Professional Documents
Culture Documents
Storage Devices
Handheld Devices
Peripheral Devices
Network Devices
BEWARE !!!!!
•Digital evidence may be lost if power is not maintained.
•Digital evidence can be overwritten or deleted while the device remains activated.
•Software may be activated remotely to render the device unusable and make the data it contains inaccessible.
Peripheral Devices
Potential evidence: The devices themselves and the functions they perform or
facilitate are all potential evidence. Information stored on the device regarding
its use also is evidence, such as incoming and outgoing phone and fax
numbers; recently scanned, faxed, or printed documents; and information about
the purpose for or use of the device. In addition, these devices can be sources
of fingerprints, DNA, and other identifiers.
Network Devices
Potential evidence: The device or item itself, its intended or actual use, its
functions or capabilities, and any settings or other information it may contain is
potential evidence.
Digital Evidence is Sensitive to
Static Electricity
Magnetic Fields
Shock
Moisture
Tools & Material for Collecting Digital
Evidence
Cameras (photo and video).
Cardboard boxes.
Notepads.
Gloves.
Evidence inventory logs.
Evidence tape.
Paper evidence bags.
Evidence stickers, labels, or tags.
Crime scene tape.
Antistatic bags.
Permanent markers.
Nonmagnetic tools.
Securing and Evaluating the Crime Scene
for Digital Evidence
Preserve components such as the keyboard, mouse, and removable storage media for physical evidence such as fingerprints, DNA, or other traces that should be preserved.
Listen for the sound of fans or drives spinning, or check whether light-emitting diodes are on.
Check the display screen for signs that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
Look for indications that the computer is being accessed from a remote computer or device.
Probable Reasons:
1. Startup program executed.
2. Access date & time of OS files changed.
Best Practices for Cyber
Forensics Procedure
Cyber Forensic Process
Acquire
Authenticate
Analyze
Document
Sanitizing investigator’s media for storing
images of suspect media for investigation
IMAGE FILE
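The Acquire, Authenticate and Document steps above, together with sanitizing the investigator's destination media before an image is written to it, as an added worked example that is not part of the original slides. The "suspect device" and the investigator's media are constructed temporary files, the chain-of-custody record layout is this example's own, and the helper names are assumptions rather than any forensic suite's API.

```python
"""Added example (not from the original slides): sanitize investigator media,
acquire a bit-for-bit image, authenticate it by hash, and document the result.
The suspect device is a constructed temporary file; function names are this
example's own assumptions, not an existing tool's API."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB read/write blocks, so large images never sit in RAM


def sha256_of(path):
    """Hash a file in fixed-size chunks; used for both source and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sanitize_media(path, size):
    """Overwrite the investigator's media with zeros and verify every byte reads
    back as zero, so residue from an earlier case cannot contaminate the image."""
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return os.path.getsize(path) == size


def acquire(source, image):
    """Acquire: bit-for-bit copy of the suspect media into the image file.
    The source is opened read-only; only the sanitized destination is written."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return os.path.getsize(image)


def acquire_and_authenticate(source, image, log):
    """Run sanitize -> acquire -> authenticate and append a chain-of-custody
    record (Document step) as one JSON line to `log`."""
    size = os.path.getsize(source)
    if not sanitize_media(image, size):
        raise RuntimeError("destination media failed sanitization check")
    copied = acquire(source, image)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image, "bytes": copied,
        "sha256_source": src_hash, "sha256_image": img_hash,
        "authenticated": src_hash == img_hash,  # Authenticate: hashes must match
    }
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed sample: a 200 KiB pseudo-device with recognisable content."""
    d = tempfile.mkdtemp()
    source = os.path.join(d, "suspect_usb.bin")
    image = os.path.join(d, "case001.dd")
    log = os.path.join(d, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"EVIDENCE" * (200 * 1024 // 8))
    return acquire_and_authenticate(source, image, log)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash of the source is taken after the copy so that a source that changed during acquisition (the "power not maintained" and "remote wipe" risks listed earlier) shows up as a mismatch in the custody record rather than going unnoticed.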
Printed e-mail, notes, letters, and maps
Web cameras and microphones
Communication devices
GPS equipment
Computer Forensic Analysis and
Validating Forensic Data
Determining What Data to Collect and
Analyze
• Examining and analyzing digital evidence
depends on:
– Nature of the case
– Amount of data to process
– Search warrants and court orders
– Company policies
• Scope creep
– Investigation expands beyond the original description
• Right of full discovery of digital evidence
Approaching Computer Forensics
Cases
• Basic steps for all computer forensics investigations
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related to the investigation
• Make your best effort to recover file contents
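The first two basic steps, listing every folder and file from the root of the volume and flagging files that may be password-protected, as an added worked example that is not part of the original slides. The sample volume is a constructed temporary directory, the ZIP and PDF heuristics are this example's own (a ZIP entry's general-purpose flag bit 0 and a PDF trailer `/Encrypt` entry), and the function names are assumptions rather than any forensic suite's API.

```python
"""Added example (not from the original slides): inventory every folder and
file from the root of a mounted image, hash each file, and flag files that
look password-protected. The sample tree is constructed in a temp dir; the
heuristics and function names are this example's own assumptions."""
import hashlib
import os
import tempfile
import zipfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def looks_password_protected(path):
    """Heuristics only: ZIP general-purpose flag bit 0 marks an encrypted
    entry; a PDF carrying /Encrypt in its trailer is an encrypted document."""
    try:
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                return any(info.flag_bits & 0x1 for info in z.infolist())
    except zipfile.BadZipFile:
        return False
    with open(path, "rb") as f:
        if f.read(5) == b"%PDF-":
            f.seek(0)
            return b"/Encrypt" in f.read()
    return False


def inventory(root):
    """Walk from the root of the volume and record every directory and file
    with size, hash and the password-protected flag. Symlinks are skipped."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort(); filenames.sort()  # deterministic order for the report
        rel = os.path.relpath(dirpath, root)
        rows.append({"path": rel, "type": "dir"})
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rows.append({
                "path": os.path.normpath(os.path.join(rel, name)),
                "type": "file",
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
                "password_protected": looks_password_protected(full),
            })
    return rows


def _make_encrypted_flag_zip(path):
    """Constructed sample: Python's zipfile cannot write encrypted archives, so
    write a plain one and set the encryption flag in the local header
    (offset 6) and central directory (offset 8). Only the flag matters here."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("notes.txt", "constructed sample")
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[data.find(b"PK\x03\x04") + 6] |= 0x1
    data[data.find(b"PK\x01\x02") + 8] |= 0x1
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree():
    """Constructed sample volume: two folders, a plain text file, an encrypted
    PDF stand-in and a ZIP flagged as encrypted."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Documents", "old"))
    with open(os.path.join(root, "Documents", "readme.txt"), "w") as f:
        f.write("plain text\n")
    with open(os.path.join(root, "Documents", "old", "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Root 1 0 R /Encrypt 2 0 R>>\n%%EOF\n")
    _make_encrypted_flag_zip(os.path.join(root, "Documents", "archive.zip"))
    return root


if __name__ == "__main__":
    for row in inventory(build_sample_tree()):
        print(row)
```

Run against a read-only mount of the image, never the original media; the hash column is what later lets the examiner show that a file examined in the report is the same bytes that were in the image.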
• Network traffic data collection systems can be of two kinds: "stop, look and listen" or "catch-it-as-you-can".
1. "Catch-it-as-you-can":
• All packets are sent through a traffic point where they are stored in a database.
• After that, analysis is performed on the stored data.
• Analysis results are also stored in the database, and the stored data can be retained for future analysis. It should be noted, though, that this type of system requires a large storage capacity.
• In "catch-it-as-you-can" systems, all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode.
• Pro: Comprehensive visibility into all network traffic looking backward (within a reasonable time period).
• Con: This approach requires large amounts of storage, usually involving a RAID system (RAID, redundant array of independent disks, is a way of storing the same data in different places on multiple hard disks or solid-state drives to protect data in the case of a drive failure).
• Every security device has advantages and disadvantages, and firewalls are no different. If we apply strict defensive mechanisms to our network to protect it from breach, it is possible that even our legitimate communication could malfunction; if we allow entire protocol communications into our network, it can easily be hacked by malicious users. So we should maintain a balance between strictly-coupled and loosely-coupled functionalities.
Advantages
Network forensic tasks that can be facilitated through software include the collection, normalizing, filtering, labeling, stream reassembly, correlation and analysis of multiple sources of traffic data. Although there are single-purpose tools aimed at each of these tasks, feature creep is blurring the distinction between categories, resulting in tools that are useful in addressing a growing number of things that can go wrong on the network. However, before an investigator can perform any other forensic task, suitable network activity data must be collected. Raw network packets, which contain the highest possible level of traffic detail, supplement the often-sparse log data available from applications, authentication systems, routers and firewalls. Sniffing collects such network data.

Stream reassembly or sessioning is the collation and packaging of raw network traffic from a single source such that all the data within a connection session is presented as a complete stream. Sessioning is performed by protocol analysis tools, which isolate the specific communications that took place between two or more of the apparent endpoints or relay points. Such an analysis is the first step in determining who communicated when and what was transmitted. Most protocol analysis tools provide a tree-oriented view of sessions and protocols used within the sessions. Such a visual presentation of network traffic makes it easier to understand exactly what happened on the network.
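The "catch-it-as-you-can" model described earlier (store every packet first, analyse later in batch) and the stream reassembly / sessioning just described, as one added worked example that is not part of the original slides. The packets are constructed records rather than a real capture, the store is an in-memory SQLite table standing in for the RAID-backed capture volume the text mentions, and the record layout and function names are this example's own assumptions.

```python
"""Added example (not from the original slides): a minimal 'catch-it-as-you-can'
packet store followed by sessioning and stream reassembly over the stored
packets. Packets are constructed records; the layout is this example's own."""
import sqlite3
from collections import defaultdict


def open_store():
    """Storage for raw packets; in-memory SQLite here so the example runs
    offline, a RAID-backed capture volume in a real deployment."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE packets (
        id INTEGER PRIMARY KEY, ts REAL, src TEXT, sport INTEGER,
        dst TEXT, dport INTEGER, seq INTEGER, payload BLOB)""")
    return db


def capture(db, packets):
    """'Catch' phase: every packet is written as-is, no filtering or analysis.
    Returns (packet count, payload bytes stored) for capacity planning."""
    db.executemany(
        "INSERT INTO packets (ts, src, sport, dst, dport, seq, payload) VALUES (?,?,?,?,?,?,?)",
        [(p["ts"], p["src"], p["sport"], p["dst"], p["dport"], p["seq"], p["payload"])
         for p in packets])
    db.commit()
    return db.execute("SELECT COUNT(*), COALESCE(SUM(LENGTH(payload)), 0) FROM packets").fetchone()


def session_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection land together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def reassemble(db, start_ts=None, end_ts=None):
    """Batch analysis over stored packets: group by session, then rebuild each
    direction's byte stream by sequence number. Retransmitted duplicates are
    dropped, out-of-order arrival is tolerated, and missing bytes are marked."""
    q = "SELECT ts, src, sport, dst, dport, seq, payload FROM packets"
    args = []
    if start_ts is not None and end_ts is not None:
        q += " WHERE ts BETWEEN ? AND ?"
        args = [start_ts, end_ts]
    sessions = defaultdict(lambda: defaultdict(dict))  # key -> direction -> {seq: bytes}
    for ts, src, sport, dst, dport, seq, payload in db.execute(q, args):
        key = session_key(src, sport, dst, dport)
        direction = f"{src}:{sport}->{dst}:{dport}"
        sessions[key][direction].setdefault(seq, bytes(payload))  # keep first copy seen
    result = {}
    for key, dirs in sessions.items():
        result[key] = {}
        for direction, segs in dirs.items():
            stream, expected = b"", None
            for seq in sorted(segs):
                if expected is not None and seq < expected:
                    continue  # overlaps a segment already placed
                if expected is not None and seq > expected:
                    stream += b"[gap:%d]" % (seq - expected)  # bytes never captured
                stream += segs[seq]
                expected = seq + len(segs[seq])
            result[key][direction] = stream
    return result


# Constructed sample capture: one HTTP-like exchange whose request arrives out
# of order and includes a retransmission, plus one unrelated session.
SAMPLE_PACKETS = [
    {"ts": 1.0, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 80, "seq": 100, "payload": b"GET /index"},
    {"ts": 1.2, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 80, "seq": 115, "payload": b" HTTP/1.1\r\n"},
    {"ts": 1.1, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 80, "seq": 110, "payload": b".html"},
    {"ts": 1.3, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 80, "seq": 110, "payload": b".html"},
    {"ts": 1.5, "src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 40001, "seq": 500, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"ts": 1.6, "src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 40001, "seq": 517, "payload": b"\r\nhello"},
    {"ts": 2.0, "src": "10.0.0.7", "sport": 50000, "dst": "10.0.0.9", "dport": 22, "seq": 1, "payload": b"SSH-2.0-client\r\n"},
]


if __name__ == "__main__":
    store = open_store()
    print("stored:", capture(store, SAMPLE_PACKETS))
    for key, dirs in reassemble(store).items():
        for direction, stream in dirs.items():
            print(direction, stream)
```

The byte total returned by `capture` is the figure that drives the storage problem the text raises: multiply the observed bytes per unit time by the retention period to size the capture volume, and note that the stream shown to the analyst is built only at analysis time, never during capture.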
Network Forensics Tools
• A network forensics tool is an application used by forensic experts for tasks such as monitoring and auditing the network. Forensic toolkits allow investigators to gather and analyze data; examples include E-Detective, NetFlow v5 / 9, netcat, NetDetector, tcpdump, Wireshark / Ethereal, Argus, NFR, TCPWrapper, sniffer, nstat, and tripwire.
• Some examples of network forensic tools:
1. Wireshark
A popular network analyzer and monitor. Wireshark's features include:
- Inspects hundreds of protocols in depth
- Captures live and analyzes offline
- Multi-platform: runs on Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others
- Captured network data can be displayed via the GUI or via TTY mode
- Can filter the view with many filter options
- Can read and write many capture file formats
• 2. Netcat
• It is a utility used for a wide range of TCP and UDP tasks: it can open TCP connections, send UDP packets, listen on TCP and UDP ports, scan ports, and work over both IPv4 and IPv6. Netcat is also commonly used by hackers to connect back to the target system so that they gain root access through a port the hacker has set.
• 3. E-Detective
• It is a real-time Internet interception, monitoring and forensics system that captures, decodes, and reconstructs several types of Internet traffic. Such systems are typically used for corporate Internet behaviour monitoring, auditing, record storage, forensic analysis, and investigations. E-Detective can decode, reassemble, and recover various types of Internet applications and services, for example Email, Webmail, Instant Messaging, File Transfer, Online Games, Telnet, HTTP, VoIP, and others.
Database Forensics
• Database servers store sensitive information.
• Database forensics refers to the branch of digital forensic science
specifically related to the study of databases and the data they
keep.
• Database forensics looks at who accessed the database and what actions were performed.
• A forensic examination of a database may investigate the
timestamps relating to the update time of a row in a relational table
in order to verify the actions of a database user.
• Another database forensics case might examine all transactions
within a database system or application over a specific period of
time in order to identify any fraudulent transactions.
• Experts in database forensics need to be well-versed in almost all
aspects of database development and use, as they have to
preserve, authenticate, analyze and output data from large,
custom-built databases that cannot just be copied and taken back
to the office for further investigation.
• Database forensics concentrates on scientifically interrogating a failed database, trying to reconstruct the metadata and page information from within a data set.
• Databases act as the primary source of electronic evidence for every organization, irrespective of its size and complexity. After an unexpected incident, a forensic examiner produces this evidence in a court of law, regardless of the size of the databases.
• The following scenarios would require the intervention of a
database forensic specialist:
Failure of a database
Deletion of information from database
Inconsistencies in the data of a database
Detection of suspicious behaviour of users
• A database forensics expert will normally use a read-only method
or an identical forensic copy of the data when interfacing with a
database to ensure that no data is compromised. They will run a
series of diagnostic tools to help them to:
Create a forensic copy of a database for analysis
Reconstruct missing data and/or log files associated with the
deletion
Decipher data and ascertain possible causes of corruption
Audit user activities and isolate suspicious and illegal behaviour
• What Database Systems Are Most Commonly Used in Forensics?
• Here are the top five, along with their DB schema
types:
• Oracle (Relational Database Management System)
• MySQL (Relational Database Management System)
• Microsoft SQL Server (Relational Database
Management System)
• PostgreSQL (Relational Database Management System)
• MongoDB (Document Stores)
• What Are Record Carving and Database
Reconstruction?
• Record carving is an attempt by a forensics
specialist to obtain valid rows of data from within
a damaged or corrupt database.
• Database reconstruction is a process whereby a
forensics professional attempts to repair a
database well enough to get some rudimentary
information from it, allowing for further repair
and interrogation. This is usually done by
analyzing log files of the database system and
running the activities through an algorithm that
restores records to their previous state at the
time of the log creation.
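The three kinds of database examination described above, verifying a row's update timestamp against the log, auditing transactions over a period for suspicious activity, and reconstructing earlier record state by running the log through a restore routine, as one added worked example that is not part of the original slides. The ledger is a constructed SQLite database opened read-only, as the text recommends; the table layout, the trigger-fed change log, the "suspicious" rule and the function names are this example's own assumptions, not any product's.

```python
"""Added example (not from the original slides): timestamp verification,
transaction audit and log-based reconstruction over a constructed SQLite
ledger, accessed through a read-only connection. Schema, rules and names are
this example's own assumptions."""
import os
import sqlite3
import tempfile


def build_suspect_db():
    """Constructed case data: an accounts table plus a trigger-fed change log.
    Balance updates are logged; afterwards one row's updated_at is back-dated
    directly, which leaves no log row and is the tampering to surface."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER,
                               updated_at TEXT);
        CREATE TABLE change_log (seq INTEGER PRIMARY KEY, at TEXT, db_user TEXT,
                                 row_id INTEGER, old_balance INTEGER, new_balance INTEGER);
        CREATE TRIGGER log_balance AFTER UPDATE OF balance ON accounts BEGIN
            INSERT INTO change_log (at, db_user, row_id, old_balance, new_balance)
            VALUES (NEW.updated_at, 'app', OLD.id, OLD.balance, NEW.balance);
        END;
        INSERT INTO accounts VALUES (1, 'alice', 1000, '2024-03-01T09:00:00');
        INSERT INTO accounts VALUES (2, 'bob',   500,  '2024-03-01T09:00:00');
        UPDATE accounts SET balance = 900,  updated_at = '2024-03-02T10:15:00' WHERE id = 1;
        UPDATE accounts SET balance = 600,  updated_at = '2024-03-02T10:15:00' WHERE id = 2;
        UPDATE accounts SET balance = 5600, updated_at = '2024-03-03T02:40:00' WHERE id = 2;
        -- tampering: only the timestamp is edited, so the trigger does not fire
        UPDATE accounts SET updated_at = '2024-03-02T10:15:00' WHERE id = 2;
    """)
    db.commit()
    db.close()
    return path


def open_forensic_copy(path):
    """Interface with the evidence read-only so analysis cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def is_read_only(db):
    """Sanity check before analysis: a write attempt must be refused."""
    try:
        db.execute("UPDATE accounts SET balance = balance")
    except sqlite3.OperationalError:
        return True
    db.rollback()
    return False


def timestamp_mismatches(db):
    """Rows whose updated_at disagrees with the latest logged change for that
    row: the timestamp check the text describes."""
    q = """SELECT a.id, a.updated_at, MAX(l.at) FROM accounts a
           JOIN change_log l ON l.row_id = a.id GROUP BY a.id"""
    return [(rid, row_ts, log_ts) for rid, row_ts, log_ts in db.execute(q)
            if row_ts != log_ts]


def suspicious_changes(db, start, end, max_delta=1000):
    """Logged changes inside [start, end] that move a balance by more than
    max_delta or fall outside 08:00-18:00 (rule assumed for the example)."""
    q = "SELECT seq, at, row_id, old_balance, new_balance FROM change_log WHERE at BETWEEN ? AND ?"
    out = []
    for seq, at, rid, old, new in db.execute(q, (start, end)):
        hour = int(at[11:13])
        if abs(new - old) > max_delta or not 8 <= hour < 18:
            out.append({"seq": seq, "at": at, "row_id": rid, "old": old, "new": new})
    return out


def reconstruct_balances(db, as_of):
    """Rebuild balances as they stood at `as_of` by undoing, newest first,
    every logged change that happened after that point."""
    balances = dict(db.execute("SELECT id, balance FROM accounts"))
    q = "SELECT row_id, old_balance FROM change_log WHERE at > ? ORDER BY seq DESC"
    for rid, old in db.execute(q, (as_of,)):
        balances[rid] = old
    return balances


if __name__ == "__main__":
    evidence = open_forensic_copy(build_suspect_db())
    print("read-only:", is_read_only(evidence))
    print("timestamp mismatches:", timestamp_mismatches(evidence))
    print("suspicious:", suspicious_changes(evidence, "2024-03-01T00:00:00", "2024-03-04T00:00:00"))
    print("balances on 2 March noon:", reconstruct_balances(evidence, "2024-03-02T12:00:00"))
```

The reconstruction walks the log in reverse because each log row stores the value it replaced; a log that records only new values would need to be replayed forwards from a known-good snapshot instead, which is the situation the text calls database reconstruction.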
A. To examine the forensic aspects of a database, the well-known three-schema view, with external, conceptual, and internal schemas, is taken as the dimension for forensic examination. From a forensic investigation perspective the following things need to be considered:
• To know the relation between the data dictionary and the conceptual layer. The data dictionary
may be the target of an attack by destructing or making any subtle changes in the data
dictionary.
• The data dictionary also contains information that may be of forensic interest itself, such as the
creation time of an entity-whether that entity occurs on the external, conceptual or internal
layer.
• The external schema defines the data to be provided to a specific user.
• During a forensic investigation, the different views for various users generated by different
schemas may be relevant. The number of such external schemas only depends on the
considered database.
• The operating system’s management of the files used for the physical layer is also to be
considered.
B. The level of logging that occurs in a database may include enough information for investigation.
C. Restoration or recreation of data that has been (partially) destroyed, or only partially recovered, is done under a forensic capture process. It is often necessary to reverse engineer not only the application schema and other data, but also the underlying DBMS structure of the (known) DBMS.
D. Detailed logs, metadata, or a combination of both may be used to determine who was authorized to perform a certain action and use that as the basis for attribution. Data mining tools and applications may be of valuable help in forensic analysis.
List of Database Forensics Tools
Volatile/Non-Volatile Data