Forensic Analysis

By
Mrs. T. Hemalatha,
Associate Professor
Department of Computer Science & Engineering

5/13/2018 1
 Cyber Crime
• Computer crime, or Cyber crime, refers to any
crime that involves a computer and
a network. The computer may have been used
in the commission of a crime, or it may be the
target.
• Netcrime refers to criminal exploitation of the
Internet.

5/13/2018 2
 Overview of Presentation
• Why is Evidence identification and
Preservation required?
• Who benefits from Computer Forensics?
• General Types of Forensic Examinations
requested.
• Process of Forensics.
• Tools of the trade.
• What is the Examiner looking for?
5/13/2018 3
 Why is Evidence important?
• In the legal world, Evidence is EVERYTHING.
• Evidence is used to establish facts.
• The Forensic Examiner is not biased.

5/13/2018 4
 Who needs Computer Forensics?
• The Vicitm!
• Law Enforcement
• Insurance Carriers
• Ultimately the Legal System

5/13/2018 5
 Who are the Victims?
• Private Business
• Government
• Private Individuals

5/13/2018 6
 Cybercrime
• Offences that are committed against individuals or
groups of individuals with a criminal motive to
intentionally harm the reputation of the victim or
cause physical or mental harm to the victim directly or
indirectly, using modern telecommunication networks
such as Internet (Chat rooms, emails, notice boards
and groups) and mobile phones (SMS/MMS)".
• Such crimes may threaten a nation’s security and
financial health
• Ex. Cracking, Copyright Infringement, Loss or
interception of Confidential Information etc.

5/13/2018 7
 Computer Forensics

• Is to examine digital media in a forensically

sound manner
• with the aim of identifying, preserving,
recovering, analyzing and presenting facts and
opinions about the information.

5/13/2018 8
 Digital Forensics
• Goal
– Computer forensics is to perform a structured
investigation while maintaining a documented
chain of evidence to find out exactly what
happened on a computing device and who was
responsible for it.
– Computer forensics is the application of
investigation and analysis techniques to gather
and preserve evidence from a particular
computing device in a way that is suitable for
presentation in a court of cyber law.

5/13/2018 9
 Digital Forensics
• Used for various purposes
– Investigating Cyber Crimes
– Internal Policy Violations
– Reconstructing Computer Security Incidents
– Troubleshooting Operational problems
– Recovering from accidental system damage

5/13/2018 10
 Some litigations
• Civil Matters
• Breach of Contract
• Asset recovery
• Breach of Confidence
• Breach of securities industry legislation and regulation and /or
Companies Acts
• Employee disputes
• Copyright and other intellectual property disputes
• Consumer Protection law obligations (and other examples of
no-fault liability)
• Data Protection law legislation

5/13/2018 11
 Criminal Matters
• Theft Acts, including deception
• Criminal Damage
• Demanding money with menaces
• Companies Law, Securities Industry and banking offences
• Criminal offences concerned with copyright and intellectual
property
• Drug offences
• Trading standards offences
• Official Secrets
• Computer Misuse Act offences

5/13/2018 12
 Phases involved in examination
• Collection
Identifying, labeling, recording, and acquiring data from the
possible sources of relevant data, while following
procedures that preserve the integrity of the data.
• Examination
using a combination of automated and manual methods,
and assessing and extracting data of particular interest,
while preserving the integrity of the data
• Analysis
Analyzing the results of the examination, using legally
justifiable methods and techniques, to derive useful
information
• Reporting
Reporting the results of the analysis
5/13/2018 13
 Investigators
• use a variety of techniques and proprietary
software forensic applications to examine the
copy, searching hidden folders and
unallocated disk space for copies of deleted,
encrypted, or damaged files. Any evidence
found on the digital copy is carefully
documented in a "finding report" and verified
with the original in preparation for legal
proceedings that involve discovery,
depositions, or actual litigation
5/13/2018 14
• Computer Forensic Analysis and Incident
Response will help to determine
– How did the breach occur?
– What systems were compromised?
– What did they take? What did they change?
– How do we remediate the incident?
• Incident responders should be armed with the
latest tools, memory analysis techniques, and
enterprise scanning methodologies in order to
identify, track and contain advanced
adversaries, and remediate incidents.

