
• Using VirtualBox
– An open-source program that can be downloaded at
www.virtualbox.org/wiki/Downloads
• Consult with your instructor before doing the activities using VirtualBox
22. List out the digital forensics tools.
Types of Digital Forensics Tools
• Hardware forensic tools
– Range from single-purpose components to complete computer systems
and servers
• Software forensic tools
– Types
• Command-line applications
• GUI applications
– Commonly used to copy data from a suspect’s disk drive to an image file
23. List the types of tasks performed by digital forensics tools.
• Five major categories:
– Acquisition
– Validation and verification
– Extraction
– Reconstruction
– Reporting
24. Define validation and verification.
– Validation
• A way to confirm that a tool is functioning as intended
– Verification
• Proves that two sets of data are identical by calculating hash
values or using another similar method
• A related process is filtering, which involves sorting and searching
through investigation findings to separate good data and
suspicious data.
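The disk-to-image acquisition described in the Data Acquisition section (bit-for-bit copies, segmented for archiving) and the verification defined here (proving two data sets identical by hash values) are two halves of one workflow. The following is an added example, not code from the notes or from ProDiscover, EnCase or any tool they name: it streams a constructed stand-in for a suspect drive into raw segments while hashing, then re-hashes the segments to verify the copy and shows that a single altered byte is caught. A raw (dd-style) format and a 4 KiB segment size are assumptions chosen for the demonstration.

```python
"""Disk-to-image acquisition into raw segments, with MD5/SHA-1 verification.

Added example for these notes, not a forensic tool's code. SAMPLE_DRIVE is
a constructed stand-in for the source device; the raw format and the
segment size are assumptions.
"""
import hashlib
import io
import os
import tempfile

# Constructed stand-in for a suspect drive: exactly 10 000 bytes.
SAMPLE_DRIVE = (b"EVIDENCE-DRIVE-SAMPLE " * 500)[:10000]


def acquire_segmented(source, dest_prefix, segment_size, chunk_size=4096):
    """Copy the source stream bit for bit into raw segments of at most
    segment_size bytes (dest_prefix.001, .002, ...). Returns the segment
    paths plus the MD5 and SHA-1 of the complete stream, computed while
    reading so the source is touched only once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, seg_index, seg_file, seg_written = [], 0, None, 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
        pos = 0
        while pos < len(chunk):
            if seg_file is None:  # open the next segment on demand
                seg_index += 1
                path = f"{dest_prefix}.{seg_index:03d}"
                seg_file = open(path, "wb")
                segments.append(path)
                seg_written = 0
            piece = chunk[pos:pos + (segment_size - seg_written)]
            seg_file.write(piece)
            seg_written += len(piece)
            pos += len(piece)
            if seg_written == segment_size:
                seg_file.close()
                seg_file = None
    if seg_file is not None:
        seg_file.close()
    return segments, md5.hexdigest(), sha1.hexdigest()


def hash_segments(segments, chunk_size=4096):
    """Re-hash the segments as one continuous stream, as a verifier would."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(segments, expected_md5, expected_sha1):
    """Verification: the image is a faithful copy only if both hashes match
    the values recorded at acquisition (e.g. on the evidence custody form)."""
    md5, sha1 = hash_segments(segments)
    return md5 == expected_md5 and sha1 == expected_sha1


def reference_hashes(data):
    """Hashes of an in-memory buffer, for cross-checking the streamed values."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def demo():
    """Acquire SAMPLE_DRIVE, verify the copy, then flip one byte in the
    second segment and verify again. Returns a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix = os.path.join(tmp, "case001")
        segments, md5, sha1 = acquire_segmented(io.BytesIO(SAMPLE_DRIVE),
                                                prefix, segment_size=4096)
        sizes = [os.path.getsize(p) for p in segments]
        intact = verify_image(segments, md5, sha1)
        with open(segments[1], "r+b") as f:  # simulate one corrupted byte
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_image(segments, md5, sha1)
    return {"segment_sizes": sizes, "md5": md5, "sha1": sha1,
            "intact_verified": intact, "tampered_verified": tampered}


if __name__ == "__main__":
    print(demo())
```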
• SMART
• Helix 3
• Kali Linux
• Autopsy and SleuthKit
Part-B
1. Explain in detail about the concepts Processing Crime and Incident Scenes.
• Explain the rules for controlling digital evidence
• Describe how to collect evidence at private-sector incident scenes
• Explain guidelines for processing law enforcement crime scenes
• List the steps in preparing for an evidence search
• Describe how to secure a computer incident or crime scene
• Explain guidelines for seizing digital evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements and plan your investigation
1.1 Explain the rules for controlling digital evidence
Identifying Digital Evidence
• Digital evidence
– Can be any information stored or transmitted in digital form
• U.S. courts accept digital evidence as physical evidence
– Digital data is treated as a tangible object
• Groups such as the Scientific Working Group on Digital Evidence (SWGDE) set
standards for recovering, preserving, and examining digital evidence
• General tasks investigators perform when working with digital evidence:
– Identify digital information or artifacts that can be used as evidence
– Collect, preserve, and document evidence
– Analyze, identify, and organize evidence
– Rebuild evidence or repeat a situation to verify that the results can be
reproduced reliably
• Collecting digital devices and processing a criminal or incident scene must
be done systematically
Understanding Rules of Evidence
• Consistent practices help verify your work and enhance your credibility
• Comply with your state’s rules of evidence or with the Federal Rules of Evidence
• Evidence admitted in a criminal case can be used in a civil suit, and vice versa
• Keep current on the latest rulings and directives on collecting, processing,
storing, and admitting digital evidence
• Data you discover from a forensic examination falls under your state’s rules of
evidence
– Or the Federal Rules of Evidence (FRE)
• Digital evidence is unlike other physical evidence because it can be changed
more easily
– The only way to detect these changes is to compare the original data with
a duplicate
• Most federal courts have interpreted computer records as hearsay evidence
– Hearsay is secondhand or indirect evidence
• Business-record exception
– Allows “records of regularly conducted activity,” such as business
memos, reports, records, or data compilations
• Generally, digital records are considered admissible if they qualify as a business
record
• Computer records are usually divided into:
– Computer-generated records
– Computer-stored records
• Computer and digitally stored records must be shown to be authentic and
trustworthy
– To be admitted into evidence
• Computer-generated records are considered authentic if the program that
created the output is functioning correctly
– Usually considered an exception to the hearsay rule
• Collecting evidence according to the proper steps of evidence control helps
ensure that the computer evidence is authentic
• When attorneys challenge digital evidence
– Often they raise the issue of whether computer-generated records were
altered or damaged
• One test to prove that computer-stored records are authentic is to demonstrate
that a specific person created the records
– How are you going to protect the computer and media while transporting
them to your lab?
– Is the computer powered on when you arrive?
• Ask your supervisor or senior forensics examiner in your organization the
following questions (cont’d):
– Is the suspect you’re investigating in the immediate area of the
computer?
– Is it possible the suspect damaged or destroyed the computer,
peripherals, or media?
– Will you have to separate the suspect from the computer?
Processing an Incident or Crime Scene
• Guidelines
– Keep a journal to document your activities
– Secure the scene
• Be professional and courteous with onlookers
• Remove people who are not part of the investigation
– Take video and still recordings of the area around the computer
• Pay attention to details
– Sketch the incident or crime scene
– Check state of computers as soon as possible
– Don’t cut electrical power to a running system unless it’s an older
Windows 9x or MS-DOS system
– Save data from current applications as safely as possible
– Record all active windows or shell sessions
– Make notes of everything you do when copying data from a live suspect
computer
– Close applications and shut down the computer
– Bag and tag the evidence, following these steps:
• Assign one person to collect and log all evidence
• Tag all evidence you collect with the current date and time, serial
numbers or unique features, make and model, and the name of
the person who collected it
• Maintain two separate logs of collected evidence
Documenting Evidence
• Create or use an evidence custody form
• An evidence custody form serves the following functions:
– Identifies the evidence
– Identifies who has handled the evidence
– Lists dates and times the evidence was handled
• You can add more information to your form
– Such as a section listing MD5 and SHA-1 hash values
• Include any detailed information you might need to reference
• Evidence bags also include labels or evidence forms you can use to document
your evidence
– Use antistatic bags for electronic components
1.8 Explain how to obtain a digital hash
Reviewing a Case
• General tasks you perform in any computer forensics case:
– Identify the case requirements
– Plan your investigation
– Conduct the investigation
– Complete the case report
– Critique the case
Sample Civil Investigation
• Most cases in the corporate environment are considered low-level
investigations
– Or noncriminal cases
• Common activities and practices
– Recover specific evidence
• Suspect’s Outlook e-mail folder (PST file)
– Covert surveillance
• Its use must be well defined in the company policy
• Risk of civil or criminal liability
– Sniffing tools for data transmissions
Sample Criminal Investigation
• Computer crimes examples
– Fraud
– Check fraud
– Homicides
• Need a warrant to start seizing evidence
– Limit searching area
2. Explain in detail working with Windows and DOS systems.
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted with whole disk
encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine
– You should be familiar with both the computer’s OS and file systems
Understanding the Boot Sequence
• Complementary Metal Oxide Semiconductor (CMOS)
– Computer stores system configuration and date and time information in
the CMOS
• When power to the system is off
• Basic Input/Output System (BIOS) or Extensible Firmware Interface (EFI)
– Contains programs that perform input and output at the hardware level
• Bootstrap process
– Contained in ROM, tells the computer how to proceed
– Displays the key or keys you press to open the CMOS setup screen
• CMOS should be modified to boot from a forensic floppy disk or CD
Disk Partitions
• A partition is a logical drive
• Windows OSs can have three primary partitions followed by an extended
partition that can contain one or more logical drives
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions
• An unintentional side effect of FAT16 having large clusters was that it reduced
fragmentation
– As cluster size increased
• When this first assigned cluster is filled and runs out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster
– File becomes fragmented
Deleting FAT Files
– TrueCrypt
2.5 Explain how the Windows Registry works
• Registry
– A database that stores hardware and software configuration information,
network connections, user preferences, and setup information
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x systems
– Regedt32 for Windows 2000, XP, and Vista
– Both utilities can be used for Windows 7 and 8
Exploring the Organization of the Windows Registry
• Registry terminology:
– Registry
– Registry Editor
– HKEY
– Key
– Subkey
– Branch
– Value
– Default value
– Hives
• All NTFS computers perform the following steps when the computer is turned
on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon
• Startup Files for Windows Vista:
– The Ntldr program in Windows XP used to load the OS has been replaced
with these three boot utilities:
• Bootmgr.exe
• Winload.exe
• Winresume.exe
– Windows Vista includes the BCD editor for modifying boot options and
updating the BCD registry file
– The BCD store replaces the Windows XP boot.ini file
• Startup Files for Windows XP:
– NT Loader (NTLDR)
– Boot.ini
– Ntoskrnl.exe
– Bootvid.dll
– Hal.dll
– BootSect.dos
– NTDetect.com
– NTBootdd.sys
– Pagefile.sys
• Windows XP System Files
After Msdos.sys finishes setting up DOS services, it looks for the Config.sys file
to configure device drivers and other settings.
Config.sys is a text file containing commands that typically run only at system
startup to enhance the computer’s DOS configuration.
Msdos.sys then loads Command.com, which contains the same internal DOS
commands in MS-DOS 6.22 as in Windows 9x. As the loading of Command.com
nears completion, Msdos.sys looks for and loads Autoexec.bat, a batch file
containing customized settings for MS-DOS that runs automatically.
In this batch file, you can define the default path and set environment
variables, such as temporary directories. MS-DOS then accesses and resets the
last access dates and times on files when powered up.
2.8 Describe a virtual machine.
• Virtual machine
– Allows you to create a representation of another computer on an existing
physical computer
• A virtual machine is just a few files on your hard drive
– Must allocate space to it
• A virtual machine recognizes components of the physical machine it’s loaded on
– Virtual OS is limited by the physical machine’s OS
• In digital forensics
– Virtual machines make it possible to restore a suspect drive on your
virtual machine
• And run nonstandard software the suspect might have loaded
• GUI applications
– Commonly used to copy data from a suspect’s disk drive to an image file
Tasks Performed by Digital Forensics Tools
• Follow guidelines set up by NIST’s Computer Forensics Tool Testing (CFTT)
program
• ISO standard 27037 states: Digital Evidence First Responders (DEFRs) should
use validated tools
• Five major categories:
– Acquisition
– Validation and verification
– Extraction
– Reconstruction
– Reporting
Acquisition
– Making a copy of the original drive
• Acquisition subfunctions:
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
– Remote, live, and memory acquisitions
– Two types of data-copying methods are used in software acquisitions:
• Physical copying of the entire drive
• Logical copying of a disk partition
– The formats for disk acquisitions vary
• From raw data to vendor-specific proprietary
• You can view the contents of a raw image file with any hexadecimal editor
– Creating smaller segmented files is a typical feature in vendor acquisition
tools
– Remote acquisition of files is common in larger organizations
• Popular tools, such as AccessData and EnCase, can do remote
acquisitions of forensics drive images on a network
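The physical copy and verification steps above, as an added example that is not from the original notes: a dd-style disk-to-image acquisition written as segmented raw files, hashed on the way in, and then verified by hashing the segments as one stream. The "suspect drive" is a constructed bytes object standing in for a block device; block and segment sizes are chosen for illustration.

```python
"""Added example, not part of the original notes: a physical disk-to-image
acquisition in the style of the Linux dd command, writing the copy as
segmented raw files and then verifying it by hash.

Assumptions: the suspect drive is a constructed bytes object standing in for
a block device, and the block and segment sizes are chosen for illustration.
"""
import hashlib
import io
import os
import tempfile
from typing import List, Tuple

BLOCK_SIZE = 512      # one sector per read, like dd's default bs=512
SEGMENT_SIZE = 4096   # tiny segments so the sample produces several files
assert SEGMENT_SIZE % BLOCK_SIZE == 0  # a block never straddles two segments


def acquire_physical(source, out_dir: str, base: str = "suspect.dd") -> Tuple[List[str], str]:
    """Copy every byte read from `source` into out_dir/suspect.dd.001, .002, ...
    while hashing the source stream itself. Returns (segment paths, SHA-1)."""
    digest = hashlib.sha1()
    segments: List[str] = []
    seg_file = None
    seg_written = 0
    while True:
        block = source.read(BLOCK_SIZE)  # the last read may be a short block
        if not block:
            break
        digest.update(block)
        if seg_file is None or seg_written >= SEGMENT_SIZE:
            if seg_file is not None:
                seg_file.close()
            path = os.path.join(out_dir, f"{base}.{len(segments) + 1:03d}")
            seg_file = open(path, "wb")
            segments.append(path)
            seg_written = 0
        seg_file.write(block)
        seg_written += len(block)
    if seg_file is not None:
        seg_file.close()
    return segments, digest.hexdigest()


def hash_segments(segments: List[str]) -> str:
    """Hash the segment files in order as one logical stream; the image is
    verified as a whole, not segment by segment."""
    digest = hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_acquisition(source_hash: str, segments: List[str]) -> bool:
    """Verification: the copy is identical to the source only if the hashes match."""
    return hash_segments(segments) == source_hash


def run_demo() -> dict:
    """Acquire a constructed 10,000-byte 'drive', verify, then flip one byte of
    the image to show that verification catches the change."""
    drive = bytes(range(256)) * 30 + b"\x00" * 2320  # constructed sample drive
    with tempfile.TemporaryDirectory() as out_dir:
        segments, source_hash = acquire_physical(io.BytesIO(drive), out_dir)
        sizes = [os.path.getsize(p) for p in segments]
        verified = verify_acquisition(source_hash, segments)
        with open(segments[-1], "r+b") as fh:  # simulate a damaged image segment
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        verified_after_damage = verify_acquisition(source_hash, segments)
    return {
        "segments": len(segments),
        "segment_sizes": sizes,
        "source_sha1": source_hash,
        "source_hash_is_plain_sha1": source_hash == hashlib.sha1(drive).hexdigest(),
        "verified": verified,
        "verified_after_damage": verified_after_damage,
    }


if __name__ == "__main__":
    print(run_demo())
```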
Validation and Verification
– Validation
• A way to confirm that a tool is functioning as intended
– Verification
• Proves that two sets of data are identical by calculating hash
values or using another similar method
• A related process is filtering, which involves sorting and searching
through investigation findings to separate good data and
suspicious data.
– Subfunctions
• Hashing
– CRC-32, MD5, SHA-1 (Secure Hash Algorithms)
• Filtering
– Based on hash value sets
• Analyzing file headers
– Discriminate files based on their types
– National Software Reference Library (NSRL) has compiled a list of known
file hashes
• For a variety of OSs, applications, and images
– Validation and discrimination
– Many computer forensics programs include a list of common header
values
• With this information, you can see whether a file extension is
incorrect for the file type
– Most forensics tools can identify header values
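The filtering and header-analysis subfunctions above, as an added example that is not from the original notes: recovered files are set aside when their hash appears in a reference set of known files (the role an NSRL-style list plays), and each file's leading bytes are compared with its extension. The sample files, the reference set and the short signature table are constructed for the example.

```python
"""Added example, not part of the original notes: two discrimination steps on
recovered files, filtering against a set of known hash values (the job an
NSRL-style reference set does) and checking each file's header signature
against its extension to spot a mismatched or misleading extension.

Assumptions: the sample files and the 'known' reference set are constructed
for the example; the signature table lists a few widely documented magic numbers.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample files recovered from an image: file name -> content.
SAMPLE_FILES: Dict[str, bytes] = {
    "readme.txt": b"Standard readme shipped with the operating system\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,  # PNG bytes, .pdf name
    "notes.docx": b"PK\x03\x04" + b"\x00" * 60,
    "invoice.exe": b"MZ" + b"\x00" * 60,
}

# Header signature -> extensions for which that header is expected.
SIGNATURES: List[Tuple[bytes, Tuple[str, ...]]] = [
    (b"\xff\xd8\xff", ("jpg", "jpeg")),
    (b"\x89PNG\r\n\x1a\n", ("png",)),
    (b"%PDF-", ("pdf",)),
    (b"PK\x03\x04", ("zip", "docx", "xlsx", "pptx", "jar")),
    (b"MZ", ("exe", "dll", "sys")),
]


def file_hashes(content: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 of a file, the two values the evidence form records."""
    return {"md5": hashlib.md5(content).hexdigest(),
            "sha1": hashlib.sha1(content).hexdigest()}


def build_known_set(known_contents: List[bytes]) -> Set[str]:
    """Stand-in for loading a reference set: SHA-1 values of files known to
    belong to the OS or to common applications."""
    return {hashlib.sha1(c).hexdigest() for c in known_contents}


def filter_known(files: Dict[str, bytes], known: Set[str]) -> Tuple[List[str], List[str]]:
    """Split files into known (can be set aside) and unknown (need review)."""
    known_names: List[str] = []
    unknown_names: List[str] = []
    for name, content in files.items():
        target = known_names if file_hashes(content)["sha1"] in known else unknown_names
        target.append(name)
    return known_names, unknown_names


def type_from_header(content: bytes) -> Optional[Tuple[str, ...]]:
    """Return the extensions matching the file's leading bytes, or None."""
    for magic, exts in SIGNATURES:
        if content.startswith(magic):
            return exts
    return None


def extension_mismatches(files: Dict[str, bytes]) -> Dict[str, str]:
    """Files whose extension disagrees with the header: name -> detected type."""
    flagged: Dict[str, str] = {}
    for name, content in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        exts = type_from_header(content)
        if exts is not None and ext not in exts:
            flagged[name] = exts[0]
    return flagged


def run_demo() -> dict:
    known = build_known_set([SAMPLE_FILES["readme.txt"]])  # one 'known good' file
    known_names, unknown_names = filter_known(SAMPLE_FILES, known)
    return {"known": known_names, "unknown": unknown_names,
            "mismatches": extension_mismatches(SAMPLE_FILES)}


if __name__ == "__main__":
    print(run_demo())
```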
• Extraction
– Recovery task in a digital investigation
– Most challenging of all tasks to master
– Recovering data is the first step in analyzing an investigation’s data
– Subfunctions of extraction
• Data viewing
• Keyword searching
• Decompressing or uncompressing
• Carving
• Decrypting
• Bookmarking or tagging
– Keyword search speeds up analysis for investigators
– From an investigation perspective, encrypted files and systems are a
problem
– Many password recovery tools have a feature for generating potential
password lists
• For a password dictionary attack
– If a password dictionary attack fails, you can run a brute-force attack
• Reconstruction
– Re-create a suspect drive to show what happened during a crime or an
incident
– Methods of reconstruction
• Disk-to-disk copy
• Partition-to-partition copy
• Image-to-disk copy
• Image-to-partition copy
• Rebuilding files from data runs and carving
– To re-create an image of a suspect drive
• Copy an image to another location, such as a partition, a physical
disk, or a virtual machine
• Simplest method is to use a tool that makes a direct disk-to-image
copy
– Examples of disk-to-image copy tools:
• Linux dd command
• ProDiscover
• Voom Technologies Shadow Drive
• Reporting
– To perform a forensics disk analysis and examination, you need to create
a report
– Subfunctions of reporting
• Bookmarking or tagging
• Log reports
• Report generator
– Use this information when producing a final report for your investigation
• Kali Linux
– Formerly known as BackTrack
– Includes a variety of tools and has an easy-to-use KDE interface
• Autopsy and Sleuth Kit
– Sleuth Kit is a Linux forensics tool
– Autopsy is the GUI browser interface used to access Sleuth Kit’s tools
Other GUI Forensics Tools
• GUI forensics tools can simplify digital forensics investigations
• Have also simplified training for beginning examiners
• Most of them are put together as suites of tools
• Advantages
– Ease of use
– Multitasking
– No need for learning older OSs
• Disadvantages
– Excessive resource requirements
– Produce inconsistent results
– Create tool dependencies
• Investigators may want to use only one tool
• Should be familiar with more than one type of tool
3.3 List some considerations for digital forensics hardware tools
Digital Forensics Hardware Tools
• Technology changes rapidly
• Hardware eventually fails
– Schedule equipment replacements periodically
• When planning your budget consider:
– Amount of time you expect the forensic workstation to be running
– Failures
– Consultant and vendor fees
– Anticipate equipment replacement
Forensic Workstations
• Carefully consider what you need
• Categories
– Stationary workstation
– Portable workstation
– Lightweight workstation
• Balance what you need and what your system can handle
– Remember that RAM and storage need updating as technology advances
• Police agency labs
– Need many options
– Use several PC configurations
• Keep a hardware library in addition to your software library
• Private corporation labs
– Handle only system types used in the organization
• Some vendors offer workstations designed for digital forensics
• Examples
– F.R.E.D. unit from Digital Intelligence
– Hardware mounts from ForensicPC
• Having vendor support can save you time and frustration when you have
problems
• Can mix and match components to get the capabilities you need for your
forensic workstation
Using a Write-Blocker
• Write-blocker
– Prevents data writes to a hard disk
• Software-enabled blockers
– Typically run in a shell mode (Windows CLI)
– Example: PDBlock from Digital Intelligence
• Hardware options
– Ideal for GUI forensic tools
– Act as a bridge between the suspect drive and the forensic workstation
• You can navigate to the blocked drive with any application
• Discards the written data
– For the OS the data copy is successful
• Connecting technologies
– FireWire
– USB 2.0 and 3.0
– SATA, PATA, and SCSI controllers
Important Questions
Part-A
1. Write the rules for controlling digital evidence.
2. State the best evidence rule.
3. Define the Federal Rules of Evidence.
4. How do you collect evidence at private-sector incident scenes?
5. Describe the processing of law enforcement crime scenes.
6. How do you prepare for a search in a criminal case?
7. How do you determine whether you can seize computers and digital devices when
processing a crime scene?
8. How are tools used in processing a crime or incident scene?
9. How do you prepare the investigation team?
10. Explain storing digital evidence.
11. How do you review a case?
12. Define file system.
13. List the disk drive components.
14. Define solid-state storage devices.
15. Define the NTFS Encrypting File System (EFS).
16. Define NTFS disks.
17. Explain deleting NTFS files.
18. List the third-party disk encryption tools.
19. Explain how the Windows Registry works.
20. List the Registry terminology.
Part-B
1. Explain the rules for controlling digital evidence
2. Describe how to collect evidence at private-sector incident scenes
3. Explain guidelines for processing law enforcement crime scenes
4. List the steps in preparing for an evidence search
5. Describe how to secure a computer incident or crime scene
6. Describe Microsoft file structures
7. Explain the structure of New Technology File System (NTFS) disks
8. List some options for decrypting drives encrypted with whole disk encryption
9. Explain how the Windows Registry works
10. Describe Microsoft startup tasks
11. Describe MS-DOS startup tasks
12. Describe available computer forensics software tools
13. List some considerations for computer forensics hardware tools
14. Describe methods for validating and testing computer forensics tools
UNIT V
ANALYSIS AND VALIDATION
Validating Forensics Data -Data Hiding Techniques - Performing Remote Acquisition –
Network Forensics -Email Investigations - Cell Phone and Mobile Devices Forensics
Part-A
1. Define bit-shifting.
The process of shifting one or more digits in a binary number to the left or right
to produce a different value.
Key escrow: A technology designed to recover encrypted data if users forget their
passphrases or if the user key is corrupted after a system failure.
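Bit-shifting as a data-hiding technique, as an added example that is not from the original notes: every byte of a file has been rotated by the same number of bit positions, so the file no longer starts with a recognisable header, and the examiner recovers it by trying each of the eight rotations and testing for a known header. The per-byte rotation, the sample document and the small header table are assumptions made for the example.

```python
"""Added example, not part of the original notes: recovering a file hidden by
bit-shifting. Each byte has been rotated by the same number of bit positions,
so the header no longer matches anything; trying every possible rotation and
testing for a known header exposes the original.

Assumption: a per-byte rotation is used so the operation is exactly reversible;
the sample document and the header table are constructed for the example.
"""
from typing import List, Optional, Tuple

# A few documented file signatures (magic numbers) and the type they indicate.
KNOWN_HEADERS: List[Tuple[bytes, str]] = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def rotate_left(byte: int, k: int) -> int:
    """Rotate an 8-bit value left by k positions (k is taken modulo 8)."""
    k %= 8
    return ((byte << k) | (byte >> (8 - k))) & 0xFF


def shift_bits(data: bytes, k: int) -> bytes:
    """Rotate every byte left by k bits; rotating by 8 - k undoes it."""
    return bytes(rotate_left(b, k) for b in data)


def identify(data: bytes) -> Optional[str]:
    """Return the type whose magic number the data starts with, or None."""
    for magic, kind in KNOWN_HEADERS:
        if data.startswith(magic):
            return kind
    return None


def recover_shifted(data: bytes) -> Optional[Tuple[int, str, bytes]]:
    """Try every rotation (0 means the file was never shifted) and return
    (shift the hider applied, detected type, recovered bytes) for the first
    rotation that exposes a known header, or None if none does."""
    for k in range(8):
        candidate = shift_bits(data, (8 - k) % 8)  # undo a left rotation of k
        kind = identify(candidate)
        if kind is not None:
            return k, kind, candidate
    return None


def run_demo() -> dict:
    original = b"%PDF-1.4\n% constructed sample document, not a real PDF\n"
    hidden = shift_bits(original, 3)  # what the examiner finds on the drive
    result = recover_shifted(hidden)
    return {
        "hidden_looks_known": identify(hidden) is not None,
        "hidden_prefix_hex": hidden[:5].hex(),
        "shift": result[0] if result else None,
        "type": result[1] if result else None,
        "recovered": bool(result) and result[2] == original,
    }


if __name__ == "__main__":
    print(run_demo())
```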
2. Define Known File Filter (KFF).
A database containing the hash values of known legitimate and suspicious files.
It’s used to identify files for evidence or eliminate them from the investigation if
they are legitimate files.
Scope creep: The result of an investigation expanding beyond its original
description because the discovery of unexpected evidence increases the amount of
work required.
3. Define steganography.
A cryptographic technique for embedding information in another file for the
purpose of hiding that information from casual observers.
4. Define network forensics.
The process of collecting and analyzing raw network data and systematically
tracking network traffic to determine how security incidents occur.
5. Define client/server architecture.
A network architecture in which each computer or process on the network is a
client or server. Clients request services from a server, and a server processes
requests from clients.
6. Define Enhanced Simple Mail Transfer Protocol (ESMTP).
An enhancement of SMTP for sending and receiving e-mail messages. ESMTP
generates a unique, nonrepeatable number that’s added to a transmitted e-mail.
No two messages transmitted from an e-mail server have the same ESMTP value.
7. Define Multipurpose Internet Mail Extensions (MIME)
– Web-based clients
• After you open e-mail headers, copy and paste them into a text document
• Headers contain useful information
• Outlook
• Outlook Express
• Pine and ELM
• AOL headers
• Hotmail
• Apple Mail
19. List out the E-mail Forensics Tools
• Tools include:
– AccessData’s Forensic Toolkit (FTK)
– ProDiscover Basic
– FINALeMAIL
– Sawmill-GroupWise
– DBXtract
– Fookes Aid4Mail and MailBag Assistant
– Paraben E-Mail Examiner
– Ontrack Easy Recovery EmailRepair
– R-Tools R-Mail
• Tools allow you to find:
– E-mail database files
– Personal e-mail files
– Offline storage files
– Log files
20. Define SIM card readers.
With GSM phones and many newer models of mobile devices, the next step is
accessing the SIM card, which you can do by using a combination
hardware/software device called a SIM card reader.
The general procedure is as follows:
1. Remove the back panel of the device.
2. Remove the battery.
3. Under the battery, remove the SIM card from its holder.
4. Insert the SIM card into the card reader, which you insert into your
forensic workstation’s USB port.
Part-B
1. Determine what data to analyze in a computer forensics investigation.
Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on:
– Nature of the case
– Amount of data to process
– Search warrants and court orders
– Company policies
• Scope creep
– Investigation expands beyond the original description
• Right of full discovery of digital evidence
Approaching Computer Forensics Cases
• Some basic principles apply to almost all computer forensics cases
– The approach you take depends largely on the specific type of case you’re
investigating
• Basic steps for all computer forensics investigations
– For target drives, use only recently wiped media that have been
reformatted
• And inspected for computer viruses
• Basic steps for all computer forensics investigations (continued)
– Inventory the hardware on the suspect’s computer and note the
condition of the computer when seized
– Remove the original drive from the computer
• Check date and time values in the system’s CMOS
– Record how you acquired data from the suspect drive
– Process the data methodically and logically
• Basic steps for all computer forensics investigations (continued)
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related to the investigation
• Make your best effort to recover file contents
– Brute-force attack
– Password guessing based on suspect’s profile
• Tools
– AccessData PRTK
– Advanced Password Recovery Software Toolkit
– John the Ripper
• Using AccessData tools with passworded and encrypted files
– AccessData offers a tool called Password Recovery Toolkit (PRTK)
• Can create possible password lists from many sources
– Can create your own custom dictionary based on facts in the case
– Can create a suspect profile and use biographical information to generate
likely passwords
• Using AccessData tools with passworded and encrypted files (continued)
– FTK can identify known encrypted files and those that seem to be
encrypted
• And export them
– You can then import these files into PRTK and attempt to crack them
• Name conventions
– Corporate: john.smith@somecompany.com
– Public: whatever@hotmail.com
– Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
– Because accounts use standard names the administrator
establishes
Investigating E-mail Crimes and Violations
• Similar to other types of investigations
• Goals
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
• Depend on the city, state, or country
– Example: spam
– Always consult with an attorney
• Becoming commonplace
• Examples of crimes involving e-mails
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography
Examining E-mail Messages
• Access victim’s computer to recover the evidence
• Using the victim’s e-mail client
– Find and copy evidence in the e-mail
– Access protected or encrypted material
– Print e-mails
• Guide victim on the phone
– Open and copy e-mail including headers
• Sometimes you will deal with deleted e-mails
• Copying an e-mail message
– Before you start an e-mail investigation
• You need to copy and print the e-mail involved in the crime or
policy violation
– You might also want to forward the message as an attachment to another
e-mail address
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a
storage medium
– Or by saving it in a different location
Viewing E-mail Headers
• Learn how to find e-mail headers
– GUI clients
– Command-line clients
– Web-based clients
• After you open e-mail headers, copy and paste them into a text document
– So that you can read them with a text editor
• Headers contain useful information
– Unique identifying numbers, IP address of sending server, and sending
time
• Outlook
– Open the Message Options dialog box
– Copy headers
– Paste them to any text editor
• Outlook Express
– Open the message Properties dialog box
– Select Message Source
– Copy and paste the headers to any text editor
• Novell Evolution
• Yahoo
– Click Mail Options
– Click General Preferences and Show All headers on incoming messages
– Copy and paste headers
• /etc/sendmail.cf
– Configuration information for Sendmail
• /etc/syslog.conf
– Specifies how and which events Sendmail logs
• /var/log/maillog
– SMTP and POP3 communications
• IP address and time stamp
• Check UNIX man pages for more information
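The header fields listed above (unique identifiers, the sending server’s IP address and the sending time) and the server-side /var/log/maillog record, as an added example that is not from the original notes: the Received chain is parsed hop by hop, and the last hop is checked against the recipient server’s log entry. The message and the log line are constructed; the log line follows the usual sendmail layout, but every host, address and id in it is made up.

```python
"""Added example, not part of the original notes: extracting the fields the
notes point to in a copied e-mail header (unique identifiers, the IP address
of the sending server and the sending time) and checking the last hop against
a server-side /var/log/maillog entry.

Assumptions: the message and the log line are constructed; the log line follows
the usual sendmail layout, but the hosts, addresses and ids are made up.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed copy of the headers as pasted into a text file by the examiner.
RAW_MESSAGE = """Received: from smtp-out.sender-isp.example (smtp-out.sender-isp.example [203.0.113.10])
    by mail.victim-corp.example (8.14.4/8.14.4) with ESMTP id s2BEF2xy004212
    for <jane.doe@victim-corp.example>; Tue, 11 Mar 2014 09:15:10 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by smtp-out.sender-isp.example (Postfix) with ESMTP id 4F2A1C0B7
    for <jane.doe@victim-corp.example>; Tue, 11 Mar 2014 09:15:02 -0500
Message-ID: <20140311141459.GA4421@sender.example>
Date: Tue, 11 Mar 2014 09:14:59 -0500
From: "Accounts" <accounts@sender.example>
To: jane.doe@victim-corp.example
Subject: Overdue invoice

Body omitted in this constructed sample.
"""

# Constructed /var/log/maillog line from the recipient's server for the same message.
MAILLOG_LINE = ("Mar 11 09:15:10 mail sendmail[4212]: s2BEF2xy004212: "
                "from=<accounts@sender.example>, size=2048, class=0, nrcpts=1, "
                "msgid=<20140311141459.GA4421@sender.example>, proto=ESMTP, "
                "daemon=MTA, relay=smtp-out.sender-isp.example [203.0.113.10]")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull sending host, its IP, receiving host, ESMTP id and time stamp out of
    one Received header (folded continuation lines are collapsed first)."""
    text = re.sub(r"\s+", " ", value).strip()

    def grab(pattern: str) -> Optional[str]:
        match = re.search(pattern, text)
        return match.group(1) if match else None

    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": grab(r"\bfrom\s+(\S+)"),
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
        "by": grab(r"\bby\s+(\S+)"),
        "esmtp_id": grab(r"\bid\s+([A-Za-z0-9]+)"),
        "time": parsedate_to_datetime(stamp).isoformat() if stamp else None,
    }


def analyze_headers(raw: str) -> Dict:
    """Each relay prepends its own Received header, so the last one in the
    list is the first hop, the server closest to the sender."""
    msg = message_from_string(raw)
    hops: List[Dict[str, Optional[str]]] = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None
    return {
        "message_id": msg.get("Message-ID"),
        "date": msg.get("Date"),
        "hops": hops,
        "origin_ip": origin["ip"] if origin else None,
    }


def parse_maillog(line: str) -> Optional[Dict[str, str]]:
    """Queue id, sender, Message-ID and relay host/IP from a sendmail log line."""
    match = re.search(
        r"sendmail\[\d+\]: (?P<qid>[^:\s]+): from=<(?P<sender>[^>]*)>.*?"
        r"msgid=<(?P<msgid>[^>]*)>.*?relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]",
        line)
    return match.groupdict() if match else None


def correlate(header_info: Dict, log_entry: Dict[str, str]) -> Dict[str, bool]:
    """Does the recipient server's own log agree with the header the victim supplied?"""
    last_hop = header_info["hops"][0]
    return {
        "queue_id_matches": last_hop["esmtp_id"] == log_entry["qid"],
        "message_id_matches": header_info["message_id"] == f"<{log_entry['msgid']}>",
        "relay_ip_matches": last_hop["ip"] == log_entry["ip"],
    }


if __name__ == "__main__":
    info = analyze_headers(RAW_MESSAGE)
    print(info["origin_ip"], correlate(info, parse_maillog(MAILLOG_LINE)))
```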
• Mobile WiMAX—This technology uses the IEEE 802.16e standard and Orthogonal
Frequency Division Multiple Access (OFDMA) and is expected to support transmission
speeds of 12 Mbps. Sprint has chosen this technology for its 4G network, although
some argue it’s not true 4G.
• Ultra Mobile Broadband (UTMS)—Also known as CDMA2000 EV-DO, this
technology is expected to be used by CDMA network providers to switch to 4G and
support transmission speeds of 100 Mbps.
Although digital networks use different technologies, they operate on the same basic
principles. Basically, geographical areas are divided into cells resembling honeycombs.
The SIM card is necessary for the ME to work and serves these additional
purposes:
• Identifies the subscriber to the network
• Stores personal information
• Stores address books and messages
• Stores service-related information
SIM cards come in two sizes, but the most common is the size of a standard U.S.
postage stamp and about 0.75 mm thick. Portability of information is what makes SIM
cards so versatile.
By switching a SIM card between compatible phones, users can move their
information to another phone automatically without having to notify the service
provider.
Inside PDAs
Personal digital assistants (PDAs) can still be found as separate devices from mobile
phones. Most users carry them instead of a laptop to keep track of appointments,
deadlines, address books, and so forth. Palm Pilot and Microsoft Pocket PC were
popular models when PDAs came on the market in the 1990s, and standalone PDAs
are still made by companies such as Palm, Sharp, and HP.
A number of peripheral memory cards are used with PDAs:
• Compact Flash (CF)—CF cards are used for extra storage and work much the same
way as PCMCIA cards.
• MultiMedia Card (MMC)—MMC cards are designed for mobile phones, but they can
be used with PDAs to provide another storage area.
• Secure Digital (SD)—SD cards are similar to MMCs but have added security
features to protect data.
8. Describe procedures for acquiring data from cell phones and mobile devices.
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
All mobile devices have volatile memory, so making sure they don’t lose power before
you can retrieve RAM data is critical. At the investigation scene, determine whether
the device is on or off. If it’s off, leave it off, but find the recharger and attach it as
soon as possible. If the device is on, check the LCD display for the battery’s current
charge level. Because mobile devices are often designed to synchronize with
applications on a user’s PC, any mobile device attached to a PC via a cable or
cradle/docking station should be disconnected from the PC immediately.
The alternative is to isolate the device from incoming signals with one of the
following options:
• Place the device in a paint can, preferably one that previously contained radio wave–
blocking paint.
• Use the Paraben Wireless StrongHold Bag (www.paraben-forensics.com/catalog),
which conforms to Faraday wire cage standards.
• Use eight layers of antistatic bags (for example, the bags that new hard drives are
wrapped in) to block the signal.
When you’re back in the forensics lab, you need to assess what can be retrieved.
Knowing where information is stored is critical. You should check these four areas:
• The internal memory
• The SIM card
• Any removable or external memory cards
• The system server
Memory storage on a mobile device is usually implemented as a combination of
volatile and nonvolatile memory.
Volatile memory requires power to maintain its contents, but nonvolatile
memory does not.
Although the specific locations of data vary from one phone model to the next,
volatile memory usually contains data that changes frequently, such as missed
calls, text messages, and sometimes even user files.
Nonvolatile memory, on the other hand, contains OS files and stored user data,
such as a personal information manager (PIM) and backed-up files.
You can retrieve quite a bit of data from a SIM card. The information that can be
retrieved falls into four categories:
• Service-related data, such as identifiers for the SIM card and
subscriber
• Call data, such as numbers dialed
• Message information
• Location information
Mobile Forensics Equipment
Mobile forensics is such a new science that many of the items you’re
accustomed to retrieving from computers, such as deleted files, aren’t available
on mobile devices.
The biggest challenge is dealing with constantly changing models of cell phones.
This section gives you an overview of procedures for working with mobile
forensics software, and specific tools are discussed in the following sections.
The first step is identifying the mobile device. Most users don’t alter their
devices, but some file off serial numbers, change the display to show misleading
data, and so on.
When attempting to identify a phone, you can make use of several online
sources, such as www.cellphoneshop.com, www.phonescoop.com, and
www.mobileforensicscentral.com.
The next step is to attach the phone to its power supply and connect the correct
cables.
Often you have to rig cables to connect to devices because cables for the model
you’re investigating are not available. U.S. companies usually don’t supply
cables for phones not commonly used in the United States, but the reverse is
true for companies based in Europe.
Some vendors have toolkits with an array of cables you can use (discussed later
in “Mobile Forensics Tools”).
After you’ve connected the device, start the forensics program and begin
downloading the available information.
SIM Card Readers
With GSM phones and many newer models of mobile devices, the next step is
accessing the SIM card, which you can do by using a combination
hardware/software device called a SIM card reader.
Important Questions
Part-A
1. Define bit-shifting
2. Define Known File Filter (KFF).
3. Define steganography.
4. Define network forensics.
5. Define client/server architecture.
6. Define Enhanced Simple Mail Transfer Protocol (ESMTP).
7. Define Multipurpose Internet Mail Extensions (MIME)
8. Define spoofing
9. How do you validate with computer forensics programs?
10. List the methods of addressing data-hiding techniques.
11. Define Code Division Multiple Access (CDMA).
12. Define electrically erasable programmable read-only memory (EEPROM).
13. Define fourth-generation (4G).
14. Define Global System for Mobile Communications (GSM).
15. Define Orthogonal Frequency Division Multiplexing (OFDM).
16. Explain the role of e-mail in investigations.
17. Explain the roles of the client and server in e-mail.
18. List e-mail headers.
19. List the e-mail forensics tools.
20. Define SIM card readers.
Part-B
1. Determine what data to analyze in a computer forensics investigation
2. Explain tools used to validate data
3. Explain common data-hiding techniques
4. Describe methods of performing a remote acquisition
5. Explain standard procedures for network forensics
6. Describe the use of network tools
7. Describe the importance of network forensics
8. Explain the basic concepts of mobile device forensics
9. Describe procedures for acquiring data from cell phones and mobile devices
10. Explain e-mail investigations in detail.