Dr.Shivanna K
Assistant Professor
Department of Information Science and Engineering
M S Ramaiah Institute of Technology
Bangalore
Mob: 9686194749
E-mail: shivannak4phd@gmail.com
Unit-1 Introduction
Forensics deals with the recovery and analysis of latent evidence.
Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.
Computer forensics is a discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.
Storage technology
File systems
Disk imaging
Data recovery
Handling encryption
Performing an investigation after multiple users have taken over the system
SQL injections
Virus dissemination
Logic bombs
Denial-of-Service attack
Phishing
Web jacking
Data diddling
Hackers (the people doing the 'hacking') are computer programmers who have an advanced understanding of computers and commonly misuse this knowledge for devious reasons.
It can be used to attack any type of unprotected or improperly protected SQL database.
An SQL injection is usually an additional command that, when inserted into a web form, tries to change the content of the database to reflect a successful login.
It can also be used to retrieve information such as credit card numbers or passwords from unprotected sites.
They disrupt computer operation and affect the stored data, either by modifying it or by deleting it altogether.
They masquerade as a legitimate file, such as an email attachment from a supposed friend with a very believable name, and do not disseminate themselves.
Malicious software such as viruses and worms often contains logic bombs, which are triggered by a specific payload or at a predefined time.
To keep your network protected from logic bombs, you need constant monitoring of the data and efficient anti-virus software on each computer in the network.
It involves flooding a computer resource with more requests than it can handle, consuming its available bandwidth and resulting in server overload.
Denial-of-Service attacks typically target high-profile web site servers belonging to banks and credit card payment gateways.
You have probably received email containing links to legitimate-looking websites. You probably found it suspicious and did not click the link.
The message is meaningless and excessively long in order to consume network resources.
If multiple accounts of a mail server are targeted, it may have a denial-of-service impact.
This type of attack is more difficult to control because of the multiple source addresses and the bots, which are programmed to send different messages to defeat spam filters.
Spamming is a variant of email bombing: unsolicited bulk messages are sent indiscriminately to a large number of users.
He may change the content of the original site or even redirect the user to another fake, similar-looking page controlled by him.
The web jacking attack method may be used to create a clone of the web site and present the victim with the new link, saying that the site has moved.
Unlike usual phishing methods, when you hover your cursor over the link provided, the URL presented will be the original one, not the attacker's site. But when you click on the new link, it opens and is quickly replaced with the malicious web server.
Using this technique, the attacker may modify the expected output and is difficult to track.
The programmer of the database or application, or anyone else involved in the process of creating, recording, encoding, examining, checking, converting or transmitting data.
The most common case of credit card fraud is your pre-approved card falling into someone else's hands.
The common forms of IPR violation may be said to be software piracy, copyright infringement, trademark and service mark violation, theft of computer source code, etc.
Several parties, such as government organizations, police, private organizations and more, use computer forensics to trace and catch criminals.
It has quickly escalated as a new technology that is being used in several areas of criminal investigation.
Forensics now has the advantage of computer forensics to detect and catch criminals who assumed that they do not leave any imprints while committing crimes through computers.
To collect evidence
In criminal investigations
Memory forensics
Cloud forensics
Preparation of investigation
Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
Reveal the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
Public sector digital forensic investigators often work with other regional government bureaus to share insights and resources.
Public forensic investigators also rely on partnerships with investigators who work on the commercial side, usually for a consulting firm that performs the same types of analyses.
In the private sector, consulting firms seek to help victims and solve cases just as public sector investigators do, but they also build forensics tools for their customers and provide support services where needed.
Private forensic investigators rely on a more automated, software-based approach to the business rather than a singular scientific focus on solving one or a few legal cases.
The investigator should have a first responder toolkit and a predetermined incident response plan to follow regardless of the type of data (volatile, persistent, or both) being collected.
Evidence for crime cases may exist in large storage media or even be distributed across various storage devices that may be in different sites.
If a crime case occurs, forensic investigators have to apply for a warrant and try to retrieve evidence from the servers of these platforms.
Identify major components and aspects of Windows which are relevant during forensics.
Define basic technologies and tools used to carry out data capture from a Windows system during a forensic investigation.
Use basic tools and technologies for capturing registry information from Windows systems during a forensic investigation.
The process is to analyze the gathered information from activities that took place in a Windows system.
The Microsoft Windows versions currently in use are Windows 8 and Windows 10.
Almost 90 percent of traffic in networks comes from computers using Windows as their operating system.
Investigators will most likely encounter Windows and have to collect evidence from it in most cybercrime cases.
Non-volatile information like file systems, registry settings, logs, devices, slack space, swap file, indexes, partitions, etc.
Windows memory, like memory dumps, analysing dumps and other aspects.
Other aspects like recycle bins, documents, shortcut files, graphics files, executable files, etc.
It retains its contents while powered on, but when the power is interrupted the stored data is immediately lost.
One particular method/tool to get the history of commands used on the computer is Doskey. Doskey is a utility for DOS and Microsoft Windows that adds command history.
Many tools are available, like PsLoggedon, Netsessions, logonsessions, etc., to learn the instantaneous information about the users.
This information will be lost over time and is very difficult to trace as time passes.
Also, an investigator needs to discover what processes are running on the system. The acquired system, which was potentially used just before a crime, can hold clues to a major crime in the form of files or processes that are still on it.
Information about processes, like the executable file path, the command used to launch the process, time stamps, current modules, etc., along with their contexts, needs to be collected. Tools like Tlist, Tasklist, Pslist, ListDlls, etc. help us get all this information.
Mapped drives on a system are those which the user has created.
This information is volatile but can be correlated to network connections or drive activities leading to a crime.
A system's resources can be shared in many different ways, like shared folders, shared network access, etc.
This information can be retrieved in many ways, like scanning the registry for shares. Also, a command like 'share' can be used for the same purpose.
This information can be collected later on, after all perishable (volatile) information has been collected, following the seizure of the system.
Investigators can collect this information after procuring the device and completing all the formalities of seizing/procuring/capturing the device under law, so that the discoveries made later on are not thrown out during the hearing.
Using the command line 'dir /o:d', the examiner can list the recent updates reported by the command.
Tools like reg and regedit help to get registry entries via important keys.
Important keys present in the registry are RunMRU, startup objects, last accessed key, addresses typed in Internet Explorer, and the last saved directory in Internet Explorer.
Magnet RAM Capture: This tool is used to analyze the physical memory of the system.
Wireshark: This is a network analyzer and capture tool that is used to see what traffic is going through your network.
RAM Capture: As the name suggests, this is a free tool that is used to extract the entire contents of the volatile memory, i.e. RAM.
Autopsy: This is a GUI-based tool that is used to analyze hard disks and smartphones.
HashMyFiles: This tool is used to calculate the SHA1 and MD5 hashes. It works on all the latest websites.
ExifTool: This tool is used to read, write, and edit meta information in a number of files.
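The file-discovery and hashing steps from the investigation preparation list above (find every file, hidden ones included, and record MD5/SHA1 as HashMyFiles does) can be scripted. This Python inventory is an added example, not a tool from the notes; the directory it walks is whatever path the examiner supplies, and the sample files in the test are constructed.

```python
import hashlib
import os
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests, reading in chunks so large evidence files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def inventory(root):
    """Walk root and record every regular file, dot-files included, with size, mtime and hashes."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # only regular files are hashed; links are noted by the examiner separately
            st = os.stat(path)
            md5, sha1 = hash_file(path)
            records.append({
                "path": os.path.relpath(path, root),
                "hidden": name.startswith("."),  # Unix convention: a leading dot hides the file
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "md5": md5,
                "sha1": sha1,
            })
    # Newest first, so recently changed files surface at the top of the listing.
    records.sort(key=lambda r: r["modified"], reverse=True)
    return records


def verify(records, root):
    """Re-hash each recorded file; return the paths whose SHA1 no longer matches the inventory."""
    changed = []
    for r in records:
        _, sha1 = hash_file(os.path.join(root, r["path"]))
        if sha1 != r["sha1"]:
            changed.append(r["path"])
    return changed


if __name__ == "__main__":
    import sys
    for rec in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "H" if rec["hidden"] else " "
        print(f"{flag} {rec['modified']} {rec['size']:>10} {rec['sha1']} {rec['path']}")
```

Running verify() against a stored inventory later in the case shows whether any file changed after the listing was taken, which is what the hash record is for.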
The Windows registry also stores important technical information for each connected USB device, such as vendor ID, product ID, revision, and serial number.
Windows stores USB history-related information using five registry keys, where each key offers a different piece of information about the connected device.
By merging this information together, investigators will have an idea of how an offender has used removable devices, such as a USB drive, to conduct/facilitate his/her actions.
Many applications that run on Windows have most recently used (MRU) lists, such as recently opened MS Office files and recently visited web pages; these applications list the files that have been most recently accessed.
Supported file systems are Ext2, Ext3, Ext4, JFS, ReiserFS, XFS, Btrfs, FAT, FAT32, NTFS.
Linux was initially developed for Intel's x86 hardware processors. Now it supports 20+ processor families.
Unix was developed by AT&T Bell Labs and is not open source.
Supported file systems are fs, gpfs, hfs, hfs+, ufs, xfs, zfs.
SunOS, Solaris, SCO UNIX, AIX, HP/UX, ULTRIX, etc. are examples of Unix operating systems.
Kernel: The kernel is the core part of Linux. It is responsible for all major activities of this operating system. It consists of various modules and interacts directly with the underlying hardware. The kernel provides the required abstraction to hide low-level hardware details from system or application programs.
System Library: System libraries are special functions or programs through which application programs or system utilities access the kernel's features. These libraries implement most of the functionalities of the operating system and do not require the kernel module's code access rights.
System Utility: System utility programs are responsible for doing specialized, individual-level tasks.
Open Source: Linux source code is freely available and it is a community-based development project. Multiple teams work in collaboration to enhance the capability of the Linux operating system, and it is continuously evolving.
Multi-User: Linux is a multiuser system, meaning multiple users can access system resources like memory/RAM/application programs at the same time.
Hierarchical File System: Linux provides a standard file structure in which system files and user files are arranged.
Shell: Linux provides a special interpreter program which can be used to execute commands of the operating system. It can be used to do various types of operations, call application programs, etc.
Security: Linux provides user security using authentication features like password protection, controlled access to specific files, and encryption of data.
But Linux is different from them. Different parts of Linux are developed by different organizations.
Different parts include the kernel, shell utilities, X server, system environment, graphical programs, etc. If you want, you can access the code of all these parts and assemble them yourself. But it is not an easy task: it takes a lot of time, and all the parts have to be assembled correctly in order to work properly.
Linux Mint: Mint is based on Ubuntu and uses its software repository, so some packages are common to both. Earlier it was an alternative to Ubuntu because media codecs and proprietary software were included in Mint but absent in Ubuntu.
Debian: Debian has existed since 1993 and releases its versions much more slowly than Ubuntu and Mint. Ubuntu is based on Debian and was founded to improve the core bits of Debian more quickly and make it more user-friendly. Every release name of Debian is based on the movie Toy Story.
Red Hat Enterprise/CentOS: Red Hat is a commercial Linux distributor. Its products are Red Hat Enterprise Linux (RHEL) and Fedora, which are freely available.
Fedora: It is a project that mainly focuses on free software and provides the latest versions of software. It does not make its own desktop environment but uses 'upstream' software.
A partition is a segment of memory and contains some specific data. In our machine, there can be various partitions of the memory. Generally, every partition contains a file system.
The general-purpose computer system needs to store data systematically so that we can easily access the files in less time.
It stores the data on hard disks (HDD) or some equivalent storage type.
Primarily the computer saves data to RAM storage; it may lose the data if it gets turned off. However, there is non-volatile RAM (Flash RAM and SSD) that is available to maintain the data after a power interruption.
Data storage is preferred on hard drives as compared to standard RAM, as RAM costs more than disk space. Hard disk costs are dropping gradually compared to RAM.
A specific data storage format (EXT3, EXT4, BTRFS, XFS and so on)
It helps to arrange the files on the disk storage. It manages the file name, file size, creation date, and much more information about a file.
The Linux file system has a hierarchical file structure, as it contains a root directory and its subdirectories.
All other directories can be accessed from the root directory. A partition usually has only one file system, but it may have more than one file system.
Partitions, Directories, and Drives: Linux does not use drive letters to organize the drive as Windows does. In Linux, we cannot tell whether we are addressing a partition, a network device, or an "ordinary" directory and a drive.
Case Sensitivity: The Linux file system is case sensitive. It distinguishes between lowercase and uppercase file names. For example, there is a difference between test.txt and Test.txt in Linux. This rule also applies to directories and Linux commands.
File Extensions: In Linux, a file may have the extension '.txt', but it is not necessary that a file should have a file extension.
Hidden files: Linux distinguishes between standard files and hidden files; mostly the configuration files are hidden in Linux OS. Usually, we do not need to access or read the hidden files. The hidden files in Linux are represented by a dot (.) before the file name (e.g., .ignore). To access the files, we need to change the view in the file manager or use a specific command in the shell.
Linux has a very comprehensive and capable networking stack, supporting many protocols and features.
Linux can be used both as an endpoint node on a network and as a router, passing traffic between interfaces according to networking policies.
Netfilter is an IP network layer framework which hooks packets that pass into, through and from the system. Kernel-level modules may hook into this framework to examine packets and make security decisions about them.
ebtables provides filtering at the link layer and is used to implement access control for Linux bridges, while arptables provides filtering of ARP packets.
Support for hardware-based cryptographic features is growing, and several algorithms have optimized assembler implementations on common architectures.
A key management subsystem is provided for managing cryptographic keys within the kernel.
Kernel users of the cryptographic API include the IPsec code, disk encryption schemes including eCryptfs and dm-crypt, and kernel module signature verification.
cd command
ls command
cat command
cp command
mkdir command
rmdir command
rm command
touch command
locate command
find command
sudo command
df command
du command
head command
tail command
diff command
chmod command
chown command
wget command
uname command
history command