5/13/2018 15
 Computer Forensics Methods (1)
• safe seizure of computer systems and files, to avoid
contamination and/or interference
• safe collection of data and software
• safe and non-contaminating copying of disks and other data
media
• reviewing and reporting on data media
• sourcing and reviewing of back-up and archived files
• recovery / reconstruction of deleted files - logical methods
• recovery of material from "swap" and "cache" files
• recovery of deleted / damaged files - physical methods

5/13/2018 16
 Computer Forensics Methods (2)
• core-dump: collecting an image of the contents of the active
memory of a computer at a particular time
• estimating if files have been used to generate forged output
• reviewing of single computers for "proper" working during
relevant period, including service logs, fault records, etc.
• proving / testing of reports produced by complex client /
server applications
• reviewing of complex computer systems and networks for
"proper" working during relevant period, including service
logs, fault records, etc.
• review of system / program documentation for: design
methods, testing, audit, revisions, operations management.

5/13/2018 17
 Computer Forensics Methods(3)
• reviewing of applications programs for "proper" working
during relevant period, including service logs, fault records,
etc.
• identification and examination of audit trails
• identification and review of monitoring logs
• telecoms call path tracing (PTTs and telecoms utilities
companies only)
• reviewing of access control services - quality and resilience of
facilities (hardware and software, identification /
authentication services)
• reviewing and assessment of access control services - quality
of security management
• reviewing and assessment of encryption methods - resilience
and implementation
5/13/2018 18
 Computer Forensics Methods (4)
• setting up of pro-active monitoring in order to detect
unauthorised or suspect activity
• monitoring of e-mail
• use of special "alarm" or "trace" programs
• use of "honey pots"
• inter-action with third parties, e.g. suppliers, emergency
response teams, law enforcement agencies
• reviewing and assessment of measuring devices, etc. and
other sources of real evidence, including service logs, fault
records, etc.
• use of routine search programs to examine the contents of a
file
• use of purpose-written search programs to examine the
contents of a file
5/13/2018 19
 Computer Forensics Methods (5)
• reconciliation of multi-source files
• examination of telecoms devices, location of associated
activity logs and other records perhaps held by third parties
• event reconstruction
• complex computer intrusion
• complex fraud
• system failure
• disaster affecting computer driven machinery or process
• review of "expert" or rule-based systems
• reverse compilation of suspect code
• use of computer programs which purport to provide
simulations or animations of events: review of accuracy,
reliability and quality
5/13/2018 20
 Examination
• The Operating System
• Services
• Applications/processes
• Hardware
• LOGFILES!
• System, Security, and Application
• File System

5/13/2018 21
 Examination Continued
• Deleted/Hidden Files/NTFS Streams
• Software
• Encryption Software
• Published Shares/Permissions
• Password Files
• SIDS
• Network Architecture/Trusted Relationships

5/13/2018 22
 Off-Site Storage
• “X-Drives”
• FTP Links
• FTP Logs
• Shares on internal networks

5/13/2018 23
 Toolkit requirements
• File Viewers

• Uncompressing Files

• Graphically Displaying Directory Structures

• Identifying Known Files

• Accessing File Metadata

5/13/2018 24
 Protection

• Protect the integrity of the evidence. Maintain

control until final disposition.
• Prior to Booting target computer,
DISCONNECT HDD and verify CMOS.
• When Booting a machine for Analysis, utilize
HD Lock software.

5/13/2018 25
 Operating system
• Volatile Data vs. Non Volatile data

• Focus on Volatile Data

– Contents of Memory - 3rd party utilities
– Network Configuration – ifconfig, ipconfig
– Network Connections - netstat
– Running Processes - ps
– Open Files - lsof
– Login Sessions
– Operating System Time – date,time,nlsinfo

5/13/2018 26
 File System
• File systems are designed to store files on media
• Deleted Files
• Slack Space
• Free Space - is the area on media that is not allocated
to any partition; it includes unallocated clusters or
blocks
• Data might be hidden is through Alternate Data
Streams (ADS) within NTFS volumes - used to store
unnamed stream
• Renaming the files with inappropriate extensions – File
headers need to be analyzed to detect such attacks

