
UNIT 3

1. Data Acquisition of Digital Evidence from Electronic Media

• Digital devices are everywhere in today's world, helping people communicate locally and globally with ease.
• Most people immediately think of computers, cell phones and the Internet
as the only sources for digital evidence, but any piece of technology that
processes information can be used in a criminal way.
• For example, hand-held games can carry encoded messages between
criminals and even newer household appliances, such as a refrigerator
with a built-in TV, could be used to store, view and share illegal images.
• The important thing to know is that responders need to be able to
recognize and properly seize potential digital evidence.
• Digital evidence is defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device. This evidence can be acquired when electronic devices are seized and secured for examination.
Digital evidence:
 Is latent (hidden), like fingerprints or DNA evidence
 Crosses jurisdictional borders quickly and easily
 Can be altered, damaged or destroyed with little effort
 Can be time sensitive
• There are many sources of digital evidence, divided into three major forensic categories of devices where evidence can be found: Internet-based, stand-alone computers or devices, and mobile devices.
• Definition: Data acquisition is the process of making a forensic image from computer media such as hard drives, thumb drives, CD-ROMs, removable drives, servers and any other media that stores electronic data, including gaming consoles and other devices.
• The forensic image is made through a hardware write blocker, specialized hardware placed between the source media and the acquisition workstation that prevents any data from being written to the source so it remains pristine.
• The forensic image, not the original media, is used by the
forensic examiner to conduct the examination.
• The forensic image is verified against the original to ensure it is an exact duplicate of the original media.
• The verification is done by hashing: the same cryptographic hash function is run over the source media and over the image, and the two digests must match. MD5 and SHA-1 are still reported for compatibility with older tools and case records, but both have known collision attacks, so a SHA-256 digest should be recorded alongside them.
• At critical points throughout the analysis the media is hashed again to confirm that the evidence is still in its original state.
Evidence that May be Gathered Digitally
• Computer documents, emails, text and instant messages,
transactions, images and Internet histories are examples of
information that can be gathered from electronic devices
and used very effectively as evidence.
• For example, mobile devices use online backup systems, also known as the "cloud", which can give forensic investigators (with the appropriate legal authority) access to text messages and pictures taken with a particular phone.
• In addition, many mobile devices store information about
the locations where the device traveled and when it was
there.
• To gain this knowledge, investigators can access an average
of the last 200 cell locations accessed by a mobile device.
• Even photos posted to social media such as Facebook may
contain location information.
• Photos taken with a Global Positioning System (GPS)-enabled device carry embedded metadata (EXIF tags) that records when and exactly where the photo was taken, unless the device or the service the photo was uploaded to stripped those tags.
How Digital Devices are Collected
• On the scene: The digitally stored information is very
sensitive and easily lost.
• Once the scene has been secured and legal authority to
seize the evidence has been confirmed, devices can be
collected.
• Any passwords, codes or PINs should be gathered from
the individuals involved, if possible, and associated
chargers, cables, peripherals, and manuals should be
collected.
• Thumb drives, cell phones, hard drives and the like are
examined using different tools and techniques, and this
is most often done in a specialized laboratory.
• First responders need to take special care with digital
devices in addition to normal evidence collection
procedures to prevent exposure to things like extreme
temperatures, static electricity and moisture.
Seizing Mobile Devices
• Devices should be turned off immediately and batteries removed, if possible. Be aware that on modern encrypted smartphones powering off may lock the device behind a passcode that cannot be bypassed later, which is why many current procedures instead keep the device powered on inside a Faraday bag; follow your agency's current procedure.
• Turning off the phone preserves cell tower location information and
call logs, and prevents the phone from being used, which could
change the data on the phone.
• In addition, if the device remains on, remote destruction
commands could be used without the investigator’s knowledge.
• Some phones have an automatic timer to turn on the phone for
updates, which could compromise data, so battery removal is
optimal.
• If the device cannot be turned off, then it must be isolated from its cell tower by placing it in a Faraday bag or other blocking material, set to airplane mode, or the Wi-Fi, Bluetooth or other communications system must be disabled. Changing airplane mode or radio settings means interacting with the device and alters its state, so prefer the Faraday bag and document any setting you change.
• Digital devices should be placed in antistatic packaging such as
paper bags or
Seizing Stand-Alone Computers and Equipment
• To prevent the alteration of digital evidence during
collection, first responders should first document any
activity on the computer, components, or devices by
taking a photograph and recording any information on
the screen.
• Responders may move a mouse (without pressing
buttons or moving the wheel) to determine if
something is on the screen. If the computer is on,
calling on a computer forensic expert is highly
recommended as connections to criminal activity may
be lost by turning off the computer.
• If a computer is on but is running destructive software
(formatting, deleting, removing or wiping information),
power to the computer should be disconnected
immediately to preserve whatever is left on the
machine.
How and Where the Analysis is Performed
• Exploiting data in the laboratory: Once the digital evidence has been sent
to the laboratory, a qualified analyst will take the following steps to
retrieve and analyze data:
• 1. Prevent contamination: Prior to analyzing digital evidence, an image or
work copy of the original storage device is created. When collecting data
from a suspect device, the copy must be stored on another form of media
to keep the original pristine.
• Analysts must use “clean” storage media to prevent contamination or the
introduction of data from another source.
• 2. Isolate Wireless Devices: Cell phones and other wireless devices should
be initially examined in an isolation chamber, if available. This prevents
connection to any networks and keeps evidence as pristine as possible.
• The Faraday bag can be opened inside the chamber and the device can be
exploited, including phone information, Federal Communications
Commission (FCC) information, SIM cards, etc.
• 3. Apply write blocking: To prevent any change to the data on the original device or media, the analyst connects it through a hardware write blocker, or enables a software write block that marks the device read-only to the operating system, so that data may be read but nothing can be written or added. The working copy is made from behind this block; the block protects the original, not the copy.
• 4. Select extraction methods: Once the working copy is created, the
analyst will determine the make and model of the device and select
extraction software designed to most completely “parse the data,” or
view its contents.
• 5. Submit device or original media for traditional evidence
examination: When the data has been removed, the device is sent back
into evidence. There may be DNA, trace, fingerprint, or other evidence
that may be obtained from it and the digital analyst can now work
without it.
• 6. Proceed with investigation: At this point, the analyst uses the selected software to view the data. The analyst can see all the files on the drive, can see whether areas are hidden, and may be able to reconstruct file system structures so that hidden areas can be viewed. Deleted files are also visible, as long as they have not been overwritten by new data, and partially overwritten files can be of value as well.
• Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond the hardware to find evidence that resides on the Internet, including chat rooms, instant messaging, websites and other networks of participants or information. By using IP addresses, e-mail header information, time stamps on messages and other metadata, the analyst can piece together strings of interactions that provide a picture of activity.
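One concrete instance of piecing together interactions from e-mail header information, added here as an example and not part of the original notes: the script walks the Received headers of a message (each relay stamps a new one on top of the previous ones) and reconstructs the path, the timestamps and the connecting IP addresses. The message is a constructed sample using documentation-range addresses, and every host name in it is invented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not real mail). The top-most Received header is
# the last hop; the bottom-most was written by the first server the sender hit.
SAMPLE_MAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
    by mail.victim.example (Postfix) with ESMTPS id 1A2B3C
    for <ceo@victim.example>; Tue, 05 Mar 2024 10:15:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.20])
    by mx.example.net with ESMTP; Tue, 05 Mar 2024 10:14:58 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.org with ESMTPA; Tue, 05 Mar 2024 10:14:31 +0000
From: "Accounts Payable" <accounts@example.org>
To: ceo@victim.example
Subject: Overdue invoice
Date: Tue, 05 Mar 2024 10:14:20 +0000
Message-ID: <20240305101420.1234@example.org>

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 = connecting client
BY_RE = re.compile(r"\bby\s+(\S+)")                    # server that stamped the header


def parse_received(raw_message):
    """Received headers as a list of hops, oldest (closest to the sender) first.
    Each hop: the IP the receiving server saw, the server that stamped it, the time."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        clauses, _, stamp = value.rpartition(";")  # the timestamp follows the last ';'
        ip = IP_RE.search(clauses)
        by = BY_RE.search(clauses)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops. A negative or implausibly large value
    points at clock skew on a relay or at a forged/inserted header."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]


def originating_ip(hops):
    """IP recorded by the earliest relay. Only headers written by servers you
    trust are reliable; anything the sender's own software put below them can
    be forged, so read the chain from the recipient's server downward."""
    return hops[0]["from_ip"] if hops else None


def timeline(raw_message):
    """Summary an analyst would paste into notes: origin, path, delays, claimed Date."""
    hops = parse_received(raw_message)
    claimed = message_from_string(raw_message)["Date"]
    return {
        "origin_ip": originating_ip(hops),
        "path": [h["by"] for h in hops],
        "delays_s": hop_delays(hops),
        "claimed_date": parsedate_to_datetime(claimed),
        "first_relay_time": hops[0]["time"] if hops else None,
    }


if __name__ == "__main__":
    for key, val in timeline(SAMPLE_MAIL).items():
        print(f"{key}: {val}")
```

The Date header is set by the sender's client and proves nothing by itself; the Received timestamps are set by each relay, so the gap between the claimed Date and the first relay's stamp, and the gaps between relays, are what an analyst compares against other evidence.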
Recording Cryptographic Checksums of Critical Files
• When a system or information has been
compromised, who knows what actions the
intruder took on the victim system?
• The integrity of files and data must be verified.
• The investigator must check the integrity of
system information and the last time the system
information was accessed.
• To check these attributes, the responder will
need to compare the current system state against
a “known-good” system state.
• Any changes to the system state will then be
investigated.
• When you have known-good copies, you can compare them to the
versions of the files after the incident. If the file and a known-good
copy match perfectly, then the file’s integrity is verified.
• The problem lies in performing the comparison—do you examine
the files line by line or do you compare attributes such as file size?
• SOLUTION: The solution is to use cryptographic checksums. A cryptographic checksum, also known as a message digest or fingerprint, is a fixed-length value computed from the entire contents of a file. It is not a digital signature: no key is involved, so it proves only that the contents are unchanged, not who produced them.
• The checksum is created by applying a hash algorithm to a file. For a sound hash function, any change to the file produces a different checksum and it is infeasible to construct two different files with the same checksum, so a checksum is an ideal attribute to use when verifying file integrity.
• For pre-incident preparation, create checksums for critical system files before an incident occurs and keep the list off the system or on read-only media (an intruder who can replace a file can also edit a checksum list stored next to it). Then, in the event of an incident, create new checksums for the same critical files and compare the two versions. If the checksums match, the files have not been modified.
a) Using the MD5 Algorithm to Create Checksums
• For many years the most commonly accepted and used checksum was the MD5 algorithm, created by Ron Rivest of MIT and published in April 1992 as RFC 1321.
• MD5 collisions have been practical since 2004 (and SHA-1 collisions since 2017), meaning an attacker can craft two different files with the same checksum. Current practice is to record a SHA-256 checksum as well; the examples below use MD5 because that is what the classic tools produce.
• The MD5 algorithm creates a 128-bit checksum from
any arbitrarily large file.
• Many implementations of this algorithm exist for
common operating systems, including Unix and
Windows variants.
• For Unix systems, just use the target file as the only command-line argument:
Input: [root@localhost /root]# md5sum /bin/login
Output: 113b07d56e9c054fe2d7f15462c7b90a /bin/login
The fixed-length checksum, along with the input filename, is the output.
• For Windows systems, the usage is similar, except when creating checksums for binary files. Here is the correct usage for creating an MD5 checksum on a text file under Windows:
Input: C:\>md5sum boot.ini
Output: f44ece28ee23cd9d1770a5daf6cf51bf boot.ini
• When creating an MD5 checksum on a binary file, use the -b
flag (this flag is unnecessary on Unix systems):
C:\>md5sum -b test.doc
95460dd2eabc0e51e2c750ae8c0cd4b5 *test.doc
• The asterisk (*) preceding the filename indicates that the
input is a binary file.
• Our test.doc file contains the text “This is a test document.”
When we edit the file and change the text to “This is a test
document2,” we see the following checksum:
C:\>md5sum -b test2.doc
cc67710c67ef69ed02c461c9a9fbe47e *test2.doc
• Notice that the checksum has changed, since the contents of
the file changed. (Note that a filename change does not affect
the checksum.)
b) Automating the Pre-incident Checksums
• The creation of checksums is straightforward, but actually
computing the checksums for a system manually would be a
laborious, time-consuming process. Fortunately, scripting
languages can automate the process of saving checksums of
critical files.
• As a simple example, create a list of files (named list) that
require checksums:
[root@response root]# cat list
/bin/login
/sbin/ifconfig
/etc/passwd
• Next, create checksums for all listed files:
[root@response root]# md5sum `cat list` > list.md5
[root@response root]# cat list.md5
113b07d56e9c054fe2d7f15462c7b90a /bin/login
fe93307aa595eb82ca751e8b9ce64e49 /sbin/ifconfig
fa0ebff965b4edbdafad746de9aea0c3 /etc/passwd
• Finally, you can verify the checksums at any point in the
future:
[root@response root]# md5sum -c list.md5
/bin/login: OK
/sbin/ifconfig: OK
/etc/passwd: OK
• Free and commercial products also automate this process.
One of the first tools to ever perform this task was the
Tripwire package.
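The md5sum list above is the manual version of this workflow. The following Python script, added here as an illustration and not part of the original notes or of any tool they mention, automates the same pre-incident baseline and post-incident comparison with SHA-256, and additionally reports files that have disappeared (which md5sum -c only flags as an open error). The files it creates in a temporary directory are constructed stand-ins for /bin/login, /sbin/ifconfig and /etc/passwd.

```python
import hashlib
import json
import os
import shutil
import tempfile

HASH = "sha256"          # the notes above use MD5; SHA-256 has no practical collision attack
READ_SIZE = 64 * 1024


def hash_file(path):
    """Digest of a file's full contents, read in chunks so large binaries are fine."""
    h = hashlib.new(HASH)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(READ_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Pre-incident step: record the digest of every critical file."""
    return {path: hash_file(path) for path in paths}


def save_baseline(baseline, out_path):
    # Keep this file off the monitored host or on read-only media: an intruder
    # who can replace /bin/login can also rewrite a baseline stored next to it.
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def verify_baseline(baseline):
    """Post-incident step: re-hash each listed file and classify it as
    OK, MODIFIED or MISSING (the equivalent of `md5sum -c list.md5`)."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
        elif hash_file(path) == expected:
            report[path] = "OK"
        else:
            report[path] = "MODIFIED"
    return report


def demo():
    """Constructed scenario: three stand-in files, a baseline, then an 'intrusion'
    that trojans one file and deletes another. Returns {basename: status}."""
    work = tempfile.mkdtemp()
    stand_ins = {                                      # constructed contents, not real binaries
        "login": b"\x7fELF ... stand-in for /bin/login",
        "ifconfig": b"\x7fELF ... stand-in for /sbin/ifconfig",
        "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    }
    paths = {}
    for name, body in stand_ins.items():
        paths[name] = os.path.join(work, name)
        with open(paths[name], "wb") as fh:
            fh.write(body)
    baseline_file = os.path.join(work, "list." + HASH)
    save_baseline(build_baseline(paths.values()), baseline_file)

    with open(paths["login"], "ab") as fh:             # attacker appends a backdoor
        fh.write(b"\x90\x90 backdoor")
    os.remove(paths["ifconfig"])                       # attacker deletes a tool

    report = verify_baseline(load_baseline(baseline_file))
    shutil.rmtree(work)
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it on a real host by replacing the constructed paths with the list of critical files, saving the baseline somewhere the host cannot write to, and scheduling the verification step.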
• In digital forensics, there are two types of acquisition:
• Static acquisition: the preferred way to collect digital evidence when a computer is seized powered off, for example during a police raid. The drive is removed (or connected through a write blocker) and imaged without booting the suspect system.
• Live acquisition: collecting digital evidence while the computer is powered on and the suspect is logged in. This type is preferred when the hard disk is encrypted (the decryption key is only available while the system is running) and whenever volatile data such as memory contents and active network connections is needed.
For both types, there are four methods of collecting data:
1. Creating a disk-to-image file: the most common method. The investigator creates one or many bit-for-bit copies of the original drive as image files. Forensic tools such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART and The Sleuth Kit can read the different disk-to-image formats (raw/dd, E01 and so on). A raw image is as large as the source drive; container formats such as E01 can compress the data and carry hashes and case metadata. Image files are therefore usually stored on large external drives or a storage server.
2. Creating a disk-to-disk copy: used when a disk-to-image acquisition fails because of hardware or software errors or incompatibilities, which investigators meet mostly with older drives. Tools such as EnCase and SafeBack copy the entire disk bit-stream to a newer target disk and can adjust the target disk's geometry to match the original. This is disk cloning: an exact, uncompressed 1-to-1 replica of the drive. A clone can be put into a machine and run quickly, but it is less flexible than an image file (it holds exactly one copy and cannot be compressed or stored alongside other images), so an image is preferred whenever one can be made.
3. Creating a logical disk-to-disk or disk-to-data file: the preferred method with large data storage such as RAID servers. It captures only specific files or file types of interest to the case, and is used when time is limited or the full volume is too large to image.
4. Creating a sparse copy of a folder or file: similar to a logical acquisition, but it also collects fragments of deleted (unallocated) data. It is used when the investigator does not need to examine the whole drive.
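As an added example (not code from the notes or from any of the tools listed above), the script below performs a disk-to-image acquisition as described in method 1, with the hash verification that the "Hash Values" and "Digital Evidence is Fragile" material later in this unit describes: it streams the source through in chunks, hashes the bytes as they are copied, writes a sidecar log, re-hashes the image to verify it, and then shows that flipping a single bit in a copy breaks verification. The source it images is a constructed temporary file standing in for a block device such as /dev/sdb; on a real acquisition the device would be attached through a write blocker.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20                       # 1 MiB per read: dd-style streaming, never the whole disk in RAM
ALGOS = ("md5", "sha1", "sha256")     # MD5/SHA-1 match older tool output; SHA-256 resists collisions


def _new_digests():
    return {name: hashlib.new(name) for name in ALGOS}


def hash_stream(path):
    """Hash a file or block device in a single read pass."""
    digests = _new_digests()
    with open(path, "rb") as fh:      # read-only open; a hardware write blocker still belongs in front of real evidence
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire_image(source, image):
    """Disk-to-image: bit-for-bit copy of `source` into the file `image`,
    hashing the source bytes as they stream past (the equivalent of piping dd
    through md5sum/sha256sum). Writes a sidecar .log and returns the hashes."""
    digests = _new_digests()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            size += len(block)
            for d in digests.values():
                d.update(block)
    hashes = {name: d.hexdigest() for name, d in digests.items()}
    with open(image + ".log", "w") as log:
        log.write(f"source={source}\nbytes={size}\n")
        log.writelines(f"{name}={value}\n" for name, value in hashes.items())
    return hashes


def verify_image(image, expected):
    """Re-hash the image and compare with the hashes recorded at acquisition.
    Returns (all_match, actual_hashes)."""
    actual = hash_stream(image)
    return all(actual[a] == expected[a] for a in ALGOS), actual


def flip_one_bit(path, offset=4096):
    """Simulate the smallest possible alteration (a stray write, a boot from the
    suspect disk): XOR one bit at `offset`."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo():
    """Constructed acquisition: 3 MiB of random bytes stand in for a small disk."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sdb")     # stand-in for /dev/sdb
    image = os.path.join(work, "sdb.dd")
    with open(device, "wb") as fh:
        for _ in range(3):
            fh.write(os.urandom(CHUNK))

    expected = acquire_image(device, image)
    clean_ok, _ = verify_image(image, expected)

    tampered = os.path.join(work, "sdb-touched.dd")
    shutil.copyfile(image, tampered)
    flip_one_bit(tampered)
    tampered_ok, tampered_hashes = verify_image(tampered, expected)
    shutil.rmtree(work)
    return {
        "clean_verifies": clean_ok,
        "tampered_verifies": tampered_ok,
        "hashes": expected,
        "tampered_hashes": tampered_hashes,
    }


if __name__ == "__main__":
    result = demo()
    print("clean image verifies:", result["clean_verifies"])
    print("one-bit-changed copy verifies:", result["tampered_verifies"])
    for algo in ALGOS:
        print(f"{algo}: {result['hashes'][algo]}  ->  {result['tampered_hashes'][algo]}")
```

Hashing the source during the copy rather than in a separate pass matters on failing drives, where every extra read risks another error; the image is then hashed on its own and the two sets of digests go into the acquisition log.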
2. Acquisition Tools
• Take reference from CSF LAB FILE
3. Evidence Collection
Collection: The collection phase of computer
forensics is when artifacts considered to be of
evidentiary value are identified and collected.
• Normally these artifacts are digital data in the
form of disk drives, flash memory drives, or
other forms of digital media and data, but
they can include supporting artifacts such as
corporate security policies, operating
manuals, and backup procedures.
• Even after the police are called in, the process of
collecting digital evidence usually involves several
people: the first responders (officers or official security
personnel who arrive first at the crime scene), the
investigator or investigative team, and the crime
scene technicians and specialists who are called out to
process the evidence.
• It is important that one person be designated in charge of the scene who has the authority to make final decisions as to how the scene will be secured, how the search will be conducted, and how the evidence will be handled. This is usually the role of the senior investigator. It is equally important that each member of this team understand his or her role and adhere to it.
• The ability of the team to work together is essential to
the successful collection of evidence.
a) Role of First Responders
The first responder should not attempt to shut down or unplug the computer or access it to look for evidence. The first responder should be concerned with the following tasks:
1. Identifying the crime scene: Officers who arrive first at the scene should identify the
scope of the crime scene and establish a perimeter. This might include only one area
of a room or it might include several rooms or even multiple buildings if the suspect is
working with a complex setup of networked computers. First responders can begin
compiling a list of systems that might have been involved in the criminal incident and
from which evidence will be collected.
2. Protecting the crime scene: In a cybercrime case where digital evidence is sought, all computer systems, including those that appear to be powered off or non-functional, should be considered part of the crime scene, as should laptop, notebook, and other portable computers (including handheld computers and PDAs). The items subject to seizure may be limited by the wording of the applicable search warrant, but first responders should cordon off and protect as much of the computer and electronic equipment as possible and wait for the investigator in charge of the case to determine what equipment, if any, will be excluded.
3. Preserving temporary and fragile evidence: In the case of evidence that could
disappear before investigators arrive (such as information that is on the monitor and
changing), first responders should take any possible steps to preserve or record it. If a
camera is available, photos of the screen will preserve a record of what was there. If
no camera is available, officers should take detailed notes and be prepared to testify
in court as to what they saw.
b) The Role of Investigators
The IT incident response team might have already begun to collect evidence in some cases. If so, the best
practice is to have one person from the IT team coordinate the hand-over of that evidence with one
person from the police investigative team. The investigator (or the investigative team) is generally
responsible for coordinating the activities of all others at the scene and will be responsible for the
following:
1. Establishing the chain of command : The investigator in charge of the scene should ensure
that everyone else is aware of the chain of command and that important decisions are filtered through
him or her. Computers and related equipment should not be accessed, moved, or removed without
explicit instructions from the senior investigator. The investigators shape and control the investigation.
If the investigator in charge has to leave the scene, he or she should designate a person remaining on
the scene to be in charge of the scene and stay in close contact with that person until all evidence has
been collected and moved to secure storage.
2. Conducting the crime scene search: An investigator should direct the search of the crime scene, which may be carried out by investigators or by other officers. If the search warrant allows, officers should look for all computer hardware, software, manuals, written notes, and logs related to the operation of the computers. This includes printers, scanners, and all storage media: diskettes, optical discs (CDs, DVDs, and so on), tapes, Zip or Jaz and other removable disks, and any "extra" hard disks that might be lying around.
3. Maintaining integrity of the evidence: Investigators should continue to protect the evidence as preparations are made to preserve volatile evidence, duplicate the disks, and properly shut down the system. The investigator should oversee the actions of the crime scene technicians and convey any special considerations that should be taken based on the nature of the case and knowledge of the suspect(s).
c) The Role of Crime Scene Technicians
Crime scene technicians responding to a cybercrime case should, if at all possible, be specifically trained in
computer forensics.
1. Preserving volatile evidence and duplicating disks: Volatile data is what exists only in the computer's memory: the running processes, open network connections, logged-in users and any encryption keys in use. It is lost the moment power is removed, so it is captured first. Disks should be duplicated prior to shutdown, in case the system is rigged to wipe the disks on startup.
2. Shutting down the systems for transport: Proper shutdown is important to maintain the integrity of the original evidence. One school of thought says the computer should be shut down through the standard method (closing all programs and so on) to avoid corrupting files. Another says that after ensuring that no defragmentation or disk-checking program is running, you should shut down the computer by disconnecting the power cord, to prevent running of self-destruct programs that are set to run on shutdown. UNIX computers usually should not be abruptly shut down this way while the root user is logged on because doing so can damage data. Some forensics experts recommend that the technician change accounts using the su command or, if the root password is available, that the sync; halt command be used before powering off.
3. Tagging and logging the evidence: All evidence should be tagged and/or marked with the initials of the officer or technician, time and date collected, case number, and identifying information. The information on the tag or mark should also be entered in the evidence log.
4. Packaging the evidence: Computer evidence, especially any containing exposed circuit boards (such as hard disks), should be placed in antistatic bags for transport. Paper documentation such as manuals and books should be placed in plastic bags or otherwise protected from damage.
5. Transporting the evidence: All evidence should be transported as directly as possible to the secure evidence storage locker or room. During transport, the evidence should not be allowed to come into contact with any equipment that generates a magnetic field (including police radios and other electronic equipment in the squad car) nor left in the sun or in a vehicle or other place where the temperature rises above about 75 degrees Fahrenheit. The chain of custody must be meticulously maintained during transport.
6. Processing the evidence: When the duplicate disk is brought back to the lab, the disk image can be reconstructed and the data analyzed using special forensics software tools.
Evidence Preservation
• The most effective methods to ensure legal admissibility while
preparing to engage a forensic analyst include the following:
 Drive Imaging
 Hash Values
 Chain of Custody
• 1. Drive Imaging
• Before investigators can begin analyzing evidence from a source, they
need to image it first.
• Imaging a drive is a forensic process in which an analyst creates a bit-for-
bit duplicate of a drive. This forensic image of all digital media helps retain
evidence for the investigation.
• When analyzing the image, investigators should keep in mind that drives that appear to have been emptied or wiped can still retain recoverable data to identify and catalogue. Deleted files can often be recovered in full as long as the blocks they occupied have not been overwritten; a properly wiped drive, by contrast, yields little.
• As a rule, investigators should exclusively operate on the duplicate image
and never perform forensic analysis on the original media.
• In fact, once a system has been compromised, it is important to do as little
as possible – and ideally nothing – to the system itself other than isolating
it to prevent connections into or out of the system and capturing the
contents of live memory (RAM), if needed.
• Limiting actions on the original computer is important, especially if
evidence needs to be taken to court, because forensic investigators must
be able to demonstrate that they have not altered the evidence
whatsoever by presenting cryptographic hash values, digital time stamps,
legal procedures followed, etc.
• A piece of hardware that helps facilitate the legal defensibility of a forensic
image is a “write blocker”, which investigators should use to create the
image for analysis whenever one is available.
2. Hash Values
• When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5 and SHA-1 traditionally, SHA-256 in current practice) of the source media and of the image.
• The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.
• Hash values are critical, especially when admitting evidence into court, because altering even a single bit of data produces a completely different hash value.
• A file does not carry a stored hash value; the value is computed from the file's contents whenever a tool asks for it, so a file that has been created or edited hashes to a new value the next time it is checked.
• Hash values, like much file metadata, are not shown in a normal file explorer window, but forensic suites and command-line hashing tools compute them on demand.
• If the hash values do not match the expected values, it may
raise concerns in court that the evidence has been
tampered with.
3. Chain of Custody
• As investigators collect media from their client and transfer it when
needed, they should document all transfers of media and evidence on
Chain of Custody (CoC) forms and capture signatures and dates upon
media handoff. (Chain of custody is a legal term referring to the order and
manner in which physical or electronic evidence in criminal and civil
investigations has been handled.)
What are the steps in the chain of custody?
 Taking notes, including documentation of the recovery location, the time
and date recovered or received, description of the item, condition of the
item and any unusual markings on or alterations to the item.
 Marking and packaging the evidence.
 Sealing the evidence.
 Preparing the chain-of-custody record.
• It is essential to remember chain-of-custody paperwork.
• This artifact demonstrates that the image has been under
known possession since the time the image was created.
• Any lapse in chain of custody nullifies the legal value of the
image, and thus the analysis.
• Any gaps in the possession record, including any time the
evidence may have been in an unsecured location are
problematic.
• Investigators may still analyze the information but the
results are not likely to hold up in court against a
reasonably tech-savvy attorney.
• Forms that investigators use to clearly and easily document
all records of change of possession are easy to find on the
Internet; we use the NIST Sample CoC to maintain the chain
of custody audit trail.
What is Digital Evidence?
Computer forensics is the discovery, analysis and reconstruction of evidence extracted from and/or contained in a computer, computer system, computer network, computer media or computer peripheral.
Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination, the aim being to link the criminal with the crime.
Sources of Digital/Electronic Evidence
The Internet
• What people do on the internet is typically not easily erased. Internet-based evidence may include
websites that have been visited, keywords that were searched and even items that were downloaded
from the web to a user's device.
• This category can also encompass the ever-prevalent social media activity that may give police valuable
leads in their investigation.
Computers
• Computers may be the most obvious choice as a source of evidence in digital crimes since the backend of a
system can tell the story about what a criminal might have been up to the days leading up to his or her
arrest.
• Stored files may become important pieces of evidence but it's also important to look into files or programs
that the suspect may have tried to hide or delete. Evidence of digital crimes may be on the computer's
hard drive or other peripheral equipment. Computers include desktop and laptop devices.
Removable Media
• Removable media such as disks, flash drives, and memory cards are often a viable hiding place for a
criminal's handiwork. This means that files saved on a flash drive or even photographs taken and stored on
a camera's memory card may be admissible in court proceedings.
Mobile Devices
• Investigators frequently use a suspect's mobile devices not only to track their location (using cell tower records to establish approximately where the device was) but also to examine text message conversations or mobile web searches. Investigators might also check social media accounts to see what photos were posted so they can learn more about a suspect's movements. Mobile devices include tablets and smartphones.
Types of electronic devices secured from the crime scene
 Storage Devices
 Handheld Devices
 Peripheral Devices
 Network Devices
 Other potential sources of digital evidence

Storage Devices
Hard drives, external hard drives, memory cards, removable media, thumb drives.
Potential evidence: E-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs that can be valuable evidence in an investigation or prosecution.
Handheld Devices
Potential evidence: Software
applications, data, and information
such as documents, e-mail
messages, Internet browsing
history, Internet chat logs and
buddy lists, photographs, image
files, databases, and financial
records that are valuable evidence
in an investigation or prosecution.

BEWARE !!!!!
• Digital evidence may be lost if power is not maintained.
• Digital evidence can be overwritten or deleted while the device remains activated.
• Software can be activated remotely to render the device unusable and make the data it contains inaccessible.
Peripheral Devices
Potential evidence: The devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use also is evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.
Network Devices
Potential evidence: The connected devices themselves. The device functions, capabilities, and any identifying information associated with the computer system; components and connections, including Internet Protocol (IP) and local area network (LAN) addresses associated with the computers and devices; broadcast settings; and media access control (MAC) or network interface card (NIC) addresses may all be useful as evidence.
Other potential sources of digital evidence
Potential evidence: The device or item itself, its intended or actual use, its functions or capabilities, and any settings or other information it may contain is potential evidence.
Digital Evidence is Sensitive to
 Static electricity
 Magnetic fields
 Shock
 Moisture
Tools & Material for Collecting Digital
Evidence
 Cameras (photo and video).
 Cardboard boxes.
 Notepads.
 Gloves.
 Evidence inventory logs.
 Evidence tape.
 Paper evidence bags.
 Evidence stickers, labels, or tags.
 Crime scene tape.
 Antistatic bags.
 Permanent markers.
 Nonmagnetic tools.
Securing and Evaluating the Crime Scene for Digital Evidence
 Follow departmental policy for securing crime scenes.
 Immediately secure all electronic devices.
 Ensure that no unauthorized person has access to any electronic devices.
 Refuse offers of help or technical assistance from any unauthorized persons.
 Remove all persons from the crime scene.
 Ensure that the condition of any electronic device is not altered.
 STOP! Leave a computer or electronic device off if it is already turned off.
 Preserve components such as keyboard, mouse and removable storage media for physical evidence such as fingerprints or DNA.
If a computer is on, or its power state cannot be determined, check for:

 The sound of fans or drives spinning, or light-emitting diodes that are on.
 Signs on the display screen that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
 Indications that the computer is being accessed from a remote computer or device.
 Active communications with other computers, such as instant messaging or chat rooms.
 Web cameras (webcams), and whether they are active.

Relevant information to be recorded along with the digital evidence:

 Purpose of the computer
 Computer / login names
 Document / e-mail / login passwords
 Security software / provisions
 Internet connectivity details
 User details
Chain of Custody Form

"Chain of custody" refers to the document or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence. A chain of custody is the process of validating how any kind of evidence has been gathered, tracked and protected. A piece of evidence is worthless without a chain of custody.

A chain of custody form must answer the following questions:

1. What is the evidence?
2. How did the analyst get it?
3. When was it collected?
4. Who has handled it?
5. Why did those persons handle it?
6. Where has the evidence traveled?
7. Where was the evidence ultimately stored?
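The seven questions above map directly onto the fields of a custody record, and a record can be checked mechanically for the one defect that most often breaks a chain: an undocumented hand-off. The following is an added example (not code from the slides): each entry records when, who released, who received, why and where; verify_chain() confirms that the first entry is the seizure, that every later release is made by the last recorded holder, and that timestamps never run backwards. All names, the exhibit id and the hash value are constructed sample values.

```python
"""Chain-of-custody record check (added example; not code from the page).

Each custody entry records when the evidence was handled, who released and
who received it, why it was handled and where it was at the time; the
record itself says what the evidence is and the hash taken at acquisition.
verify_chain() checks that the trail is continuous: the first entry is the
seizure, every later release is by the last recorded holder, and times
never run backwards. All identifiers and values are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class CustodyEntry:
    when: datetime        # when: time of the hand-off
    from_person: str      # who released it ("" for the initial seizure)
    to_person: str        # who received it
    action: str           # why it was handled: seized, transported, imaged, stored
    location: str         # where the evidence was at that point


@dataclass
class EvidenceRecord:
    evidence_id: str      # what the evidence is
    description: str
    sha256: str           # hash recorded at acquisition (placeholder value below)
    entries: List[CustodyEntry]


def verify_chain(record: EvidenceRecord) -> List[str]:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems: List[str] = []
    if not record.entries:
        return ["no custody entries"]
    if record.entries[0].from_person:
        problems.append("entry 0: first entry must be the seizure (no releasing party)")
    prev = None
    for i, e in enumerate(record.entries):
        if not e.to_person:
            problems.append(f"entry {i}: missing receiving custodian")
        if prev is not None:
            if e.when < prev.when:
                problems.append(f"entry {i}: timestamp earlier than entry {i - 1}")
            # the releasing party must be the last recorded holder; anything
            # else is an undocumented transfer, i.e. a gap in the chain
            if e.from_person != prev.to_person:
                problems.append(
                    f"entry {i}: released by {e.from_person!r} but last holder was {prev.to_person!r}"
                )
        prev = e
    return problems


def _base_record(entries: List[CustodyEntry]) -> EvidenceRecord:
    return EvidenceRecord(
        evidence_id="EXHIBIT-001",                 # constructed sample id
        description="2.5in laptop HDD, serial SN-SAMPLE-123 (constructed)",
        sha256="0" * 64,                           # placeholder for the acquisition hash
        entries=entries,
    )


def sample_intact() -> EvidenceRecord:
    """A continuous chain: seizure, transport, imaging, storage (constructed)."""
    return _base_record([
        CustodyEntry(datetime(2010, 3, 23, 9, 0), "", "Officer A", "seized", "suspect premises"),
        CustodyEntry(datetime(2010, 3, 23, 11, 30), "Officer A", "Examiner B", "transported", "forensic lab intake"),
        CustodyEntry(datetime(2010, 3, 24, 10, 0), "Examiner B", "Examiner B", "imaged", "forensic lab bench"),
        CustodyEntry(datetime(2010, 3, 24, 16, 0), "Examiner B", "Evidence Clerk C", "stored", "evidence locker 7"),
    ])


def sample_with_gap() -> EvidenceRecord:
    """Same chain, but the transport hand-off was never recorded."""
    rec = sample_intact()
    del rec.entries[1]          # Officer A -> Examiner B transfer is missing
    return rec


if __name__ == "__main__":
    print("intact:", verify_chain(sample_intact()) or "OK")
    print("gap:   ", verify_chain(sample_with_gap()))
```

The gap case is the one a court will ask about: the record shows Examiner B releasing evidence that, on paper, was last in Officer A's hands, so the form cannot answer "who handled it and why" for that interval.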
Digital Evidence is Fragile

Image file:
Hash Result: 9046216413E94651BD0A6710629AF09B
After altering only one pixel in the original image:
Hash Result: E0AA50C70414562B29C6DB660FA9BC2A

Document file:
Date of Creation: 3 Jan 2010
Hash Result: AFE57B9D7AC0D161BF87C0A7EECC35F9
After accessing the doc file directly from the suspect drive:
Date of Access: 23 March 2010
Hash Result: D0AF512F32D05B6D80E3AD9FF73092B4

Suspect hard disc:
Hash Result: e83fd31b3a275e653146a6ed0de7fca09bd2ae565d8
After erroneously booting from the suspect hard disc:
Hash Result: 68105f7fa96166ed3173e700a3bdc7d1603ccdd2f9b

Probable reasons:
1. Startup program executed.
2. Access date & time of OS files changed.
Best Practices for Cyber Forensics Procedure

Cyber Forensic Process

 Acquire
 Authenticate
 Analyze
 Document
Sanitizing the investigator's media for storing images of suspect media for investigation

(Figure: hardware drive sanitizer. Sanitizes hard drives at 7GB/min, or at speeds exceeding 3GB/min for 9 drives simultaneously.)

Imaging with Care

 Attaching suspect storage media to the forensic workstation for imaging.
Imaging & Data Retrieval Tools

 WinHex
 Norton Ghost 2000
 ByteBack
 EnCase
 FTK
 These tools can retrieve data from deleted files, hidden files, files with changed extensions, steganographic and camouflaged files, encrypted files, etc.
 It is believed that even after formatting the system for up to 7 levels, some traces of data can still be retrieved.
 Data can also be retrieved from hard discs that are damaged, burnt, broken or submerged in water.
 Mobiles: it is possible to retrieve data from damaged, burnt or broken SIM cards and mobile phones.
 Deleted SMSs can also be retrieved from SIM cards (stored in PDU format, Protocol Data Unit).
Imaging Devices

(Figures, captions only:)
 Tower for multiple hard disc imaging
 "Image Master" device for imaging
 Portable devices for forensic analysis
 Portable suitcase for forensic analysis
Authenticate

(Figure: image file with its acquisition hash value and verification hash value.) If the acquisition hash equals the verification hash, the image is authentic.
Cyber Forensics Documentation

 A forensic examination report must:
* List the software used and their versions
* Be in simple language
* List the hash results
* List all storage media numbers, models, etc.
* Be supported by photographs

 Case analysis details must include:
* Introduction
* Background of the issue
* Detailed steps of the forensic analysis carried out
* Certificate of the cyber forensic expert
Potential Digital Evidence in Various Cases

Child Abuse and Exploitation Cases
 Computers
 Mobile communication devices
 External data storage devices
 Video and still photo cameras and media
 Printed e-mail, notes, letters and maps
 Web cameras and microphones
 Internet activity records
 Photo editing and viewing software
 References to user-created folders and file names that classify images
 Digital camera software
 Printed images or pictures

Computer Intrusion Cases
 Computers
 Mobile communication devices
 Lists of Internet protocol addresses
 Lists or records of computer intrusion software
 Executable programs
 Wireless network equipment
 Network devices, routers, switches
 Printed computer program code
 External data storage devices
 Usernames and passwords
 Antennas

Terrorism Cases
 Computers
 Hand-held mobile devices
 Lists of Internet protocol addresses
 Communication devices
 Wireless network equipment
 Information regarding steganography
 Voice over Internet Protocol (VoIP) equipment
 Network devices, routers, switches
 GPS equipment
Computer Forensic Analysis and Validating Forensic Data

Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on:
– Nature of the case
– Amount of data to process
– Search warrants and court orders
– Company policies
• Scope creep
– Investigation expands beyond the original description
• Right of full discovery of digital evidence
Approaching Computer Forensics Cases
• Basic steps for all computer forensics investigations:
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related to the investigation
• Make your best effort to recover file contents

Guide to Computer Forensics and Investigations
Approaching Computer Forensics Cases (continued)
• Basic steps for all computer forensics investigations
– Identify the function of every executable (binary or .exe) file that doesn't match known hash values
– Maintain control of all evidence and findings, and document everything as you progress through your examination
Refining and Modifying the Investigation Plan
• Considerations
– Determine the scope of the investigation
– Determine what the case requires
– Whether you should collect all information
– What to do in case of scope creep
• The key is to start with a plan but remain flexible in the face of new evidence
Validating Forensic Data
• One of the most critical aspects of computer forensics
• Ensuring the integrity of data you collect is essential for presenting evidence in court
• Most computer forensic tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
– Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
Validating with Hexadecimal Editors
• Advanced hexadecimal editors offer many features not available in computer forensics tools
– Such as hashing specific files or sectors
• Hex Workshop provides several hashing algorithms
– Such as MD5 and SHA-1
• Hex Workshop also generates the hash value of selected data sets in a file or sector
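The three hash slides earlier ("Digital Evidence is Fragile", the acquisition/verification hash under "Authenticate") and the sector hashing described here are one mechanism, so one added example covers all of them. This is example code written for this page, not a tool from the slides: a constructed byte string stands in for the source media, acquire() copies it and records the acquisition hash, verify() recomputes and compares, flip_one_byte() reproduces the "one pixel changed" case, and hash_sectors() hashes a chosen sector range the way an advanced hex editor does, which lets changed_sectors() say where the image was altered, not just that it was. The sector size, the sample media and the byte offset are assumptions.

```python
"""Acquisition and verification hashes (added example; not code from the page).

A constructed byte string stands in for the source media. acquire() copies
it and records the acquisition hash; verify() recomputes the hash over the
image and compares. flip_one_byte() reproduces the slide's "one pixel
changed" case, and hash_sectors() hashes a specific sector range the way
an advanced hex editor does, which localises where the change happened.
Sector size, the sample media and the offsets are assumptions.
"""
import hashlib
from typing import List, Tuple

SECTOR_SIZE = 512   # assumed sector size


def acquire(source: bytes, algo: str = "sha256") -> Tuple[bytes, str]:
    """Copy the source media (a write-blocked read in practice) and hash the copy."""
    image = bytes(source)
    return image, hashlib.new(algo, image).hexdigest()


def verify(image: bytes, acquisition_hash: str, algo: str = "sha256") -> bool:
    """True when the verification hash equals the acquisition hash."""
    return hashlib.new(algo, image).hexdigest() == acquisition_hash


def hash_sectors(image: bytes, first: int, count: int, algo: str = "md5") -> str:
    """Hash only sectors [first, first+count), as a hex editor would for a selection."""
    start = first * SECTOR_SIZE
    return hashlib.new(algo, image[start:start + count * SECTOR_SIZE]).hexdigest()


def flip_one_byte(image: bytes, offset: int) -> bytes:
    """Return a copy of the image with a single bit of one byte changed."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


def changed_sectors(original: bytes, candidate: bytes) -> List[int]:
    """Sector numbers whose per-sector hash differs between two images."""
    n = (len(original) + SECTOR_SIZE - 1) // SECTOR_SIZE
    return [s for s in range(n)
            if hash_sectors(original, s, 1) != hash_sectors(candidate, s, 1)]


# Constructed 2048-byte "media": four sectors of a repeating byte pattern.
SAMPLE_MEDIA = bytes(range(256)) * 8


if __name__ == "__main__":
    image, acq_hash = acquire(SAMPLE_MEDIA)
    print("acquisition hash :", acq_hash)
    print("verified         :", verify(image, acq_hash))
    altered = flip_one_byte(image, 1000)      # one byte inside sector 1
    print("after 1-byte edit:", verify(altered, acq_hash))
    print("changed sectors  :", changed_sectors(image, altered))
```

A whole-image hash only says "changed"; hashing per sector is what tells an examiner whether the difference is one stray write (a boot that touched OS file timestamps, as on the slide) or something larger.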
NETWORK FORENSICS
• Network forensics can be generally defined as the science of discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible in court.
• Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
• Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
• Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.
The FIVE RULES are that evidence must be:

 Admissible. Must be able to be used in court or elsewhere.
 Authentic. Evidence relates to the incident in a relevant way.
 Complete. No tunnel vision; exculpatory evidence for alternative suspects is included.
 Reliable. No question about authenticity and veracity.
 Believable. Clear, easy to understand, and believable by a jury.

The primary activities of network forensics are investigative in nature. The investigative process encompasses the following:
 Identification
 Preservation
 Collection
 Examination
 Analysis
 Presentation
 Decision
• NETWORK FORENSICS is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
• It helps in identifying unauthorized access to a computer system, and in searching for evidence in case of such an occurrence.
• Network forensics is the ability to investigate, at a network level, things taking place or that have taken place across an IT system.
• There are three parts to network forensics: intrusion detection, logging (the best way to track down a hacker is to keep vast records of activity on a network with the help of an intrusion detection system) and correlating intrusion detection and logging.
• The ultimate goal of network forensics is to provide sufficient evidence to allow the criminal perpetrator to be successfully prosecuted.
• The practical application of network forensics could be in areas such as hacking, fraud, insurance companies, data theft—industrial espionage, defamation, narcotics trafficking, credit card cloning, software piracy, electoral law, obscene publication, murder, sexual harassment, and discrimination.
• Network forensics generally has two uses:
• The first, relating to security, involves monitoring a network for anomalous/unusual traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis.
• The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.
• Two systems are commonly used to collect network data: a brute-force "catch it as you can" and a more intelligent "stop, look, listen" method.
A generic network forensic examination includes the following steps: identification, preservation, collection, examination, analysis, presentation and incident response.

The following is a brief overview of each step:
• Identification: recognizing and determining an incident based on network indicators. This step is significant since it has an impact on the following steps.
• Preservation: securing and isolating the state of physical and logical evidence from being altered, for example by protection from electromagnetic damage or interference.
• Collection: recording the physical scene and duplicating digital evidence using standardized methods and procedures.
• Examination: an in-depth, systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
• Analysis: determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
• Presentation: summarizing and providing an explanation of the drawn conclusions.
• Incident Response: the response to the attack or intrusion detected is initiated based on the information gathered to validate and assess the incident.
• Network forensics analysis, like any other forensic investigation, presents many challenges. The first challenge is related to traffic data sniffing.
• Depending on the network configuration and security measures where the sniffer is deployed, the tool may not capture all desired traffic data.
• To solve this issue, the network administrator should use a SPAN port on network devices in multiple places of the network (SPAN (Switched Port Analyzer)/port mirroring is a dedicated port on a switch that takes a mirrored copy of network traffic from within the switch to be sent to a destination).
• One tedious task in network forensics is data correlation.
• An attacker may encrypt the traffic, usually using an SSL VPN connection (a Secure Socket Layer Virtual Private Network (SSL VPN) lets remote users access Web applications, client-server apps, and internal network utilities and directories without the need for specialized client software). For a network investigator, the address and port are still visible; however, the data stream is not available. More logging and additional sleuthing/careful investigation should be performed in order to determine which data was transferred.
• Another challenge is determining the source of an attack, since an attacker may use a zombie machine, an intermediate host to perform an attack, or simply a remote proxy server. This makes it difficult for a network investigator to trace the attacker's original address.
• Taking these concerns into consideration, the main task of a network forensics investigator is to analyze network packet captures, known as PCAP (packet capture) files, which hold live network packet data from OSI model layers 2-7. These files are mainly used in analyzing the network characteristics of certain data.
• Items present in network traffic which should be examined include but are not limited to: protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, user agents, application server versions, and operating system versions. This information can be extracted from different types of traffic.
What traffic protocols and network layers are analyzed in network forensics?

Data-link and physical layer examined
• Methods are achieved by eavesdropping on bit streams at the Ethernet layer of the OSI model.
• This can be done using monitoring tools or sniffers such as Wireshark or tcpdump, both of which capture traffic data from a network card interface configured in promiscuous mode (in a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis).
• These tools allow the investigator to filter traffic and reconstruct attachments transmitted over the network.
• Encryption might indicate that the host is suspicious, since an attacker uses encryption to secure his connection and bypass eavesdropping.
• The disadvantage of this method is that it requires a large storage capacity.
Transport and network layer examined (TCP/IP)
• Apply forensic methods at the network layer.
• The network layer provides router information based on the routing table present on all routers, and also provides authentication log evidence.
• Investigating this information helps determine compromised packets, identify the source, and reverse-route and track data.
• Network device logs provide detailed information about network activities.
• Multiple logs recorded from different network devices can be correlated together to reconstruct the attack scenario.
• Network devices have a limited storage capacity.
• Network administrators configure the devices to send logs to a server and store them for a period of time.

Traffic examined based on the use case (Internet)
• The internet provides numerous services such as WWW, email, chat, file transfer, etc., which makes it rich with digital evidence.
• This is achieved by identifying the logs of servers deployed on the internet.
• Servers include web servers, email servers, internet relay chat (IRC), and other types of traffic and communication.
• These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), user account information, etc.

Wireless
• This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones.
• This extends normal traffic data to include voice communications.
• Phone location can also be determined.
• The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues should be taken into consideration.
What types of systems are used to collect network data/traffic? What are some pros and cons of each of these systems?

• Network traffic data collection systems can be of two kinds: "stop, look and listen" or "catch-it-as-you-can".

1. "Catch-it-as-you-can":
• All packets are sent through a traffic point where they are stored in a database.
• After that, analysis is performed on the stored data.
• Analysis data is also stored in the database. The saved data can be kept for future analysis. It should be noted, though, that this type of system requires a large storage capacity.
• In "catch-it-as-you-can" systems, all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode.
• Pro: Comprehensive visibility into all network traffic looking backward (within a reasonable time period).
• Con: This approach requires large amounts of storage, usually involving a RAID system (RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks or solid-state drives to protect data in the case of a drive failure).

2. "Stop, look and listen":
• This system is different from the "catch-it-as-you-can" system, since only the data required for analysis is saved into the database.
• The incoming traffic is filtered and analyzed in real time in memory, which means this system requires less storage but a much faster processor.
• In "stop, look and listen" systems, each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis.
– Pro: This approach requires less storage than a "catch-it-as-you-can" system.
– Con: May require a faster processor to keep up with incoming traffic.
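The two collection modes, and the list of items to pull out of a PCAP file given a few slides earlier (protocol, addresses, ports, timestamps, transferred data), can both be shown on one small capture. The following is an added example written for this page, not a tool named in the slides: build_pcap() writes a constructed capture in memory (little-endian pcap, Ethernet link type, IPv4 carrying TCP or UDP) so the code runs offline; parse_pcap() walks the record headers and decodes the fields listed in the text; catch_it_as_you_can() keeps every parsed packet, payload included, while stop_look_listen() analyses each packet as it passes and retains only per-flow counters. Every address, MAC and payload is a constructed sample value, and checksums are left zero and not validated.

```python
"""Minimal pcap parsing plus the two collection modes (added example; not
code from the page). build_pcap() writes a constructed capture in memory
(little-endian pcap, Ethernet link type, IPv4 with TCP or UDP) so the
parser can be exercised offline; parse_pcap() extracts the items the text
lists: timestamp, protocol, addresses, ports and payload size.
catch_it_as_you_can() keeps every parsed packet, payload included;
stop_look_listen() keeps only per-flow counters in memory. All addresses,
MACs and payloads are constructed sample values.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # standard pcap magic, written little-endian here
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP/UDP frame (checksums left zero; not validated here)."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames: List[Tuple[int, bytes]]) -> bytes:
    """pcap global header followed by (ts_sec, ts_usec, incl_len, orig_len, frame) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes) -> Iterator[dict]:
    """Yield one record per IPv4 packet: ts, src, dst, proto, sport, dport, payload."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != 0x0800:          # non-IPv4 frames are skipped
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        l4 = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", l4, 0)
        l4_hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
        yield {
            "ts": ts_sec + ts_usec / 1e6,
            "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport,
            "dport": dport,
            "payload_len": len(l4) - l4_hdr,
            "payload": bytes(l4[l4_hdr:]),
        }


def catch_it_as_you_can(pcap: bytes) -> List[dict]:
    """Store everything; analysis happens later over the stored records."""
    return list(parse_pcap(pcap))


def stop_look_listen(pcap: bytes) -> Dict[tuple, dict]:
    """Analyse each packet in memory and keep only per-flow counters."""
    flows: Dict[tuple, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for pkt in parse_pcap(pcap):
        f = flows[(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])]
        f["packets"] += 1
        f["bytes"] += pkt["payload_len"]
        f["first"] = pkt["ts"] if f["first"] is None else f["first"]
        f["last"] = pkt["ts"]
    return dict(flows)


# Constructed capture: two HTTP requests, one DNS-like query and one inbound SSH banner.
SAMPLE_PCAP = build_pcap([
    (1700000000, _frame("10.0.0.5", "203.0.113.7", 6, 51000, 80, b"GET / HTTP/1.1\r\n")),
    (1700000001, _frame("10.0.0.5", "203.0.113.7", 6, 51000, 80, b"GET /about HTTP/1.1\r\n")),
    (1700000002, _frame("10.0.0.5", "10.0.0.1", 17, 40000, 53, b"\x12\x34\x01\x00")),
    (1700000003, _frame("192.0.2.9", "10.0.0.5", 6, 44444, 22, b"SSH-2.0-x\r\n")),
])

if __name__ == "__main__":
    for p in catch_it_as_you_can(SAMPLE_PCAP):
        print(p["ts"], p["proto"], f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}', p["payload_len"])
    for key, f in stop_look_listen(SAMPLE_PCAP).items():
        print(key, f)
```

The trade-off in the text is visible in the return values: the first mode hands back the payload bytes (so transferred files can be reassembled later), the second keeps only a handful of integers per flow and cannot recover content once the packet has gone by.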
What are some popular network forensics tools & resources?
• Network Forensic Analysis Tools (aka NFATs) allow network investigators and network administrators to monitor networks and gather all information about anomalous or malicious traffic.
• These tools synergize with network systems and network devices, such as firewalls and IDS, to make preserving a long-term record of network traffic possible.
• NFATs allow a quick analysis of patterns identified by network security equipment.

The following are a few functions of a Network Forensic Analysis Tool:
• Network traffic capturing and analysis
• Evaluation of network performance
• Detection of anomalies and misuse of resources
• Determination of network protocols in use
• Aggregating data from multiple sources
• Security investigations and incident response
• Protection of intellectual property
• Network forensics tools can be classified based on many criteria, for example host-based or network-wide forensics tools.

General purpose tools
• This category includes packet collectors (sniffers), protocol analyzers and network forensic analyzers.
• dumpcap, pcapdump and netsniff-ng are examples of packet sniffers, which record packets from the network and store them in files.
• tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric.
• Xplico and NetworkMiner are Network Forensic Analysis (NFAT) tools. These tools are data-centric and analyze the traffic content.

Specific task tools
• These are often small programs written to do just one thing.
• Intrusion detection (snort, suricata, bro)
• Match regular expressions (ngrep)
• Extract files (nfex) or pictures (driftnet)
• Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds)
• Extract emails (mailsnarf, smtpcat)
• Print network/packet statistics (ntop, tcpstat, tstat)
• Extract SSL information (ssldump)
• Reconstruct TCP flows (tcpflow, tcpick)
• Fingerprinting (p0f, prads)
Preparing a Network
1. Installing firewalls and IDS
2. User access control lists
3. Establishing appropriate policies and procedures
4. Creating a response tool kit
5. Establishing an incident response team
6. Incident handling after detection of an incident

PREPARING A NETWORK
• Network monitors are your only hope to accumulate evidence in many cases of computer incidents.
• Therefore, network administrators play a critical role during incident response.

ROLE OF NETWORK ADMINISTRATORS:
 Network administrators are responsible for the network architecture and topology, which you will need to understand in order to answer questions such as, "What other systems are affected?"
 Network administrators also manage devices such as firewalls, routers, and intrusion detection systems, which you must access in order to review critical log files.
 Network administrators may be asked to reconfigure these devices to block certain traffic during incident response.

Network security actions include the following:
1. Install firewalls and intrusion detection systems
2. Use access control lists on routers
3. Create a network topology conducive to (good for) monitoring
4. Encrypt network traffic
5. Require authentication
1. Installing Firewalls and Intrusion Detection Systems
• When routers, intrusion detection systems (IDS), and firewalls exist and are configured optimally, intruders are often caught.
• The manner in which you configure these systems depends on the response posture of your organization.
• You may decide to deny certain attacks and not log, or permit attacks and log in detail to learn more about the attacker.
• Rather than configuring your network devices to simply protect your network, you should also configure them to log activities.

FIREWALLS
• A firewall is a device installed between the internal network of an organization and the rest of the network. It is designed to forward some packets and filter others. For example, a firewall may filter all incoming packets destined for a specific host or a specific service such as HTTP, or it can be used to deny access to a specific host or service in the organization. (The slide's image of a firewall installation in the network is not reproduced here.)
• Firewalls are a set of tools that monitor the flow of traffic between networks. Placed at the network level and working closely with a router, a firewall filters all network packets to determine whether or not to forward them towards their destinations.
Working Architecture
• A firewall is often installed away from the rest of the network so that no incoming requests get directly to the private network resource. If it is configured properly, systems on one side of the firewall are protected from systems on the other side. Firewalls generally filter traffic based on two methodologies:
• A firewall can allow any traffic except what is specified as restricted. It relies on the type of firewall used, the source, the destination addresses, and the ports.
• A firewall can deny any traffic that does not meet the specific criteria based on the network layer on which the firewall operates.
• A firewall may be concerned with the type of traffic or with source or destination addresses and ports.
Firewall Pros and Cons
• Every security device has advantages and disadvantages, and firewalls are no different. If we apply strict defensive mechanisms in our network to protect it from breach, then it is possible that even our legitimate communication could malfunction; if we allow entire protocol communications into our network, then it can be easily hacked by malicious users. So we should maintain a balance between strictly-coupled and loosely-coupled functionalities.

Advantages
• A firewall is an intrusion detection mechanism. Firewalls are specific to an organization's security policy. The settings of firewalls can be altered to make pertinent modifications to the firewall functionality.
• Firewalls can be configured to bar incoming traffic to POP and SNMP and to enable email access.
• Firewalls can also block email services to secure against spam.
• Firewalls can be used to restrict access to specific services. For example, the firewall can grant public access to the web server but prevent access to telnet and the other non-public daemons.
• A firewall verifies incoming and outgoing traffic against firewall rules. It acts as a router in moving data between networks.
• Firewalls are excellent auditors. Given plenty of disk or remote logging capabilities, they can log any and all traffic that passes through.
Disadvantages
• A firewall can't prevent revealing sensitive information through social engineering (social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain).
• A firewall can't protect against what has been authorized. Firewalls permit normal communications of approved applications, but if those applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
• Firewalls are only as effective as the rules they are configured to enforce.
• Firewalls can't stop attacks if the traffic does not pass through them.
Intrusion Detection System (IDS)
• Intrusion Detection (ID) is the process of monitoring for and identifying attempted unauthorized system access or manipulation. An ID system gathers and analyzes information from diverse areas within a computer or a network to identify possible security breaches, which include both intrusions (attack from outside the organization) and misuse (attack from within the organization).
• An Intrusion Detection System (IDS) is yet another tool in the network administrator's computer security arsenal. It inspects all inbound and outbound network activity. The IDS identifies any suspicious pattern that may indicate an attack on the system and acts as a security check on all transactions that take place in and out of the system.
• Types of IDS
For the purpose of dealing with IT, there are four main types of IDS:
• Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are placed at choke points in the network to monitor, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
• Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-specific, using custom tools and honeypots. In the case of physical building security, an IDS is defined as an alarm system designed to detect unauthorized entry.
Perimeter Intrusion Detection System (PIDS)
• Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fiber optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered.

VM based Intrusion Detection System (VMIDS)
• It detects intrusions using virtual machine monitoring. By using this, we can deploy the intrusion detection system with virtual machine monitoring. It is the most recent type and is still under development. There is no need for a separate intrusion detection system since, by using this, we can monitor the overall activities.
Detection Methods of IDS:
• Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns, such as the number of bytes or the number of 1's or 0's in the network traffic. It also detects attacks on the basis of already known malicious instruction sequences used by malware. The detected patterns in the IDS are known as signatures. A signature-based IDS can easily detect attacks whose pattern (signature) already exists in the system, but it is quite difficult to detect new malware attacks as their pattern (signature) is not known.
• Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is developed rapidly. In an anomaly-based IDS, machine learning is used to create a trusted activity model, and incoming activity is compared with that model and declared suspicious if it is not found in the model. The machine learning based method has a better generalization property in comparison to a signature-based IDS, as these models can be trained according to the applications and hardware configurations.
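The difference between the two detection methods is easiest to see when both run over the same events. The following is an added example written for this page (not Snort, OSSEC or any product named in the slides), over constructed web-server request events: signature_detect() matches a tiny set of known-bad request patterns, while build_baseline() learns the per-source request rate from a known-good period and anomaly_detect() flags sources whose rate departs from it. The sample period contains a flood that matches no signature and one request that does, so each method catches what the other misses. The patterns, the z-score threshold and every address are assumptions of this example.

```python
"""Signature-based versus anomaly-based detection over constructed web-server
request events (added example; not code from the page). signature_detect()
matches known patterns; build_baseline() learns the per-source request rate
from a known-good period and anomaly_detect() flags sources whose rate
departs from it, which catches a flood with no known signature. Patterns,
thresholds and all sample addresses are assumptions of this example.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]     # (timestamp seconds, source IP, request line)

# Known-bad patterns (the IDS "signatures"); deliberately small.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)union\s+select|'\s*or\s*'1'\s*=\s*'1"),
}


def signature_detect(events: List[Event]) -> List[dict]:
    """One alert per (event, rule) whose request line matches a signature."""
    alerts = []
    for ts, src, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append({"ts": ts, "src": src, "rule": name, "request": request})
    return alerts


def build_baseline(training: List[Event]) -> Dict[str, float]:
    """Model of normal activity: mean and spread of requests per source."""
    counts = list(Counter(src for _, src, _ in training).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}


def anomaly_detect(events: List[Event], baseline: Dict[str, float],
                   z: float = 3.0, min_stdev: float = 1.0) -> List[str]:
    """Sources whose request count exceeds mean + z * stdev of the baseline.

    min_stdev keeps a perfectly uniform training set from producing a
    threshold that flags any deviation at all."""
    threshold = baseline["mean"] + z * max(baseline["stdev"], min_stdev)
    counts = Counter(src for _, src, _ in events)
    return sorted(src for src, n in counts.items() if n > threshold)


def _requests(src: str, n: int, path: str = "/index.html") -> List[Event]:
    return [(i, src, f"GET {path}") for i in range(n)]


# Constructed known-good period: five internal clients, 2-4 requests each.
TRAINING: List[Event] = (_requests("10.0.0.11", 3) + _requests("10.0.0.12", 2) + _requests("10.0.0.13", 4)
                         + _requests("10.0.0.14", 3) + _requests("10.0.0.15", 3))

# Constructed observed period: normal clients, a request-rate flood from one
# source with nothing signature-worthy in it, and one known-bad request.
OBSERVED: List[Event] = (_requests("10.0.0.11", 3) + _requests("10.0.0.12", 2)
                         + _requests("198.51.100.9", 40, "/login")
                         + [(5, "203.0.113.4", "GET /../../etc/passwd")])


def run() -> Tuple[List[dict], List[str]]:
    """Apply both methods to OBSERVED and return (signature alerts, anomalous sources)."""
    return signature_detect(OBSERVED), anomaly_detect(OBSERVED, build_baseline(TRAINING))


if __name__ == "__main__":
    sig, anom = run()
    print("signature hits:", [(a["src"], a["rule"]) for a in sig])
    print("anomalous sources:", anom)
```

With the constructed baseline (counts 3, 2, 4, 3, 3) the threshold works out to 6 requests, so the 40-request source is reported even though none of its requests matches a signature, while the single traversal request is reported only by the signature rule; a production IDS combines both for exactly this reason.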
Comparison with Firewall
• Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of application layer firewall.
2. Using Access Control Lists on Your Routers
• Cisco routers are often used (with good reason) as security devices on networks. The router is typically configured with access control lists (ACLs) that allow certain types of traffic while prohibiting potentially dangerous traffic.
• ACLs are mechanisms that restrict traffic passing through the router. Packets can be restricted based on a dazzling array of attributes, including (but not limited to) the following:
 Protocol
 Source or destination IP address
 TCP or UDP source or destination port
 TCP flag
 ICMP message type
 Time of day
• Normally, ACLs are used to implement security policies. A well-configured router can provide many of the capabilities of commercial firewalls, and routers are often used to supplement firewalls.
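How an ACL turns those attributes into a decision, and how the two firewall methodologies from the "Working Architecture" slide (allow everything except what is listed, or deny everything except what is listed) differ only in the list's default, can be shown with a small evaluator. This is an added example in plain Python, not Cisco syntax and not code from the slides: rules are tried in order, the first match decides, and a packet matching no rule gets the list's default action. Matching covers the attributes from the list above that can be evaluated statically (protocol, source and destination address by CIDR, destination port range and the TCP ACK flag for "established" reply traffic); time of day and ICMP message type are left out. Every address, port and rule is a constructed sample, and the log line format is this example's own.

```python
"""Router access-control-list evaluation (added example; not code from the
page and not a vendor's syntax). Rules are checked in order, the first
match decides, and a packet matching no rule gets the list's default
action: deny-by-default (permit only what is listed) or allow-by-default
(deny only what is listed), the two firewall methodologies in the text.
Matching covers protocol, source/destination address, destination port
and the TCP ACK flag ("established" reply traffic). Addresses constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (0, 65535)
    established: bool = False        # match only TCP packets with ACK set
    log: bool = False                # emit a log line when this rule fires

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.established and not (p.proto == "tcp" and "ACK" in p.tcp_flags):
            return False
        return True


class ACL:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int], Optional[str]]:
        """Return (action, index of matching rule or None, log line or None)."""
        desc = f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, i, (f"ACL {rule.action} by rule {i}: {desc}" if rule.log else None)
        # nothing matched: the list's default applies, and that is always worth logging
        return self.default, None, f"ACL default {self.default}: {desc}"


# Deny-by-default list protecting 10.0.0.0/8 (constructed): public web server
# reachable on 80/443, replies to internal clients allowed, everything else denied.
DENY_BY_DEFAULT = ACL([
    Rule("permit", "tcp", dst="192.0.2.10/32", dports=(80, 80)),
    Rule("permit", "tcp", dst="192.0.2.10/32", dports=(443, 443)),
    Rule("permit", "tcp", dst="10.0.0.0/8", established=True),
], default="deny")

# Allow-by-default list (constructed): only telnet is blocked, and logged.
ALLOW_BY_DEFAULT = ACL([
    Rule("deny", "tcp", dports=(23, 23), log=True),
], default="permit")


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.20", "192.0.2.10", 50000, 80, frozenset({"SYN"})),
        Packet("tcp", "198.51.100.20", "10.0.0.5", 50001, 23, frozenset({"SYN"})),
        Packet("tcp", "203.0.113.7", "10.0.0.5", 80, 51000, frozenset({"ACK"})),
    ]
    for acl_name, acl in (("deny-by-default", DENY_BY_DEFAULT), ("allow-by-default", ALLOW_BY_DEFAULT)):
        for pkt in samples:
            print(acl_name, acl.evaluate(pkt))
```

The "established" rule is the one worth studying: it lets replies to connections opened from inside reach 10.0.0.0/8 while a fresh inbound SYN to the same host and port falls through to the default deny, which is the behaviour a stateless router ACL relies on the TCP flag for.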
2. (a) Creating a Network Topology Conducive to Monitoring
• In the event of an incident, you must know the network topology in order to determine the best response strategy.
• Without information about the network topology, you won't be able to figure out which other systems are affected. And without knowing about other affected systems, you cannot have a truly effective response plan.
CASE: What Can Happen
An intruder placed a network sniffer (hardware or software that passively intercepts packets
as they traverse a network) on a compromised host. The intruder is now watching passwords
and sensitive traffic, not just from the compromised host, but also from any computer that
shares the compromised host’s network. So the intruder can now log on to any computer
that passes cleartext (unencrypted) traffic on the compromised host’s network.
Where to Look for Evidence
To respond to this incident, you need to know which systems may have been compromised
by the stolen usernames and passwords. Removing only the compromised host is a recipe for
disaster, because the intruder will still have valid usernames and passwords into other
systems after the compromised host is long gone. This type of incident points out the value in
understanding your network topology and maintaining accurate network maps.
Creating a Network Topology Map
An accurate network topology map is a helpful tool during incident response.
Ideally, the network topology map will include details for all hosts and network
connections, such as how the hosts connect, which networks use switches versus
routers, and the locations of external connectivity. Realistically, this level of detail is
usually not present for large networks. However, it should be present for mission-
critical networks such as the DMZ (demilitarized zone) or Internet-facing e-commerce
applications. Before an incident occurs, make sure that the response team has access
to accurate, up-to-date topology maps. You can create these maps manually using Visio
or use a product designed for this purpose, such as FoundScan or Cheops.
Creating a Network Architecture Map
• While a network topology map generally gives a
picture of the logical network layout, the
topology map rarely shows the physical location
and connectivity of the hosts. Unfortunately,
incident response requires this information.
• In order to perform critical response steps on the
console of the affected host, or to tap the
network for monitoring, the physical location
must be known. A map showing the physical
network architecture saves precious time in the
event of an incident, and creating one should be
a part of your pre-incident preparation.
Supporting Network Monitoring
Network monitoring is one of the first steps that you may take
when responding to incidents. In order to perform network
monitoring, the network architecture must support monitoring.
HOW:
 To monitor a network, you must attach your network-monitoring platform to a network
device that has access to all traffic on the segment of interest.
 It is not uncommon to arrive on site and find that the hub or switch has no free port
for the monitor!
 On a switched network the monitor also needs a span (mirror) port that copies all
traffic on the segment, and for a variety of reasons that port is often not available.
These problems should be addressed through policy and procedure as part of your
pre-incident preparation. Make sure that critical networks, especially Internet-facing
and DMZ networks, provide an open port with access to all traffic on the given segment.
2. (b) Encrypting Network Traffic
 Encrypting network traffic enhances the security of any network.
 Two popular implementations are
 Secure Sockets Layer (SSL) and
 Secure Shell (SSH).
 SSL is used for encrypted web traffic. SSL (Secure Sockets Layer) is the protocol for
establishing an encrypted link between a web server and a browser. SSL itself is now
deprecated and has been replaced by its successor, TLS, although the name SSL is still
widely used when people talk about HTTPS.
 SSH is used for interactive logins and file transfers, and as an enabler of virtual
private networks (VPNs). SSH provides a secure channel over an unsecured
network in a client-server architecture, connecting an SSH client application with
an SSH server. The SSH protocol (also referred to as Secure Shell) is a method for
secure remote login from one computer to another. It provides several alternative
options for strong authentication, and it protects the communications security and
integrity with strong encryption. It is a secure alternative to the non-protected
login protocols (such as telnet, rlogin) and insecure file transfer methods (such
as FTP).
 Encrypting network traffic can also hinder the detection and investigation of unauthorized
or unlawful network-based activity. When attackers use encrypted protocols to reach your
systems, network monitoring and IDS can no longer inspect the payload; only connection
metadata (endpoints, timing, volume) remains visible, and your ability to respond
effectively is reduced. Keep this trade-off in mind as you design your security
architecture, for example by logging at the endpoints where the traffic is in the clear.
2. (c) Requiring Authentication
• Authentication is both a host-based and network-based security
measure.
• Merely using usernames and passwords as authentication has
proven to be less effective than desired.
• Usernames and passwords are often guessed easily, or just plain
known to half an organization’s workforce.
• Using additional authentication (Kerberos, IPsec (IP Security Protocol), or any
protocol stronger than a bare username/password) often provides the controls needed to
implement a more secure network.
• Many different authentication protocols are freely available on the
Internet. Each one affects your response capability a bit differently.
• Choose an implementation that both increases network security
and provides an effective audit trail for incident response teams.
3. ESTABLISHING APPROPRIATE
POLICIES AND PROCEDURES
• Without a proper policy in place, you may not be able to legally
monitor employees' activities.
• When a security incident occurs, your
investigation may warrant taking intrusive steps,
such as monitoring the activities of your
employees or unauthorized intruders. With some
preparation, planning, proper policies, and in-
place procedures, you can meet your determined
objectives when responding to an incident.
4. CREATING A RESPONSE TOOLKIT
• Regardless of the status of network, host, and policy
preparation, the CSIRT will need to be prepared to
respond to incidents.
• The response toolkit is a critical component of pre-
incident preparation, and it is one of the few
components in your control.
• The response toolkit includes the hardware,
software, and documentation used during response.
4. (A) The Response Hardware
• The recommended response platform is a robust, configurable forensic
workstation built from full-size components, with attachments for
various external devices, a network interface card (NIC) and a CD-RW
drive.
• This platform has proven durable and flexible during incident
response, and is able to handle a variety of applications and
networks with ease.
The hardware specifications:
o High-end processor
o A minimum of 256MB of RAM
o Large-capacity IDE drives
o Large-capacity SCSI drives
o SCSI card and controller
o A fast CD-RW drive
o 8mm exabyte tape drive (20GB native, 40GB
compressed), or a drive for DDS3 tapes (4mm)
if you have less funding
Some other items:
• Extra power extenders for peripherals such as drives and any gear that goes
in your forensic tower
• Extra power-extension cords
• Numerous SCSI cables and active terminators
• Parallel-to-SCSI adapters
• Plenty of Category 5 cabling and hubs
• Ribbon cables with more than three plugs
• Power strips
• An uninterruptible power supply (UPS)
• CD-Rs, 100 or more
• Labels for the CDs
• A permanent marker for labeling CDs
• Jaz or Zip media
• Folders and folder labels for evidence
• Operating manuals for all your hardware
• A digital camera
• Toolkit or Victorinox Cybertool (which is all we need)
• Lockable storage containers for evidence (if you are on the road)
• Printer and printer paper
• Burn bags
4. (B) The Response Software
• Many specific software tools are used during incident
response to investigate various operating systems and
applications.
• The following is a list of the more generic software that
forms the basis of any software toolkit:
 Two to three native operating systems on the machine, such as Windows 98,
Windows NT, Windows 2000, and Linux, all bootable via GRUB (a GNU
bootloader) or on a CD-ROM “ghost” image.
 Safeback, EnCase, DiskPro, or another forensics software package, used to re-
create exact images of computer media for forensic-processing purposes
 All the drivers for all of the hardware on your forensic machine (absolutely
necessary!)
 Selection of boot disks (DOS, EnCase, Maxtor, and so on)
 Quick View Plus or some other software that allows you to view nearly all types
of files
 Disk-write blocking utilities
 An image of the complete setup on backup media such as DVD
4. (C) The Network Monitoring Platform
• The system running the network monitor should be a
Pentium-class machine, 500MHz or higher, with at least
512MB of RAM (or more, depending on network traffic and
the host operating system).
• Hard drive size depends on the amount of traffic collected,
but a 30GB hard drive is a good start.
• Make sure that your network monitor system has a NIC that supports
promiscuous mode. (In promiscuous mode the adapter passes every frame it
sees on the segment up to the host, not only the frames addressed to its
own MAC address, which is what a sniffer needs. On a switched network the
monitor must also sit on a span/mirror port, or the switch will only
forward the monitor its own traffic.)
4. (D) Documentation
• The CSIRT must document all actions and findings.
• Documentation is necessary for further disciplinary, civil, or
criminal action, as well as for a thorough response.
• Key areas for documentation include
 how the evidence is obtained,
 all actions taken, and
 where and how the evidence is stored.
• To facilitate complete documentation, standardized reporting
and forms are helpful.
• We recommend that your response toolkit include evidence tags
and evidence labels.
5. ESTABLISHING AN INCIDENT RESPONSE
TEAM
• After a possible computer security incident
occurs, it is too late to assemble a team of
experts to handle the incident.
• You cannot expect untrained and unprepared
personnel to succeed!
5. (A) Deciding on the Team’s Mission
The mission of your CSIRT may be to achieve all
or most of the following:
• Respond to all security incidents or suspected
incidents using an organized, formal investigative
process.
• Conduct a complete investigation free from bias
(well, as much as possible).
• Quickly confirm or dispel whether an intrusion
or security incident actually occurred.
• Assess the damage and scope of an incident.
• Establish a 24-hour, 7-day-a-week hotline for clients during the
duration of the investigation.
• Control and contain the incident.
• Collect and document all evidence related to an incident.
• Maintain a chain of custody (protect the evidence after
collection).
• Select additional support when needed.
• Protect privacy rights established by law and/or corporate policy.
• Provide liaison to proper law enforcement and legal authorities.
• Maintain appropriate confidentiality of the incident to protect
the organization from unnecessary exposure.
• Provide expert testimony.
• Provide management with incident-handling recommendations
that are fully supported by facts.
5. (b) Training the Team
• The importance of good training cannot be overemphasized.
• It is also a good idea for CSIRT members to join professional organizations to
continue their education.
• There are several professional organizations that allow law enforcement
officers to mingle with computer security professionals:
• InfraGard
• High Technology Crime Investigation Association (HTCIA)
• Information Systems Security Association (ISSA)
• Forum of Incident Response and Security Teams (FIRST)
6. Incident handling After Detection of
an Incident.
(A) RECORDING THE DETAILS AFTER INITIAL DETECTION
I. Initial Response Checklists
II. Case Notes
(B) INCIDENT DECLARATION
(C) ASSEMBLING THE CSIRT
I. Determining Escalation Procedures
II. Implementing Notification Procedures
III. Scoping an Incident and Assembling the Appropriate
Resources
(D) PERFORMING TRADITIONAL INVESTIGATIVE STEPS
(E) CONDUCTING INTERVIEWS
(F) FORMULATING A RESPONSE STRATEGY
6. (A) RECORDING THE DETAILS AFTER
INITIAL DETECTION
• Implementing an organized incident response program requires checklists. One such checklist is the
initial response checklist, for recording the details after the initial notification of an incident.
6. (A). I. Initial Response Checklists
• Use an initial response checklist as the mechanism to record the circumstances
surrounding a reported incident.
• CHECKLIST contains:
 Date the incident was detected or initiated
 Contact information of the person completing the form
 Contact information of the person who detected the incident
 The type of incident.
 The location(s) of the computers affected by the incident
 The date the incident was first noticed
 A description of the physical security at the location(s)
 How the incident was detected
 Who accessed or touched the relevant system(s) since the onset of the incident
 Who has had physical access to the affected system(s) since the onset of the incident
 Who currently knows about the incident
6. (A) II. Case Notes
• If you choose not to have an initial response checklist of any kind, then you should
at least enforce the maintenance of case notes.
• Case notes are any documentation that records the steps that are taken during
your incident response process.
• A case note should analyze a single case.
• Advise any member of your CSIRT to maintain well-written notes of the details
surrounding the incident.
• Remember that these notes may establish the foundation for a criminal or civil
action, and lacking a checklist, these case notes will be critical to advance any case
your organization may want to establish.
• Teach your team members to document the “who, what, when, where, and how”
information that surrounds an incident.
• A quality case note is well organized and clearly written: it records what was done,
by whom, when, on which system, and what was observed, in enough detail that another
examiner (or a court) can follow and reproduce the steps later.
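Because case notes may end up as the foundation of a criminal or civil action, a practitioner wants to be able to show that no note was reworded or removed after the fact. The following is an added example (Python, not from the lecture notes) of a small tamper-evident notebook: each note records the who/what/when/where/how of one action and carries the SHA-256 of the previous note, so any later edit or deletion breaks the chain. The case number, analyst names and note text are constructed.

```python
"""Tamper-evident case notes. Added example, not from the lecture notes.

Each note records one action (who, what, when, where, how) and carries the
SHA-256 of the previous note, so rewording or deleting any entry after the
fact breaks the chain and can be shown to have happened. The case number,
names and note text are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64


def _digest(fields: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def add_note(notes: List[Dict], case_id: str, when: str, who: str,
             what: str, where: str, how: str) -> Dict:
    """Append a note that chains to the previous one. 'when' is an ISO-8601 UTC
    timestamp supplied by the caller so a notebook can be reproduced exactly."""
    entry = {
        "case_id": case_id, "seq": len(notes) + 1, "when": when,
        "who": who, "what": what, "where": where, "how": how,
        "prev": notes[-1]["hash"] if notes else GENESIS,
    }
    entry["hash"] = _digest(entry)          # hash covers every field above
    notes.append(entry)
    return entry


def verify_chain(notes: List[Dict]) -> int:
    """Return -1 if every note is intact and in order, otherwise the 1-based position
    of the first note whose content, sequence number or back-link does not check out."""
    prev = GENESIS
    for pos, entry in enumerate(notes, start=1):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != pos or entry["prev"] != prev or _digest(fields) != entry["hash"]:
            return pos
        prev = entry["hash"]
    return -1


def sample_notebook() -> List[Dict]:
    """Constructed notes for a fictitious case."""
    notes: List[Dict] = []
    add_note(notes, "IR-2024-017", "2024-03-04T09:12:00Z", "analyst A",
             "Received report of unexplained outbound connections from web01",
             "SOC", "telephone call from network operations")
    add_note(notes, "IR-2024-017", "2024-03-04T09:40:00Z", "analyst A",
             "Acquired volatile memory of web01; image hash recorded on evidence tag E-01",
             "data centre, rack 3", "memory acquisition tool run from the console")
    add_note(notes, "IR-2024-017", "2024-03-04T10:05:00Z", "analyst B",
             "Started full packet capture of the DMZ segment",
             "DMZ span port", "network monitor attached to mirror port")
    return notes


if __name__ == "__main__":
    notes = sample_notebook()
    print("intact:", verify_chain(notes))                     # -1
    notes[1]["what"] = "Rebooted web01"                       # someone 'tidies up' note 2 later
    print("after edit, first bad note:", verify_chain(notes))  # 2
```

The chain only proves the notebook is internally consistent; to show it was not rebuilt wholesale, record the latest hash periodically somewhere the note-taker cannot alter (the evidence log, or a message to a supervisor), which is the same idea as signing an evidence tag.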
6. (B) INCIDENT DECLARATION
• In most cases in which suspicious activity is reported, it will
be immediately obvious whether or not the activity is
actually a computer security incident.
• However, in a few cases, it may be difficult to determine if
an incident occurred based on the details recorded in the
initial response checklist. If it is not clear whether the
reported suspicious activity constitutes an incident, then it
should most likely be considered an incident and treated as
one until your investigation proves otherwise.
• However, in order to avoid spending considerable amounts
of time on non incidents, there are a few questions that can
be considered:
 Was there a scheduled system or network outage that caused
resources to be unavailable during the time the incident was
reported?
 Was there an unscheduled and unreported outage of a network
service provider that caused resources to be unavailable during the
time the suspected incident was reported?
 Was the affected system recently upgraded, patched, reconfigured,
or otherwise modified in such a way as to cause the suspicious
activity that was reported?
 Was testing being performed on the network that would lock out
accounts or cause resources to be unavailable?
 For insider incidents, are there any justifications for the actions an
employee has taken that remove or lessen the suspicions?
• If you cannot immediately tell whether an incident has occurred, we
recommend that you assign the incident a case or incident number,
making it a real incident worth investigating. Once an incident is
declared, it has an incident number (or case number) to be used as a
specific reference to that incident.
6. (C) ASSEMBLING THE CSIRT
• Many organizations have CSIRTs that are formed dynamically in response to a
particular situation or incident, rather than an established, centralized team that is
dedicated to responding to incidents.
• Therefore, the CSIRT needs to be staffed in real time after an incident is detected.
• To staff the team properly for a particular incident, your organization must identify
the types of skills and resources that are required from the rest of the
organization to respond to that particular incident.
• Assembling the CSIRT requires the following activities:
 Determining escalation procedures
 Implementing notification procedures
 Scoping an incident and assembling the appropriate resources, including assigning
a team leader and the technical staff
6. (D) PERFORMING TRADITIONAL
INVESTIGATIVE STEPS
• The investigation phase involves determining the “who, what, when, where, how,
and why” surrounding an incident.
• One of the best ways to simplify a technical investigation is to divide the evidence
you collect into three categories:
a. Host-based evidence: This data is usually collected from Windows or Unix
machines, or the device actually involved in the incident (the victim system or the
system used in furtherance of a crime).
b. Network-based evidence: This type of evidence is usually collected from routers,
IDS, network monitors, or some network node not immediately involved in the
incident.
c. Other evidence: This category normally describes testimonial data that contributes
to the case, such as motive, intent, or some other nondigital evidence.
• The information you obtain from these three categories will help you answer the
preliminary questions you might have after an incident occurs.
6. (E) CONDUCTING INTERVIEWS
• When your CSIRT learns of a suspected incident,
the first step is to start asking the “who, what,
when, where, and how” questions.
• These questions allow you to determine some
facts surrounding the incident, such as the
location of relevant systems, administrative
contacts, what may have occurred and when, and
so on.
• While the answer to every question may not be
available, the more answers you can obtain, the
easier it will be for you to assess the situation.
6. (F) Formulating a Response Strategy
• Your response strategy is arguably the most important
aspect of incident response.
• This is the phase where you consider what remedial
steps to take to recover from the incident.
• Your strategy may also include initiating adverse action
against an internal employee or an external attacker.
• Regardless of the circumstances, you will probably
require multiple brainstorming sessions to determine
the best way for your organization to respond.
a) Response Strategy Considerations
Your response strategy should take into account everything you know
about the incident, which changes over time, and then factor in the
political, technical, legal, and business influences that should be
considered.
The following are some common factors you will likely consider when
determining your response strategy:
▼ Does your organization have a formal/public posture on responding to
attacks that it must adhere to in order to appear consistent to customers
and the media?
■ Is the suspected attack from overseas, making it more difficult to pursue
technically and legally?
■ Is the strategy worth pursuing from a cost/benefit standpoint?
■ Are there any legal considerations that may affect the response?
■ Can you risk public disclosure of the incident to clients or to the public?
■ How have you handled similar incidents in the past?
■ What is the past record/work performance of the individual(s) involved?
▲ Will the investigation cost more than merely allowing the incident to
continue?
Challenges
• The biggest challenge in conducting network forensics is the sheer amount of data generated by the network,
often comprising gigabytes a day. It is very tedious to search for evidence and is nearly impossible to find it, if the
incident is discovered after a very long time.
• The second challenge of network forensics lies in the inherent anonymity of the Internet protocols. Each network
layer uses some form of addressing for the 'to' and 'from' points, such as MAC addresses, IP addresses and e-mail
addresses, all of which can be spoofed. Fortunately, the wide range of powerful software, including products
purpose-built for forensic analysis, makes it practical to solve cases through the analysis of network activity.
Network forensic tasks that can be facilitated through software include the collection, normalizing, filtering,
labeling, stream reassembly, correlation and analysis of multiple sources of traffic data. Although there are
single-purpose tools aimed at each of these tasks, feature creep is blurring the distinction between categories,
resulting in tools that are useful in addressing a growing number of things that can go wrong on the network.
However, before an investigator can perform any other forensic task, suitable network activity data must be
collected. Raw network packets, which contain the highest possible level of traffic detail, supplement the often-
sparse log data available from applications, authentication systems, routers and firewalls. Sniffing collects such
network data.
Stream reassembly or sessioning is the collation and packaging of raw network traffic from a single source such
that all the data within a connection session is presented as a complete stream. Sessioning is performed by
protocol analysis tools, which isolate the specific communications that took place between two or more of the
apparent endpoints or relay points. Such an analysis is the first step in determining who communicated when
and what was transmitted. Most protocol analysis tools provide a tree-oriented view of sessions and protocols
used within the sessions. Such a visual presentation of network traffic makes it easier to understand exactly what
happened on the network.
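The sessioning step described above is easy to picture but has edge cases (out-of-order delivery, retransmissions, segments that were never captured) that decide whether the reassembled stream can be trusted. The following is an added example (Python, not from the lecture notes or from any of the tools named on this page) that groups constructed TCP segments into sessions and reassembles each direction into one stream, reporting any holes. The addresses, ports and the small HTTP exchange are constructed.

```python
"""Stream reassembly (sessioning) of raw TCP segments. Added example, not from the notes.

Segments are grouped by connection, each direction is ordered by sequence
number, retransmitted and overlapping bytes are dropped, and any bytes that
were never captured are reported as gaps, so each side of a session can be
read as one stream. The segments below are constructed and carry a small
HTTP exchange delivered out of order with one duplicate and one lost segment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # sequence number of the first payload byte
    payload: bytes


def session_key(seg: Segment) -> tuple:
    """Order the two endpoints so both directions of a connection share one key."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def reassemble_direction(segs: List[Segment]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Return (stream, gaps) for one direction of a connection.

    Out-of-order segments are sorted by seq; a segment ending at or before the
    next expected byte is a retransmission and is skipped; a partial overlap
    contributes only its new tail; a hole is recorded in gaps and padded with
    '?' so later offsets stay aligned to the sequence space."""
    stream = bytearray()
    gaps: List[Tuple[int, int]] = []
    next_seq = None
    for seg in sorted(segs, key=lambda s: s.seq):
        if not seg.payload:
            continue                      # pure ACKs carry no stream data
        if next_seq is None:
            next_seq = seg.seq            # first payload byte seen defines the stream start
        if seg.seq > next_seq:            # lost segment(s) before this one
            gaps.append((next_seq, seg.seq))
            stream.extend(b"?" * (seg.seq - next_seq))
            next_seq = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                      # full retransmission of data already in the stream
        stream.extend(seg.payload[next_seq - seg.seq:])   # drop overlapping prefix, keep new bytes
        next_seq = end
    return bytes(stream), gaps


def sessionize(segments: List[Segment]) -> Dict[tuple, Dict[tuple, Tuple[bytes, list]]]:
    """Group segments into sessions, then into directions, and reassemble each direction."""
    by_session: Dict[tuple, Dict[tuple, List[Segment]]] = defaultdict(lambda: defaultdict(list))
    for seg in segments:
        by_session[session_key(seg)][(seg.src, seg.sport, seg.dst, seg.dport)].append(seg)
    return {key: {d: reassemble_direction(s) for d, s in dirs.items()}
            for key, dirs in by_session.items()}


C, S = ("10.0.0.5", 51000), ("192.0.2.10", 80)
SAMPLE_SEGMENTS = [                      # constructed capture, in arrival order
    Segment(*C, *S, 1021, b"Host: example.test\r\n\r\n"),     # arrives before the request line
    Segment(*C, *S, 1000, b"GET /login HTTP/1.1\r\n"),
    Segment(*C, *S, 1000, b"GET /login HTTP/1.1\r\n"),        # retransmission
    Segment(*S, *C, 5000, b"HTTP/1.1 200 OK\r\n"),
    # the server's second segment (seq 5017..5037, 21 bytes of headers) was not captured
    Segment(*S, *C, 5038, b"ok"),
    Segment(*S, *C, 5040, b""),                                # bare ACK
]


if __name__ == "__main__":
    for key, dirs in sessionize(SAMPLE_SEGMENTS).items():
        for (src, sport, dst, dport), (stream, gaps) in dirs.items():
            print(f"{src}:{sport} -> {dst}:{dport}  gaps={gaps}")
            print("   ", stream)
```

Wireshark's "Follow TCP Stream" performs the same collation, with extras this example leaves out (32-bit sequence-number wraparound, SYN/FIN handling, and policies for conflicting overlaps, which intruders have used to show an IDS one byte stream and the host another). The gaps list is the important forensic output: a stream with holes must be reported as such, never presented as complete.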
Network Forensics Tools
• Network forensics tools are the applications examiners use to capture, monitor and
audit network activity. Tools commonly cited for gathering and analysing this data
include E-Detective, NetFlow (v5/v9 flow records), netcat, NetDetector, tcpdump,
Wireshark (formerly Ethereal), Argus, NFR, TCP Wrappers, packet sniffers in general,
nstat and Tripwire.
• Some examples of network forensic tools:
1. Wireshark
A popular network analyzer and monitor. Its features include:
- Deep inspection of hundreds of protocols
- Live capture and offline analysis
- Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD
and others
- Captured data can be browsed through the GUI or through the TTY-mode
utility (tshark)
- Rich display filters for narrowing the view
- Reads and writes many capture file formats
• 2. Netcat
• A general-purpose utility for TCP and UDP: it can open TCP connections, send
UDP datagrams, listen on TCP or UDP ports, scan ports, and work over both IPv4
and IPv6. Netcat is also a favourite of attackers, who use it to connect back from
a compromised host to a system they control and obtain a remote shell on a port of
their choosing, with whatever privileges the process runs under (root, if it was
started as root). An unexpected netcat listener or outbound connection on a host
is therefore a red flag for the investigator.
• 3. E-Detective
• A real-time Internet interception, monitoring and forensics system that
captures, decodes and reconstructs many types of Internet traffic. Such systems
are typically used on corporate networks for behaviour monitoring, auditing,
record retention, forensic analysis and investigation. E-Detective can decode,
reassemble and reconstruct a range of Internet applications and services, for
example e-mail, webmail, instant messaging, file transfers, online games,
Telnet, HTTP and VoIP.
Database Forensics
• Database servers store sensitive information.
• Database forensics refers to the branch of digital forensic science
specifically related to the study of databases and the data they
keep.
• Database forensics looks at who accessed the database and what
actions were performed.
• A forensic examination of a database may investigate the
timestamps relating to the update time of a row in a relational table
in order to verify the actions of a database user.
• Another database forensics case might examine all transactions
within a database system or application over a specific period of
time in order to identify any fraudulent transactions.
• Experts in database forensics need to be well-versed in almost all
aspects of database development and use, as they have to
preserve, authenticate, analyze and output data from large,
custom-built databases that cannot just be copied and taken back
to the office for further investigation.
• Database forensics concentrates on scientifically interrogating a failed
or compromised database, attempting to reconstruct the metadata and page
information from the data set.
• Databases are a primary source of electronic evidence for organizations
of every size and complexity. When an unexpected incident occurs, a
forensic examiner may have to produce this evidence in a court of law,
regardless of the size of the database.
• The following scenarios would require the intervention of a
database forensic specialist:
 Failure of a database
 Deletion of information from database
 Inconsistencies in the data of a database
 Detection of suspicious behaviour of users
• A database forensics expert will normally use a read-only method
or an identical forensic copy of the data when interfacing with a
database to ensure that no data is compromised. They will run a
series of diagnostic tools to help them to:
 Create a forensic copy of a database for analysis
 Reconstruct missing data and/or log files associated with the
deletion
 Decipher data and ascertain possible causes of corruption
 Audit user activities and isolate suspicious and illegal behaviour
• What Database Systems Are Mostly Commonly Used
in Forensics?
• Here are the top five, along with their DB schema
types:
• Oracle (Relational Database Management System)
• MySQL (Relational Database Management System)
• Microsoft SQL Server (Relational Database
Management System)
• PostgreSQL (Relational Database Management
System)
• MongoDB (Document Stores)
• What Are Record Carving and Database
Reconstruction?
• Record carving is an attempt by a forensics
specialist to obtain valid rows of data from within
a damaged or corrupt database.
• Database reconstruction is a process whereby a
forensics professional attempts to repair a
database well enough to get some rudimentary
information from it, allowing for further repair
and interrogation. This is usually done by
analyzing log files of the database system and
running the activities through an algorithm that
restores records to their previous state at the
time of the log creation.
A. The forensic view of a database follows the well-known three-schema model, with
external, conceptual and internal schemas. From a forensic investigation perspective the
following need to be considered:
• To know the relation between the data dictionary and the conceptual layer. The data dictionary
may be the target of an attack by destructing or making any subtle changes in the data
dictionary.
• The data dictionary also contains information that may be of forensic interest itself, such as the
creation time of an entity-whether that entity occurs on the external, conceptual or internal
layer.
• The external schema defines the data to be provided to a specific user.
• During a forensic investigation, the different views for various users generated by different
schemas may be relevant. The number of such external schemas only depends on the
considered database.
• The operating system’s management of the files used for the physical layer is also to be
considered.
B. The level of logging in a database may include enough information for the investigation.
C. Restoration or recreation of data that has been (partially) destroyed, or only partially
recovered is done under a forensic capture process. It is often necessary to reverse engineer
not only the application schema and other data, but also the underlying DBMS structure of
the (known) DBMS.
D. Detailed logs or Metadata or combination of both may be used to determine who was
authorized to perform a certain action and use that as the basis for attribution. Data mining
tools and applications may be of valuable help in forensic analysis.
List of Database Forensics Tools
Volatile/Non-Volatile Data
Why can volatile data be crucial for your cases?
If the suspect stored the evidential documents on cloud storage, used encrypted containers
or full-disk encryption, or used techniques to overwrite traces on the physical hard disk,
you can still get information from volatile data. Encryption can sometimes be defeated by
extracting the encryption key from RAM, cloud storage can be detected and acquired while
the machine is still running, and unsaved or even physically overwritten data might still
have left traces in RAM.
Fighting against Macro Threats
• Macros are a powerful way to automate common tasks in Microsoft
Office and can make people more productive. However, macro
malware uses this functionality to infect your device.
How macro malware works?
• Macro malware hides in Microsoft Office files and is delivered as
email attachments or inside ZIP files. These files use names that are
intended to entice or scare people into opening them. They often
look like invoices, receipts, legal documents, and more.
• Macro malware was fairly common several years ago because
macros ran automatically whenever a document was opened. In
recent versions of Microsoft Office, macros are disabled by default.
Now, malware authors need to convince users to turn on macros so
that their malware can run. They try to scare users by showing fake
warnings when a malicious document is opened.
How to protect against macro malware
• Make sure macros are disabled in your Microsoft Office
applications. In enterprises, IT admins set the default
setting for macros:
– Enable or disable macros in Office documents
• Don’t open suspicious emails or suspicious
attachments.
• Delete any emails from unknown people or with
suspicious content. Spam emails are the main way
macro malware spreads.
• Enterprises can prevent macro malware from running executable
content by using ASR (attack surface reduction) rules. Reducing
the attack surface means protecting the organization's devices
and network so that attackers have fewer ways to carry out
attacks.
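Policy (macros disabled) and ASR rules protect the endpoint; a mail gateway or responder can also check an attachment for macros before anyone opens it. The following is an added example (Python, not from the lecture notes or from Microsoft) of that triage: modern Office files are ZIP containers and VBA code lives in a part named vbaProject.bin, so the part can be looked for directly, a macro part behind a "macro-free" extension is flagged on its own, and legacy OLE2 binaries are routed to manual review. The sample attachments are constructed in memory and are not valid Word documents.

```python
"""Triage of Office attachments for macros. Added example, not from the notes or from Microsoft.

Modern Office documents (.docx, .docm, .xlsm, ...) are ZIP containers and any VBA
code lives in a part named vbaProject.bin, so an attachment can be checked for
macros before a user ever sees the lure. A macro part inside a file whose extension
promises 'no macros' (.docx/.xlsx/.pptx) is flagged separately, and legacy binary
files (OLE2, magic D0 CF 11 E0) are flagged for manual review because they need a
different parser. The sample attachments below are constructed in memory.
"""
import io
import zipfile
from typing import Dict

MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def classify(filename: str, data: bytes) -> str:
    """Return 'clean', 'macro', 'macro-extension-mismatch', 'legacy-ole' or 'not-office'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"                    # .doc/.xls/.ppt: macros live inside OLE streams
    if not data.startswith(b"PK"):
        return "not-office"                    # neither an OOXML zip nor OLE2
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            has_vba = any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if has_vba and ext in MACRO_FREE_EXTS:
        return "macro-extension-mismatch"      # macro part hiding behind a 'safe' extension
    return "macro" if has_vba else "clean"


def _make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container (not a valid Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed vba stream\x00")
    return buf.getvalue()


SAMPLE_ATTACHMENTS: Dict[str, bytes] = {          # constructed lures of the kind the notes describe
    "Invoice_4471.docx": _make_ooxml(False),
    "Invoice_4471.docm": _make_ooxml(True),
    "Legal_Notice.docx": _make_ooxml(True),       # macro part behind a macro-free extension
    "statement.xls": OLE2_MAGIC + b"\x00" * 64,    # legacy binary format
    "readme.txt": b"plain text, nothing to see",
}


def scan(attachments: Dict[str, bytes] = SAMPLE_ATTACHMENTS) -> Dict[str, str]:
    return {name: classify(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:20s} {verdict}")
```

The check keys on content, not on the enticing file name, which is the point: the lure can call itself an invoice or a legal notice, but it cannot hide the macro part from a container walk. It is a triage heuristic that complements macro-disabled policy and ASR rules rather than replacing them; the legacy-ole verdict exists precisely because .doc/.xls files need a real OLE parser.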
Case STUDIES
Case Study 1: Job Fraud
• Complaint: Mr. XXXXXXXXX, the human resources manager of an MNC located in
Pune, came to the Cyber Crime Police Station and produced a written complaint,
along with supporting documents, about a job fraud.
• Brief facts: Unknown persons created a website impersonating the company and
ran a fake recruitment drive with the intention of deceiving job seekers.
• The fake website redirected visitors to the official website of the company.
• The job openings were advertised through various online job portals and
classifieds.
• The accused rented office space in the same premises as the original company
and conducted fraudulent recruitment of candidates there.
• HR staff were also hired to interview the shortlisted candidates.
• All communication from the main accused was done through e-mail and phone to
evade identification.
Modus operandi:
► The accused impersonated the company website by creating a look-alike site at
www.zzz2.in, using the same fonts and logo as the original company website
www.zzzz.in.org.
► The accused advertised job openings on various online classified sites and
communicated with many job seekers, offering guaranteed jobs at the MNC.
Candidates who contacted him were told that a nominal fee of INR 50,000 would be
charged for a confirmed job in the company, payable only after they received the
offer letter.
► All candidates were told that a free training session would be organized for
them 15 days before the scheduled interview. This was done to attract the
candidates and gain their trust.
► Candidates who completed the training were asked to appear for a written exam
and a personal interview in the yyy building, where the office of the complainant
company is located. Everyone who came for the interview was sent a fake offer
letter listing the benefits.
Evidences provided by the complainant
• During the course of investigation, the following
documents were provided by the complainant for
verification:
An e-mail from the fraudster containing the job
description and benefits
Address of the interview location
Fake website link
Fake offer letter on the Company letter head
Contact numbers
SMS details
• Investigation:
► Originating IPs were extracted by analyzing the headers of the e-mails
sent to the candidates by the fraudsters.
► The CDR (call detail record) and CAF (customer application form) details
of the mobile numbers, and the physical addresses of the IPs, were obtained
from the respective service providers.
• The authorities of the yyy commercial building were contacted and the
following details were obtained:
 e-mail of the person who booked the premises, located in the same
building as the original company, to conduct the fake interviews
 CCTV clippings
 Mobile numbers
 Payment details for taking the premises on rent
More details on investigation
► The registration and access details from the ESP (E-mail service provider) were also obtained.
► CDR & CAF of the mobile numbers were obtained from MSP (Mobile Service Providers).
► KYC details were obtained from the bank. During the investigation the
beneficiary of the account revealed that they had sold the account to the
accused. The access details obtained from the ESP were sent to the ISP for
the physical address, which was traced to a cyber café.
► A request was made to collect all the classifieds published by the accused
to post the jobs, e.g. through Quikr, OLX etc. The registration details, ad
posting IPs and ad details were obtained from these classified sites. The
e-mail address used in registration was sent to the ESPs to get the
registration and access details.
► The service providers of the IPs received from the ESPs were identified
and a requisition was sent to collect the physical address. Again the
physical address was traced to the same cyber café.
► The registrant details of www.zzz2.in were obtained using a WHOIS domain
lookup. A warrant was obtained to search the cyber café, and the owner of
the café was questioned. A team went to the cyber café and the owner was
asked to produce the café logs and CCTV clippings, if any. The log book
contained only name, in time, out time and signature, and no CCTV was
installed.
► After repeated questioning, the owner of the cyber café recalled one of
his regular customers, by the name a-1, who used to carry out recruitment
activities for various companies, including the complainant's company, on
his own laptop. He then produced his laptop.
► Instructions were given to the owner of cyber café to inform the police when the
suspect visits the café. The information was received from the owner of cyber café
about the presence of accused in his café.
► The accused was arrested & was directed to take the team to his home for seizing
laptop, mobile phone, Pen Drives etc.,
► The mobile number was identified through a USSD (Unstructured
Supplementary Service Data) code. It matched the number used to contact
the victims and was registered with a fake address.
► The laptop was seized and later imaged through a write blocker. Using
forensic tools such as EnCase, IEF (Internet Evidence Finder) and Belkasoft
Evidence Center, relevant artifacts were extracted from the disk image: the
documents containing company letterheads and the e-mails sent to the
victims were identified.
► The IMEIs of the seized mobile handsets were matched with the IMEIs in
the CDRs of some suspected numbers. Three more accused were identified and
arrested, and all of them confessed to the crime they had committed.
► Twenty candidates had deposited money in the fake bank account, and all
the accused used to share the money deposited. The case came to light when
one of the candidates visited the original company with a fake offer letter.
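The imaging and artifact-extraction step above, as an added example that is not the investigating team's code or any vendor tool's output. It models the write-blocked acquisition and the hash verification from the definition at the start of this unit, then shows two ways an examiner pulls evidence out of a raw image: a regex sweep for e-mail addresses over the whole image, including unallocated space, and signature-based carving of a JPEG, which is also how a picture that is no longer stored as a file (as in case study 2 below) can be recovered. The "drive" is a constructed byte buffer; the addresses, domains and the minimal JPEG (header plus end marker, not a real picture) are constructed for the example.

```python
"""Verify a forensic image against its source, then extract artifacts.

Added example; the media below is a constructed byte buffer, not a real
drive, and the e-mail addresses and domains in it are invented.
"""
import hashlib
import re
from typing import List

# Constructed stand-in for a seized drive: a live document, an e-mail
# fragment left in "unallocated" space, and a deleted JPEG with no
# directory entry (only its bytes remain).
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
SOURCE_MEDIA = (
    b"\x00" * 64
    + b"Offer letter on ZZZ letter head. Contact hr@zzz2.in for joining.\n"
    + b"\x00" * 32
    + b"From: recruiter@example.test\r\nTo: victim@example.test\r\n"
    + b"\x00" * 16
    + JPEG
    + b"\x00" * 64
)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Model a write-blocked bit-for-bit copy: the source is only read."""
    return bytes(source)


def verify_image(source: bytes, image: bytes) -> bool:
    """Examination proceeds only if the image hash equals the source hash."""
    return sha256_of(source) == sha256_of(image)


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_email_addresses(image: bytes) -> List[str]:
    """Regex sweep over the raw image, so unallocated space is searched too."""
    return sorted({m.decode() for m in EMAIL_RE.findall(image)})


def carve_jpegs(image: bytes) -> List[bytes]:
    """Signature-based carving: a JPEG starts FF D8 FF and ends FF D9.

    No file-system metadata is consulted, which is why a deleted picture
    can still be recovered as long as its bytes have not been overwritten.
    """
    found = []
    pos = 0
    while True:
        start = image.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = image.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append(image[start:end + 2])
        pos = end + 2
    return found


def examine(source: bytes) -> dict:
    """Acquire, verify, then work only on the image, never on the source."""
    image = acquire_image(source)
    if not verify_image(source, image):
        raise RuntimeError("image hash mismatch; do not examine")
    return {
        "sha256": sha256_of(image),
        "emails": extract_email_addresses(image),
        "jpegs": len(carve_jpegs(image)),
    }


if __name__ == "__main__":
    print(examine(SOURCE_MEDIA))
```

On a real drive the acquisition is done by the hardware write blocker and the imaging tool, and the hashes of source and image are recorded in the seizure memo; the search and carving logic is what tools such as EnCase and Belkasoft automate over the full image.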
Case study 2: Sharing of morphed obscene contents through e-mail & Facebook
• Complaint: Mrs. XXXXXXXXX, a senior software engineer at an MNC, came to
the Cyber Crime Police Station and produced a written complaint along with
an e-mail containing links to her obscene morphed image circulated on
Facebook.
• Brief facts: A suspect started sending mails from XYZ@yahoo.com to the
complainant's mail id Aisxxxxa@yyy.com to defame the complainant. He
published her morphed photograph in an obscene manner on the Facebook
account (http:/www.facebook.com/DesiSexyAunties), with criminal
intimidation, and also communicated through mail that he would upload the
pictures to multiple websites if the complainant did not respond to him.
• Investigation:
► Printouts of the e-mails, along with the full header details, were taken
with the help of the complainant by logging in to her e-mail account.
► A notice under Sections 79(2)(c) & (3)(b) of the Information Technology
Act, 2000 read with the Information Technology (Intermediaries Guidelines)
Rules, 2011 was sent to Yahoo for obtaining the registration and access
details of the suspect's account.
► A notice under Sections 79(2)(c) & (3)(b) of the Information Technology
Act, 2000 read with the Information Technology (Intermediaries Guidelines)
Rules, 2011 was sent to Facebook for taking down the content and requesting
the access details of the post.
► Yahoo Inc did not provide any information, citing the reason that the
e-mail ID belongs to a US domain and is bound by US laws.
► Facebook Inc did not provide any information either, and stated that the
information sought by the IO (investigating officer) would be provided only
through MLAT (Mutual Legal Assistance Treaty).
► The IO analysed the header and identified the originating IP. The service
provider of the IP was found by searching the WHOIS database.
► The IP range belonged to Airtel.
► The date and time in the e-mail header were noted. The time zone was
converted from SGT to IST before requesting the IP details from the service
provider, so that the lookup refers to the correct instant in the
provider's time zone.
► A notice under Section 91 CrPC was issued to obtain the physical address
from the service provider.
► It was traced to a PG (paying guest accommodation). A team went there for
further investigation. The connection was in the name of Mr. XXX. After
questioning, he informed that he was not using the Wi-Fi on the said date,
as he had gone to his native place to visit his parents. He informed that
his roommate Mr. YYY also used the same Wi-Fi and the bill was split
between them.
► Mr. YYY was questioned and his laptop was seized. The image was searched
for on the laptop and was not found as a stored file. The laptop was further
analysed using EnCase and Belkasoft Evidence Center, and the obscene image
of the complainant was recovered.
► The accused was instructed to open the e-mail id (XYZ@yahoo.com) which had
been used to send the morphed photo to the complainant's mail id
Aisxxxxa@yyy.com. Screenshots of the mails sent to the victim were taken
and incorporated in the Mahazar (seizure memo).
► The seized laptop was sent to the CFSL (Central Forensic Science
Laboratory) for expert opinion.
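The header analysis in the investigation above (and the same step in case study 1), as an added example that is not the investigating officer's code or any tool's output. It walks the Received chain from the bottom, which is the hop nearest the sender, skips RFC 1918 and loopback addresses such as the sender's own LAN address, and converts the Date header from the sender's zone (+0800, SGT) to IST so that the request to the service provider names the right instant. The message is constructed; the public addresses are RFC 5737 documentation addresses and the host names are invented.

```python
"""Find the originating IP in e-mail headers and normalise the Date
header to IST before asking the service provider for subscriber details.

Added example, not part of the case studies. The message below is
constructed; 203.0.113.9 and 198.51.100.23 are RFC 5737 documentation
addresses standing in for public addresses.
"""
import email
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network
from typing import Optional

SAMPLE_HEADERS = (
    "Received: from mx1.example.test (mx1.example.test [203.0.113.9])\n"
    "        by mail.yyy.test with ESMTP id abc123;\n"
    "        Mon, 05 Mar 2018 14:32:10 +0530\n"
    "Received: from [192.168.1.7] (unknown [198.51.100.23])\n"
    "        by mx1.example.test with ESMTPSA;\n"
    "        Mon, 05 Mar 2018 17:02:10 +0800\n"
    "Date: Mon, 05 Mar 2018 17:02:10 +0800\n"
    "From: XYZ@yahoo.com\n"
    "To: Aisxxxxa@yyy.com\n"
    "Subject: photos\n"
    "\n"
    "body\n"
)

IST = timezone(timedelta(hours=5, minutes=30))

# RFC 1918 and loopback ranges are checked explicitly rather than via
# ip_address(...).is_private, because Python also flags the RFC 5737
# documentation ranges used in this constructed sample as private.
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_routable(ip: str) -> bool:
    """True for an address a service provider could actually have assigned."""
    addr = ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def originating_ip(raw: str) -> Optional[str]:
    """Walk Received headers from the sender's end and return the first
    routable address; a LAN address such as 192.168.1.7 is skipped."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its Received line, so the bottom one is nearest
    # the sender and the top one is the recipient's own server.
    for hop in reversed(received):
        for ip in BRACKETED_IP.findall(hop):
            if is_routable(ip):
                return ip
    return None


def date_in_ist(raw: str) -> str:
    """Convert the Date header (here +0800, SGT) to IST for the ISP request."""
    msg = email.message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    return sent.astimezone(IST).strftime("%Y-%m-%d %H:%M:%S %z")


def isp_request(raw: str) -> dict:
    """The two facts the Section 91 CrPC notice to the provider needs."""
    return {"ip": originating_ip(raw), "time_ist": date_in_ist(raw)}


if __name__ == "__main__":
    print(isp_request(SAMPLE_HEADERS))
```

The WHOIS step that maps 198.51.100.23 to its provider needs network access and is left to the examiner; note that the originating IP is only as trustworthy as the lowest Received line, which the sender's own server wrote, so the hop added by a server the investigator trusts (here mx1.example.test) is the one to rely on.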
Case study 3: Matrimonial Fraud
Complaint: Ms. XXXX, a project manager at an MNC, came to the Cybercrime
Police Station and produced a written complaint that she had been duped of
Rs. 20 lakhs by the accused on a matrimonial website.
Brief facts: Ms. XXXX was registered on the matrimonial website
www.xxxmatrimony.com.
• She was approached by a person whose profile described him as Director of
a reputed MNC in England.
• She liked the profile and they exchanged numbers. They started
communicating over phone, WhatsApp and Facebook.
• They exchanged pictures and talked about future plans and many other
things. Ms. XXXX thought she had found a great match on the matrimonial
site.
• After a few months of communication he told her that his funds were tied
up in stocks and that he wanted to buy a flat in her name.
• He shared the property details and requested her to transfer a down
payment of Rs. 500000 to a bank account number.
Investigation:
► The creation and access logs were requested from the matrimonial website
and Facebook by issuing a notice under Sections 79(2)(c) & (3)(b) of the
Information Technology Act, 2000 read with the Information Technology
(Intermediaries Guidelines) Rules, 2011.
► The numbers used by the suspect were by then inactive.
► Logs were received from both the matrimonial website and Facebook.
► The IP addresses were analysed and were traced to locations outside India.
► The websites had been accessed by the accused through proxy IP addresses,
by installing proxy software on the system.
► One IP in the Facebook access logs, however, belonged to an Indian service
provider. The physical address of the IP was requested from the service
provider and was traced to a cyber café.
► The owner of the cyber café was not maintaining logs of the people using
the facility. The owner was questioned about the date in question and the
PCs in the café were analysed; one system had proxy software installed. The
suspect was zeroed in on based on the information given by the owner, since
the suspect used the same system whenever he visited the café.
► The suspect's address was known to one of the customers, who took the team
to the suspect's residence. The suspect was arrested and produced before the
court.
END OF UNIT 3