
Computer

Forensics
Computer Forensics
Module Description
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

1
1.1.1 Introduction

(i) History

The evolution of Computer forensics

3.

2
Year Phase Development

3
(ii) Basic Terminology
What is Cyber Crime?

4
(iii) Myths about Computer Forensics

Myth #1

Reality

Myth #2

Reality

Myth #3

5
Reality

(iv) Need for Computer Forensics

6
(v) Rules of Computer Forensics

Rules for Admissibility of Evidence

Rules for Chain of Custody

7

Rules for Evidence Integrity

Self-assessment Questions

8
1.1.2 Computer Forensics Evidence

9
Where can we find evidence?

10
Self-assessment Questions

11
1.1.3 Forms of Cyber-crime


Intellectual Property (IP) Theft

12
Industrial Espionage

Fraud and Forgery


Bankruptcy

13
E-mail related crimes

14

Regulatory Compliance

Cyber Stalking

(i) Changing Landscape of Hacking

15

16
(ii) Types of Hacks

17

18

(iii) Money Laundering

19
Self-assessment Questions

20
1.1.4 Computer Forensics Tools

1. Acquisition

2. Validation and Discrimination

21
3. Extraction and Analysis

4. Reporting

1.1.5 Skills of Forensics Investigator

22
Self-assessment Questions

23
Summary

24
Terminal Questions

25
Answer Keys
Self-assessment Questions
Question No. Answer

26
Activity

27
Bibliography
e-References

Image Credits

28
External Resources

Video Links

Topic Link

29
Notes:

30
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

31
1.2.1 Introduction

1.2.2 First Investigation Process

32
Computer Forensics Principles

33
(i) First Responder Procedures

(ii) First Response Basics

34

Case Example

Role of a first responder

35

36
Potential places of evidence

Fax machine | Modem | Memory card | Computer and phone devices

37
Preparation for the first response
First responder Tool kit

Steps to create a First Responder Toolkit

38

Evidence Collecting Tools and Equipment

39
1. Documentation tools

2. System disassembly and removal tools

3. Package and transport supplies

4. Notebook computers

5. Software tools

6. Hardware tools

40
Self-assessment Questions

41
1.2.3 Incident Responses in Different Situations

(i) Forensics Expert

(ii) Technical Staff

42
(iii) Non-Technical Staff

Documenting the Crime Scene

Conducting Initial Interviews

43
Working with Powered-Off Systems

Working with Live Systems

44
Evidence Preservation

Maintain Chain of Custody

45

Incident type Priority level Recommended Action

46
Self-assessment Questions

47
1.2.4 Computer Forensics Investigation Procedure

1. Incident Description and Evidence Acquisition

48
Scoping

Acquire evidence

49

50
2. Investigation and Analysis

a) Timeline Analysis:

b) Media Analysis:

51

c) String Searching:

52
d) Data Recovery:

3. Reporting Phase

53

54
Self-assessment Questions

55
Summary

56
Terminal Questions

57
Answer Keys
Self-assessment Questions
Question No. Answer

58
Activities

59
Bibliography
e-References

60
External Resources

Video Links

Topic Link

61
Notes:

62
Storage Devices
and Data Recovery
Methods
Storage Devices and Data Recovery
Methods
Module Description
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

63
2.1.1 Introduction to Storage Devices

Forms of storage devices

Types of storage media devices

64
No need to carry physical storage devices wherever you go

Store and retrieve audio, video, text and graphics files anytime and from
anywhere

Data sharing with others becomes easy

Use as an off-site storage/backups medium of data at a very low cost

(i) Magnetic Medium

Floppy Disks

65
Tape drives

Advantages Disadvantages

(ii) Non-magnetic Medium

(iii) Optical Medium

66

67
Blu-ray Disc

Disc/Feature CD-R CD-RW DVD-R DVD-RW Blu-ray

68
CD/DVD Drive Speed | Maximum Data Transfer Rate | RPMs (revolutions per minute)

Storage Speed Capacity Relative Cost Permanent

69
Self-assessment Questions

70
2.1.2 Working of Storage Devices

Magnetic storage devices

71
Optical storage devices

(i) Platters

72
(ii) Head Assembly
Head Assembly/read write head in magnetic storage devices

Head Assembly/read write head in optical storage devices

73
(iii) Spindle Motor
Spindle motors in magnetic devices

74
Spindle motors in optical storage devices

Self-assessment Questions

75
2.1.3 File Conversion and Numbering Formats

76
Decimal number system

× × ×

× ×

× × × ×

× × ×

× × × × × ×

=∑ ×

77
Binary Number System

× ×

× ×

× × ×

=∑ ×

Step Binary Number Decimal Number

78


Octal number system

Step Octal Number Decimal Number

Hexadecimal Number System

79

Step | Decimal Number | Binary Number

Converting numbers from one number system to another


Shortcut method - Binary to Octal

80
Shortcut method - Octal to Binary

Shortcut method - Binary to Hexadecimal

81
Shortcut method - Hexadecimal to Binary
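The four shortcut methods above all rest on one fact: 8 = 2^3 and 16 = 2^4, so binary digits can be grouped in threes or fours and each group mapped to a single octal or hexadecimal digit without passing through decimal. The following is an added example, not code from the original text, that implements the grouping shortcut in both directions (padding on the left when the bit count is not a multiple of the group size) and the long-hand positional expansion used for binary to decimal; the sample value is constructed.

```python
"""Positional number-system conversions done the 'shortcut' way: binary digits
are grouped in threes (octal) or fours (hexadecimal) instead of going through
decimal. Added example; not from the original text."""

OCTAL_GROUP = 3        # 2**3 == 8
HEX_GROUP = 4          # 2**4 == 16
DIGITS = "0123456789ABCDEF"


def _clean(bits: str) -> str:
    """Accept '1101_0110' style input; reject anything that is not 0/1."""
    bits = bits.strip().replace("_", "")
    if not bits or any(b not in "01" for b in bits):
        raise ValueError(f"not a binary string: {bits!r}")
    return bits


def binary_to_grouped(bits: str, group: int) -> str:
    """Pad on the left to a multiple of `group`, then map each group to one digit."""
    bits = _clean(bits)
    bits = "0" * ((-len(bits)) % group) + bits
    out = []
    for i in range(0, len(bits), group):
        value = 0
        for b in bits[i:i + group]:     # leftmost bit of the group weighs 2**(group-1)
            value = value * 2 + (b == "1")
        out.append(DIGITS[value])
    return "".join(out).lstrip("0") or "0"


def grouped_to_binary(digits: str, group: int) -> str:
    """Inverse shortcut: each octal/hex digit expands to exactly `group` bits."""
    base = 2 ** group
    out = []
    for d in digits.strip().upper():
        v = DIGITS.find(d)
        if v < 0 or v >= base:
            raise ValueError(f"digit {d!r} is not valid in base {base}")
        out.append(format(v, f"0{group}b"))
    return "".join(out).lstrip("0") or "0"


def binary_to_octal(bits: str) -> str:
    return binary_to_grouped(bits, OCTAL_GROUP)


def binary_to_hex(bits: str) -> str:
    return binary_to_grouped(bits, HEX_GROUP)


def octal_to_binary(octal: str) -> str:
    return grouped_to_binary(octal, OCTAL_GROUP)


def hex_to_binary(hexa: str) -> str:
    return grouped_to_binary(hexa, HEX_GROUP)


def binary_to_decimal(bits: str) -> int:
    """Long-hand positional expansion: sum of digit * 2**position, rightmost position 0."""
    total = 0
    for position, b in enumerate(reversed(_clean(bits))):
        total += int(b) * 2 ** position
    return total


if __name__ == "__main__":
    sample = "1101011010"          # constructed sample value
    print(binary_to_octal(sample), binary_to_hex(sample), binary_to_decimal(sample))
```

The left-padding step is where hand conversions usually go wrong: 1101011010 splits as 001 101 011 010 for octal (1532) but as 0011 0101 1010 for hexadecimal (35A), so the groups must be formed from the right-hand end.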

82
Self-assessment Questions

83
2.1.4 Windows Registry and Boot Process
Windows Registry

Icon Type Name Description

84


Root keys

85
Root Key Description

Registry Editors

86
Demonstrate the boot process

87
Self-assessment Questions

88
2.1.5 Hard Disk Drives and Removable Memory
Hard Disk Drive

Drive Type | Speed (in RPM) | Data Transfer Rate (in Mbps) | Cost

Advantages Disadvantages

89
Media layer

Tracks

Cylinders

90
Sectors and clusters

Read/write heads

91
Removable Memory Devices

Flash Storage Devices

Did you know?

2.1.6 Computer Forensics Tools

92

Some of the Forensic tools are as follows:

a) FTK

b) Moonsols

93
c) DD

d) Belka soft

Some more examples of Forensics tools:

 EnCase

94
 CAINE

 Digital Forensics Framework

 SANS Investigative Forensics Toolkit – SIFT

 The Sleuth Kit

 Volatility

95
Self-assessment Questions

96
Summary

97
Terminal Questions

Answer Keys
Self-assessment Questions
Question No. Answer

98
Activity

99
Bibliography
e-References

Image Credits



100
External Resources

Video Links

Topic Link

101
Notes:

102
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

103
2.2.1 Introduction to Forensics Data Recovery

Forensics data recovery

1. Intentional action

2. Unintentional action

104
3. Disc failure

4. Natural disaster

5. Criminal action

105
Self-assessment Questions

106
2.2.2 Data Acquisition

(i) Storage Formats for Digital Evidence

1. Raw Format

107
Advantages

Disadvantages

Proprietary Formats


Advantages

108

Disadvantages

Advanced Forensics Format

109
Advantages


Types of acquisitions


Commonly used methods




110

(ii) Acquisition Tools

111
112
113
A typical use example

114
(iii) Validating Data Acquisitions
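Validating an acquisition (and the evidence-integrity rule earlier in the module) comes down to one check: the hash computed over the source media before imaging must equal the hash computed over the image file afterwards, and that value is what goes into the chain-of-custody record. The following is an added example, not code from the original text. It hashes in fixed-size blocks so that images larger than memory can be verified, reports MD5 and SHA-256 side by side, and shows that a single flipped bit in the image is enough to fail the check. The in-memory "drive" `SOURCE` is constructed for the example.

```python
"""Hash verification of a forensic acquisition: the same digest must be
obtained from the source media and from the image file. Added example with a
constructed in-memory 'disk'; not code from the original text."""
import hashlib
import io

CHUNK = 4096  # read in blocks; real images are far larger than RAM


def digest_stream(stream, algorithms=("md5", "sha256")) -> dict:
    """Return hex digests of the whole stream, reading it block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Convenience wrapper for data already in memory."""
    return digest_stream(io.BytesIO(data), algorithms)


def verify_acquisition(source_bytes: bytes, image_bytes: bytes) -> dict:
    """Compare digests of source and image; report per-algorithm match and an overall verdict."""
    src = digest_bytes(source_bytes)
    img = digest_bytes(image_bytes)
    match = {name: src[name] == img[name] for name in src}
    return {"source": src, "image": img, "match": match, "verified": all(match.values())}


def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Return a copy with one bit toggled (simulates a single read error during imaging)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


# Constructed sample: three 512-byte 'sectors' standing in for the suspect drive.
SOURCE = (b"MBR" + b"\x00" * 509) + (b"FILE1" + b"A" * 507) + (b"\xff" * 512)

if __name__ == "__main__":
    good = verify_acquisition(SOURCE, bytes(SOURCE))
    bad = verify_acquisition(SOURCE, flip_bit(SOURCE, 600))
    print("clean copy verified:", good["verified"])
    print("one bit flipped, verified:", bad["verified"])
    print("sha256:", good["source"]["sha256"])
```

Recording two digests costs little and guards against a tool that only supports one of them; the verdict should be treated as binary (every algorithm must match), since a mismatch on any one means the image is not a faithful copy.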

(iv) RAID Data Acquisitions

Raid Types

115
RAID Acquisition methods

116

Self-assessment Questions

117
2.2.3 Data Deletion

Trash/Recycle bin

Now, what if the file gets deleted from the trash?

Hard drive sanitation

2.2.4 Data Recovery Methods and Techniques

118

Physical damage

119
Physical Recovery Techniques

Logical damage

120

Overwritten data

Steps for data recovery

121

File carving
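File carving recovers files from raw bytes (unallocated space, a damaged volume, a dd image) without any file-system metadata, by scanning for known header signatures and cutting from the header to the matching footer. The following is an added example, not code from the original text: it carves JPEG and PNG files from a byte buffer, bounds the footer search so a missing footer cannot swallow the rest of the image, and tags files whose footer never appears as incomplete. The signatures are the real ones; the buffer `RAW` and the tiny "files" inside it are constructed and are not valid images.

```python
"""Header/footer file carving over a raw byte buffer. Added example on
constructed data; not code from the original text."""

# Signature table: type -> (header, footer). JPEG ends with FF D9; PNG with the IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 64 * 1024   # stop looking for a footer after this many bytes


def carve(raw: bytes, signatures=SIGNATURES, max_len=MAX_CARVE) -> list:
    """Return one record per header found, sorted by offset.

    A record whose footer is not found within max_len bytes is carved up to
    max_len and marked complete=False so the examiner knows it is a fragment.
    """
    results = []
    for kind, (header, footer) in signatures.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                data, complete = raw[pos:pos + max_len], False
            else:
                data, complete = raw[pos:end + len(footer)], True
            results.append({"type": kind, "offset": pos, "size": len(data),
                            "complete": complete, "data": data})
            pos = raw.find(header, pos + len(header))
    return sorted(results, key=lambda r: r["offset"])


# Constructed test buffer: filler, a complete JPEG, filler, a complete PNG,
# filler, then a JPEG whose footer is missing (truncated file).
JPEG1 = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"X" * 20 + b"\xff\xd9"
PNG_FILE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPEG2 = b"\xff\xd8\xff\xe1" + b"Y" * 30
RAW = b"\x00" * 100 + JPEG1 + b"\xcc" * 50 + PNG_FILE + b"\x00" * 10 + JPEG2 + b"\x00" * 5

if __name__ == "__main__":
    for rec in carve(RAW):
        state = "complete" if rec["complete"] else "TRUNCATED"
        print(f"{rec['type']} @ {rec['offset']:>6} size {rec['size']:>5} {state}")
```

Two caveats a practitioner should keep in mind: a JPEG with an embedded EXIF thumbnail contains a second FF D8 FF inside it, so naive header scanning yields a nested false positive, and fragmented files cannot be recovered by header/footer matching at all, which is why carved output is validated (for example by attempting to decode it) before it is relied on.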

122
Tips for data recovery


Data recovery software

123
Step 1

Step 2

Scanning Probe Microscopy (SPM)

124
Magnetic Force Microscopy (MFM)

Scanning Tunneling Microscopy (STM)

125
Did you Know?

126
Self-assessment Questions

127
Summary

128
Abbreviation

129
Terminal Questions

130
Answer Keys
Self-assessment Questions
Question No. Answer

Activity

131
Bibliography
e-References

Image Credits

132
External Resources

Video Links

Topic Link

133
Notes:

134
Forensic
Techniques
Forensic Techniques
Module Description
Chapter Table of Contents
Aim

Instructional Objectives




Learning Outcomes

135
3.1.1 Introduction to Windows Forensic

3.1.2 Windows Forensics

136
(i) Windows File System

Let us now look at the various file systems:

FAT File System

137

Block Entry

138
FAT16 FAT32 exFAT

NTFS File System

139

(ii) Recovering Deleted Files

Procedure to recover the deleted files from the system:

1. Recover deleted files from the Recycle Bin

140
2. Use data recovery software to recover deleted files

(iii) Windows Artefacts

141
Windows file system (NTFS Master File Table, MFT) attributes

Windows Registry

142
Windows Registry Structure

143
Windows Event Logs

Prefetch Files

Shortcuts and link files

144

Self-assessment Questions

145
3.1.3 Linux Forensics

146
(i) Linux File System

EXT2 features

Pros:

147
Cons:

Block Size | 1 KB | 2 KB | 4 KB

EXT3 file system

Pros

148

Cons:

Block Size | 1 KB | 2 KB | 4 KB

EXT4 file system

Swap file system

149
Directory Structure

Differences Windows Linux

(ii) Linux Analysis

Quick Hits

Hidden Files

150
File Integrity Verification

File Activity Timeline

Hash Databases

151

Tools

152
Self-assessment Questions

3.1.4 Mobile Forensics

153

(i) Cellular Network

154
Wireless forensics

155

156

(ii) Handset Specifications

157

158

Single or Dual SIM support

(iii) Mobile Operating System

159
(iv) Procedures for Handling Handset Evidence

160

161
Self-assessment Questions

162
Summary

163
Terminal Questions

164
Answer Keys
Self-assessment Questions
Question No. Answer

Activity

165
Bibliography
e-References

166
External Resources

Video Links

Topic Link

167
Notes:

168
Chapter Table of Contents
Aim

Instructional Objectives




Learning Outcomes

169
3.2.1 Introduction

3.2.2 Steganography

170
Steganography
    Technical Steganography
    Linguistic Steganography
        Semagrams
            Visual Semagrams
            Text Semagrams
        Open codes
            Jargon code
            Covered ciphers
                Null Cipher
                Grille Cipher

171

172
(i) Information Hiding

173
174

(ii) Cryptography

175
(iii) Algorithms in Steganography

176
Image: image steganalysis algorithms study the inter-pixel dependencies that are characteristic of natural images.

Audio: audio steganalysis algorithms are based on characteristic aspects of audio data files, namely the distortion measure of the audio signal, higher-order statistics, etc.

Video: video steganalysis algorithms are based on the spatial and temporal redundancies of the data signals inherent in the video file, both within individual frames and at the inter-frame level.

IMAGE STEGANALYSIS

Specific: the specific type represents a category of image steganalysis techniques that depend on the underlying steganographic algorithm used on the image. They have a high success rate in detecting the presence of a secret message in the image if the message was concealed with one of the algorithms the techniques were designed for.

Generic: the generic type represents a category of image steganalysis techniques that do not depend on the underlying steganographic algorithm used for hiding the message. They produce good results when detecting a secret message hidden in the image with new or unusual steganographic algorithms.

177
AUDIO STEGANALYSIS

VIDEO STEGANALYSIS

EMBEDDING ALGORITHM
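The simplest embedding algorithm replaces the least significant bit of each cover sample with one message bit, and the generic steganalysis described above for images exploits exactly its side effect: LSB replacement drives the counts of each pair of values (2k, 2k+1) towards equality. The following is an added example, not code from the original text: it embeds a length-prefixed message into the LSBs of an 8-bit grayscale pixel array, extracts it again, and computes the pairs-of-values chi-square statistic on the cover before and after embedding. The pixel array `COVER` is constructed (every value even) to make the effect obvious; the 32-bit length header is an assumption of this example, not a standard.

```python
"""LSB steganography on an 8-bit grayscale pixel array, plus the pairs-of-values
chi-square statistic that steganalysis uses to spot it. Added example on
constructed pixel data; not code from the original text."""
from typing import Iterator, List

HEADER_BITS = 32   # assumed layout: 32-bit big-endian message length, then the message


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: List[int], message: bytes) -> List[int]:
    """Overwrite the LSB of successive pixels with the length prefix and message bits."""
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover holds {len(cover)} bits, payload needs {needed}")
    stego = list(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego: List[int]) -> bytes:
    """Read the length prefix from the LSBs, then exactly that many message bytes."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length prefix exceeds the carrier; probably no message present")
    return read_bytes(HEADER_BITS, length)


def pov_chi_square(pixels: List[int]) -> float:
    """Pairs-of-values statistic. LSB replacement only moves a pixel between 2k and 2k+1,
    so embedding pushes each pair towards equal counts: a low value suggests hidden data."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi


# Constructed cover: 512 pixels, every value even, so every pair is maximally skewed.
COVER = [(2 * i) % 256 for i in range(512)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at dawn")
    print("recovered:", extract_lsb(stego))
    print("chi-square before/after:", pov_chi_square(COVER), pov_chi_square(stego))
```

On a real photograph the cover statistic is not as extreme as in this constructed array, which is why the test is usually run over sliding windows of the image and compared against the statistic expected for a clean image of the same type.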

178
179
180
Self-assessment Questions

3.2.3 Application Password Cracking


(i) Dictionary Attack

Favourite colour, partner's name, date of birth, place of birth, and any other important information that the user might use to set their password

181
Dictionary Attack Software:

182
Cain and Abel:

183
Forensic Toolkit (FTK):

Crack:

Aircrack-ng:

John the Ripper:

184

Airodump-ng:

L0phtcrack:

Metasploit Project:

Ophcrack:

185
(ii) Brute Force
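The dictionary attack above and the brute-force attack named here are the two ends of one search: a dictionary attack tries a short list of likely words, expanded by mangling rules (capitalisation, appended digits, leet substitutions), while a brute force enumerates every string over an alphabet up to a length and its cost grows as alphabet_size^length. The following is an added example, not code from the original text, that runs both against a constructed salted SHA-256 hash, trying the cheap dictionary pass first. The hash format `sha256(salt || password)`, the wordlist, the salt and the mangling rules are assumptions of this example; real password stores use deliberately slow functions such as bcrypt or PBKDF2, which change the economics but not the method.

```python
"""Dictionary attack with mangling rules, falling back to a bounded brute force,
against a constructed salted SHA-256 hash. Added example; the hash format,
wordlist and mangling rules are assumptions, not from the original text."""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple


def hash_password(password: str, salt: str) -> str:
    """Assumed storage format for the example: hex(sha256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the word plus the variants users actually type (no duplicates)."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        candidates = [base, base + "!", base + "1", base + "123"]
        candidates += [base + str(year) for year in range(1990, 2000)]
        candidates.append(base.replace("a", "@").replace("o", "0").replace("e", "3"))
        for c in candidates:
            if c not in seen:
                seen.add(c)
                yield c


def dictionary_attack(target: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash every mangled candidate and compare with the stored digest."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def brute_force(target: str, salt: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive search, shortest strings first; cost is sum(len(alphabet)**n for n <= max_len)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def crack(target: str, salt: str, wordlist: Iterable[str],
          alphabet: str = string.digits, max_len: int = 4) -> Tuple[Optional[str], Optional[str]]:
    """Cheap dictionary pass first, expensive brute force second. Returns (method, password)."""
    hit = dictionary_attack(target, salt, wordlist)
    if hit is not None:
        return ("dictionary", hit)
    hit = brute_force(target, salt, alphabet, max_len)
    if hit is not None:
        return ("brute-force", hit)
    return (None, None)


# Constructed wordlist mirroring the 'personal information' list above (colour, name, place...).
WORDLIST = ["password", "blue", "rahul", "mumbai", "summer"]
SALT = "f3a9"   # constructed salt; in practice it is read from the password store with the hash

if __name__ == "__main__":
    for secret in ("Mumbai123", "2718", "zz"):
        print(secret, "->", crack(hash_password(secret, SALT), SALT, WORDLIST))
```

The brute-force fallback here is capped at four digits (10^4 candidates); widening the alphabet to 95 printable characters and the length to eight gives roughly 6.6 x 10^15 candidates, which is why attackers invest in dictionaries and mangling rules rather than raw enumeration.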

186

(iii) Rainbow Table Attack

187

(iv) Other tools for Password Cracking


Wfuzz:

188

189

190
Self-assessment Questions

191
3.2.4 Email Tracking

(i) SMTP
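Every SMTP relay that handles a message prepends a `Received:` header, so reading the headers from the bottom up reconstructs the path from the sender's first hop to the recipient's mailbox; the first hop's IP address is the best available lead on the origin. The following is an added example, not code from the original text: it parses the `Received:` chain of a constructed message with the standard library, orders the hops oldest first, and flags two things an examiner would check next, a `From:` domain that does not match the relay that accepted the message, and timestamps that run backwards between hops. All hostnames, addresses and the message itself are made up for the example.

```python
"""Reconstruct the delivery path of an e-mail from its Received: headers.
Added example on a constructed message; not code from the original text."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: a business-e-mail-compromise style lure with three relay hops.
RAW_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.20])
\tby mail.victim.example (Postfix) with ESMTPS id 7F3A1
\tfor <cfo@victim.example>; Mon, 04 Mar 2024 09:15:42 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.org with ESMTP; Mon, 04 Mar 2024 09:15:40 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with ESMTPA; Mon, 04 Mar 2024 09:15:38 +0000
From: "Accounts" <accounts@victim.example>
To: cfo@victim.example
Subject: Urgent wire transfer
Message-ID: <abc123@relay.example.net>

Please process the attached invoice today.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Pull sending host, receiving host, sender IP and timestamp out of one Received: header."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    hop = HOP_RE.search(flat)
    ip = IP_RE.search(flat)
    date_part = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {
        "from": hop.group("from") if hop else None,
        "by": hop.group("by") if hop else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(date_part) if date_part else None,
    }


def trace_path(raw: str) -> list:
    """Hops in delivery order: the header nearest the body was added first."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def origin_ip(raw: str):
    """IP recorded by the first relay; the most reliable hint about the true sender."""
    hops = trace_path(raw)
    return hops[0]["ip"] if hops else None


def header_anomalies(raw: str) -> list:
    """Findings worth a second look: From: domain not served by the injecting relay,
    and a clock running backwards between hops (skew, or a forged header)."""
    msg = message_from_string(raw)
    hops = trace_path(raw)
    findings = []
    sender = re.search(r"@([\w.-]+)", msg.get("From", "") or "")
    if sender and hops and hops[0]["by"] and not hops[0]["by"].endswith(sender.group(1)):
        findings.append(f"From: claims {sender.group(1)} but first relay is {hops[0]['by']}")
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            findings.append(f"time goes backwards between {earlier['by']} and {later['by']}")
    return findings


if __name__ == "__main__":
    for n, hop in enumerate(trace_path(RAW_MESSAGE), 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("origin IP:", origin_ip(RAW_MESSAGE))
    print("anomalies:", header_anomalies(RAW_MESSAGE))
```

Only the `Received:` header written by the examiner's own mail server (the topmost one) can be trusted outright; everything below it was supplied by other parties and can be forged, so the path is corroborated against the relay operators' logs rather than taken at face value.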

192

(ii) POP3

193

(iii) IMAP

194

Self-assessment Questions

195
Summary

196
Terminal Questions

197
Answer Keys
Self-assessment Questions
Question No. Answer

198
Activity

199
Bibliography
e-References

Image Credits

External Resources

200
Video Links

Topic Link

201
Notes:

202
Cyber Law
Cyber Law
Module Description
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

203
4.1.1 Introduction to Cyber Law

Digital Forensic Process

204
205
Sl. No. | Process | Description

206
1. Jurisdiction of case

2. Search and Seizure of Digital Evidence

3. Preservation

207
4. Examination

5. Evidence Analysis

Legal Aspects of Computer Forensics

208
209

210

211

Self-assessment Questions

212
4.1.2 Importance of Cyber Law

213
Self-assessment Questions

214
4.1.3 Corporate Espionage

215
Cyber Laws and impact on Corporates

Ways to combat Corporate Espionage

216

217
Self-assessment Questions

218
4.1.4 Evidence Handling Procedure
Definition and Purpose

Importance of maintaining integrity of evidence

219
Phase Best Practice to be followed

220

221

222

223

224
Self-assessment Questions

225
Summary

226
Terminal Questions

227
Answer Keys
Self-assessment Questions
Question No. Answer

228
Activity

229
Bibliography
e-References

External Resources

230
Video Links

Topic Link

231
Notes:

232
Chapter Table of Contents
Aim

Instructional Objectives

Learning Outcomes

233
4.2.1 Introduction

Digital Evidence – The Physical and the Logical Evidence

Physical image of a hard drive:

Logical image of a hard drive:

234
Physical Context of the Digital Evidence | Logical Context of the Digital Evidence

4.2.2 Chain of Custody

What is Chain of Custody?

235
Description of Evidence
Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches)

Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location

236
What is the evidence?

How was it collected?

When was it collected?

Who has handled it?

Why did that person handle it?

Where has it travelled and where has it been ultimately stored?

 Guard the best evidence closely

237
 Don’t work off the best evidence

 Keep the chain of custody up-to-date

 Don’t produce the hardware in the court as evidence unless asked for

 Get rid of the evidence as soon as you can

238
Method Description Advantages Disadvantages

239

240
Importance of Chain of Custody

Perspective Importance

241
Challenges to the Chain of Custody

Area of Challenge Description

242
• The digital signature for each piece of digital evidence
• The exact location where each piece of digital evidence is handled
• The exact date and time at which it was accessed
• The exact identity of all the people who accessed the evidence
• The complete description of all transactions that have occurred

243
Self-assessment Questions

244
4.2.3 Main Features of the Indian Information Technology Act 2008 (Amendment)
The Indian IT Act 2000

245
The ITA 2000 Oversight

1. Licensing of the certifying authorities

246
2. Complicated licensing procedure for foreign CAs

3. Submission of certificate practice statement by individuals

Highlights of the IT Amendment Act 2008

247
>> Important Definitions added to the Amendment

>> Re-emphasis of the Legal validity of electronic documents

>> Change in the Role of the Controller

>> Liability of intermediary amended

248
>> Examiner of Electronic Evidence created

4.2.4 Cyber Law

The birth of Cyber Laws

Electronic authentication

249

250
Civil Provisions
Section 43 - Unauthorised Access

If any person, without permission of the owner or person in charge of a computer:

• accesses or secures access to a computer
• downloads, copies or extracts data
• introduces a computer contaminant or virus
• damages a computer
• disrupts a computer or network
• provides assistance to facilitate illegal access
• charges the services availed of by a person to the account of another person

then that person is liable to pay compensation to the person so affected.

251
Adjudication of Civil offences

Criminal Provisions
Section 66:

252

254

Did you know?

255
Self-assessment Questions

256
Summary

257
Terminal Questions

258
Answer Keys
Self-assessment Questions
Question No. Answer

Activity

259
Case Study
ONLINE CREDIT CARD FRAUD ON E-BAY

260
Source:
Question and Answer:

261
Bibliography
e-References

Image Credits

262
External Resources

Video Links

Topic Link

263
Notes:

264