5/13/2018 27
 Network system Data
• Packet sniffers
• Wire shark
• Traffic analyzer
• NAT

5/13/2018 28
 Application Data
• Configuration Files
• Log files
– Event log
– Audit Log
– Error log
– Installation log
– Debugging log
• Types of application
– Local or client server or peer to peer
– Web application
• Trusted or Malware analysis

5/13/2018 29
 Log File Analysis
• Events.
• What Events are monitored?
• What do the event records reveal?
• Firewall/Router/Server log files?
• Modem/FTP/Telnet

5/13/2018 30
 Memory Forensics
• effective at finding evidence of worms, rootkits, and
advanced malware
• Identify Rogue Processes
• Analyze process DLLs and Handles
• Review Network Artifacts
• Look for Evidence of Code Injection
• Check for Signs of a Rootkit
• Acquire Suspicious Processes and Drivers
– STUXNET
– TDL3/ TDSS
– Zeus/Zbot

5/13/2018 31
 Dead-box and Live-box analysis

•Dead Box Analysis – Accessing and analyzing

all the Non volatile Information
•Live Box Analysis - – Accessing and analyzing
all the volatile Information
•fdpro.exe was used to create a physical
memory from a Windows XP SP3 OS.

5/13/2018 32
 Evidence Search
• Image Files
• Software applications
• Deleted Files
• Hidden Files
• Encrypted Files
• Hidden partitions
• Keyword Search
• Known Remote Access Tools
5/13/2018 33
 Malicious code
• Investigators need to know if malicious code is
running on a suspect’s machine. Physical
memory analysis provides a new approach to
detecting rootkits and malicious code. This
capture shows HBGary Responder identifying
a hidden kernel driver called msdirectx.sys.
The process notepad.exe is hidden from the
system

5/13/2018 34
Evidence Processing Guidelines
• New Technologies Inc. recommends following 16
steps in processing evidence
• They offer training on properly handling each step
– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to machine and destruction of
evidence (manual or ant-forensic software)
– Step 2: Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating

5/13/2018 35
Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to A Secure
Location
• Do not leave the computer unattended unless it is locked in a
secure location
– Step 4: Make Bit Stream Backups of Hard Disks and Floppy
Disks
– Step 5: Mathematically Authenticate Data on All Storage
Devices
• Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File

5/13/2018 36
Evidence Processing Guidelines (cont)
– Step 9: Evaluate File Slack
• File slack is a data storage area of which most computer users
are unaware; a source of significant security leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated Space for
Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage
Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used

5/13/2018 37
5/13/2018 38
5/13/2018 39
5/13/2018 40
5/13/2018 41
5/13/2018 42
5/13/2018 43
5/13/2018 44
5/13/2018 45
 NTFS Streams
The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
Copyright(c)1998 NT OBJECTives, Inc. All Rights Reserved

AFind - File access time finder

SFind - Hidden data streams finder

HFind - Hidden file finder

5/13/2018 46
 Typical CBD Files

5/13/2018 47
 Imaging Software

5/13/2018 48
5/13/2018 49
 Security Identifers

SIDS can be used to ID the perpetrator.

Security is used within Win2K to ID a user.
Security is applied to the SID.

5/13/2018 50
 Where to find the SID

5/13/2018 51
5/13/2018 52
 SID Structure
• Domain Identifier: All values in the series,
excluding the last value ID the Domain.
• Relative Identifier (RID) is the last value. This
ID’S the Account or Group
• S-1-5-21-838281932-1837309565-
1144153901-1000

5/13/2018 53
 Users

5/13/2018 54
5/13/2018 55
5/13/2018 56
5/13/2018 57
5/13/2018 58
5/13/2018 59
5/13/2018 60
5/13/2018 61
5/13/2018 62
 Documentation
• Document EVERYTHING
• Reason for Examination
• “The Scene”
• Utilize Screen Capture/Copy Suspected files
• All apps for Analysis/apps on Examined
system.

5/13/2018 63
 Thank You

5/13/2018 64