
Cyber Forensics

Dr.Shivanna K
Assistant Professor
Department of Information Science and Engineering
M S Ramaiah Institute of Technology
Bangalore
Mob: 9686194749

E-mail:shivannak4phd@gmail.com

June 13, 2022

Dr. Shivanna K June 13, 2022 1 / 89


Presentation outline

1 Unit-1 Introduction

2 Unit-2 Windows and Linux Forensic



What is Computer Forensics?
1 Forensics is the process of using scientific knowledge to collect, analyze and present
evidence to the courts.

2 The word forensics means "to bring to the court".

3 Forensics basically deals with the recovery and analysis of latent evidence.

4 Latent evidence can take many forms, from fingerprints left on a window to DNA evidence
recovered from blood stains to the files on a hard drive.


Computer Forensics
1 Because computer forensics is a new discipline, there is little standardization and
consistency across courts and industry.

2 Computer forensics is a discipline that combines elements of law and computer science to
collect and analyze data from computer systems, networks, wireless communications and
storage devices in a way that is admissible as evidence in a court of law.


Why Computer Forensics?
1 From a technical point of view, the main goal of computer forensics is to identify, collect,
preserve, and analyze data in a way that preserves the integrity of the evidence collected, so
that it can be used effectively in a legal case.


Technology
An understanding of:

1 Storage technology

2 Operating system features, for systems such as Windows, Linux, Unix and Mac OS

3 File systems

4 Disk imaging

5 Data recovery

6 Total data deletion

7 Handling encryption


Computer Forensics Examples
1 Recovering thousands of deleted emails

2 Performing an investigation after an employee's termination

3 Recovering evidence after a hard drive has been formatted

4 Performing an investigation after multiple users have taken over the system


Digital Forensics Process



Digital Devices Forensic Investigation Flow Chart



Forms of Cyber Crime
1 Hacking

2 SQL Injections

3 Virus dissemination

4 Logic bombs

5 Denial-of-Service attack

6 Phishing

7 Email bombing and spamming

8 Web jacking

9 Data diddling

10 Identity Theft and Credit Card Fraud

11 Intellectual Property Crimes



Hacking
1 Hacking is an act committed by an intruder who accesses your computer system without
your permission.

2 Hackers (the people doing the "hacking") are basically computer programmers who have
an advanced understanding of computers and commonly misuse this knowledge for
devious reasons.

3 Hacking banking information.

4 Hacking information from the computer system.


SQL Injections
1 An SQL injection is a technique that allows attackers to exploit security vulnerabilities in
the software that runs a web site.

2 It can be used to attack any type of unprotected or improperly protected SQL database.

3 An SQL injection is usually an additional command that, when inserted into a web form,
tries to change the content of the database to reflect a successful login.

4 It can also be used to retrieve information such as credit card numbers or passwords from
unprotected sites.


Virus dissemination
1 Viruses are computer programs that attach themselves to or infect a system or files, and
have a tendency to circulate to other computers on a network.

2 They disrupt the computer's operation and affect the data stored, either by modifying it or
by deleting it altogether.

3 The term worm is sometimes used to mean self-replicating malware.

4 Some malware instead masquerades as a legitimate file, such as an email attachment from a
supposed friend with a very believable name, and does not disseminate itself.


How can malware propagate?


Logic bombs
1 A logic bomb, also known as slag code, is a malicious piece of code which is intentionally
inserted into software to execute a malicious task when triggered by a specific event.

2 It is not a virus, although it usually behaves in a similar manner.

3 Malicious software such as viruses and worms often contains logic bombs which are
triggered to deliver a specific payload or at a predefined time.

4 To keep your network protected from logic bombs, you need constant monitoring of
the data and efficient anti-virus software on each of the computers in the network.


Denial-of-Service attack
1 A Denial-of-Service (DoS) attack is an explicit attempt by attackers to deny service to the
intended users of that service.

2 It involves flooding a computer resource with more requests than it can handle, consuming
its available bandwidth, which results in server overload.

3 Another variation of a denial-of-service attack is known as a Distributed Denial of
Service (DDoS) attack, wherein a number of geographically widespread perpetrators flood
the network with traffic.

4 Denial-of-Service attacks typically target high-profile web site servers belonging to banks
and credit card payment gateways.


Phishing
1 This is a technique of extracting confidential information such as credit card numbers and
username/password combinations by masquerading as a legitimate enterprise.

2 Phishing is typically carried out by email spoofing.

3 You have probably received email containing links to legitimate-appearing websites. You
probably found it suspicious and didn't click the link.


How phishing works


Email bombing and spamming
1 Email bombing is characterised by an abuser sending huge volumes of email to a target
address, resulting in the victim's email account or mail servers crashing.

2 The message is meaningless and excessively long in order to consume network resources.

3 If multiple accounts of a mail server are targeted, it may have a denial-of-service impact.

4 This type of attack is more difficult to control due to multiple source addresses and the
bots which are programmed to send different messages to defeat spam filters.

5 Spamming is a variant of email bombing. Here unsolicited bulk messages are sent to a
large number of users, indiscriminately.

6 A large amount of spam is sent to invalid email addresses.


Web jacking
1 Web jacking derives its name from hijacking. Here, the hacker takes control of a web
site fraudulently.

2 He may change the content of the original site or even redirect the user to another fake,
similar-looking page controlled by him.

3 The web jacking attack may be used to create a clone of the web site, and to
present the victim with a new link saying that the site has moved.

4 Unlike usual phishing methods, when you hover your cursor over the link provided, the
URL presented will be the original one, and not the attacker's site. But when you click on
the new link, it opens and is quickly replaced with the malicious web server.


Data diddling
1 Data diddling is the unauthorized altering of data before or during entry into a computer
system, and then changing it back after processing is done.

2 Using this technique, the attacker may modify the expected output, and this is difficult to
track.

3 The original information to be entered is changed, either by a person typing in the data or
by a virus that is programmed to change the data.

4 It may also be done by the programmer of the database or application, or by anyone else
involved in the process of creating, recording, encoding, examining, checking, converting
or transmitting data.


Identity Theft and Credit Card Fraud
1 Identity theft occurs when someone steals your identity and pretends to be you to access
resources such as credit cards, bank accounts and other benefits in your name.

2 The most common case of credit card fraud is your pre-approved card falling into someone
else's hands.


Intellectual Property Crimes
1 Intellectual property consists of a bundle of rights. Any unlawful act by which the owner is
deprived completely or partially of his rights is an offense.

2 The common forms of IPR violation may be said to be software piracy, copyright
infringement, trademark and service mark violation, theft of computer source code etc.


Roles of Computer Forensics
1 With digital crime increasing manifold, the need for computer forensics increases
simultaneously.

2 Several parties, such as government organizations, police, private organizations and more,
use computer forensics to trace and catch criminals.

3 It has quickly grown into a new technology that is being used in several areas of criminal
investigation.

4 Recently, computers have been found to be widely used in committing crimes.

5 Investigators now have the advantage of computer forensics to detect and catch criminals
who assumed that they leave no imprints while committing crimes through computers.

6 To collect evidence

7 For forensic tools and tasking

8 To solve old cases

9 In criminal investigations


Different types/categories of digital forensics
1 Network forensics

2 Mobile device forensics

3 Digital image forensics

4 Digital video/audio forensics

5 Memory forensics

6 Cloud forensics


Methodology of computer forensics

Preparation of investigation


Recognition/identification of digital evidence


Documentation of the crime scene



Collection of digital evidence



Packaging/Transportation of evidence/seized equipment



Analysis of digital evidence



Key Steps Taken by a Computer Forensics Specialist
1 Protect the subject computer system during the forensic examination from any possible
alteration, damage, data corruption, or virus introduction.

2 Discover all files on the subject system. This includes existing normal files, deleted yet
remaining files, hidden files, password-protected files, and encrypted files.

3 Recover all discovered deleted files.

4 Reveal the contents of hidden files as well as temporary or swap files used by both the
application programs and the operating system.

5 Access the contents of protected or encrypted files.

6 Analyze all possibly relevant data found in special areas of a disk.

7 Print out an overall analysis of the subject computer system, as well as a listing of all
possibly relevant files and discovered file data.

8 Provide an opinion of the system layout.

9 Provide expert consultation and/or testimony, as required.


Public and private forensics
1 Public investigations usually involve criminal cases and government agencies.

2 Private or corporate investigations, however, deal with private companies,
non-law-enforcement government agencies, and lawyers.

3 Public sector digital forensic investigators often work with other regional government
bureaus to share insights and resources.

4 Public forensic investigators also rely on partnerships with investigators who work on the
commercial side, usually for a consulting firm that performs the same types of analyses.

5 In the private sector, consulting firms seek to help victims and solve cases just as public
sector investigators do, but they also build forensic tools for their customers and provide
support services where needed.

6 Private forensic investigators rely on a more automated, software-driven approach to the
business rather than a singular scientific focus on solving one or a few legal cases.


First Responder Procedure: Non-technical Staff, Technical Staff
1 The first responder to a security incident has a unique and important role to play.

2 Determine the severity of the incident.

3 Collect as much information about the incident as possible.

4 Document all findings.

5 Share the collected information to determine the root cause.

6 The first responder is usually a system or network administrator, but by definition it is
whoever is assigned to handle security incidents and determine their root causes.

7 They should have a first responder toolkit and a predetermined incident response plan to
follow regardless of the type of data (volatile, persistent, or both) being collected.


What is Volatile Data?


Simple case Study
1 Double Encryption for Data Authenticity and Integrity in Privacy-preserving Confidential
Forensic Investigation.


Simple case Study-Continuation
1 It is getting popular for users to put their data in cloud computing services or data
centers. This applies to criminals too.

2 Evidence for crime cases may exist on a large storage medium or even be distributed across
various storage devices that may be in different sites.

3 If a crime case occurs, forensic investigators have to apply for a warrant and try to retrieve
evidence from the servers of these platforms.


Searching on Encrypted Data with Encrypted Keyword



Introduction-Windows Forensics
1 Appreciate and understand the need for Windows forensics.

2 Understand various technical terminologies associated with forensics on Windows systems.

3 Identify major components and aspects of Windows which are relevant during forensics.

4 Define basic technologies and tools used to carry out data capture from a Windows system
during a forensic investigation.

5 Use basic tools and technologies for capturing registry information from Windows systems
during a forensic investigation.


Need for Windows Forensics
1 Analysis of a computer system.

2 Identify evidence of activities leading to criminal activity.

3 To support a theory pertaining to a criminal offense.

4 The process is to analyze information gathered from activities that took place on a Windows
system.


About Windows
1 Among the major operating systems in use, Microsoft Windows is the most widely used
operating system.

2 The Microsoft Windows versions that are currently in use are Windows 8 and Windows 10.

3 Microsoft Windows originated in 1985, as an operating environment running on top of
MS-DOS, which was the standard operating system shipped on most Intel-architecture PCs.

4 Almost 90 percent of traffic in networks comes from computers using Windows as their
operating system.

5 Investigators will be most likely to encounter Windows and have to collect evidence from
it in most cybercrime cases.


Major forensic areas in Windows
1 Volatile information such as system time, logged-on users, open files, network information,
mapped drives, shared folders etc.

2 Non-volatile information such as file systems, registry settings, logs, devices, slack space, swap
file, indexes, partitions etc.

3 Windows memory, such as memory dumps, analysing dumps and other aspects.

4 Caches, cookies and history analysis.

5 Other aspects such as recycle bins, documents, shortcut files, graphics files, executable files
etc.


Volatile information
1 Volatile information can disappear or be easily modified.

2 It retains its contents while powered on, but when the power is interrupted the stored data
is immediately lost.

3 One particular tool to get the history of commands used on the computer is Doskey.
Doskey is a utility for DOS and Microsoft Windows that adds command history.


Doskey utility in Windows command prompt



Uptime2.exe output giving uptimes for the windows system



Volatile information
1 During an investigation we will always need to know who was logged on to the system.

2 Logging on to a system can be done remotely or locally.

3 Information like this can add a logical view to a context or a situation.

4 The logs can be related to an event occurrence.

5 Many tools are available, such as PsLoggedon, Netsessions, LogonSessions etc., to learn the
instantaneous information about the users.

6 These tools can be downloaded from the Windows Sysinternals site.

7 The PsTools in Sysinternals are handy in many such ways.


PsLoggedon output



LoggedonSessions output



Net Sessions output



Openfiles output


NetStat Command
1 Tools like NetStat give access to information pertaining to current network connections to
the host computer.

2 This information will be lost over time and is very difficult to trace as time passes.

3 Also, an investigator needs to discover what processes are running on the system. The
acquired system, which may hold clues to a major crime in the form of files or processes
that are still present on it, was potentially used just before a crime.

4 Information about processes, such as the executable file path, the command used to launch
the process, time stamps, currently loaded modules etc., along with their contexts, needs
to be collected. Tools like Tlist, Tasklist, PsList, ListDLLs etc. help us to get all this
information.


NetStat output



NetStat Output
1 netstat -a: This command is used to list all ports including both UDP and TCP.

2 netstat -at: List only TCP ports

3 netstat -au: List only UDP ports

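Because the connection table is volatile, a first responder usually saves the raw netstat text and reviews it later. The following added example (not from the slides) parses saved output in the column layout that Windows netstat prints and pulls out the two things an examiner looks for first: which TCP ports the host was listening on, and which established sessions went to addresses outside the site's private ranges. The sample output is constructed, not captured from a real host, and the "internal" address ranges are assumed to be the RFC 1918 blocks plus loopback; Linux netstat and ss print different columns, so the regular expression would need adjusting for them.

```python
import re

# Constructed sample in the Windows `netstat -a` column layout (not a real capture)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:49801     203.0.113.9:443        ESTABLISHED
  TCP    192.168.1.20:49802     10.0.0.7:3389          TIME_WAIT
  UDP    0.0.0.0:123            *:*
  UDP    192.168.1.20:137       *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumed "internal" space: RFC 1918 ranges plus loopback
INTERNAL_PREFIXES = ("10.", "192.168.", "127.") + tuple(f"172.{n}." for n in range(16, 32))


def split_endpoint(endpoint):
    """'192.168.1.20:49712' -> ('192.168.1.20', '49712'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn netstat text into connection records; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state or ""})
    return records


def listening_ports(records, proto="TCP"):
    """Sorted numeric ports on which the host accepts connections."""
    return sorted(int(r["local_port"]) for r in records
                  if r["proto"] == proto and r["state"] == "LISTENING")


def is_internal(host):
    return host.startswith(INTERNAL_PREFIXES)


def external_connections(records):
    """Established TCP sessions whose peer lies outside the internal ranges,
    as (foreign_host, foreign_port, local_port) tuples."""
    return [(r["foreign_host"], r["foreign_port"], r["local_port"]) for r in records
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_internal(r["foreign_host"])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("records parsed:", len(recs))
    print("TCP listening ports:", listening_ports(recs))
    print("external established sessions:", external_connections(recs))
```

On its own the output only says that a session to 203.0.113.9 existed; the slide's next point applies here, because that session is correlated with the owning process (Tasklist, PsList) before it is treated as evidence of anything.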


One of the outputs of the ipconfig command


Other Volatile information
1 Several other pieces of information, such as mapped drives, shares or stored folders etc., also
need to be collected for future tests and analysis.

2 Mapped drives on a system are those which the user has created.

3 This information is volatile but can be correlated to network connections or drive
activities leading to a crime.

4 A system's resources can be shared in many different ways, such as shared folders, shared
network access etc.

5 This information can be retrieved in many ways, such as scanning the registry for shares.
Also, a command like "share" can be used for the same purpose.


Non Volatile information
1 Non-volatile information remains on a secondary storage device and persists even after
power is off.

2 This information can be collected later, after all perishable (volatile) information has been
collected following the seizure of the system.

3 Investigators can collect this information after procuring the device and completing all the
formalities of seizing/procuring/capturing the device under law, so that the discoveries
made later are not thrown out during the hearing.

4 Using the command line "dir /o:d", the examiner can list the files sorted by date and so
see the most recent updates.


Registry information
1 Registry information can have a good impact on the forensic analysis and investigation.

2 Tools like reg and regedit help to get registry entries via important keys.

3 Important keys present in the registry are RunMRU, startup objects, the last accessed key,
addresses typed in Internet Explorer, and the last saved directory in Internet Explorer.


Options in reg tool



Example output of reg



regedit command in windows



regedit command in windows



Top Open-Source Tools for Windows Forensic Analysis
1 Magnet Encrypted Disk Detector: This tool is used to check for encrypted physical
drives.

2 Magnet RAM Capture: This tool is used to analyze the physical memory of the system.

3 Wireshark: This is a network analyzer and capture tool that is used to see what
traffic is going through your network.

4 RAM Capture: As the name suggests, this is a free tool that is used to extract the entire
contents of the volatile memory, i.e. RAM.

5 Autopsy: This is a GUI-based tool that is used to analyze hard disks and smartphones.

6 HashMyFiles: This tool is used to calculate the SHA1 and MD5 hashes. It works on all
the latest websites.

7 ExifTool: This tool is used to read, write, and edit meta information from a number of
files.
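The "Why Computer Forensics?" slide says evidence must be handled in a way that preserves its integrity, and the HashMyFiles entry above names the usual way of proving that: hash every file at acquisition and re-hash later. The following added example (not from the slides and not HashMyFiles itself) does the same in Python's standard hashlib: it records MD5, SHA1 and SHA-256 for every file under an evidence directory, then re-hashes the tree and reports which files are unchanged, modified, missing or newly added. The evidence set in demo() is a constructed temporary directory with invented file contents.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory byte string, one per algorithm (hex encoded)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digests of a file, read in 1 MiB chunks so a large image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every file under root; keys are paths relative to root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and label each path 'ok', 'modified', 'missing' or 'added'."""
    current = build_manifest(root)
    report = {}
    for rel, expected in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            report[rel] = "added"
    return report


def demo():
    """Constructed evidence set: two files hashed at acquisition, then altered."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting at 10\n")
    with open(os.path.join(root, "export.csv"), "wb") as fh:
        fh.write(b"id,amount\n1,500\n")
    manifest = build_manifest(root)  # the acquisition-time record
    # Simulated post-acquisition changes: one file edited, one deleted, one planted
    with open(os.path.join(root, "export.csv"), "ab") as fh:
        fh.write(b"2,999\n")
    os.remove(os.path.join(root, "notes.txt"))
    with open(os.path.join(root, "extra.log"), "wb") as fh:
        fh.write(b"unexpected\n")
    return verify_manifest(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The manifest is the artefact that goes into the case record; keeping all three digests costs nothing extra (the file is read once) and means the record can be checked by tools that only speak MD5 or SHA1 as well as by ones that require SHA-256.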


USB Device Forensics
1 Windows keeps a history log of all previously connected USB devices along with their
connection times, in addition to the associated user account which installed them.

2 The Windows registry also stores important technical information for each connected USB
device such as vendor ID, product ID, revision, and serial number.

3 Windows stores USB history-related information using five registry keys, where each key
offers a different piece of information about the connected device.

4 By merging this information together, investigators will have an idea of how an offender
has used removable devices, such as a USB drive, to conduct/facilitate his/her actions.


1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR: Here you will
find all USB devices that have been plugged into the operating system since its
installation. It shows the USB vendor ID (manufacturer name), product ID, and the
device serial number.


Step-2
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices: The MountedDevices sub-key
stores the drive letter allocations; it matches the serial number of a USB device to a given drive
letter or volume that was mounted when the USB device was inserted.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2:
This key will record which user was logged into Windows when a specific USB device was
connected. The key also includes the Last Write Time for each device that was connected to the
system.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB: This key holds technical
information about each connected USB device, in addition to the last time the subject USB
device was connected to the investigated computer.
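The USBSTOR key described above is usually preserved as a text export (the reg tool can write one with reg export) rather than read live on the suspect machine. The following added example (not from the slides) parses such an export and turns each device instance into the fields the slides list: vendor, product, revision and serial number, plus the FriendlyName value when present. The export text is constructed for the example; the vendor names, serial numbers and instance ids are invented. One detail worth knowing when matching serials across machines, stated here as background rather than something the slides cover: when a device exposes no serial number, Windows generates an instance id whose second character is an ampersand, and such ids are specific to the machine that generated them.

```python
import re

# Constructed sample of a registry export of the USBSTOR key (invented devices;
# the key path matches the one discussed on the slides)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230109118081&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1a9c3e&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"Class"="DiskDrive"
"""

# A device *instance* key: USBSTOR\<device class string>\<instance id>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\([^\\\]]+)\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Device class string: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$")


def parse_usbstor_export(text):
    """Return one dict per USB storage device instance found in the export."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            dev = DEVICE_RE.match(key.group(1))
            instance = key.group(2)
            current = {
                "device_type": dev.group("type") if dev else key.group(1),
                "vendor": dev.group("vendor") if dev else "",
                "product": dev.group("product") if dev else "",
                "revision": dev.group("revision") if dev else "",
                "instance_id": instance,
                # The serial is the instance id without the trailing "&<n>" suffix
                "serial": instance.rsplit("&", 1)[0],
                # Second character "&" marks a Windows-generated id (device had no serial)
                "windows_generated_id": len(instance) > 1 and instance[1] == "&",
                "friendly_name": "",
            }
            devices.append(current)
            continue
        if line.startswith("["):
            current = None  # some other key (class-level or unrelated); ignore its values
            continue
        val = VALUE_RE.match(line)
        if val and current is not None and val.group(1) == "FriendlyName":
            current["friendly_name"] = val.group(2)
    return devices


if __name__ == "__main__":
    for d in parse_usbstor_export(SAMPLE_REG):
        flag = " (generated id, not portable)" if d["windows_generated_id"] else ""
        print(f"{d['vendor']} {d['product']} rev {d['revision']} serial {d['serial']}{flag}")
```

The serial field is what gets matched against MountedDevices and MountPoints2 to recover the drive letter and the user account, as the following slides describe.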


Most Recently Used List
1 Windows keeps a log of the most recently accessed files (e.g., when you open a file using
Windows File Explorer or from a standard open/save dialog box, or run a command using
the MS-DOS prompt) in the registry.

2 There are many applications that run on Windows that have most recently used (MRU)
lists, such as recently opened MS Office files and recently visited web pages; these
applications list the files that have been most recently accessed.


Overview of Linux and Unix Platforms
1 Linux is an open source multi-tasking, multi-user operating system. It was initially
developed by Linus Torvalds in 1991. Linux OS is widely used in desktops, mobiles,
mainframes etc.

2 Linux is open source and is developed by the Linux community of developers.

3 Linux is free to use.

4 Supported file systems are Ext2, Ext3, Ext4, JFS, ReiserFS, XFS, Btrfs, FAT, FAT32, NTFS.

5 Linux is used in a wide variety of settings, from desktops, servers and smartphones to
mainframes.

6 Linux was initially developed for Intel's x86 hardware processors. Now it supports
20+ processor families.

7 Ubuntu, Debian GNU/Linux, Arch Linux, etc. are examples of Linux distributions.

8 It has about 60-100 viruses listed till date.


Unix Operating System
1 Unix is a multi-tasking, multi-user operating system but is not free to use and is not open
source. It was developed in 1969 by Ken Thompson's team at AT&T Bell Labs. It is
widely used on servers, workstations etc.

2 Unix was developed by AT&T Bell Labs and is not open source.

3 Unix is a licensed OS.

4 Supported file systems are fs, gpfs, hfs, hfs+, ufs, xfs, zfs.

5 Unix is mostly used on servers, workstations or PCs.

6 SunOS, Solaris, SCO UNIX, AIX, HP/UX, ULTRIX etc. are examples of Unix operating
systems.

7 It has about 85-120 viruses listed till date (rough estimate).


Components of Linux System
The Linux operating system has primarily three components:

1 Kernel: The kernel is the core part of Linux. It is responsible for all major activities of the
operating system. It consists of various modules and it interacts directly with the
underlying hardware. The kernel provides the required abstraction to hide low-level hardware
details from system or application programs.

2 System Library: System libraries are special functions or programs using which application
programs or system utilities access the kernel's features. These libraries implement most of
the functionality of the operating system and do not require the kernel module's code
access rights.

3 System Utility: System utility programs are responsible for doing specialized, individual-level
tasks.


Kernel Mode vs User Mode



Important features of Linux Operating System
1 Portable: Portability means the software can work on different types of hardware in the same
way. The Linux kernel and application programs support installation on any kind of
hardware platform.

2 Open Source: Linux source code is freely available and it is a community-based
development project. Multiple teams work in collaboration to enhance the capability of the
Linux operating system, and it is continuously evolving.

3 Multi-user: Linux is a multi-user system, meaning multiple users can access system resources
like memory/RAM/application programs at the same time.

4 Multiprogramming: Linux is a multiprogramming system, meaning multiple applications can
run at the same time.

5 Hierarchical File System: Linux provides a standard file structure in which system files and
user files are arranged.

6 Shell: Linux provides a special interpreter program which can be used to execute
commands of the operating system. It can be used to do various types of operations, call
application programs, etc.

7 Security: Linux provides user security using authentication features like password
protection, controlled access to specific files, and encryption of data.


Architecture of Linux Operating System



Linux Distributions
1 Other operating system vendors like Microsoft combine every bit of code internally and
release it as a single package. You have to choose from one of the versions they offer.

2 But Linux is different from them. Different parts of Linux are developed by different
organizations.

3 The different parts include the kernel, shell utilities, X server, system environment, graphical
programs, etc. If you want, you can access the code of all these parts and assemble them
yourself. But it is not an easy task: it takes a lot of time, and all the parts have to be
assembled correctly in order to work properly.


Linux Distributions List
1 Ubuntu: It came into existence in 2004, created by Canonical, and quickly became popular.
Canonical wants Ubuntu to be used as an easy graphical Linux desktop without the use of
the command line.

2 Linux Mint: Mint is based on Ubuntu and uses its software repository, so some packages
are common to both. Earlier it was an alternative to Ubuntu because media codecs and
proprietary software were included in Mint but absent in Ubuntu.

3 Debian: Debian has existed since 1993 and releases its versions much more slowly than
Ubuntu and Mint. Ubuntu is based on Debian and was founded to improve the core bits
of Debian more quickly and make it more user friendly. Every release name of Debian is
based on names from the movie Toy Story.

4 Red Hat Enterprise/CentOS: Red Hat is a commercial Linux distributor. Their products
are Red Hat Enterprise Linux (RHEL) and Fedora, which are freely available.

5 Fedora: It is a project that mainly focuses on free software and provides the latest versions
of software. It doesn't make its own desktop environment but uses 'upstream' software.


Linux File System
1 A Linux file system is a structured collection of files on a disk drive or a partition.

2 A partition is a segment of memory and contains some specific data. In our machine, there
can be various partitions of the memory. Generally, every partition contains a file system.

3 A general-purpose computer system needs to store data systematically so that we can
easily access the files in less time.

4 It stores the data on hard disks (HDD) or some equivalent storage type.

5 Primarily the computer saves data to RAM; it may lose the data if it gets
turned off. However, there is non-volatile RAM (Flash RAM and SSD) that is available to
maintain the data after a power interruption.

6 Data storage is preferred on hard drives as compared to standard RAM, as RAM costs more
than disk space. Hard disk costs are dropping gradually compared with RAM.


The Linux file system contains the following sections:
1 The root directory (/)

2 A specific data storage format (EXT3, EXT4, BTRFS, XFS and so on)

3 A partition or logical volume having a particular file system.


What is the Linux File System?
1 The Linux file system is generally a built-in layer of a Linux operating system used to handle
the data management of the storage.

2 It helps to arrange the files on the disk storage. It manages the file name, file size, creation
date, and much more information about a file.

3 The Linux file system has a hierarchical file structure, as it contains a root directory and its
subdirectories.

4 All other directories can be accessed from the root directory. A partition usually has only
one file system, but it may have more than one file system.


Linux File System



Linux File System Features
1 Specifying paths: Linux does not use the backslash to separate path components; it
uses the forward slash (/) instead. For example, in Windows the data may be
stored in C:\My Documents\Work, whereas in Linux it would be stored in /home/My
Document/Work.

2 Partitions, Directories, and Drives: Linux does not use drive letters to organize the drives
as Windows does. In Linux, we cannot tell whether we are addressing a partition, a
network device, or an "ordinary" directory and a drive.

3 Case Sensitivity: The Linux file system is case sensitive. It distinguishes between lowercase
and uppercase file names. For example, there is a difference between test.txt and Test.txt in
Linux. This rule also applies to directories and Linux commands.

4 File Extensions: In Linux, a file may have the extension '.txt', but it is not necessary that
a file should have a file extension.

5 Hidden files: Linux distinguishes between standard files and hidden files; mostly the
configuration files are hidden in Linux OS. Usually, we don't need to access or read the
hidden files. The hidden files in Linux are represented by a dot (.) before the file name
(e.g., .ignore). To access the files, we need to change the view in the file manager or need
to use a specific command in the shell.
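Two of the points above, case sensitivity and dot-prefixed hidden files, and the earlier Windows slide's use of "dir /o:d" to list files by date, are all things an examiner checks when triaging a seized file system. The following added example (not from the slides) walks a directory tree and produces three views of it: every file sorted by modification time (the "dir /o:d" view), the files hidden by a leading dot anywhere in their path, and names in the same directory that differ only by letter case, which a case-insensitive tool would silently merge. The tree in demo() is constructed in a temporary directory with fixed timestamps; it is not data from any real system. The case-collision check only finds anything on a case-sensitive file system, which demo() reports as well.

```python
import os
import tempfile
from collections import defaultdict


def inventory(root):
    """One record per file under root, sorted by modification time, oldest first."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)  # lstat: do not follow symlinks while collecting
            records.append({
                "path": rel,
                "name": name,
                # Hidden in the Unix sense: any path component begins with a dot
                "hidden": any(part.startswith(".") for part in rel.split(os.sep)),
                "size": st.st_size,
                "mtime": st.st_mtime,
            })
    records.sort(key=lambda r: r["mtime"])
    return records


def hidden_files(records):
    return [r["path"] for r in records if r["hidden"]]


def case_collisions(records):
    """Names in the same directory that differ only by letter case (test.txt vs Test.txt)."""
    groups = defaultdict(list)
    for r in records:
        groups[(os.path.dirname(r["path"]), r["name"].lower())].append(r["path"])
    return sorted(sorted(v) for v in groups.values() if len(v) > 1)


def most_recent(records, n=3):
    """Newest n paths first, the view `dir /o:-d` gives on Windows."""
    return [r["path"] for r in records[-n:]][::-1]


def demo():
    """Build a constructed tree with fixed timestamps and run the three checks."""
    root = tempfile.mkdtemp(prefix="fs_demo_")
    os.makedirs(os.path.join(root, ".cache"))
    files = ["test.txt", "Test.txt", ".ignore",
             os.path.join(".cache", "data.bin"), "report.pdf"]
    for i, rel in enumerate(files):
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(b"x" * (i + 1))
        stamp = 1_600_000_000 + 60 * i  # deterministic mtimes, one minute apart
        os.utime(full, (stamp, stamp))
    records = inventory(root)
    return {
        # Two entries that differ only in case exist only on a case-sensitive file system
        "case_sensitive_fs": sum(1 for n in os.listdir(root) if n.lower() == "test.txt") == 2,
        "hidden": hidden_files(records),
        "collisions": case_collisions(records),
        "recent": most_recent(records),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Sorting by mtime is only a first pass: timestamps can be set by anyone who can write the file, as the os.utime call in demo() itself shows, so the ordering is a lead to follow, not proof of when a file was last touched.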


Types of Linux File System



Linux Kernel Security Features
Network Security

1 Linux has a very comprehensive and capable networking stack, supporting many protocols
and features.

2 Linux can be used both as an endpoint node on a network and as a router, passing
traffic between interfaces according to networking policies.

3 Netfilter is an IP network layer framework which hooks packets which pass into, through
and from the system. Kernel-level modules may hook into this framework to examine
packets and make security decisions about them.

4 ebtables provides filtering at the link layer, and is used to implement access control for
Linux bridges, while arptables provides filtering of ARP packets.

5 The networking stack also includes an implementation of IPsec, which provides
confidentiality, authenticity, and integrity protection of IP networking.


Cryptography
1 A cryptographic API is provided for use by kernel subsystems. It provides support for a
wide range of cryptographic algorithms and operating modes, including commonly
deployed ciphers, hash functions, and limited support for asymmetric cryptography.

2 Support for hardware-based cryptographic features is growing, and several algorithms have
optimized assembler implementations on common architectures.

3 A key management subsystem is provided for managing cryptographic keys within the
kernel.

4 Kernel users of the cryptographic API include the IPsec code, disk encryption schemes
including eCryptfs and dm-crypt, and kernel module signature verification.


Common command-line utilities
1 pwd command

2 cd command

3 ls command

4 cat command

5 cp command

6 mkdir command

7 rmdir command

8 rm command

9 touch command

10 locate command

11 find command



Common command-line utilities
1 grep command

2 sudo command

3 df command

4 du command

5 head command

6 tail command

7 diff command

8 chmod command

9 chown command



Common command-line utilities
1 ping command

2 wget command

3 uname command

4 history command

5 useradd, userdel command

