Case Study

Syllabus
Understanding of Internet resources, Web browser, Email header forensic, social networking sites.

Contents
7.1 Understanding of Internet Resources
7.2 Web Browser ... Marks 7
7.3 Email Header Forensic ... Marks 7
7.4 Social Networking Sites ... Marks 7

7.1 Understanding of Internet Resources

* The Internet is a collection of interconnected networks. A collection of interconnected networks is called an internetwork or internet. The Internet, with a capital "I", is the network of networks which either use the TCP/IP protocol or can interact with TCP/IP networks via gateways.
* The Internet is a collection of a large number of computer networks of many different types. The Internet communication mechanism is a big technical achievement, and it is made possible by the passing of messages.
* The Internet is a very large distributed system. The implementation of the Internet and the services it supports has entailed the development of practical solutions.
* Internet service providers are companies that provide modem connections and other types of connection to individual users and small organizations, enabling them to access services anywhere in the Internet. They also provide local services such as email and web hosting.
* A backbone is a network link with a high transmission capacity, employing satellite connections and fibre optic cable. The Internet also provides multimedia services : users can download audio and video files, watch TV, play online games and hold video conferences.
* An Internet browser is a software program that enables us to view Web pages on our computer. Browsers connect computers to the Internet and allow people to "surf the Web." Internet Explorer is one of the most commonly used browsers. Other browsers are available as well, including Netscape.
* A Web site can be a collection of related Web pages.
* Each Web site contains a home page and may also contain additional pages.
* The Internet Protocol is combined with TCP and helps Internet traffic find its destination. Every device connected to the Internet is given a unique IP number.
* HTTP (Hypertext Transfer Protocol) is the language computers use to communicate HTML documents over the Internet, and the URL is the address where the pages can be easily found.
* A company that provides Internet access for customers is an Internet Service Provider (ISP). The user's computer connects to the ISP and then to the Internet. The Internet is a global, interconnected computer network in which every computer connected to it can exchange data with any other connected computer.
* The Domain Name Server (DNS) is responsible for converting domain names into specific IP addresses. After the DNS makes the conversion, the page is rendered (displayed) by the browser, which follows the page's directions for its subcomponents, such as the file names of images.
TECHNICAL PUBLICATIONS® - an up-thrust for knowledge
* The World Wide Web (WWW) is a repository of information linked together from points all over the world. The documents in the WWW can be grouped into three broad categories : static, dynamic and active. Static documents are documents that are created and stored in a server. The client can get only a copy of the document : when a client accesses the document, a copy of the document is sent, and the user can then use a browsing program to display it.

INDEX.DAT File
* The index.dat file stores various information about the web pages and files we have opened by using Internet Explorer.
* Generally, index.dat stores summary information (URL or file path, date and time, etc.) about all files the user has ever opened by using Internet Explorer. These include web pages, websites, local files, image files, PDF files, etc.
* The time frame of the stored information spans from the very first web page or file opened by IE to the most recent one visited or opened.
* An index.dat file resides primarily in three Internet-related folders / directories :
1. Temporary Internet Files : The index.dat file in this directory stores almost all the website addresses of the web pages and pictures the user has opened in Internet Explorer, including the locations of local files and pictures. Cleaning Temporary Internet Files does not erase the content of the index.dat file. It only removes the cached files; the web page URLs stored in index.dat are kept intact.
2. History : This index.dat contains all the URLs or paths the user has ever opened in Internet Explorer. Removing IE History by using IE's Clear History button won't help. It only removes the History, not the content of the index.dat file located under the History folder.
3. Cookies : This index.dat contains a list of the cookies placed on our computer by the web sites we have visited. Cookies are small files placed on our computer by those web sites.

7.2 Web Browser

* A web browser is a software application used to retrieve and explore content on the World Wide Web. These pieces of content are connected using hyperlinks and classified with URIs.
* Uniform Resource Locator (URL) is a standard for specifying any kind of information on the Internet. The URL defines four things : protocol, host computer, port and path.
* The protocol is the client/server program used to retrieve the document. Many different protocols can retrieve a document; among them are FTP and HTTP. The most common today is HTTP.
* The host is the computer on which the information is located, although the name of the computer can be an alias. Web pages are usually stored in computers, and computers are given alias names that usually begin with the characters "www". This is not mandatory, however, as the host can be any name given to the computer that hosts the Web page.
* The URL can optionally contain the port number of the server. If the port is included, it is inserted between the host and the path, and it is separated from the host by a colon.
* Path is the pathname of the file where the information is located. Note that the path can itself contain slashes that, in the UNIX operating system, separate the directories from the subdirectories and files.

Cookies
* Cookies are just files or strings, not executable programs. In principle a cookie could contain a virus, but since cookies are treated as data there is no official way for the virus to actually run and do damage.
* Once the server responds, the relationship between client and server is over. The original design of the WWW, retrieving publicly available documents, exactly fits this purpose.
* The creation and storage of cookies depend on the implementation; however, the principle is the same. When a server receives a request from a client, it stores information about the client in a file or a string. The information may include the domain name of the client, the contents of the cookie (information the server has gathered about the client such as name, registration number, and so on), a timestamp, and other information depending on the implementation.
* The server includes the cookie in the response that it sends to the client. When the client receives the response, the browser stores the cookie in the cookie directory, which is sorted by the domain server name.

Web Attack
* A web attack targets vulnerabilities in websites to gain unauthorized access to confidential information, introduce malicious content, or alter the website.
* Web application attacks are the single most prevalent and damaging threat facing organizations today.
* Attacks such as SQL injection and cross-site scripting (XSS) are responsible for some of the largest security breaches in recent years.

Types of Web Attack

1. SQL Injection :
* SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection attacks are also known as SQL insertion attacks. SQL injection is one of the most common application layer attack techniques used today.
* SQL injection refers to a class of code-injection attacks in which data provided by the user is included in an SQL query in such a way that part of the user's input is treated as SQL code. An attacker can submit SQL commands directly to the database. SQL injection attacks can lead to privilege bypass and/or escalation, disclosure of confidential information and corruption of database information, among other effects.

SQL Injection Example :
* An example SQL injection attack starts with code utilizing an SQL statement, such as :

$db_statement = "SELECT COUNT(1) FROM `users` WHERE `username` = '$username' AND `password` = '$password'";

* In an SQL injection attack against code such as this, the attacker supplies input such as the following to the application :

$username = "badUser";
$password = "' OR '1' = '1";

* Using this example, the SQL statement executed becomes the following :

SELECT COUNT(1) FROM `users` WHERE `username` = 'badUser' AND `password` = '' OR '1' = '1'

* This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
* Data received from a Web form, a cookie or an input parameter is passed into SQL queries and statements that are dynamically built on the server, which is what a SQL injection attack exploits.
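To make the example above concrete, here is an added demonstration in Python with an in-memory SQLite table (this is not code from the book). The first function builds the statement exactly as the page's $db_statement does, so the ' OR '1' = '1 input turns the password check into an always-true condition; the second uses a parameterized (prepared) statement, and the same input simply fails to match. The table contents and the user 'alice' are constructed sample data.

```python
import sqlite3


# Constructed sample table (not the page's data): a single valid account.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """Build the statement the way the page's $db_statement does:
    user input is pasted straight into the SQL text."""
    return ("SELECT COUNT(1) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def count_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Run the string-built statement: quotes in the input become SQL syntax."""
    return conn.execute(vulnerable_sql(username, password)).fetchone()[0]


def count_parameterized(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Prepared/parameterized statement: the driver binds the values, so a
    quote in the input is data, never SQL syntax."""
    stmt = "SELECT COUNT(1) FROM users WHERE username = ? AND password = ?"
    return conn.execute(stmt, (username, password)).fetchone()[0]


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1' = '1"        # the page's attacker-supplied password
    return {
        "statement": vulnerable_sql("badUser", payload),
        "vulnerable": count_vulnerable(conn, "badUser", payload),        # 1: check bypassed
        "parameterized": count_parameterized(conn, "badUser", payload),  # 0: input is a literal
        "valid_login": count_parameterized(conn, "alice", "s3cret"),     # 1: real login still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, ":", value)
```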
2. Cross-Site Scripting (XSS) :
* Cross-site scripting is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the victim by including malicious code in a legitimate web page or web application. The attack occurs when the victim visits the web page or web application that carries the malicious code. The web page or web application becomes the vehicle used to deliver the malicious script to the user's browser.
* Vulnerable vehicles that are commonly used for cross-site scripting attacks are forums, message boards, and web pages that allow comments.
* A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim's browser. XSS attacks are possible in VBScript, ActiveX, Flash, and so on.
* To protect the database against SQL injection, use prepared statements where available. Furthermore, we can consider using a third-party authentication workflow to outsource our database protection.

4. DDoS :
* A denial-of-service attack floods systems, servers or networks with traffic to exhaust resources and bandwidth, so that they cannot serve legitimate requests. Attackers can also use multiple compromised devices to launch this attack. This is known as a distributed denial-of-service (DDoS) attack.
* Traffic analytics tools can help the user spot some of these telltale signs of a DDoS attack :
a) Suspicious amounts of traffic originating from a single IP address or IP range
b) A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
c) Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural
* The following symptoms could indicate a DoS or DDoS attack :
1. Inability to access any website
2. Sudden increase in the amount of spam we receive in our account
3. Slowdown of the network / Internet speed
4. A particular website is unavailable

Email Spoofing :
* Email spoofing is the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
* In an email spoofing attack, the sender's email address looks identical to the genuine email address.
* When we receive an email, our email client tells us who the email is supposedly from. When we click "reply," our client automatically fills in the "to" field in our email. It's all done automatically and behind the scenes. But this information is not as reliable as we might think, because it's surprisingly easy to forge the "from" elements of an email's envelope and header, to make it seem like someone else has sent it.

University Question
1. List any four types of web attacks. How are these web attacks investigated ?

7.3 Email Header Forensic

* Email is used in criminal acts, but also in inappropriate actions such as threats and frauds (phishing). While in principle email is hard to connect to an individual, in practice email can be traced and connected to the perpetrator.
* Over a period of years e-mail protocols have been secured through several security extensions and procedures; however, cybercriminals continue to misuse them for illegitimate purposes by sending spam and phishing e-mails, distributing child pornography and hate e-mails, and propagating viruses, worms, hoaxes and Trojan horses.
* E-mail forensic analysis is used to study the source and content of an e-mail message as evidence, identifying the actual sender, recipient, and date and time it was sent, etc., in order to collect credible evidence to bring criminals to justice.
* For networks, a port means an endpoint of a logical connection. The port number identifies what type of port it is (which application / service is offered). The commonly used default port numbers used in e-mail are shown below :
* Identities used in e-mail are globally unique and are : mailbox, domain name, message-ID and ENVID. Mailboxes are conceptual entities identified by e-mail address, and they receive mail.
* E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail transaction, the intent of the sender, etc.
* A forensic investigation of e-mail can examine both the email header and body. An investigation should have the following :
1. Examining the sender's e-mail address
2. Examining the message initiation protocol (HTTP, SMTP)
3. Examining the message ID
4. Examining the sender's IP address

Email headers
* When investigating email, we usually analyze the headers of the email. Each SMTP server that handles a piece of email adds lines on top of the header, starting with the sending server itself.
* Meta data in the e-mail message, in the form of control information, i.e. the envelope and the headers (including headers in the message body), contains information about the sender and/or the path along which the message has traversed.
* Inconsistencies between the data that subsequent servers supposedly created can prove that the email in question is fake. The basis of the investigation is the header contents itself.
* If a message does not have these lines, then it is faked. If possible, take another email that supposedly followed the same path as the one under investigation and see whether these idiosyncratic lines have changed. While it is possible that the administrator of an SMTP node changed its behavior or its routing, such changes tend to be few and far between.
* In email server investigation, copies of delivered emails and server logs are investigated to identify the source of an e-mail message. E-mails purged from the clients (senders or receivers), whose recovery is impossible, may be requested from servers (proxy or ISP), as most of them store a copy of all e-mails after delivery.
* Some other aspects that control the forensics steps include the following properties :
1. Storage format of email : Server-side storage formats may include maildir and mbox format.
The server side may also store email in SQL Server databases. Reading the different formats for forensic analysis can be done by using a notepad editor and applying regular expression-based searches. At the client side, an email is stored in mbox format. The client side may also store emails as PST (MS Outlook) and NSF (Lotus Notes) files.
2. Availability of a backup copy of email : When checking from the server side, all copies are transferred to the client. This requires seizing the client computer. For webmail, copies are always saved at the server side.
3. Protocol used to transport email : Email can be initiated and transported based on SMTP or HTTP depending on the email server application.

E-mail forensic tools :
1. eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the machine that sent the message so that the sender can be tracked down. It can trace multiple emails at the same time and easily keep track of them.
2. EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics (RCCF), which is a premier centre for cyber forensics in India. It develops cyber forensic tools based on the requirements of law enforcement agencies.
3. Adcomplain is a tool for reporting inappropriate commercial e-mail and usenet postings, as well as chain letters and "make money fast" postings.

Checking UNIX E-mail Server Logs
* Log files provide useful information for investigation. A UNIX e-mail server creates a number of files on the server to track and maintain the email service. The "/etc/sendmail.cf" file holds the configuration information for sendmail. The "/etc/syslog.conf" file specifies how and which events sendmail logs. Communication between SMTP and POP3 is maintained in the /var/log/maillog file, which also records IP addresses and time stamps.
* Email evidence is in the email itself (header).
* Email evidence is left behind as the email travels from sender to recipient.
* Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it.
* Received is the most essential field of the email header : it creates a list of all the email servers through which the message traveled in order to reach the receiver.
* The best way to read the Received lines is from bottom to top :
1. The bottom "Received" shows the IP address of the sender's mail server.
2. The top "Received" shows the IP address of the receiver's mail server.
3. The middle "Received" lines show the IP addresses of the mail servers through which the email passed from sender to receiver.
* The syslog.conf file simply specifies where to save different types of e-mail log files. The first log file it configures is /var/log/maillog, which usually contains a record of Simple Mail Transfer Protocol communication between servers.
* UNIX systems are set to store log files in the /var/log directory.

Microsoft E-mail Server Log
* Microsoft's e-mail server software is Exchange Server. It uses a database and is based on the Microsoft Extensible Storage Engine.
* The Microsoft Extensible Storage Engine (ESE) uses different files in various combinations for providing e-mail service. For investigation, two files are helpful. They are the ".edb" and ".stm" files.
* Besides checkpoint and temporary files, the Exchange store uses the edb file, which contains many tables that hold metadata for all e-mail messages and other items in the store.
* The stm file stores native Internet content. Because the content is written in native format, there is no need to convert messages for the investigation.
* An edb file is responsible for messages formatted with the Messaging Application Programming Interface (MAPI), which allows different e-mail applications to work together.
* The edb and stm files function as a pair, and the database signature is stored as a header in both files.
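The bottom-to-top reading of Received lines, together with the check for inconsistencies between hops described earlier in this section, as an added Python example (not code from the book): it parses a constructed message (hosts, addresses, ids and times are made up), orders the hops from the originating server to the receiving one, and flags a hop whose "from" host does not match the previous hop's "by" host or whose timestamp runs backwards. A second copy of the message with a forged bottom Received line shows the mismatch being caught.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (hosts, addresses, ids and times are made up):
# three hops, the sender's server at the bottom, the receiver's at the top.
RAW_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.9])
\tby mailstore.example.net with ESMTP id qz12; Mon, 3 Jun 2024 10:02:41 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx-in.example.net with ESMTP id ab34; Mon, 3 Jun 2024 10:02:40 +0000
Received: from sender-pc (unknown [192.0.2.25])
\tby relay.example.org with ESMTPA id cd56; Mon, 3 Jun 2024 10:02:38 +0000
From: someone@example.org
To: victim@example.net
Subject: test
Message-ID: <abc123@example.org>

body
"""

# The same message with a forged Received line pushed under the real ones,
# claiming the mail started at a bank's server (constructed, for the check).
FORGED_LINE = ("Received: from mail.bank.example (mail.bank.example [192.0.2.80])\n"
               "\tby mail.bank.example with ESMTP id zz99; Mon, 3 Jun 2024 10:02:30 +0000\n")
FORGED_MESSAGE = RAW_MESSAGE.replace("From: someone", FORGED_LINE + "From: someone")

# "from <host> (... [<ip>]) ... by <host>"; the bracketed address is optional.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:.*?\[(?P<ip>[0-9a-fA-F.:]+)\])?.*?\bby\s+(?P<by>\S+)")


def parse_received(raw_message: str) -> list:
    """Return the Received hops ordered from the originating (bottom) line
    to the receiving (top) line, each as a dict of from/ip/by/time."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold the continuation line
        m = HOP_RE.search(value)
        date_part = value.rsplit(";", 1)[-1].strip()
        hops.append({
            "from": m.group("from") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(date_part),
        })
    # Each relay prepends its line, so get_all() is newest-first; reverse it.
    return list(reversed(hops))


def check_chain(hops: list) -> list:
    """Flag the inconsistencies the text describes: a hop whose 'from' host
    is not the 'by' host of the hop before it, or a timestamp that goes back."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["from"] != prev["by"]:
            findings.append(f"handoff mismatch: {prev['by']} -> {cur['from']}")
        if cur["time"] < prev["time"]:
            findings.append(f"timestamp goes backwards at {cur['by']}")
    return findings


def originating_ip(hops: list):
    """IP recorded in the bottom Received line (the sender's mail server)."""
    return hops[0]["ip"]


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    print("sender IP:", originating_ip(hops), "findings:", check_chain(hops))
    print("forged message findings:", check_chain(parse_received(FORGED_MESSAGE)))
```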
* The internal schema for the .stm pages is stored in the .edb file.

E-mail Forensic Tools : MailXaminer
* MailXaminer is a tool-kit having multiple functionalities, of which the powerful search mechanism is the best feature, without any limitation. With this email search software, users can scan, view, search, investigate, analyze, smart-review and create a report of emails in a very short amount of time.
1) Input file in disk required : This indicates the presence of the email file on the local disk. MailXaminer requires the input file to be present on the disk.
2) Search option : This feature indicates how to perform a search for interesting words in the content of an email. MailXaminer can perform plain text-based search.
3) Information provided : This feature indicates the information extracted and shown as part of the forensic analysis. The MailXaminer tool shows the message, date and time details of an email.
4) Recovery capability : A forensic tool should have the capability to recover corrupted or deleted email to be useful for investigation. MailXaminer can recover corrupted email. It also has the capability to import corrupted contacts and calendars.
5) Email format supported : This feature indicates the file types supported by a tool. MailXaminer supports Gmail, Yahoo, Hotmail IMAP, Mozilla Thunderbird, Lotus Notes, Outlook, Exchange and Mac Outlook email formats.
6) Visualization format supported : A forensic tool should allow the investigator different options for the display of the extracted information to enable more effective evidence gathering. MailXaminer supports different view options.
7) OS supported : Ideally, a forensic tool should support different types of operating systems to make it useful for email applications running on different platforms. MailXaminer can run on Windows.
8) Export format : A forensic tool should have a friendly format for saving the examination results for compatible analysis with other forensic tools.
9) Extended device support : This feature indicates whether a tool can act on plugged-in devices such as an added hard disk or USB memory stick.

University Question
1. Explain e-mail header forensic in detail.

7.4 Social Networking Sites

* Social media is defined as web-based and mobile-based Internet applications that allow the creation, access and exchange of user-generated content that is ubiquitously accessible.
* Social media refers to online tools and services which allow an exchange of ideas, information, videos, pictures and graphics, just about anything we can name. Social media also allows easy sharing and distribution of existing content to others so that professional work can be shared through networks.
* It is empowered by web 2.0. "One to many" communication is changing into "many to many" communication. Everyone, every voter, becomes an online "broadcaster".
* Characteristics of social media :
1. Everyone can be a media outlet.
2. Disappearing of communication barriers.
3. Rich user interaction.
4. User-generated contents.
5. User-enriched contents.
6. User-developed widgets.
7. Collaborative environment.
8. Collective wisdom.
* Types of social media services are as follows :
1. Bookmarking sites and social news sites (Digg)
2. Blogs and microblogs (Twitter, Tumblr)
3. Social networking sites (Facebook, Google+)
4. Shopping sites (Amazon)
5. Multimedia sharing (YouTube, Flickr)
6. Virtual worlds (World of Warcraft, Second Life)
* Social media monitoring is a process of using social media channels to track, gather and mine the information and data of certain individuals or groups, usually companies or organizations, to assess their reputation and discern how they are perceived online.
* Social media monitoring is also known as social media listening and social media measurement.
* Social media can be a cheap and effective way of starting a marketing campaign, with a big impact possible from minimal investment.
* Our social media strategy should contain a smart mix of engaging content and a friendly and responsive 'persona' that can grow a focused community which is interested in our product/service/brand and can recommend our business to others.
* Social media should be incorporated into our Public Relations (PR) strategy. PR means getting people to talk and think about our business in a positive way. Social media provides a platform for our customers to talk with each other. How we manage that platform and engage with what our customers are saying is an important part of our PR strategy.
* The biggest challenges businesses face with social media are lack of resources, no formal strategy, building a community of followers and tracking results. Some of the main challenges to consider are :
a) What do we hope to achieve by using social media ?
b) How much time can we devote to social media ?
c) What are the most effective platforms to use ?
d) What are we trying to achieve for our business ?
* Social media gives us the chance to build brand awareness, but there are also dangers in participating in a public conversation forum. We need to have an idea of how to handle negative feedback about our presence, and to ensure that what we post and how we interact with people presents a professional image to the world.

* Internal security threats due to social media are as follows :
1. Cyber terrorism : The biggest challenge to the internal security of the nation through social networking sites is cyber terrorism. Today terrorists select social media as a practical alternative for disturbing the functioning of nations and other bodies, because this technique has the potential to cause huge disruption.
2. Fraud : Social networking sites also invite fraudsters to take the opportunity to become wealthy by applying deceptive schemes.
3. Other national and international users, such as political parties, NGOs and hackers, pose a serious threat using the social media.
4. Communal violence and fanning tensions : Importantly, social media also seems to be playing a significant role in polarizing different communities in India and compounding India's security challenges. The viral videos and fake updates of communal clashes, riots and terrorist attacks have created a massive impact on the life of the public.

University Question
1. Explain the use of digital forensics in social networking sites.